40100 User Manual
Contents
1. Figure 10.4: Import projects

Release User Manual V1.2, 2013-06-17, page 82. Hitex SafeTI Hitex Safety Kit (HSK), User Manual of the Hitex Safety Kit, Development Tools.

10.3 Safety application firmware

The SAFW is composed of 3 major parts: the Safety application, the SafeTI Diagnostic Library and the TPS Library. The source code of the Safety application is completely open source and is delivered as Eclipse projects.

Note: If the license agreement for the SafeTI Diagnostic Library has not been accepted during the installation process, the Safety application project does not contain the SDL and therefore cannot be built.

This description explains only the HSK Safety Application project.

10.3.1 Directory structure

The source code is partitioned into several directories (Figure 10.5: Directories): AppMCU System, DataFlash, Debug BE, Debug LE, include, kernel source RM48x, kernel source TMS570, MCU System, OSAL, Release BE, Release LE, SafetyLib, source, targetConfigs, tasks, TPSLib.

• AppMCU System: contains MCU driver files generated with HalCoGen, which have been changed manually.
• include: this directory contains configuration header files and one file for the Subversion revision number.
• kernel source RM48x and kernel source TMS570: hold the SafeRTOS libraries with the API header.
• MCU System: contains MCU driver files
2. List of tables (excerpt)

… 30
Table 5.9 User programmable push buttons … 30
Table 5.10 Digital accelerometer interface … 31
Table 5.11 Temperature sensor interface … 31
Table 5.12 Potentiometer interface … 31
Table 5.13 Test points between Safety MCU and TPS65381 … 32
Table 5.14 Test points between Safety MCU and C&M MCU … 33
Table 5.15 Mapping between test points and GUI signals … 34
Table 6.1 Buttons in the Navigation Bar … 36
Table 6.2 Information within the System flow part of the Overview Page … 39
Table 6.3 Signals within the System flow window part during fault injection … 41
Table 6.4 ESM error configuration …
3. HSA_Utils.h, HSA_WatchdogService.c, HSA_WatchdogService.h (end of the file list in Figure 10.7: Kit application source files)

10.5.3 Task overview

[Figure 10.8: Architecture, task level. Task instances shown: HSA FI Handler, HSA SafetyLibServer, HSA SYSL Task, HSA CMD Handler, HSA Template Task, HSA Display Task; interfaces: MIBSPI, SPI]

The figure above gives a rough overview of the tasks and their communication. The grey ellipses each represent one task instance, while the white boxes stand for message queues. Most of the tasks have the structure depicted in Figure 10.9.

[Figure 10.9: Generic structure of tasks in the Safety Kit Application. States State 1 … State n, selected by a switch on the task operating state]

After the boot phase (see chapter 4.2.1.1) the scheduler starts running the task with the highest priority, which is the HSA WDsService task.

10.5.4 HSA CMD Handler task

The responsibility of the command handler task is to process the messages sent from the C&M device. Another job of this instance is to take the application messages (e.g. produced by other tasks) that are available in the transfer queue and send them to the control and monitor device. These messages could be text messages, application mes
4. 10.5.9 HSA_DisplayTask

The display instance serves the pictures or texts to be printed to the on-board display. It is realized as a task to ensure that text output is serialized and therefore not mixed when several other tasks want to post messages in parallel. The text messages are received from a queue.

Table 10.9 Display task properties
Priority: 2
Assigned message queues: 1
Assigned LED: 0
External interfaces: SPI2 interface to the onboard display
Privilege level: unprivileged

Table 10.10 Display message queues
Display messages: 5; role: Consumer; peers: all other tasks

For the data to be output to the display an API is used, located in the source file onboardLCD.c. The onboard LCD API uses a special SPI driver because special handling of the CS (chip select) is necessary. This driver is implemented in the source file spi_display.c.

Table 10.11 Files used for the onboard display API
Source file / Type / Comment
Onboard_lcd.c / C source / API implementation
Onboard_lcd.h / Header / API definition
Spi_display.c / C source / SPI driver to display
Spi_display.h / Header / SPI driver interface
BW_LCD.c / C source / LCD command interface implementation
BW_LCD.h / Header / LCD command interface header
Font.h / Header / Character fonts table
Picture.h / Header / Contains the pictures (Hitex and TI logo)

10.5.10 HSA Template
5. [Figure 4.1: Main components of the kit. Blocks: Host, Board, Communication, Power Supply; Texas Instruments]

4.1 System components

The HSK hardware platform consists of:

• Safety system. The Safety system consists of the Safety MCU, the power supply companion chip and a set of peripherals. These are used to demonstrate safety features of the two devices as they would be used in an actual application.
  ◦ Safety MCU (SDUT). The Safety MCU is one of the different pin-compatible variants of the Hercules ARM Safety Microcontrollers, TMS570LS3137 or RM48L952. It interfaces with various other components on the board: a multi-rail power supply with watchdog feature (the TPS65381); a control and monitoring device (the C&M device), which monitors the SDUT and TPS devices; and user peripherals: an accelerometer, a temperature sensor, an HMI (4x LED, potentiometer, LCD), a CAN transceiver and a motor control interface (DIMM connector).

The HSK provides an end user the ability to evaluate the safety features of this device, with the added ability to add other user functionality in terms of performance and connectivity. An example safety application is provided in the HSK which runs on the SDUT. This is an example application demonstrating key safety features of the Safety MCU and the power supply w
6. [Figure 6.2: GUI Main Window after connection]

6.1.3 Hyperlinks (3)
The hyperlinks lead to the Hitex and Texas Instruments websites.

6.1.4 Button "Stop recording" (4)
With the button "Stop recording" the recording of events and data for the GUI pages is stopped, e.g. to allow an in-depth examination of the GUI content. When recording stops, the button's name changes to "Restart recording". When the button is pressed again, the recording of events and data is restarted after resetting the SDUT and the GUI pages (except the pages used for configuration).

6.1.5 Status Bar (5)
The Status Bar gives information about:
• the connection of the board and the GUI;
• the number of safety cycles executed by the safety microcontroller after reset (a single execution of all microcontroller tests is counted as one safety cycle);
• the type of the microcontroller and the companion chip assembled on the connected board.

6.2 GUI Pages
The GUI has seven pages. These pages are selected via the corresponding buttons within the Navigation Bar (see also Table 6.1) and displayed in the Main Viewing Area. The structure and functionality of the pages are described in Sections 6.2.1 to 6.2.7.

6.2.1 Overview Page
The Overview Page gives a general overview of the activities and the suppl
7. [Figure 7.3: Data flow of the SDUT recovery from fault. Steps shown: in the ESM IRQ handler set the respective ERR signal; recognize the FI command received from the GUI and set the FI pin]

Note: The safety application, while waiting in the interrupt handler, does not serve the external watchdog (Q&A). As a consequence the error counter of the TPS increments above the configured limit, leading to a signal indication on the nENDRV pin.

There is another mechanism which influences the nENDRV behavior: if the TPS is configured to monitor the nESMERR pin, then the nENDRV pin is also driven low after a configured timeout expires (global GUI parameter "ESM low signaling duration").

The screenshot example is generated with a PSCON Lockstep (PSCON) fault, which is a group 1 error. The configuration parameter for recovery is set to "no". Also the parameters for ESM IRQ and Error pin are enabled.

[Figure 7.4: Category 1 fault, Lockstep PSCON. Signals: Fault injection, ERR Detection, Safe state MCU, Safe state TPS, ESMIRQ pin, nESMERR pin; time axis in ms]

The distinctive signal for this flow is that the ESMIRQ pin signal is asserted together with the ERR Detection signal.

7.2.5 Faults which lead to an abort (Category 2 behavior)
These are faults which produce a data abort in the safety application software. In
8. Task MPU configuration (continued):

    /* configure the MPU according to requirements */
    mpuSettings.myPrivilegeLevel = OSAL_PRIVILEGED_TASK;
    mpuSettings.myRegionCount    = 2;

    /* MPU region 0 controls the static data collected in the myCmdUserData struct */
    mpuSettings.myRegions[0].myAccessPermissions = OSAL_MPUACCESS_FULL;
    mpuSettings.myRegions[0].myBaseAddress       = (void *)&myCmdUserData;
    mpuSettings.myRegions[0].myLengthInBytes     = CMD_MPU_USERACCESS_AREA_LENGTH;

    /* MPU region 1 enables access to the peripherals and system memory */
    mpuSettings.myRegions[1].myAccessPermissions = OSAL_MPUACCESS_FULL;
    mpuSettings.myRegions[1].myBaseAddress       = (void *)0xF0000000;
    mpuSettings.myRegions[1].myLengthInBytes     = 0x10000000;

For further information on SafeRTOS refer to the documentation provided by Wittenstein.

10.5.2 Source files
HSA_CommandHandler.c, HSA_CommandHandler.h
HSA_Display.c, HSA_Display.h
HSA_FaultInjection.c, HSA_FaultInjection.h
HSA_Protocol.h
HSA_SafetyLibraryServer.c, HSA_SafetyLibraryServer.h
HSA_SensorAndHMI.c, HSA_SensorAndHMI.h
HSA_SystemLoad.c, HSA_SystemLoad.h
HSA_SystemSettings.c, HSA_SystemSettings.h
HSA_TemplateTask.c, HSA_TemplateTask.h
HSA_Utils.c
9. Hitex Development Tools. SafeTI Hitex Safety Kit (HSK), User Manual of the Hitex Safety Kit. User Manual 40100, V1.2, 2013-06-17.

Edition 2013-06-17. Published by Hitex Development Tools GmbH, Greschbachstr. 12, 76229 Karlsruhe, Germany. © 2013 Hitex Development Tools GmbH. All Rights Reserved.

Legal Disclaimer: The information given in this document shall in no event be regarded as a guarantee of conditions or characteristics. With respect to any examples or hints given herein, any typical values stated herein and/or any information regarding the application of the product, Hitex Development Tools GmbH hereby disclaims any and all warranties and liabilities of any kind, including without limitation warranties of non-infringement of intellectual property rights of any third party.

Information: For further information on technology, delivery terms and conditions and prices please contact the nearest Hitex Office (www.hitex.com).

Document history
Date / Version / Modified by / Description
2013-06-17 / 1.2 / Wenz, Arnaout / Review points considered
– / – / Sander / Ready to release

We ask for your comments: Is there any information in this document that you feel is wrong, unclear or missing? Your feedback will help
10. [Figure 6.9: Monitoring Page. Screenshot residue: application message log lines ("MON ev …, RX …, kB"); version information panel: Monitor version, Application version, Board revision 0, Board type TMS570 / TPS65381, GUI version 1.0.0.502]

The application messages part of the Monitoring Page acts as a terminal to output user-defined strings, tagged with timestamps, from the applications running on either the safety MCU or the C&M device. The messages can be used for debugging purposes.

6.2.6 Application Page
The Application Page, depicted in Figure 6.10, shows temperature and acceleration values. There are 3 acceleration axes displayed: X (horizontal), Y (horizontal, orthogonal to X) and Z (vertical). The values are standardized to acceleration with respect to gravity. The application executed on the safety MCU reads the corresponding sensor data and subsequently performs certain conversion calculations. Finally the results are transferred to the GUI.

[Screenshot residue: Temperature; Acceleration X, Y, Z]
11. List of figures (excerpt)

… 83
Figure 10.6 SAFW Architecture top level … 84
Figure 10.7 Kit application source files … 86
Figure 10.8 Architecture Task Level … 86
Figure 10.9 Generic structure of tasks in the Safety Kit Application … 87
Figure 10.10 Command handler task data flow … 88
Figure 10.11 Fault Injection handler task data flow … 88
Figure 10.12 Safety library server task data flow … 89
Figure 10.13 Profiling measurement data flow … 90
Figure 10.14 Profiling full safety task data flow … 91
Figure 10.15 Sensor task data flow …
Figure 10.16 to Figure 10.20 …
12. Name: Data ECC
Parameter: RAM Data ECC
Diagnostic: SRAM Data ECC logic
Description: An ECC error is forced on the SRAM.
Category: 2
Reaction: The access to data with wrong ECC bits leads to a data abort and the data abort handler is called. In the handler the EnterSafeState function is called. This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

SRAM
Name: Correctable ECC profiling
Parameters: ESM channel configuration; Recover from ESM group 1
Diagnostic: Correctable ECC profiling
Description: The self test library function is called which forces the fault.
Category: 1
Reaction: An ESM group 1 interrupt is generated. In the interrupt handler the EnterSafeState function is called if the parameter "Recover from ESM group 1 error" is set to "no". This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

SRAM
Name: Redundant address decode
Parameters: ESM channel configuration; Recover from ESM group 2
Diagnostic: Redundant address decode
Description: The self test library function is called which forces the fault.
Category: 1
Reaction: An ESM group 2 interrupt is generated. In the interrupt handler the EnterSafeState function is called if the parameter "Recover from ESM group 1 error" is set to "no". This function waits in an endless
13. EnterSafeState. This function waits in an endless loop until the TPS resets the system. The ERR Detection signal is not sensitive to this error, since the fault detection occurs before the signal's GPIO pin is initialized.

FLASH
Name: Periodic hardware CRC check for Flash contents
Parameter: CRC calculation
Diagnostic: CRC check
Description: The CRC value to check against is modified. Consider that the runtime checking for the CRC test has to be activated.
Category: 6
Reaction: The periodic CRC run time test detects the error. The safety application firmware calls the function EnterSafeState. This function initiates a system reset, which causes the TPS to lose synchronization (ENDRV low). The TPS triggers a PORST to the safety MCU. The fault detection time depends on the number of runtime tests initiated and is defined as the interval between the fault injection point and the point where the runtime test detects the fault, provided that the detection occurs within the execution time of the runtime test.

FEE
Name: Data ECC
Parameters: ESM channel configuration; Recover from ESM group 1
Diagnostic: FEE Data ECC
Description: An ECC error is forced.
Category: 1
Reaction: An ESM group 1 interrupt is generated. In the interrupt handler the EnterSafeState function is called if the parameter "Recover from ESM group 1 error" is set to "no". This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

SRAM
Name:
14. mode
Category: 1
Reaction: An ESM group 1, channel 38 interrupt is generated. In the interrupt handler the EnterSafeState function is called if the parameter "Recover from ESM group 1 error" is set to "no". This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

PSCON
Name: Privileged mode access and program sequence control registers
Parameter: None
Diagnostic: Privileged mode access and program sequence control registers
Description: An access mode violation is stimulated.
Category: 2
Reaction: An abort happens and the data abort handler is executed. In the handler the EnterSafeState function is called. This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

Power supply
Name: Under voltage on VBAT for TPS signals
Parameter: None
Diagnostic: The safety device system is controlled by an external device (TPS).
Description: The power supply VBAT for the TPS is reduced below 4.8 Volt.
Category: 3
Reaction: The nRST and PORST are triggered to the MCU. The TPS activates Safe state, indicated with the ENDRV signal driven low.

Power supply
Name: Disturb VBAT on TPS signals
Parameter: None
Diagnostic: The safety device system is controlled by an external device (TPS).
Description: The power supply VBAT for the TPS is cut o
15. Table of contents (excerpt)

… 21
4.2 … 22
4.2.1 … 22
4.2.1.1 Safety application firmware … 23
4.2.1.2 Control monitor device firmware … 23
4.2.2 … 24
4.2.3 Normal operation … 24
4.2.3.1 Safety application firmware … 24
5 Hardware Description … 25
5.1 Hitex Safety Kit Features … 25
5.2 Physical … 26
5.2.1 External … 26
5.2.1.1 … 26
5.2.1.2 TI DRV8312 controlCARD Interface … 26
5.2.1.3 … 28
5.2.1.4 … 28
5.2.1.5 … 28
5.2.1.6 Power Supply Connector … 29
5.2.2 … 29
5.2.3 … 29
5.2.4 … 30
5.2.5 … 30
5.2.5.1 Digital Accelerometer …
16. 6.2.4.8 Group CPU compare module (CCM-R4F)
• Self test (Lockstep)
  ◦ enable: The CPU lockstep test is executed at run time
  ◦ disable: The test is disabled
• Error forcing test
  ◦ enable: The CPU error forcing test is executed at run time
  ◦ disable: The test is disabled
• Self test error forcing
  ◦ enable: The error forcing self test is executed at run time
  ◦ disable: The test is disabled

6.2.4.9 Group ADC
The ADC can be tested. With this parameter the ADC channel to be tested is selected:
• ADC1
• ADC2

6.2.5 Monitoring Page
The Monitoring Page is depicted in Figure 6.9. It is divided into three parts: the Voltages (1) (see also Section 6.2.1), the Version information (2) (see also the About button in the Navigation Bar) and the Application messages (3).

[Screenshot residue: Voltages plot (VBAT Safing 11.77 V, time axis in ms); application message log lines ("MON ev …, RX …, kB")]
17. Table 5.14 Test points between Safety MCU and C&M MCU (continued)
Test point / Signal / Safety MCU ball or pin / C&M MCU signal (ball)
TP16 / S_ERRINJ / C4 / C&M MCU
TP17 / S_ESMIRQ / C5 / C&M MCU
TP18 / S_ERRIRQ / C6 / C&M MCU
TP19 / S_GPIO0 / C10 / GIOA[0] (A5)
TP20 / S_GPIO1 / C11 / GIOA[1] (C2)
TP21 / S_GPIO2 / C12 / GIOA[2]
TP22 / S_GPIO3 / C13 / GIOA[3]
TP23 / S_GPIO4 / C14 / GIOA[4] (A6)
TP24 / S_GPIO5 / C15 / GIOA[5]
TP25 / S_GPIO6 / C16 / GIOA[6] (H3)
TP26 / S_GPIO7 / C17 / GIOA[7]

[Figure 5.3: Test points available on HSK]

Some of these signals are captured and displayed directly by the HSK Monitor GUI to demonstrate the features of the kit. For detailed information about the GUI please refer to chapter 6. The following table maps the captured test point signals to the signals displayed on the GUI:

Test point / Signal / GUI signal
TP01 / S_nPORST / nPORST
TP02 / WD_Error / nESMERR pin
TP03 / S_GIOA3 / ENDRV
TP03 / S_GIOA3 (inverted) / Safe State TPS
TP16 / S_ERRINJ / Fault Injection
TP17 / S_ESMIRQ / ESMIRQ pin
TP18 / S_ERRIRQ / ERR Detection
TP19 to TP22 / S_GPIO
18. SafeRTOS function TaskDelayUntil is used. Activity on user LED4 indicates normal operation of this task.
• HSA Template Task (HSA_TemplateTask.c): This task is intended as a template for the application developer to integrate own code.

5 Hardware Description
The SafeTI HSK serves as a hardware and software platform to demonstrate safety-featured applications using Texas Instruments Hercules ARM Safety MCUs. The kit allows developers to evaluate the safety features of the MCUs as well as to reuse these features to develop and execute their own safety software. The kit comes in two variants, depending on the safety MCU used: one with the TMS570LS3137 and one with the RM48L952.

5.1 Hitex Safety Kit Features
The SafeTI HSK comes with a rich set of on-board features that facilitate the demonstration of safety applications. Key features include:
• A TI microcontroller (TMS570LS3137 or RM48L952) as the safety application MCU
• A second TI microcontroller (RM48L952) as the control and monitor MCU
• Two onboard USB XDS100v2 JTAG emulators, one for each MCU
• An ARM 20-pin JTAG debug header in 0.050 inch (1.27 mm) pitch for external debugging of the safety MCU
• A multi-rail power supply with watchdog feature (TPS65381) for the safety MCU
• An onboard quad-port USB hub
• SCI accessible throug
19. Task

This task instance is intended for a developer to integrate own code and to extend the functionality of the kit. The advantage of adding own code here is that the GUI can be used to trigger and control the code execution; no changes in the GUI or in the C&M firmware are necessary. The data flow of the template task is very simple: it always waits for a user command. If one is received, a message is posted to the onboard display. After that it waits again. A board test is implemented as an example of how to add own functions.

Table 10.12 Template task properties
Priority: 4
Assigned message queues: 2
Assigned LED: 0
External interfaces: –
Privilege level: unprivileged

Table 10.13 Template task message queues
User commands: 1; role: Consumer; peer: Command Handler
Display messages: 5; role: Producer; peer: Display task

10.5.11 Parameters
A few parameters control the behavior of the kit firmware in different situations, so these parameters are not directly assigned to one specific task instance. The parameters, also often named Configuration Settings, are stored in the HSA_SystemSettings.c source file in an array of structures. The related API functions to manipulate the settings are also implemented in this source file.

Declaration of a configuration entry:

    typedef struct {
        uint16_t myAdressId;
20. … a task-related information is output via 4 GPIO signals. Up to 15 tasks could be monitored; in the implementation 8 tasks are monitored. The monitoring application samples the GPIO signals and translates the information to a format suitable for the GUI.

[Figure 9.3: Task monitor. Screenshot residue: timestamped task trace (Idle task, Safety library server, Watchdog service, Command handler, Sensor and HMI task, System load) with execution times in µs]

10 The safety application
This chapter is for users who want to explore the source code of the Safety Application Firmware (SAFW) and modify or extend its functionality. The software framework is explained along with the major instances and the data flow.

10.1 Considerations before you start
• It is required to accept the license agreement for the SafeTI Diagnostic Library during the installation process. If this is rejected, the Safety application project does not contain the SDL and therefore cannot be b
21. … application executed on the safety MCU can be stressed with a task that just wastes processor time (see also Chapter 10). It is implemented in the RTI compare interrupt handler, which is configured to produce an interrupt every 200 µs. In this interrupt handler a loop is processed according to the system load parameter. The task execution can be set with the system load slider in the Global Settings Page. If the system load selected is too high, the watchdog service task is prevented from running in time. The profiling times also depend on the system load.

6.2.3.3 ESM Settings
The Error Signaling Module (ESM) is a hardware module in the safety MCU. It is responsible for controlling the error signal output of the Safety MCU (cf. the nESMERR signal in Table 6.3). The errors which may occur are partitioned into three groups. Only group one errors can be configured to produce an interrupt and/or set the error signal; group two and three errors always raise the error signal output pin. The group one error channels that can be configured via drop-down menus in the ESM Settings part of the Global Settings Page are compiled in Table 6.4. There are two other parameters which are not applicable to the ESM module itself; instead they control the behavior of the safety application firmware when an ESM interrupt occurs. For ESM g
22. … device. The GUI visualizes the result on the Application page. There are 3 acceleration axes displayed: x (horizontal), y (horizontal, orthogonal to x) and z (vertical). The values are standardized to acceleration due to gravity.

[Figure 9.2: Acceleration move]

9.3 Onboard display
The SafeTI HSK features an on-board 128 x 32 pixel LCD with white LED backlight. The display is connected to the safety MCU via the SPI2 port. The software implementation provides an interface to all instances, which may output one of two predefined pictures or simply text. One picture is the Hitex logo and the other one is the logo of Texas Instruments. The display output is realized as a task instance with an input queue containing the text messages. This prevents the interruption of a text output initiated by a low-priority task by a task with higher priority. To test the picture output, press the user buttons. A text can be activated using the GUI on the user command page by executing a user command.

9.4 Push buttons
Four push buttons are provided. The buttons are polled in the HSA_RunStateCb function. This is a callback function which is processed each time SafeRTOS calls the scheduler. The state of the buttons is saved and later on evaluated in the sensor task.
• User button 1 (SW500): the Hitex logo is p
23. … during fault injection. When the Profiling tab is selected in the Fault injection and Profiling part, the content of the System flow part only shows the signal that is used for profiling purposes (see also Chapter 7).

The TPS6538x state shows the current operating state of the companion chip. The current state is highlighted with a light green filling of the corresponding state. Further information on the companion chip and its states can be found in Texas Instruments (2012).

The Fault injection window in the Fault injection and Profiling control part can be used to inject a fault into the running system (see also Chapter 7). With a drop-down menu (see (1) in Figure 6.5) the unit in which the fault shall be injected is selected. The faults available for injection for the corresponding unit are then displayed in a sub-window arranged below (2). A fault for injection can be selected by a mouse click. If the selected fault injection shall be configured, a parameter value can be specified (3); however, this feature is currently not used. The actual fault injection is triggered when the INJECT button is pressed (4). The fault detection time and the time until a safe state is reached are displayed at the bottom of the Fault injection window (5).

[Figure 6.5 residue: tabs "Fault injection" / "Profiling"; (1) unit drop-down "EXT WATCHDOG"; (3) "Fault parameter 000000000"; (4) "INJECT" button; fault list: Disturb TPS communication SPI clock signal, Disturb TPS communication SPI SOMI, Disturb TPS communication SPI SIM]
24. … extended.

3.1 System requirements
Software:
• Windows 7, Windows Vista or Windows XP
• Windows .NET Framework 4.0 or later
• Code Composer 5.3
• FTDI drivers (included in the quick start installation and installed automatically)

Licenses: For evaluation purposes of the kit no product licenses are necessary.
• SafeRTOS runs with an evaluation license. It is a runtime license which limits the use of the kit to eight hours continuously. After a power-on cycle evaluation can be restarted again.
• Code Composer Studio needs no license since it is connected to a TI controller.

3.2 Quick start
For a quick start with the kit, the SafeTI HSK DVD must be installed. Insert the DVD and start setup.exe. During installation the HSK Monitor GUI and associated drivers, an update tool for the firmware, documentation and the firmware projects for the SDUT and C&M devices are installed. After a successful installation you will find the following directories on your PC:
• Documentation: Quick Start Guide (QSG), HSK User Manual, PCB schematics
• Drivers: contains the FTDI drivers for USB communication between SafeTI HSK and the PC
• Firmware application:
  ◦ One directory for the control and monitor application
  ◦ One directory for the safety application
  ◦ One directory containing the UniFlash utility for updating the kit
• GUI: contains all data required for the graphical command user interface (HSK Monitor.exe)
• Release notes
The
25. following figure shows this structure EI dl safeTI HSK n Documentation pm drivers E di Firmware applications ControlMonitor application di Safety application di UpdateTool Gui n ReleaseNotes Figure 3 1 Directory structure Helease User Manual V1 2 2013 06 17 14 hiteX im SafeTI Hitex Safety Kit HSK User Manual of the Hitex Safety Kit DEVELOPMENT TOOLS 3 2 1 How to update your kit The GUI checks at startup for any updates on the Hitex SafeTI HSK update website It also checks whether the firmware in the kit is up to date with the newest one found in the installation directory safe TI HSK Firmware applications Downloading and installing the updates is completely optional nevertheless highly recommended To update your kit with a newer firmware it is required that you have either Code Composer Studio or the UniFlash utility The CCS UniFlash is provided with the SafeTI HSK installation installed on your PC The Code Composer Studio method is beyond the scope of this document and hence the recommended method is using CCS UniFlash 3 2 1 1 Updating your kit with UniFlash The first step is to have CCS UniFlash installed with the correct options on your PC The following describes the steps needed to correctly install CCS UniFlash which can be found under safeTl HSK Firmware applications Update TooN e Start uniflash setup 2 0 0 00013 exe installation and follow the instructions e Accep
... interface is listed in the following table.

Table 5.3 Motor control interface pin assignment. Connector pins 1 to 100; the original table gives the Safety MCU ball number and signal name for each pin. Every pin not listed below is N.C. (not connected); "?" marks a ball number that is not legible in the source.

Pin  Signal (Safety MCU ball)            Pin  Signal (Safety MCU ball)
 8   GND                                  58   GND
 9   AD2IN[01] / IB_FB (U13)              59   N.C.
10   GND                                  60   GND
11   AD2IN[02] / VDCBUS (U14)             61   N.C.
12   GND                                  62   GND
13   AD2IN[03] / A_FB (U16)               63   N.C.
14   GND                                  64   GND
23   N2HET1[06] / ePWM5A (W3)             73   ENDRV / GIOA (index illegible) (?)
24   N2HET1[18] / ePWM6A (?)              74   ENDRV / GIOA (index illegible) (?)
25   N2HET1[20] / ePWM6B (P2)             75   ENDRV / GIOA[3] (?)
27   GND                                  77   N.C.
33   N.C.                                 83   nTZ1 (?)
34   N.C.                                 84   nTZ2 (?)
37   GND                                  87   N.C.
40   N2HET1[01] / EQEP2A (V2)             90   EQEP2B / N2HET1[03] (?)
41   N.C.                                 91   EQEP2I (?)
47   GND                                  97   N.C.
... interrupt handler the EnterSafeState function is called if the parameter "Recover from ESM group 1 error" is set to "no". The function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

Unit: CPU
Name: Periodic execution of STC
Settings: ESM channel configuration
Diagnostic: Periodic execution of STC
Description: The STC test is called with a time window which is too short.
Category: 6
Note: The parameter "Recover from ESM group error" is not effective for this fault, since the STC run time test causes a reset.
Reaction: The STC self test is called and returns with an error. The error is recognized by the application, and the EnterSafeState function is called. The function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

Unit: CPU
Name: Illegal operation and instruction trapping
Settings: None
Diagnostic: Illegal operation and instruction trapping
Description: Force an access violation.
Category: 2
Reaction: An undefined instruction exception occurs and the exception handler is executed. In the handler the EnterSafeState function is called. This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

Unit: FLASH
Name: Flash data ECC
Settings: Flash Data ECC
Diagnostic: Flash data ECC logic
Description: A
... loop until the TPS resets the system (ENDRV low, PORST triggered).

Unit: SRAM
Name: Boot time PBIST check of RAM
Settings: none
Diagnostic: PBIST check
Description: A fault is stored which indicates to the startup code to inject a fault after the reset is processed. The boot time self test then injects the fault by starting a PBIST check (programmable built-in self test) with a wrong algorithm parameter.
Category: 6
Reaction: The safety application firmware checks the test result, which is "fail", and calls the function EnterSafeState. This function waits in an endless loop until the TPS resets the system. The ERR Detection signal is not sensitive to this error, since the fault detection occurs before the signal's GPIO pin is initialized.

Unit: SRAM
Name: Periodic PBIST check of RAM
Settings: none
Diagnostic: PBIST check
Description: The PBIST is called with a wrong algorithm parameter.
Category: 6
Reaction: The safety application firmware calls the function EnterSafeState. This function initiates a system reset, which causes the TPS to lose synchronization (ENDRV low). The TPS triggers a PORST to the safety MCU.

Unit: VIM
Name: VIM SRAM data parity
Settings: ESM channel configuration; Recover from ESM group 1 error
Diagnostic: VIM SRAM data parity
Description: The VIM RAM parity feature is enabled and a backup interrupt handler is set up. Then one p
... low, together with the nESMERR pin signal and the ENDRV signal.

7.2.8 Faults affecting the TPS Q&A protocol (Category 5 behavior)

Category 5 faults are those which influence the TPS question and answer (Q&A) protocol. These are faults which disturb the SPI communication or violate the protocol rules. These faults are detected by the TPS when its internal error counter is increased above 7. Therefore the error detection time is above 100 ms, because the wrong data is sent over several open/close window cycles. The screenshot example shows the fault "EXT WATCHDOG: Watchdog timer, MCU sends data outside allowed window".

[Figure 7.9 signal plot: traces Fault injection, ERR Detection, Safe state MCU, Safe state TPS, ESMIRQ pin, nESMERR pin; time axis 100 to 150 ms]
Figure 7.9 Category 5 fault: MCU sends data outside allowed window

The typical signal sequence is characterized by the ENDRV pin being driven low, which switches the system into the safe state. The Safe state TPS signal is raised before the Safe state MCU signal.

7.2.9 Faults detected by software application (Category 6 behavior)

These faults are detected by the application software, which performs the configured safety tests at run time or at boot time. These faults neither generate an IRQ on the ESM nor produce an abort. A fault exampl
[Figure 6.8 screenshot, second part: settings panel showing "Error forcing stuck on error signal: disabled", "Error forcing signal out: enabled", "Error forcing lockstep: enabled", "Error forcing access mode violation: enabled"]
Figure 6.8 Diagnostic Settings Page

By marking the checkboxes beside the test groups in the Safety Diagnostics part, the tests that are conducted periodically at runtime can be set. Selecting a test group shows the settings for that group in the Safety Diagnostic Settings part of this page. The selection is highlighted with a blue bar and can be changed by clicking on a different group. In Figure 6.8 the Power state controller group is selected and the corresponding settings are shown. The settings can be adapted via the drop-down menus in the Safety Diagnostic Settings. The changes made here impact the cyclic runtime tests as well as the parameterized profiling tests. The groups and their settings are detailed in the following subsections.

6.2.4.1 Group Self Test Controller (STC)
- Logic built-in self test
  - enable: the STC test is executed at run time
  - disable: the STC test is not executed
- Interval Count: a value of 1 up to 24 is allowed. This specifies the number of intervals that are run in one STC test run.
- Run timeout: the total number of VBUS clock cycles it will take before a self test timeout error (TI
Figure (number and title illegible) ... 92
Figure (number illegible): Watchdog service task data flow ... 93
Figure (number illegible): Source code extract: configuration settings data storage ... 95
Figure (number illegible): Data flow of the handling for the Parameter Settings ... 96
Figure (number illegible): Data flow of fault ... (title cut off) ... 96
Figure (number and title illegible) ... 97

List of tables

Table (number and title illegible) ... 11
Table (number and title illegible) ... 11
Table (number and title illegible) ... 20
Table 5.1 (title illegible) ... 26
Table 5.2 JTAG connector pin assignment ... 26
Table 5.3 Motor control interface pin assignment ... 28
Table 5.4 CAN connector pin assignment ... 28
Table 5.5 DIAGOUT jumper pin assignment ... 28
Table 5.6 Display interface ... 29
Table 5.7 (title illegible) ... 30
Table 5.8 User programmable LEDs
... the internal error counter of the TPS is increased above the configured threshold level. Then the TPS restarts the system with a power-on reset.

Unit: Clock
Name: Low power clock detection
Settings: ESM channel configuration
Diagnostic: Low power clock detection
Description: The clock source for the safety device is provided by the C&M device via the eclock output signal. This clock source is cut off.
Note: The parameter "Recover from ESM group error" is not effective for this fault, since the fault is generated by the external C&M device.
Category: 1
Detection: The on-chip clock monitor detects this error.
Reaction: An ESM group 1 interrupt is generated. In the interrupt handler the EnterSafeState function is called. This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

Unit: Clock
Name: Dual clock comparator
Settings: ESM channel configuration
Diagnostic: Dual clock comparator
Description: The clock source for the safety device is provided by the C&M device via the eclock output signal. The frequency of this clock is reduced from 16 MHz to 13.3 MHz.
Note: The parameter "Recover from ESM group error" is not effective for this fault, since the fault is generated by the external C&M device.
Category: 1
Detection: The DCC module detect
... then creates its tasks and queues and starts the scheduler. At this point the boot phase is completed and normal operation is entered.

4.2.2 External watchdog (TPS)

The external watchdog controller, the TPS6538x, enters standby mode after the kit is powered on. It starts after receiving a wake-up event triggered through the IGN input. A logical built-in self test (BIST) is performed and, upon success, the power signals to the SDUT are released. The TPS itself then moves to the Diagnostic state and waits to be initialized by the Safety application, which programs it over the SPI interface.

4.2.3 Normal operation

4.2.3.1 Safety application firmware

The main responsibilities are:
- Communicate with the C&M device
- Inject faults
- Operate the profile measurements
- Initialize the external watchdog device
- Service the TPS question and answer protocol
- Read sensor data (accelerometer, temperature sensor, push buttons)
- Print information to the on-board display
- Assign the GPIO signals according to the firmware flow

These responsibilities are reflected in the software design of the Safety application, in its task implementation and in the inter-task communication channels. Note that there is one source file and one header file assigned to each task. The following is a list of the tasks along with a brief description of th
... to continuously improve the quality of this document. Please send your comments, including a reference to this document, to application@hitex.de.

Table of Contents

1 Abbreviations, definitions and scope of document ... 10
1.1 Abbreviations ... 10
1.2 Definitions ... 11
1.3 Scope of document ... 11
1.4 Related documents ... 11
2 (title illegible) ... 12
2.1 Purpose of the document ... 13
2.2 Outline of the document ... 13
3 (title illegible) ... 14
3.1 System requirements ... 14
3.2 Quick start ... 14
3.2.1 How to update your kit ... 15
3.2.1.1 Updating your kit with UniFlash ... 15
3.3 (title illegible) ... 19
4 (title illegible) ... 21
4.1 System ... (remainder of title illegible)
... using the GUI, a command with a unique ID related to the selected test is sent via the GUI to the C&M device, which then forwards the command to the SDUT. The SDUT recognizes the profiling command and raises a pin that is detected by the C&M device to start the time stamping of the test. After that the SDUT calls the corresponding test function of the safety library. On return from the safety library the profiling pin is cleared and the safety device continues operation (refer to Section 10.5.6.2). The C&M device samples the signal and generates a timestamp. This information is sent to the GUI, where it is visualized.

8.1.1 Understanding what is measured

The sampling of the timestamps related to the profile signal is done within the C&M device. A timestamp is taken when the C&M device recognizes a signal level change issued by the SDUT device. The timestamp, together with the sampled signal level, is sent to the GUI. Since the profile signal drives an interrupt on the GPIO input of the C&M device, the timestamp value is captured in the interrupt handler. A message is generated containing the signal level and the timestamp sampled in the IRQ. The GUI then displays the signal sequence and calculates the measured profiling time. Since this process is done in software, the resolution is limited. It has to be noted that tests with an execution time smaller than 5 µs might not be recognized. These tests will be executed 10 times consecutively an
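To make the measurement chain of Section 8.1.1 concrete, the following C program is an added example; it is not code from the kit's C&M firmware or from the HSK Monitor GUI. It takes a list of timestamped level changes, as the C&M interrupt handler would deliver them, pairs each rising edge with the next falling edge into one test execution, and reports the mean execution time together with how many pulses fall under the 5 µs resolution floor stated above. The capture data is constructed inside the program; the 120 µs and 3 µs test durations, the 80 µs gaps and all type and function names are the example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the kit's C&M firmware or HSK Monitor code): reconstructs the
 * profiling time from timestamped level changes of the profile signal, the way
 * Section 8.1.1 describes it (one timestamp per edge, duration computed later).
 * The 5 us floor is the manual's stated resolution limit; all capture data below
 * is constructed for this example. */

#define PROFILE_RESOLUTION_US 5u   /* tests shorter than this might not be recognized */

typedef struct {
    uint32_t ts_us;   /* timestamp taken in the C&M GPIO interrupt handler */
    uint8_t  level;   /* sampled profile signal level, 1 = test running */
} edge_sample_t;

typedef struct {
    size_t   runs;             /* complete high pulses = test executions seen */
    uint32_t total_us;         /* sum of all pulse widths */
    size_t   below_resolution; /* pulses shorter than PROFILE_RESOLUTION_US */
} profile_result_t;

/* Pairs each rising edge with the next falling edge and accumulates the pulse
 * width. Repeated samples of the same level (glitches, double interrupts) are
 * ignored, and a pulse still open at the end of the capture is not counted. */
profile_result_t profile_from_edges(const edge_sample_t *s, size_t n)
{
    profile_result_t r = {0, 0, 0};
    int high = 0;
    uint32_t t_rise = 0;

    for (size_t i = 0; i < n; i++) {
        if (s[i].level && !high) {
            high = 1;
            t_rise = s[i].ts_us;
        } else if (!s[i].level && high) {
            uint32_t width = s[i].ts_us - t_rise;
            high = 0;
            r.runs++;
            r.total_us += width;
            if (width < PROFILE_RESOLUTION_US)
                r.below_resolution++;
        }
    }
    return r;
}

/* Mean execution time per run in us (0 if no complete run was captured). */
uint32_t profile_mean_us(const profile_result_t *r)
{
    return r->runs ? r->total_us / (uint32_t)r->runs : 0;
}

/* Builds a constructed capture of `runs` back-to-back executions, each
 * `width_us` long with `gap_us` between them. Returns the number of samples. */
size_t build_capture(edge_sample_t *buf, size_t runs, uint32_t width_us, uint32_t gap_us)
{
    uint32_t t = 1000;   /* arbitrary start time of the capture */
    size_t n = 0;
    for (size_t i = 0; i < runs; i++) {
        buf[n++] = (edge_sample_t){t, 1};
        t += width_us;
        buf[n++] = (edge_sample_t){t, 0};
        t += gap_us;
    }
    return n;
}

/* The manual's case: one test executed 10 times consecutively. The constructed
 * 120 us width is well above the resolution floor. */
profile_result_t demo_profile(void)
{
    edge_sample_t cap[20];
    size_t n = build_capture(cap, 10, 120, 80);
    return profile_from_edges(cap, n);
}

/* Edge case from 8.1.1: a test that runs only 3 us per execution, i.e. below
 * the resolution the software-based time stamping can resolve. */
profile_result_t demo_short_profile(void)
{
    edge_sample_t cap[20];
    size_t n = build_capture(cap, 10, 3, 80);
    return profile_from_edges(cap, n);
}

int main(void)
{
    profile_result_t r = demo_profile();
    profile_result_t s = demo_short_profile();
    printf("normal: runs=%zu mean=%u us, below floor: %zu\n",
           r.runs, profile_mean_us(&r), r.below_resolution);
    printf("short:  runs=%zu mean=%u us, below floor: %zu\n",
           s.runs, profile_mean_us(&s), s.below_resolution);
    return 0;
}
```

The below_resolution counter is the practical takeaway: a profiling result built from pulses that the C&M device can barely resolve should be treated as a lower bound, not as the test's execution time.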
Table 5.13 Test points between Safety MCU and TPS65381 (columns in the source: test point, designator, from device with ball/pin number, to device with ball/pin number; "?" marks a cell that is not legible in the source)

Test point  Designator  From                             To
TP01        nPORST      TPS65381 nRES (?)                Safety MCU nPORST (?)
TP02        WD_Error    Safety MCU nERROR (B14)          TPS65381 (13)
TP03        S_GIOA3     TPS65381 ENDRV (32)              Safety MCU GIOA[3] (?)
TP04        WD_SCK      Safety MCU MIBSPI3CLK (V9)       TPS65381 SCLK (11)
TP05        WD_NCS      Safety MCU MIBSPI3NCS[0] (V10)   TPS65381 (?)
TP06        WD_SDI      Safety MCU MIBSPI3SIMO (?)       TPS65381 SDI (?)
TP07        (?)         TPS65381 SDO (?)                 Safety MCU MIBSPI3SOMI (?)
TP08        VCCAD       TPS65381 (?)                     Safety MCU (?)
TP09        VCCIO       TPS65381 (?)                     Safety MCU (?)
TP10        VCC         TPS65381 (?)                     Safety MCU (?)

Further tokens legible in this table but not assignable to a row: VDD5, VDD3/5, VT_1V2, ball W8, pins 10, 20, 21.

The following table lists the test points between the safety MCU and the C&M MCU.

Table 5.14 Test points between Safety MCU and C&M MCU ("?" marks a cell that is not legible in the source)

Test point  Designator  From                 To
TP11        C1_SCK      C&M MCU (F18?)       Safety MCU (F18)
TP12        C1_NCS0     C&M MCU (R2)         Safety MCU (R2)
TP13        C1_SIMO     C&M MCU (?)          Safety MCU (?)
TP14        C1_SOMI     Safety MCU (G18?)    C&M MCU (?)
TP15        C_IRQ       C&M MCU (G3)         Safety MCU GIOA[7]

Safety MCU supply and SPI balls listed alongside this table in the source (signals MIBSPI1 SDI, MIBSPI3 SOMI, VCCAD, VCCIO, VCCP, VCC, VCCPLL, MIBSPI1; the assignment of balls to signals is not legible): V8, W15, F6, F8, F11, F14, G6, G14, H6, H14, J6, L14, M6, M14, N6, N14, P6, P9, P12, P14, F9, F10, H10, J14, K6, K8, K12, K14, L6, M10, P10, P11.
[Figure 6.10 screenshot residue: values 1 0 1 2]
Figure 6.10 Application Page

6.2.7 User Commands Page

The User Commands Page is depicted in Figure 6.11. It consists of two parts, the User commands (1) and the Application messages (2); see also the Application messages part of the Monitoring Page, Section 6.2.5. The safety MCU application contains a task that is provided for user extensions. The User commands part of the User Commands Page is a convenient way for users to send arguments from the GUI to this task. By clicking the Execute button the corresponding argument becomes available to the task upon its next execution.

[Figure 6.11 screenshot: User commands fields with example argument values 0x12345678, 0xabcdef.., 0x00000000, 0x0000000f; Application messages list, each entry with an event counter and the RX and TX byte counts]
Low signaling duration (ESM): The TPS features a monitor which supervises the external ERROR input pin from the MCU. An MCU_SAFETY_ERR_PWM_L signaling error condition is detected when the ERROR pin remains low for a programmed amount of time, set by the SAFETY_ERR_PWM_L register (the low signaling duration).

Configure a register to be read: If a register is selected, this register is cyclically read out. The value can be checked in the TPS6538x communication monitor in the Overview Page (see (3) in Figure 6.3).

Table 6.5 TPS Settings

6.2.4 Diagnostic Settings Page

The execution of the periodic runtime tests and the parameterized profiling tests can be configured with the settings made in the Diagnostic Settings Page. The page is depicted in Figure 6.8. It is divided into two parts, the Safety Diagnostics (1) and the Safety Diagnostics Settings (2). It is possible to save and load settings (3); clicking the corresponding buttons opens a file menu. The current settings are applied to the running system when the Apply button is clicked (4).

[Figure 6.8 screenshot, first part: test group checkboxes Self Test Controller (STC), Power state controller (PSCON), Programmable Memory BIST (PBIST), Tests on SRAM, Tests on Flash, CRC calculation, EFuse, Static Configuration, CPU Compare Module (CCM-R4F); settings panel "Configure periodic PSCON run time tests" starting with "Error forcing stuck ..."]
41  EFuse self test error
42  PLL2 Slip
43  Ethernet Controller master interface
62  DCC2 error
Table 6.4 ESM error configuration

6.2.3.4 TPS6538x Settings

The TPS settings that can be changed within the Global Settings Page are compiled in Table 6.5, with the respective register name or bit field indicated under the setting name.

Safe state timeout function (SAFETY_FUNC_CFG[7]): Controls the SAFE state time-out function. If enabled, the device transitions to the RESET state 680 ms after the error counter has exceeded its limit. If disabled, the device remains in the SAFE state when the error counter has exceeded its limit.

Monitor safety device under test (SAFETY_CHECK_CTRL[2]): Controls the MCU ERROR pin function. In our case the MCU ERROR input pin is connected to the nESMERROR pin of the safety device. If enabled, an MCU ERROR pin failure is monitored and detected. If disabled, an MCU ERROR pin failure is not monitored.

Control watchdog failure function (SAFETY_FUNC_CFG[5]): When set, a watchdog failure is detected when the watchdog failure counter reaches a value of 7. This leads to a transition from the ACTIVE to the RESET state. When cleared, the device remains in its current state when the watchdog failure counter reaches a value of 7.

Open Window Duration (WDT_WIN1_CFG): Open time window duration, (value + 1) x 0.55 ms.

Close Window Duration (WDT_WIN2_CFG[4:0]): Close time window duration, (value + 1) x 0.55 ms.
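The Category 5 detection mechanism of Section 7.2.8 (the TPS error counter is increased above 7 by answers sent in the wrong window) and the window-duration formula of Table 6.5 ((value + 1) x 0.55 ms) together determine how long such a fault stays undetected. The following C model is an added example, not code from the kit and not the TPS6538x datasheet's state machine: it assumes register values WDT_WIN1_CFG = 15 and WDT_WIN2_CFG = 7 for illustration, assumes that a correctly answered cycle decrements the error counter, and the names tps_model_t, tps_cycle, cycles_to_detect and detection_time_ms are the example's own. It shows why the detection time of the "MCU sends data outside allowed window" fault is a multiple of the configured window cycle and therefore exceeds 100 ms even though one cycle lasts only a few milliseconds.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not the kit's firmware and not the TPS6538x datasheet model):
 * a minimal model of the TPS question/answer window watchdog, used to work out
 * the detection-time budget of a Category 5 fault (7.2.8). Window lengths use
 * the manual's formula from Table 6.5, (value + 1) x 0.55 ms; the two register
 * values below are assumed for this example, not taken from the kit. The
 * decrement on a good cycle is also an assumption of the model. */

#define WDT_WIN1_CFG_ASSUMED  15u  /* open window:  (15 + 1) * 0.55 ms = 8.8 ms */
#define WDT_WIN2_CFG_ASSUMED   7u  /* close window: (7 + 1) * 0.55 ms = 4.4 ms */
#define ERR_COUNTER_LIMIT      7u  /* detection when the error counter exceeds 7 */

typedef struct {
    unsigned err_counter;
    bool     endrv;    /* true = ENDRV high, system enabled */
    double   t_ms;     /* simulated time */
} tps_model_t;

static double window_ms(unsigned cfg) { return (cfg + 1u) * 0.55; }

double open_window_ms(void)  { return window_ms(WDT_WIN1_CFG_ASSUMED); }
double close_window_ms(void) { return window_ms(WDT_WIN2_CFG_ASSUMED); }
double cycle_ms(void)        { return open_window_ms() + close_window_ms(); }

/* One watchdog cycle. answer_at_ms is the offset of the MCU's answer from the
 * start of the cycle; a negative value means no answer. In this model an answer
 * is accepted only inside the close window; anything else (too early, too late,
 * missing) is a protocol violation and increments the error counter. */
void tps_cycle(tps_model_t *m, double answer_at_ms)
{
    bool good = answer_at_ms >= open_window_ms() && answer_at_ms < cycle_ms();
    if (good) {
        if (m->err_counter > 0) m->err_counter--;
    } else {
        m->err_counter++;
    }
    m->t_ms += cycle_ms();
    if (m->err_counter > ERR_COUNTER_LIMIT)
        m->endrv = false;          /* TPS drives ENDRV low: safe state */
}

/* Healthy operation: n cycles with the answer in the middle of the close window. */
bool stays_enabled_when_served(unsigned n)
{
    tps_model_t m = {0, true, 0.0};
    for (unsigned i = 0; i < n; i++)
        tps_cycle(&m, open_window_ms() + close_window_ms() / 2.0);
    return m.endrv && m.err_counter == 0;
}

/* The manual's Category 5 example: after `good_cycles` healthy cycles the MCU
 * starts answering 1 ms into every cycle, i.e. inside the open window. Returns
 * the number of faulty cycles until ENDRV goes low (0 if not within max_cycles). */
unsigned cycles_to_detect(unsigned good_cycles, unsigned max_cycles)
{
    tps_model_t m = {0, true, 0.0};
    for (unsigned i = 0; i < good_cycles; i++)
        tps_cycle(&m, open_window_ms() + 1.0);
    for (unsigned i = 1; i <= max_cycles; i++) {
        tps_cycle(&m, 1.0);
        if (!m.endrv) return i;
    }
    return 0;
}

/* Detection time in ms for the same scenario: faulty cycles x cycle length. */
double detection_time_ms(unsigned good_cycles, unsigned max_cycles)
{
    return cycles_to_detect(good_cycles, max_cycles) * cycle_ms();
}

int main(void)
{
    printf("cycle %.2f ms, detection after %u faulty cycles = %.1f ms\n",
           cycle_ms(), cycles_to_detect(5, 100), detection_time_ms(5, 100));
    return 0;
}
```

With the assumed windows one cycle is 13.2 ms, so the counter needs eight faulty cycles to exceed 7 and detection takes about 106 ms, which matches the "above 100 ms" statement of Section 7.2.8. Longer windows or a higher counter limit lengthen this budget; that is the trade-off a safety design has to check when it tunes WDT_WIN1_CFG and WDT_WIN2_CFG.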
...DC self test is enabled. It is recommended to set the Safety loop to 100 ms.
Category: 6
Reaction: The periodic ADC input self test detects the error. The safety application firmware calls the function EnterSafeState. This function initiates a system reset, which causes the TPS to lose synchronization (ENDRV low). The TPS triggers a PORST to the safety MCU. The fault detection time depends on the number of runtime tests initiated and is defined as the interval between the fault injection point and the point where the runtime test detects the fault, provided that the detection occurs within the execution time of the runtime test.

Figure 7.12 Faults (caption cut off; figure content not recoverable from the source)

8 Profiling

The profiling feature provides a mechanism to measure the execution time of several safety diagnostics. This can help a customer to design their own software application related to safety runtime tests. There are specific predefined tests along with others which depend on the parameter configuration. Select the Profiling tab to open the window "Validating & Profiling". Depending on the selected test group (e.g. PSCON) one specific test can be selected for measuring its execution time. The test is executed once when the Profiling button is clicked.

8.1 Data flow

If a profiling measurement is started
... ESM group 1 and group 2 ... 54
7.2.5 Faults which lead to an abort ... 55
7.2.6 Faults injected on Power rails to TPS ... 56
7.2.7 Faults injected on Power rails and reset lines to SDUT ... 57
7.2.8 Faults affecting the TPS Q&A protocol ... 57
7.2.9 Faults detected by software application ... 58
7.3 (title illegible) ... 59
8 Profiling ... 69
8.1 Data flow ... 69
8.1.1 Understanding what is measured ... 69
8.1.2 Special Considerations ... 70
8.2 (title illegible) ... 70
8.2.1 Specific details for the tests ... 70
8.2.1.1 Dedicated tests calling the self test in the safety library directly
[Figure 3.4 screenshot: emulator selection list with XDS100 Class Emulator Support, XDS560 PCI Emulator, Spectrum Digital Emulators; install size 360.18 MB; Texas Instruments]
Figure 3.4 Emulator selection screen

- Wait until the installation has finished and start the tool.

The next step is to download the new firmware into the kit. Since the kit features two controllers on board, and two controller variants for the SDUT, the correct controller to update is selected by loading a configuration file specific to that controller. The following steps describe the process of updating the kit's firmware:
- Load a configuration by selecting File > Open Target Configuration (.ccxml File).

[Figure 3.5 screenshot: File menu with "New Target Configuration (.ccxml File)", "Open Target Configuration (.ccxml File)", "Save Target Configuration (.ccxml File)", a recently used file D:\safeTI HSK\...\Firmware applications\safetyRM48xx.ccxml (path partly illegible) and "Exit"; start page text "Or you can also use an existing target configuration to start a session. Once the session is configured the GUI will be populated. Here you can customize the settings for your flash operation and carry out flash load and erase operations."; console pane "No consoles to display at this time."]
Figure 3.5 Target Configuration selection screen

- Navigate to the directory safeTI HSK\Firmware applications and select t
MEOUT_ERR) will be triggered after the initiation of the self test run. This is a fail-safe feature which prevents the system from hanging on account of a runaway self test.

6.2.4.2 Group Power state controller (PSCON)
- Error forcing stuck on error signal
  - enable: the PSCON stuck-on-error-signal test is executed at run time
  - disable: the test is disabled
- Error forcing signal out
  - enable: the PSCON error forcing signal out test is executed at run time
  - disable: the test is disabled
- Error forcing lockstep
  - enable: the error forcing lockstep test is executed at run time
  - disable: the test is disabled
- Error forcing access mode violation
  - enable: the error forcing access mode violation test is executed at run time
  - disable: the test is disabled

6.2.4.3 Group Programmable Memory BIST (pBIST)
- PBIST GROUP: selection of the RAM group which shall be used for a test
- Algorithm: selection of the algorithm which is used to test the memory
- Memory type: selection of the memory type (Single Port, Two Port, ROM)
- Store/Restore selected RAM: configures whether the concerned RAM space shall be saved before the test and restored after the test execution, or not

Note: Since not all memories can be tested with each algorithm, care should be taken that the enabled memory groups can be tested with the selected algorithm. For further information please refer to the technical reference manual of the microcontroller device.

6.2.4.4 Group T
[Figure 6.5 screenshot, second part: fault list (2) continued: "Disturb TPS communication: SPI Chip select signal", "Stuck on ENDRV PIN high", "Stuck on ENDRV PIN low"; result fields "Fault detection time" and "Time until safe state entry" (5)]
Figure 6.5 Fault selection, configuration and injection

The Profiling window in the Fault injection and Profiling control part can be used to conduct timing measurements for certain runtime tests (see also Chapter 7). With a drop-down menu (see (1) in Figure 6.6) the unit for which the test is to be performed is selected. The available tests for the corresponding unit are then displayed in a sub-window arranged below (2). A test can be selected by a mouse click. The measurement is started when the Profiling button is pressed (3). As an alternative to a single test, a full set of tests can be executed and measured by clicking on the "Profiling full safety task" button (see (4) in Figure 6.6). The set of tests can be defined through the Diagnostic Settings page, which is explained in Section 6.2.4. The measured profiling time is shown at the bottom in either case (5).

[Figure 6.6 screenshot: unit drop-down (1); buttons "Profiling" (3) and "Profiling full safety task" (4); test list (2): "Error forcing test: Stuck on error signal (x10)", "Error forcing test: Error signal out (x10)", "Error forcing test: Lockstep (x10)", "Error forcing test: Privilege mode access violation (x10)", "All parameterized tests together"; result field (5)]
Figure 6.6 Test profiling
(test point number cut off)  S_GPIO3  used for task monitoring
TP23  S_GPIO4  Periodic tests
TP25  S_GPIO6  Safe state MCU
TP26  S_GPIO7  used for profiling
Table 5.15 Mapping between test points and GUI signals

6 HSK Monitor Graphical User Interface (GUI)

6.1 Main Window

The GUI that comes with the SafeTI HSK is started by executing the HSK Monitor.exe file. The Main Window after start-up is shown in Figure 6.1. The Main Window contains the Main Viewing Area (1), the Navigation Bar (2), hyperlinks (3), the button Stop recording (4) and the Status Bar (5). All elements are further described in the following subsections.

[Figure 6.1 screenshot: HSK Monitor window; Navigation Bar with Disconnect, Overview, Profiling, Global Settings, Diagnostic Settings, Monitoring, Application, User Commands; hyperlink User Manual; button Stop recording (4); Status Bar showing "Not connected", "Safety cycles 0", "Safety MC..."]
Figure 6.1 GUI Main Window after start-up (edited)

6.1.1 Main Viewing Area (1)

The Main Viewing Area is used to display what we refer to as GUI pages (see Section 6.2). The displayed content depends on the function selected from the Navigation Bar (2); see also Section 6.1.2.

6.1.2 Navigation Bar (2)

The Naviga
[Figure 10.1 screenshot: CCS project properties, Linked Resources, path variables CCS_BASE_ROOT, CG_TOOL_ROOT, ECLIPSE_HOME (values under C:\ti\ccsv5\..., partly illegible), EXTERNAL_BUILD_ART..., NOWECC = C:\nowECC\2.17, PARENT_LOC, PROJECT_LOC and WORKSPACE_LOC (D:\myProjects\...\TMS570_SAFETY...\Implement, partly illegible)]
Figure 10.1 Project properties: Linked resources

There are two other tools used in the safety application project, but they are optional. One of them is Subversion (SVN) for configuration management and the other one is doxygen for documentation. If you do not use SVN, remove the call from the post-build step.

[Screenshot (figure number not in the source): "Properties for HSK Safety Application", CCS Build > Steps, configuration Debug_LE [Active]. Pre-build step command, as legible: subwcrev.exe ${PWD} ${PWD}\svn_rev ${PWD}\include\SVNrevision.h, description "get revision". Post-build step command, as legible: ${NOWECC}\bin\nowECC.exe -F021 -16M -ADD R4 ... ${ProjName}_LE.out]
Test type: PSCON_PMA_TEST
Category: 1

Unit: PSCON
Name: All parameterized tests together
Settings: Run time test configuration; System load
Call: HSA_SLS_PSCON_RuntimeTest
Test type: several tests may be called, depending on the enabled tests
Category: 3

Unit: STC
Name: Parameterized STC test (logic built-in self test)
Settings: Run time test configuration; Interval count; Run timeout; System load
Call: HSA_SLS_STC_RuntimeTest
Test type: ST_RUN
Category: 4

Unit: pBIST
Name: Parameterized programmable built-in self test
Settings: Run time test configuration; Algorithm; Port; Save/Restore; System load
Call: HSA_SLS_pBistRam
Category: 5

Unit: FLASH
Name: Error forcing test, 1 bit error
Settings: System load
Call: SL_SelfTest_Flash
Test type: FLASH_ECC_TEST_MODE_1BIT
Category: 1

Unit: FLASH
Name: Error forcing test, 2 bit error
Settings: System load
Call: SL_SelfTest_Flash
Test type: FLASH_ECC_TEST_MODE_2BIT
Category: 1

Unit: FLASH
Name: Parameterized Flash self test
Settings: Error forcing 1 bit; Error forcing 2 bit; System load
Call: HSA_SLS_Flash_RuntimeTest
Category: 3

Unit: FLASH
Name: CRC calculation on code
Settings: Start address (code start address); End address (code end address); System load
Call: SL_CRC_Calculate
Category: 3

Unit: FLASH
Name: Parameterized CRC calculation
Settings: Start address; End address; System
Call: SL_CRC_Calculate
Category: 3
(earlier rows of Table 5.10 cut off; last cell of the preceding row: ...NCS[0], SPI, E19)
Accelerometer pin   Safety MCU signal   Interface  Ball
SDO / ALT_ADR       MIBSPI5SOMI[0]      SPI        J18
SDA / SDI / SDIO    MIBSPI5SIMO[0]      SPI        J19
SCL / SCLK          MIBSPI5CLK          SPI        H19
INT1                GIOA[0]             GPIO       A5
INT2                GIOA[1]             GPIO       C2
Table 5.10 Digital accelerometer interface

5.2.5.2 Temperature Sensor

The SafeTI HSK features a simple 100 kOhm NTC thermistor as an ambient temperature sensor. The thermistor is connected in a voltage divider together with a 100 kOhm resistor to an analog input, from which the safety MCU can derive the ambient temperature. The following table lists the thermistor along with its connection to the safety MCU.

Component  Device      Signal     Ball
R507       Safety MCU  AD1IN[01]  V17
Table 5.11 Temperature sensor interface

5.2.5.3 Potentiometer

The SafeTI HSK features a 10 kOhm potentiometer that delivers any voltage between 0 V and 5 V to the safety application. The following table lists the potentiometer along with its connection to the safety MCU.

Component  Device      Signal     Ball
R503       Safety MCU  AD1IN[02]  V18
Table 5.12 Potentiometer interface

5.2.6 Test Points

The SafeTI HSK features a set of test points for probing signals relevant to the safety application. Figure 5.3 points out the respective locations of these test points. The test points are divided into two groups, depending on their from/to connections. The first group is for signals between the safety MCU and the TPS65381, and the second is for signals between the safety MCU and the C&M MCU. The table below lists the test points between the safety MCU and the TPS6538
Test group | Name | Call | Test type | Category | Parameter
EFUSE | Parameterized EFUSE tests | HSA_SLS_EFUSE_RuntimeTest | - | 3 | Runtime test configuration; System load
CCMR4 | CPU lockstep | SL_SelfTest_CCMR4F | CCMR4F_SELF_TEST | 1 | System load
CCMR4 | CPU error forcing test | SL_SelfTest_CCMR4F | CCMR4F_ERROR_FORCING_TEST | 1 | System load
CCMR4 | CPU self test error forcing | SL_SelfTest_CCMR4F | CCMR4F_SELF_TEST_ERROR_FORCING | 1 | System load
CCMR4 | Parameterized CPU R4 tests | HSA_CCMR4_RuntimeTest | - | 3 | Run time test configuration; System load
ADC | ADC self test (conversion) | SL_SelfTest_ADC | - | 1 | ADC: ADC1

Table 8.1 Profiling tests

8.2.3 Profiling full safety task

There is another test which measures the execution time of all tests executed at run time. This test is started with the button "Profiling full safety task". The execution time depends very much on the enabled and parameterized run time configuration, and the duration of the full safety task depends highly on the implementation of the firmware application. The SAFW implementation encapsulates the execution of the configured runtime tests in a separate task; in this task each test is assigned to an execution step. The "Profiling full safety task" measurement covers the execution of all steps, executed one after th
Signal | Description
Safing | Power supply for the supervision modules in the TPS
VCCAD | Supply voltage for the safety MCU analog-digital converter cores, provided by the TPS
VCCIO | Safety MCU IO supply voltage, provided by the TPS
VCC | Safety MCU core supply voltage, provided by the TPS

Table 6.2 Information within the System flow part of the Overview Page

Zooming of the information shown in the System flow part of the Overview page is best done with the mouse wheel. A left click onto a signal gives timing and value information. A context window with more detailed information can be opened with a right mouse click. The signals over time can be moved horizontally by clicking and holding the right mouse button within the System flow and then moving the mouse.

The Task monitor (2) gives information about the task execution on the safety MCU. More specifically, for each task the start time in ms, the name and the time that has elapsed since the last execution in us are given. The latter should correspond to the cycle time during normal operation.

The TPS6538x communication monitor (3) shows the recording of the SPI communication between the safety MCU (master) and the TPS6538x companion (slave). Each line in the TPS6538x communication monitor corresponds to one SPI frame, which consists of an 8-bit SPI command phase and an 8-bit SPI data phase. In the first column time stamps for the SPI frames are given. The second and the third column give informati
8.2.1 Specific details for the tests

Taking a look into the list of tests you can see that each test group has predefined tests, and at least one test depends on the GUI parameter configuration.

8.2.1.1 Dedicated tests calling the self test in the safety library directly

- Category 1 tests: These tests directly call the corresponding API function provided with the safety library with a specific parameter set. This parameter set is defined by the test itself; the application does nothing more. Example: group PSCON, test "Error forcing test: Stuck on error signal".

8.2.1.2 Run time parameterized tests

- Category 3 tests: These tests consider the GUI parameter settings (the parameter settings are explained in the chapter HSK Monitor). The test routine determines which tests are enabled and then executes them one after another. These profiled tests depend on the GUI parameter configuration, which allows enabling and disabling the tests. Profiling such a test means that the runtime test routine for the selected test group is called. Example: group Flash, test "Parameterized Flash self test".
- Category 4 tests: This test differs from the others because the test itself performs a reset. Therefore the application saves the core register set and other registers before executing the test. When the reset occurs, the saved registers are restored so that the application can continue. It should be considered that the time for saving and restoring t
        /* address identifier */
        uint32_t   myValueId;
        boolean_t  myValid;
    } slsConfigEntry;

    /* Structure of the complete configuration data set */
    typedef struct SLSConifgData {
        /* configuration data for the safety library */
        boolean_t       mySLSConfigurationHasChanged;
        slsConfigEntry  mySLSCyclePeriod;
        slsConfigEntry  mySLSSystemLoad;
        slsConfigEntry  mySLS_safetyConfigDataESM[COUNT_ESM_SETTINGS];
        slsConfigEntry  mySLS_safetyConfigDataTPS[COUNT_TPS_SETTINGS];
        slsConfigEntry  mySLS_Parameter[COUNT_PAR_SETTINGS];
    } slsConfigData;

Figure 10.17 Source code extract: configuration settings data storage (the beginning of the slsConfigEntry definition is cut at the page break)

As you can see, each setting has an assigned address as a unique identifier. This address is defined in the settings.xml file, which is read out by the GUI. It is necessary that the address identifiers used in the SAFW correlate to the ones used by the GUI.

10.5.11.1 Global settings handling

After reset the SAFW starts with the default values of the parameters. The command handler task then requests the C&M device to send a complete list of the configuration settings; this is necessary to align with the GUI parameter values. When the parameters are received from the C&M device they are only stored in the array. The parameters take effect after they are applied by an extra command, also received from the C&M device.

For the TPS settings the system behaves differently. The reason is that the TPS settings cannot be changed once th
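As an added example, not the SAFW's own code, the following C model shows the store-then-apply handling described above: settings received from the C&M device are matched by their address identifier, kept in a pending array, and only copied into the active set when the apply command arrives; an address the firmware does not know (a GUI/firmware mismatch) is rejected. The entry names, address values and defaults are constructed for this example.

```c
/* Added example (not the SAFW's own code): a minimal model of the global
 * settings handling. Settings arrive as (address, value) pairs, are only
 * stored in a pending array, and take effect on a separate "apply" command.
 * Address identifiers and defaults below are constructed for the example;
 * the real ones come from settings.xml. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t address;   /* unique identifier shared with the GUI's settings.xml */
    uint32_t value;
    bool     valid;     /* true once a value for this address has been received */
} cfg_entry_t;

/* Constructed address identifiers (assumption, not the kit's values). */
#define ADDR_CYCLE_PERIOD  0x0001u
#define ADDR_SYSTEM_LOAD   0x0002u
#define ADDR_CRC_START     0x0010u
#define ADDR_CRC_END       0x0011u
#define CFG_COUNT          4

typedef struct {
    bool        changed;            /* a pending value differs from the active one */
    cfg_entry_t pending[CFG_COUNT]; /* received from C&M, not yet effective */
    cfg_entry_t active[CFG_COUNT];  /* values the safety tasks actually use */
} cfg_store_t;

/* Start from firmware defaults, as the SAFW does after reset. */
void cfg_init(cfg_store_t *s)
{
    const cfg_entry_t defaults[CFG_COUNT] = {
        { ADDR_CYCLE_PERIOD, 10u,         true },
        { ADDR_SYSTEM_LOAD,  50u,         true },
        { ADDR_CRC_START,    0x00000000u, true },
        { ADDR_CRC_END,      0x0000FFFFu, true },
    };
    memcpy(s->active, defaults, sizeof defaults);
    memcpy(s->pending, defaults, sizeof defaults);
    s->changed = false;
}

/* Store one received setting in the pending array only. Returns false for an
 * address the firmware does not know, i.e. the GUI and SAFW disagree. */
bool cfg_receive(cfg_store_t *s, uint32_t address, uint32_t value)
{
    for (int i = 0; i < CFG_COUNT; i++) {
        if (s->pending[i].address == address) {
            s->pending[i].value = value;
            s->pending[i].valid = true;
            if (s->active[i].value != value) {
                s->changed = true;
            }
            return true;
        }
    }
    return false;
}

/* The separate "apply" command: copy pending into active.
 * Returns the number of entries whose active value actually changed. */
int cfg_apply(cfg_store_t *s)
{
    int n = 0;
    for (int i = 0; i < CFG_COUNT; i++) {
        if (s->pending[i].valid && s->active[i].value != s->pending[i].value) {
            s->active[i].value = s->pending[i].value;
            n++;
        }
    }
    s->changed = false;
    return n;
}

/* Value a safety task would use; 0 if the address is unknown. */
uint32_t cfg_active_value(const cfg_store_t *s, uint32_t address)
{
    for (int i = 0; i < CFG_COUNT; i++) {
        if (s->active[i].address == address) {
            return s->active[i].value;
        }
    }
    return 0u;
}

/* Runs one receive/apply sequence and returns true if every step behaved
 * as the manual describes (value inactive until applied, unknown address rejected). */
bool cfg_demo(void)
{
    cfg_store_t s;
    cfg_init(&s);
    bool ok = cfg_receive(&s, ADDR_SYSTEM_LOAD, 75u);
    ok = ok && !cfg_receive(&s, 0xBEEFu, 1u);                  /* unknown address */
    ok = ok && cfg_active_value(&s, ADDR_SYSTEM_LOAD) == 50u; /* not yet effective */
    ok = ok && s.changed;
    ok = ok && cfg_apply(&s) == 1;
    ok = ok && cfg_active_value(&s, ADDR_SYSTEM_LOAD) == 75u; /* effective after apply */
    ok = ok && !s.changed;
    return ok;
}

int main(void)
{
    bool ok = cfg_demo();
    printf("settings handling self-check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```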
…akes sense to categorize the typical fault reactions.

…means that it is an active low signal. The default value of these signals is

7.2.2 Times measured

- Fault detection time: This is the duration from the start of a fault injection until the error is detected. Detection of an error is indicated through the ERR Detection signal. In some cases a reset occurs before ERR Detection is raised; in these cases the fault detection end timestamp is sampled when nPORST or nRST becomes active.
- Time until safe state entry: The duration from the start of a fault injection until the safe state pin is asserted.

7.2.3 Error servicing mechanism

If an error is detected by the safety application program and recovery from the error is not possible, the error handler routine HSA_EnterSafeState_DoReset is called. In this handler the ERR Detection signal is asserted. The routine provides two behaviours, controlled through a parameter. One is that the routine generates a system reset and the firmware restarts. The other is to remain in an endless loop: the safety application, while waiting in the interrupt handler, does not serve the external watchdog (Q&A). As a consequence the error counter of the TPS increments above the configured limit, leading to a s
LED | Meaning
RGB LED | Green for a successful write of the EEPROM data; red if the TPS can't switch to the active state
C&M LED | Blinks while data communication between the C&M device and the GUI takes place

9.6 User Commands (Template task)

The safety application executes a task instance which receives the so-called user commands. The user commands, triggered by a user via the GUI, are forwarded to the safety application and processed in the template task. This task instance is called "template task" because it is intended as a simple entry point for a user who wants to extend the existing software with own code. The code implemented posts a text to the onboard display when a command is received.

9.7 Task monitoring

The kit implements a task monitoring feature, visualized in the Overview page of the GUI. The task monitor gives information about the task execution on the safety MCU. More specifically, for each task the start time in ms, the name and the time that has elapsed since the last execution in us are given. The latter should correspond to the cycle time during normal operation. The safety firmware has a callback function which is executed each time the scheduler is started. In this callback routine it is checked whether the next task to execute is different from the currently running one, and then
…are partitioned into several task instances which use the inter-task communication mechanisms provided with SafeRTOS.

10.5.1 SafeRTOS

The configuration is defined in SafeRTOSConfig.h:

    #define configMAX_PRIORITIES               ((unsigned portBASE_TYPE) 10)
    #define configMINIMAL_STACK_SIZE_WITH_FPU  ((unsigned portLONG) 512)  /* Needs to be a power of two value */
    #define configMINIMAL_STACK_SIZE_NO_FPU    ((unsigned portLONG) 256)  /* Needs to be a power of two value */
    #define configTICK_RATE_HZ                 ((portTickType) 1000)

Up to 9 priority levels are supported in this configuration, where a value of 9 is the highest possible level. SafeRTOS uses preemptive scheduling, which means that every task can be interrupted at any time by a higher priority task. The tick is configured to 1 millisecond, which means that the scheduler is invoked every millisecond. If no task is ready to run, an idle task is active.

It has to be considered that some of the tasks run in privileged mode while others run in unprivileged mode. An MPU is configured, thus putting restrictions on memory accesses for tasks which run in unprivileged mode. It is possible to configure up to 4 ranges with specific access rights when creating the task instance. The example code below illustrates how to configure the access rights
…arity bit of a group 1 entry is flipped. After that, an access to that entry is done. Category 1. Reaction: The MCU error pin becomes active (low). Additionally the backup interrupt handler is called. The implementation of the backup handler calls the EnterSafeState function, which waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

ADC | Name: Boot time input self test | Diagnostic: ADC input self test
Description: A fault is stored which indicates to the startup code to inject a fault after the reset is processed. The boot time self test then injects the fault by selecting a free ADC channel. This produces an error similar to a stuck-at fault at an input channel. Category 6.
Reaction: The boot time ADC input self test detects the error. The safety application firmware calls the function EnterSafeState, which waits in an endless loop until the TPS resets the system. The ERR Detection signal is not sensitive to this error, since the fault detection occurs before the signal's GPIO pin is initialized.

ADC | Name: Periodic time input self test | Diagnostic: ADC input self test
Description: A fault is stored which indicates to the periodic tests to inject a fault. The periodic ADC self test then injects the fault by selecting a free ADC channel. This produces an error similar to a stuck-at fault at an input channel. Ensure that the Safety Diagnostics parameter for periodic A
…ars generated

Signal | Description | Meaning
ERR Detection | GPIO signal set when an error is detected by the safety application firmware. An error is detected when (1) an abort handler is called, (2) ENDRV is detected low, or (3) an ESM interrupt is detected | Fault detected
Safe state MCU | Signal indicates that the MCU is in safe state. The MCU is regarded as in safe state when PORST is active (low) | Safe state reached
Safe state TPS | Signal indicates that a safe state is reached. In contrast to the Safe state CPU signal, here the external watchdog recognized the error in the system and drives it to safe state | Safe state reached
ESMIRQ pin | GPIO signal set in the ESM interrupt handler | Fault has been detected by ESM
Periodic tests | GPIO signal that indicates the execution start of the periodic run time tests | Run time test execution
nESMERR pin | Signal issued by the ESM of the safety MCU | Fault indication to external devices
ENDRV | Output signal of the TPS to indicate that the error counter has exceeded its limit | Safe state reached
nRST | Signal of the safety MCU to indicate a reset state | System restarts
nPORST pin | Connected to the nRES output of the TPS | Power down safety MCU
VBAT | Supply voltage for the TPS | -
VCC | Supply voltage for the safety MCU core, provided by the TPS | -

Table 6.3 Signals within the System flow window part
…watchdog companion chip TPS65381. The application is based on SafeRTOS and uses the SafeTI Diagnostic Library. This software application provides the following user functionality:

- Read data from an accelerometer and a temperature sensor
- Control an HMI consisting of an onboard display as well as some LEDs and push buttons
- Communicate with the TPS, an external watchdog, via an SPI interface
- Communicate with the C&M device for fault injection and monitoring

The following sections in this chapter describe the sequence of operations in the safety application. The design of the safety application firmware is explained in further detail in chapter 10 of this manual.

  o Safety companion chip TPS65381: a multi-rail power supply controller for safety-critical microcontrollers which provides the power supply to the safety MCU. Additionally a watchdog is implemented, which can be configured via SPI.

In addition to these components, the following features are available for evaluating the SafeTI HSK with real-world applications and analyzing their behaviour in a safety system:

- Accelerometer
- Display
- Potentiometer
- Four push buttons
- Four safety MCU controlled LEDs (blue)
- One RGB LED
- One LED (red) controlled by the C&M device
- Temperature sensor

- Control MCU (C&M): An RM48L952 microcontroller executes the control and monitor application. The main functions are:
  o Communication with the safety device over SPI
  o Injecting faul
…ation; Store/Restore selected RAM

Figure 8.5 Parameter set for the pBIST test

8.2.2 Profiling Tests list

The following is a list of the tests provided by the GUI. Explanation of the list entries:

- Column "Test group": the test group selected in the GUI.
- Column "Test Name": the selected test to execute.
- Column "Test Call": the function call whose execution time is measured. Function calls into the safety library start with the prefix SL_, function calls in the safety application start with HSA_.
- Column "Test Test type": a parameter which identifies the test for the safety diagnostics library API call.
- Column "Test Category": the test category mentioned above.
- Column "Parameter": the GUI parameters which influence the test.

Test group | Name | Call | Test type | Category | Parameter
PSCON | Error forcing test: Stuck on error signal | SL_SelfTest_PSCON | PSCON_ERROR_FORCING | 1 | none
PSCON | Error forcing test: Error signal out | SL_SelfTest_PSCON | PSCON_SELF_TEST_ERROR_FORCING | 1 | System load
PSCON | Error forcing test: Lockstep | SL_SelfTest_PSCON | PSCON_SELF_TEST | 1 | System load
PSCON | Error forcing test: Privilege mode access violation | SL_SelfTest_PSCON | … (row continues on the next page) | … | System load
…ced settings

Figure 10.2 Project properties, CCS Build

If doxygen is not used, nothing has to be done at all.

10.2.1 Import projects into CCS

Open the Import dialogue and select "Code Composer Studio > Existing CCS Eclipse Projects" (imports existing CCS Eclipse projects into the workspace).

Figure 10.3 Import dialogue

Browse to the kit installation directory and select the archive safetyApplication.zip:

    Directory: safeTI HSK\Firmware applications\Safety_application\safetyApplication.zip

In the "Import CCS Eclipse Projects" dialogue choose "Select archive file" and enter the path to the archive (in the screenshot: D:\Hitex\safeTI HSK\Firmware applications\Safety_application\safetyApplication.zip). The discovered projects are HSK Safety Application, HSK SafeTILib and HSK TPSLib. The options "Copy projects into workspace" and "Automatically import referenced projects" are available in the same dialogue.
…and as such are marked with "x10" in their name. For these tests the measured duration is automatically divided by 10. Take into account that the accuracy is about 1 us.

Figure 8.1 Data flow of the C&M device (the IRQ handler for the profile signal samples the timestamp; a signal message with the sampled timestamp is sent to the GUI; a profile message is forwarded to the SDUT; a command received from the GUI is recognized)

The safety application is in charge of controlling the Profiling Signal and executing the self test. This is done by signaling the begin of the test by pulling the Profiling Signal high and then calling a specific function from the safety library, which in turn starts the hardware test. The safety library function then waits until the MCU completes the test. It returns the test result to the application, which in turn signals the end of the test by pulling the Profiling Signal low.

Figure 8.2 Data flow of the safety device (application part: recognize the start-test command, set the signal; safety library part: execute the MCU test; application part: clear the signal when the test has ended)

8.1.2 Special Considerations

Since the test execution i
…and others are helpful. Note: Code Composer Studio (CCS) is essential to debug and develop the safety application further.

After starting setup.exe on the DVD the following window is shown. Feel free to explore the content.

Figure 3.9 Tools DVD setup screen (menu entries: About Hitex, SafeTI HSK Documents, SafeTI HSK Tool Installation, Browse, SafeTI HSK Website)

Click on the arrow next to "SafeTI HSK Tool Installation". Several tools from Texas Instruments are offered for installation; refer to Table 3.1 on the next page for further details.

- Install Code Composer Studio (CCS): Code Composer Studio (CCStudio) is an integrated development environment (IDE) for Texas Instruments (TI) embedded processor families.
- Install nowECC: The nowECC tool generates the data to be programmed into the ECC memory locations of a Hercules Safety MCU device.
- Install HALCoGen: HALCoGen is a code generator which provides a graphical user interface that allows the user to configure peripherals, interrupts, clocks and other microcontroller parameters.
- SAFERTOS: Installs a demo vers
…e TPS has reached the active state. So the TPS settings are also stored in a data EEPROM. This EEPROM data is read out at the very beginning of the boot phase and the values are copied to the system settings storage. Therefore a reset is necessary to make changed TPS settings effective. For writing and reading the EEPROM data a library from TI is used which supports flashing F021 flashes. When new data is written successfully, it is indicated by the RGB LED shining green.

Figure 10.18 Data flow of the handling for the parameter settings (read the EEPROM TPS data and copy it to the system settings; if the TPS settings have changed, write them)

10.5.12 Typical data flow example for a fault injection

The rough data flow of a typical fault injection: the example describes a fault injection issued by the SAFW. It is demonstrated for faults which generate an interrupt (ESM or abort).

Figure 10.19 Data flow of fault injection

10.5.13 Typical data flow example for a profiling measurement

Figure 10.20 Data flow of profiling (safety app)
…e for a run time test is the periodic CRC check. For errors detected at run time, the fault detection time depends on the number of runtime tests initiated and is defined as the interval between the fault injection point and the point where the runtime test detects the fault, provided that the detection occurs within the execution time of the runtime test. So the value of the error detection time depends on the safety loop cycle and the enabled tests.

Some of the faults are injected into the boot time tests. The handling is to store the fault which shall be injected in a variable. After that a system reset is generated by software to restart with the boot time tests; the startup code recognizes the request to inject a fault. The fault detection time and time until safe state entry of these errors are invalid, since the C&M measures the time from the fault injection point to the nRST trigger. For this fault category the measurement method is not capable of retrieving the correct fault detection time and time until safe state entry.

The screenshot example shows a FLASH "Periodic hardware CRC check for Flash contents".

Figure 7.10 Category 6 fault, CRC check (signals: Fault injection, ERR Detection; axis: Time [ms])

The distinctive flow is that the ERR Detection s
…e other. Since this implementation includes more software execution time, the measured duration is longer than the sum of the single run time tests. Refer to chapter 10.5.6.2 for a closer look.

9 Application example demonstration

The kit includes a few applications just for demonstration purposes. The user benefit is a how-to for integrating application code into the safety software framework (safety application). The application examples are:

- Temperature sensor
- Push buttons
- Onboard display
- Accelerometer
- User controlled LEDs

Besides these board component demonstrations, a task monitor is realized using GPIOs. Most of the application example code is collected in the file HSA_SensorAndHMI.c and is built as a task instance (further simply called "sensor task") running periodically with low priority.

9.1 Temperature sensor

The SafeTI HSK features a simple 100 kOhm NTC thermistor as an ambient temperature sensor. It is connected to input channel 1 of the ADC1 peripheral of the safety MCU. When the sensor task is started, the ADC is initialized and the conversion is started. The value is read out and then the conversion is restarted. The sensor value (voltage), if different from the previous one, is then forwarded via the C&M devic
…e tasks. For more detailed information please refer to chapter 10.

Task instances:

- HSA_CMD_Handler (HSA_Command_Handler.c): This task handles the communication messages from and to the C&M device, such as user commands or application data. Activity on user LED1 indicates normal operation of this task.
- HSA_FaultInjection (HSA_FaultInjection.c): This task handles the fault injection requests, like triggering a certain fault injection signal or calling the corresponding function of the SDL.
- HSA_SafetyLibServer (HSA_SafetyLibraryServer.c): This task handles two main jobs. The first is executing the cyclic run time self tests which are activated in the HSK Monitor GUI. The second job, executed after the first is completed, is to perform a profile measurement of a specific self test when activated by the user. Activity on user LED3 indicates normal operation of this task.
- HSA_HMI_SensorAndHMI (HSA_SensorAndHMI.c): This task handles the data collection from the safety application's peripherals. It is activated every 50 ms. Activity on user LED2 indicates normal operation of this task.
- HSA_DisplayTask (HSA_DisplayTask.c): This task handles displaying information from other subtasks on the onboard display.
- HSA_WDService_Task (HSA_WatchdogService.c): This task handles servicing the external watchdog within the time constraints set by the TPS window open/close time. To ensure fulfilling the time constraint, the
…e to the GUI. The GUI calculates the temperature depending on the parameters determined by the NTC and visualizes the result on the Application page.

Figure 9.1 March of temperature (plot of temperature over time; axis ticks 0, 20, 40)

Temperature calculation

The formula retrieved from the data sheet:

    1/T = 1/T25 + (1/B) · ln(R/R25)

In our case we can use voltage instead of resistance:

    1/T = 1/T25 + (1/B) · ln(V/V25)

with V25 = 3.3 V / 2 = 1.65 V and T25 = 273 + 25 = 298 K. The formula for the current temperature calculation is

    1/T = ln(V / 1.65) / 4250 + 1/298

(i.e. B = 4250).

9.2 Accelerometer

The SafeTI HSK also features a small, thin, ultra-low-power 3-axis accelerometer with high-resolution (13-bit) measurement at up to 16 g. The digital output data is formatted as 16-bit two's complement and is accessible to the safety MCU through a 4-wire SPI digital interface. It measures the static acceleration of gravity in tilt-sensing applications as well as dynamic acceleration resulting from motion or shock. Its high resolution (3.9 mg/LSB) enables measurement of inclination changes of less than 1.0°. The safety application reads out the accelerometer data periodically, also in the sensor task. It is forwarded via the C&M device to the GUI. The data includes a timestamp which is set when the data is read out from the accelerometer via MIBSPI.
…ests on SRAM

Several tests can be enabled/disabled for run time execution:

- Error forcing 1 bit
- Error forcing 2 bit
- Address and control parity
- Redundant address decode

Furthermore, with DataECC the data ECC logic can be switched on/off for the RAM.

6.2.4.5 Group Tests on Flash

Several tests can be enabled/disabled for run time execution:

- Error forcing 1 bit
- Error forcing 2 bit

Furthermore, with DataECC the data ECC logic can be switched on/off for the Flash memory.

6.2.4.6 Group CRC calculation

The CRC value of a specific memory area can be calculated and checked against the value calculated at boot time. Two parameters provide two checks at run time:

- CRC on flash code range
- CRC on the VIM RAM

Two additional parameters allow defining a memory range for a CRC calculation. These parameters are intended for the profiling measurement:

- Start address
- End address

6.2.4.7 Group Efuse

Static configuration:

- Autoload self test
  o enable: Autoload self test is executed at run time
  o disable: The test is disabled
- EFuse self test ECC
  o enable: ECC test on Efuse is executed at run time
  o disable: The test is disabled
- EFuse self test stuck at zero
  o enable: Stuck-at-zero test is executed at run time
  o disable: The test is disabled

6.2.4
11 Troubleshooting

The table below lists some common problems encountered when using the kit.

Symptom | Cause / Workaround
The GUI can't connect to the HSK board even if it is enumerated and indicated on a COM port | Another GUI is already open and connected to the safeTI kit. Only one GUI instance can connect to a HSK.
The GUI does not show to which COM port the HSK is connected | Check the FTDI driver configuration on your host.
The red LED (RGB LED) is on | That means that the TPS didn't operate in active state or does not come up. Maybe a TPS configuration setting is used which does not work properly. Change the settings again and after that power on the kit.
The TPS does not behave as expected after changing the configuration parameters | Disable recording and enable the recording again. The effect is that the kit gets a reset and takes over the TPS settings.
The XDS debugger can't connect | Power on the kit while keeping the User button SW503 pressed, then try to connect the debugger again. If this does not help, close CCS and restart it.

Table 11.1 Troubleshooting
73. 2 Introduction
The SafeTI HSK is a valuable evaluation tool to explore how to achieve functional safety with SafeTI Hercules microcontrollers and TPS6538x PMIC devices. The kit provides a hardware reference design and a software application framework to enable an application developer to build a safety application using TI's Hercules ARM safety microcontrollers.

The hardware for the kit consists of two Hercules ARM Safety microcontroller devices: one which acts as a Safety Device Under Test (SDUT) and the second as a Control and Monitoring Device (C&M device). The SDUT MCU is available in two variants, one with the TMS570LS3137 and one with the RM48L952. The C&M device is always a RM48L952. The TI TPS65381 multi-rail power supply chip, which is a companion PMIC for Hercules safety MCUs, provides the power supply for the SDUT. This device also has an integrated watchdog to be able to supervise the SDUT.

[Figure 2.1 SafeTI HSK]

There are two firmware projects available with the Code Composer Studio IDE (Eclipse based) which can be evaluated. A safety application runs on the SDUT while a monitor application runs on the C&M device. Both firmware projects are based on safeRTOS, which is a real-time operating system for use in safety-critical designs, and are delivered with this kit in full source code, except the code of safeRTOS. The…
74. [Figure 10.14 Profiling full safety task data flow: raise profiling GPIO; call function for SLS step (repeated for each step, measured profiling time); deassert profiling GPIO]

10.5.7 HSA_HMI (SensorAndHMI)
This instance is responsible for collecting the accelerometer and the temperature data.

Priority: 2
Assigned message queues: (Table 10.7)
Assigned LED: 2
External interfaces: MIBSPI 5 to accelerometer, ADC1
Privilege level: privileged
Table 10.6 Sensor handler task properties

Sensor data | 5 | Producer | Command handler task
Display messages | 5 | Producer | Display task
Table 10.7 Sensor handler message queues

[Figure 10.15 Sensor task data flow: HMI Init (initialize the ADC, initialize the accelerometer), switch to next state; operating state HMI Operation (get temperature sensor value, get accelerometer data, build a message with this data and send it into the queue, check if a user push button has been pressed)]

10.5.8 HSA_WDService Task
This task instance is responsible for servicing the external watchdog. When started through the scheduler it waits on the TPS to receive the diagnostic state. After that the TPS startup tests are executed acco…
75. …ff
Category: 3
Reaction: The nRST and PORST are triggered to the MCU. The TPS activates Safe state, indicated with the ENDRV signal driven low.

Group: Power supply signals
Name: Disturb VBAT Safing to TPS
GUI parameter: None
Diagnostic: The safety device system is controlled by an external device (TPS)
Description: The VBAT Safing reference to the TPS is cut
Category: 3
Reaction: The PORST is triggered through the TPS watchdog. The TPS activates Safe state, indicated with the ENDRV signal driven low.

Group: Power supply signals
Name: Disturb power supply to safety device 3.3V
GUI parameter: None
Diagnostic: External voltage supervisor
Description: The 3.3V power supply for the safety device is switched down
Category: 4
Reaction: The nRST is triggered, which causes the TPS to lose synchronization (ENDRV low). The TPS triggers a PORST to the safety MCU.

Group: Power supply signals
Name: Disturb core power supply to safety device 1.2V
GUI parameter: None
Diagnostic: nRST monitoring with TPS
Description: The 1.2V power supply for the safety device is switched down
Category: 4
Reaction: Since this is the core power supply, nRST and nERROR are triggered, followed by a PORST trigger through the TPS.

Group: External WD
Name: Disturb TPS communication SPI SOMI
GUI parameter: None
Diagnostic: External watchdog supervision
Description: The SOMI signal to the TPS is disturbed
Category: 4
Reaction: Since the question and answer protocol fails caused by the disruption, the internal error counter…
76. …first simple enhancements, the Template Task is the right place to insert code.

10.2 Tooling
The firmware is developed with Code Composer Studio version 5.3.0.00090 (CCS), the development IDE from Texas Instruments based on Eclipse. Another tool from TI that is required is NOWECC, which is used to calculate the ECC and append it to the output file. Both tools are delivered with the SafeTI HSK Tool DVD. If it is not already done, install these tools on your development system (PC). Refer to the tools installation chapter 3.3. CCS includes a compiler for the Hercules Safety MCUs. The compiler version used for firmware development is TI v5.0.1. Ensure that the Linked Resource NOWECC is assigned to the correct installation path.

[Screenshot: Properties for HSK Safety Application, Linked Resources / Path Variables page, listing the defined path variables (CCS_BASE_ROOT, CCS_INSTALL_RO…) for the resource HSK Safety Application]
77. …generated with HalCoGen
- OSAL: source code for the operating system abstraction layer
- SafetyLib: holds the library of the SafeTI Diagnostics Library
- Source: contains the application main.c file and the linker command file
- Tasks: contains the sources used by the task instances

10.4 Architecture
[Figure 10.6 SAFW Architecture top level: MCU drivers derived from the MCU hardware level up to the kit application]

Components:
MCU drivers: Used for accessing the peripherals of the MCU, e.g. MIBSPI, ADC, SPI, GPIO, RTI.
SDL: The safety diagnostics library provides a lot of safety diagnostic tests supported by the Hercules hardware controllers. For more information refer to the SafeTI Diagnostic Library documentation.
TPS Library: There is also a library included which provides an API for handling the control of the external TPS watchdog device.
SafeRTOS: The kit application is based on SafeRTOS, an embedded real-time operating system from Wittenstein.
OSAL: This is an Operating System Abstraction Layer.
Kit Application: This is the top level application using all the libraries and layers to fulfill its jobs, e.g. injecting faults and profile measurement. This software will be explained in detail in the following sections.

10.5 Kit application
The kit application's main responsibilities…
78. …h header configures this functionality:
#define RT_ENABLE_SPLIT FALSE
A value of FALSE means that the runtime tests are processed in one go; a value of TRUE means to split the execution. The default value is set to FALSE, which executes the safety loop in one go. Each execution step is assigned a set of self tests. The self tests can be selectively enabled or disabled through parameters set in the GUI. The parameter setting is stored in the HSA_SystemSettings.c file and applied in a routine in this task instance.

10.5.6.2 Profiling measurement
Before the task finishes its active mode it is always checked if a profile measurement is requested. If so, the respective calibration routine is called. In the calibration routine the profiling measurement is prepared and then the Profile signal is asserted. Next the self test API in the SDL is called. After return from the SDL the Profile signal is deasserted.

[Figure 10.13 Profiling measurement data flow: raise profiling GPIO; call a single self test function in SDL (measured profiling time); deassert profiling GPIO]

A special handling is necessary for the Profiling full safety task feature. For this case the Profiling signal is asserted and then the various self tests configured for all 5 steps are called. After that the signal is deasserted.
79. …with a USB virtual port (VCP)
- A CAN transceiver with screw terminal block
- One 128 x 32 pixels LCD module with white LED backlight (SPI mode)
- Six user programmable LEDs: 4 blue LEDs and 1 RGB LED connected to the safety MCU, 1 red LED connected to the C&M MCU
- One red LED for the safety MCU and one red LED for the C&M MCU indicating reset states
- Four user programmable pushbuttons
- One reset pushbutton (nRST) connected to the safety MCU
- One digital accelerometer with SPI
- One ambient temperature sensor
- One 10 KOhm potentiometer
- A DRV8312 controlCARD encoder and sensorless mode compatible interface
- Programmable onboard fault injection logic
- Power supply supporting 12V to 24V DC input

Figure 5.1 shows a block diagram of the main functional components on the kit. Items with dashed frames represent main functional components placed on the bottom side of the kit.

[Figure 5.1 Block diagram of the kit: GIO push buttons, power supply (12V DC in; 5V, 3.3V, 1.2V rails), sensors, 10K potentiometer, 128 x 32 LCD, fault injection logic, two XDS100v2 emulators, C&M MCU (RM48L952), Safety MCU (TMS570LS3137 or RM48L952), motor control interface]

5.2 Physical Description
This section details the features of the SafeTI HSK board and their interfaces.

5.2.1 External Inte…
80. …he GUI. After a short time duration the sampling stops and the GUI display is frozen to give the user a chance to evaluate what has been sampled. To go on with the next fault injection it is required to restart the recording. Note that with Restart recording the safety device is restarted. Since the data flow, and as a consequence the signal flow, depends on various parameter settings and the fault which is injected, a categorization is provided below.

7.2 System behavior categorization
7.2.1 Signals and their meaning
[Figure 7.1 Fault injection signals: traces Fault injection, ERR Detection, Safe state MCU, Safe state TPS, ESMIRQ pin, nESMERR pin over Time (ms)]

- Fault injection: GPIO signal raised by the application prior to a fault generation. In normal operation this signal is low, indicating that no fault injection is active. Meaning: appearance of a fault.
- ERR Detection: GPIO signal set when an error is detected by the safety application firmware. An error is detected when (1) an abort handler is called, (2) the ENDRV is detected low, (3) an ESM interrupt is detected. Meaning: the fault has been detected.
- Safe state MCU: A signal that indicates that the MCU is in Safe state. The safety MCU is in Safe state (according to the user manual) when the PORST input is active lo…
81. …he TPS also triggers the ENDRV to indicate to all system components to move to Safe State. After the fault is deasserted, PORST and nRST are released and the SDUT restarts processing with the boot time tests. The processing of the boot time tests is sensed through the toggling of the nESMERR signal. The screenshot example shows a POWER SUPPLY SIGNALS / Under voltage on VBAT for TPS.

[Figure 7.7 Category 3 fault: Under voltage on VBAT (System flow traces Fault injection and ERR Detection over Time (ms))]

The signal sequence is characterized by an nPORST signal inverted to the Fault injection signal.

7.2.7 Faults injected on Power rails and reset lines to SDUT (Category 4 behavior)
These are faults affecting the power supply rails provided by the TPS to the safety device. The MCU device gets into reset state, indicated by the nRST signal, and sets the ESM error pin. The fault is also detected by the TPS monitoring the error pin. The screenshot example shows a POWER SUPPLY SIGNALS / Disturb Core power supply to safety device 1.2V. On the signal flow you see that the VCC power is cut down.

[Figure 7.8 Category 4 fault: Disturb CoreVCC 1.2V (traces Fault injection, ERR Detection, Safe state MCU, Safe state TPS, ESMIRQ pin, nESMERR pin over Time (ms))]

The distinctive signal flow is the nRST signal going…
82. …he registers is included in the result time. Since this test also depends on the interval counter, we recommend profiling several measurements with different interval counter values.

Example: Group STC Test, Parameterized STC Test (Logic Built-In Self Test)
[Figure 8.4 Data flow of safety device]

- Category 5 tests: This test is executed on exactly one RAM space selected with the parameter PBIST GROUP. The test algorithm is selected with the two parameters algorithm and memory type. Since the test destroys the RAM contents, it can be configured whether the RAM content shall be saved prior to the test execution and restored after the test execution. This is done with the Store/Restore selected RAM parameter. The time for saving and restoring is included in the profile time. It is the responsibility of the user to ensure that a valid configuration is selected. If the test execution detects an error, the profile time is marked invalid.

Example: Group pBIST Test, Parameterized programmable built-in self test
[Screenshot of the parameter set for the pBIST test: Configure the pBIST test for profiling measurement; PBIST GROUP; memory test algorithm for the PBIST test: March13N red; memory type: Two Port; Configure software applic…]
83. …he required configuration file:
  - To update the firmware of the C&M device select MonitorRM48L950.ccxml
  - To update the firmware of an RM48L952 SDUT select SafetyRM48XX.ccxml
  - To update the firmware of a TMS570LS3137 SDUT select SafetyTMS570LS3137.ccxml

[Figure 3.6 Target configurations: file listing of the Firmware applications folder with ControlMonitor application, Safety application, MonitorRM48L950.ccxml, SafetyRM48XX.ccxml, SafetyRM48XX.uniflashsession, SafetyTMS570LS3137.ccxml]

- Select Programs from the settings tree on the left pane and then click on the Add button to select the firmware to be downloaded:
  - The image file for the C&M device can be found under SafeTI HSK\Firmware applications\ControlMonitor_application\HSK_Monitor_application.out
  - The image file for an RM48L952 SDUT can be found under SafeTI HSK\Firmware applications\Safety_application\HSK_Safety_Application_LE.out
  - The image file for a TMS570LS3137 SDUT can be found under SafeTI HSK\Firmware applications\Safety_application\HSK_Safety_Application_BE.out

[Screenshot: CCS UniFlash D…]
84. …ignal indication of the nENDRV pin. At least a power on reset is generated by the external watchdog. Reasons to call the function HSA_EnterSafeState are:
- Abort exception
- ESM interrupt
- ENDRV is detected low
- In conjunction with fault injection, when a self test failed

7.2.4 Faults affecting the ESM group 1 and group 2
Since the ESM group 1 and group 2 errors are handled identically, they are assigned to one category.
Category 1 behavior
Many faults force the ESM to generate an interrupt and set the nERROR pin, if configured respectively. In the interrupt handler of the safety application the ESMIRQ pin is set. This signal reflects the recognition of the failure. The behavior is identical for group 1 and group 2 errors. The processing of the ESM interrupt handler depends on the parameter for the respective ESM group recovery setting (refer to 0). If this setting is set to no, then the HSA_EnterSafeState function is called. If the parameter is set to yes, then the system emulates a repair and continues to process.

[Figure 7.2 Data flow of the SDUT, no recovery from fault: recognize FI command received from GUI and set FI pin; in ESM IRQ handler set the respective ERR signal; wait until the TPS restarts the system with power on; set the signal MCU Safe state reached (high value)]
…remove the fault condition; reset the Err detection signal
85. …ignal is asserted after the assertion of the Periodic tests signal. A screenshot example of a FLASH / Boot time hardware CRC check for Flash contents is shown below.

[Figure 7.11 Category 7 fault: CRC check at boot time (traces Fault injection, ERR Detection, ESMIRQ pin, nESMERR pin over Time (ms))]

Typically the nRST signal is asserted together with the Fault Injection signal. The error detection occurs during startup. Since the Q&A cannot be served within the correct timing constraints after the reset, the fail counter of the TPS increases and therefore resets the system with PORST.

7.3 Faults
Explanation of the list entries:
- Column Fault group: The fault group selected in the GUI
- Column Fault Name: The selected fault to inject
- Column Fault Diagnostic: This is the diagnostic feature referred to in the safety manual
- Column Fault Description: The explanation of how a fault is produced
- Column Fault Category: A fault category which leads to a typical system behavior
- Column Fault Reaction: The system behavior (application shall not recover from fault)
- Column GUI Parameter: The GUI parameters which have influence on the test

Group: PSCON
Name: Lock step PSCON
GUI parameter: Recover from ESM group 1
Diagnostic: Lock step PSCON
Description: The SAFW enables PSCON error forcing…
86. …in the Validation & Profiling Page.

6.2.3 Global Settings Page
The overall behavior of the system can be influenced by some settings which can be changed within the Global Settings Page. The page is depicted in Figure 6.7. It consists of four parts: a Safety loop slider (1), a System load slider (2), ESM Settings (3) and TPS6538x Settings (4). It is possible to save and load settings (5); clicking the corresponding buttons opens a file menu. The current settings are applied to the running system when the Apply button is clicked (6). The four parts of the Global Settings Page are described in the following subsections.

[Figure 6.7 Global Settings Page screenshot: Safety loop (ms) slider, System load slider, TPS6538x Settings (Recover from fault, Safe state timeout function, Monitor safety device under test, Control watchdog failure function, Open Window Duration in ms, Close Window Duration in ms, Configure a register to be read) and ESM Settings (Recover from ESM group 1 error, Recover from ESM group 2 error, per-channel Interrupt and nERROR Pin enable, ESM low signaling duration)]

Note: The TPS6538x settings are stored in a data EEPROM due to the fact tha…
87. …ion of SAFERTOS for Hercules microcontrollers.

[Figure 3.10 Tools DVD software installation]

Tool | Status
Code Composer Studio 5.3.0.00090 | Mandatory
NOWECC V2.17 | Mandatory
HALCoGen 03.05.00 | Recommended
HET IDE | Optional
safeRTOS | Optional
Table 3.1 Provided Tools

For further information on these tools please refer to their manuals and user's guides.

4 System description
The SafeTI HSK is a valuable evaluation tool to explore how to achieve functional safety with SafeTI Hercules microcontrollers and TPS6538x PMIC devices. This kit provides a hardware reference design and a software application framework to enable an application developer to build a safety application using TI's Hercules ARM safety microcontrollers. The following figure shows a block diagram of the SafeTI HSK.

[Block diagram of the SafeTI HSK: HSK Monitor GUI on the host; SafeTI HSK Board with the Hercules Safety MCU (SafeTI Diagnostic Lib, SAFERTOS, TPS Lib), the TPS65381-Q1 safety companion (VCC, SPI, Reset) and the Hercules Control MCU with fault injection and monitoring over SPI]
88. [Figure 6.11 User Commands Page screenshot: event counts and memory usage statistics]

7 Fault injection
The intention of the fault injection feature is to evaluate the behavior of the example safety system when faults are injected into it. These faults can be injected with the GUI and then disturb the normal application flow. With the Diagnostic Settings and the Global Settings it is possible to change the example safety system behavior. Select the Validating & Profiling page; the fault injection tab is preselected. The various faults are grouped for a better handling. A fault is injected when the button INJECT is clicked.

7.1 Data flow
If a fault is injected using the GUI, a command with a unique ID related to the selected fault is sent via the GUI to the C&M device. The C&M device investigates the fault ID and decides if it is a fault which has to be produced by itself or by the SDUT. If the fault has to be produced by the safety application, the command is forwarded. Before the fault is generated, the Fault injection signal is raised. The C&M device samples all the monitored signals with timestamps and sends the information to t…
89. …load

Group: SRAM
Name: Error forcing test 1 Bit error
GUI parameter: System load
Call: SL_SelfTest_SRAM, Test type SRAM_ECC_ERROR_FORCING_1BIT
Category: 1

Group: SRAM
Name: Error forcing test 2 Bit error
GUI parameter: System load
Call: SL_SelfTest_SRAM, Test type SRAM_ECC_ERROR_FORCING_2BIT
Category: 1

Group: SRAM
Name: Error forcing test Address and control parity
GUI parameter: System load
Call: SL_SelfTest_SRAM, Test type SRAM_PAR_ADDR_CTRL_SELF_TEST
Category: 1

Group: SRAM
Name: Error forcing test Redundant address decode
GUI parameter: System load
Call: SL_SelfTest_SRAM, Test type SRAM_RADECODE_DIAGNOSTICS
Category: 1

Group: SRAM
Name: Parameterized SRAM tests
GUI parameter: Runtime test, System load
Call: HSA_SLS_SRAM_RuntimeTest configuration
Category: 3

Group: SRAM
Name: CRC calculation on VIM RAM
GUI parameter: System load
Call: SL_CRC_Calculate
Category: 1

Group: SRAM
Name: Parameterized CRC calculation
GUI parameter: Start address, End address, System load
Call: SL_CRC_Calculate
Category: 3

Group: EFUSE
Name: Error forcing test ECC
GUI parameter: System load
Call: SL_SelfTest_EFUSE, Test type EFUSE_SELF_TEST_ECC
Category: 1

Group: EFUSE
Name: Error forcing test stuck at zero
GUI parameter: System load
Call: SL_SelfTest_EFUSE, Test type EFUSE_SELF_TEST_STUCK_AT_ZERO
Category: 1
90. …n ECC error is forced
Category: 2
Reaction: The access to data with wrong ECC bits leads to a data abort and the data abort handler is called. In the handler the EnterSafeState function is called. This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

Group: FLASH
Name: Address parity
GUI parameter: ESM channel, Recover from ESM group 1
Diagnostic: ATCM Address Bus Parity. The on-chip ATCM configuration bus connection to Flash memory is supported by a parity diagnostic on the address signals.
Description: Force an address parity fault by calling the safety diagnostics library API function SL_SelfTest_Flash with the parameter FLASH_ADDRESS_PARITY_FAULT_INJECT
Category: 1
Reaction: An ESM group 1 interrupt is generated. In the interrupt handler the EnterSafeState function is called if the parameter Recover from ESM group 1 error is set to no. This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

Group: FLASH
Name: Boot time hardware CRC check for Flash contents
GUI parameter: None
Diagnostic: CRC check
Description: The CRC value to compare against is modified and then a reset is generated. The error is detected at boot time.
Category: 6
Reaction: The boot time CRC check detects the error and calls the function…
91. …n for the SafeTI HSK kit.

1.4 Related documents
Modifications to any of the following documents can have an impact on this document:
- Quick Start Guide
- Safety application source code documentation
- Control Monitor application source code documentation
- HSK Monitor GUI source code documentation

Referenced documents (for information only, no requirements):
- TMS570LS31x/21x 16/32-Bit RISC Flash Microcontroller Technical Reference Manual, Literature Number SPNU499A, November 2012
- RM48 16/32-Bit RISC Flash Microcontroller Technical Reference Manual, Literature Number SPNU503A, November 2012
- TMS570LS3137 16/32-Bit RISC Flash Microcontroller Datasheet, Literature Number SPNS162A, November 2012
- RM48 16/32-Bit RISC Flash Microcontroller Datasheet, Literature Number SPNS174, September 2011
- TPS65381-Q1 Datasheet, Literature Number SLVSBC4, May 2012
- Safety Manual for TMS570LS31x and TMS570LS21x Hercules ARM Safety Critical Microcontrollers, User's Guide, Literature Number SPNU511B, April 2013
- TMS470/570 Platform F035 Flash API Reference Guide, Version 1.06, Literature Number SPNU493C, April 2012
- nowECC Generation Tool Version 2.17 User's Guide, Literature Number SPNU491B, August 2011
- SAFERTOS Datasheet
- SAFERTOS User's Manual for the Code Composer Studio TMS570 MPU Product Variant, Report Number 34 172 MAN 1 005 006, Issue Number 1.0, 12 May 2011
94. …ntroller Unit
MIBSPI: Multi Buffered Serial Peripheral Interface
NTC: Negative Temperature Coefficient Thermistor
OSAL: Operating System Abstraction Layer
PBIST: Programmable Built In Self Test
PMIC: Power management integrated circuit
PMM: Power Management Module
PSCON: Power State Controller
Q&A: Question And Answer
RGB LED: Red Green Blue LED
RTI: Real Time Interrupt Module
SAFW: Safety Application Firmware
SDUT: Safety Device Under Test
SDL: SafeTI Diagnostics Library
SIMO: SPI Connection Slave In Master Out
SOMI: SPI Connection Slave Out Master In
SPI: Serial Protocol Interface
STC: Self Test Controller
TCRAM: Tightly Coupled Random Access Memory
UM: User Manual
VCLK: Primary peripheral Clock
VIM: Vectored Interrupt Manager Module
Table 1.1 Abbreviations

1.2 Definitions
Error Detection Time: This is the time duration from when a fault is injected (fault injection signal) until the error is detected (ERR detection signal).
Monitor App: Monitor application. This is the firmware running on the C&M device.
Safety App: Safety application. This is the firmware running on the SDUT.
TPS: A separate controller which provides the power supply to the SDUT. It also incorporates a watchdog.
Table 1.2 Definitions

1.3 Scope of document
This document contains the user documentatio…
95. …of the TPS is increased above the configured threshold level. Then the TPS enters safe state (ENDRV low) and restarts the system with power on reset.

Group: External WD
Name: Stuck on ENDRV PIN low
GUI parameter: None
Diagnostic: External watchdog pin ENDRV monitoring
Description: The ENDRV pin is forced to low level
Category: 5
Detection: Through polling of the ENDRV pin by the safety application the error is detected
Reaction: The EnterSafeState function is called. This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

Group: External WD
Name: Watchdog error failures, MCU sends wrong data
GUI parameter: None
Diagnostic: External watchdog
Description: The safety device sends several wrong answers to the request (Q&A). The timing constraints are considered.
Category: 5
Reaction: The TPS enters reset state after the fail counter of the TPS is increased above the threshold level. Then the TPS restarts the system with power on reset.

Group: External WD
Name: Watchdog error failures, MCU sends data outside allowed window
GUI parameter: Open window time
Diagnostic: External watchdog supervision
Description: The safety device sends an answer to the request (Q&A) outside the open window
Category: 5
Reaction: Since the question and answer protocol fails caused by the timing violation…
96. …ol interface pin assignment

5.2.1.3 CAN
Connector X501 offers a high speed CAN communication link driven by the CAN2 module of the safety MCU. The pinout of the CAN connector is listed in the following table.
1 | CANH
2 | GND
3 | CANL
Table 5.4 CAN connector pin assignment
The CAN driver U501 gets disabled when the TPS65381 deactivates the ENDRV signal.

5.2.1.4 DIAGOUT Jumper
The TPS65381 has the possibility to report diagnostic information through the DIAGOUT pin, which can be represented as analog measurement values as well as digital information. X800 offers the possibility to connect this pin either to a digital input pin or to an analog input pin on the safety MCU as well as on the C&M MCU. By default the analog channel is jumpered. The following table lists the connection possibilities.
[Table 5.5 DIAGOUT jumper pin assignment: jumper positions A (analog DIAGOUT) and D (digital DIAGOUT) with the MCU ball numbers T19, A4, N1, G1]

5.2.1.5 USB
Connector X1000 offers a communication link between the SafeTI HSK and a host PC. The USB port is connected to an on-board USB hub which manages the communication between the two on-board XDS100v2 emulators and the host PC. This channel is used to debug the MCUs, to program them with their respective applications and to communicate with the demonstrator GUI.

5.2.1.6 Power Suppl…
...on regarding the SPI command phase (whether a register within the TPS6538x is read or written) and the name of the corresponding register. The fourth column gives the data value that is transmitted during the SPI data phase.

6.2.2 Validation & Profiling Page
The Validation & Profiling Page is for fault injection and profiling measurements. It is depicted in Figure 6.4 and consists of three parts: the System flow (1), the TPS6538x state machine (2) and the Fault injection and Profiling control part (3).

[Figure 6.4 Validation & Profiling Page: screenshot showing the System flow with the Fault injection and Safe state MCU signals over time (ms), the Fault injection / Profiling tabs with the Fault parameter field (0x00000000) and the INJECT button, the Diagnostic selection (Lock step, PSCON, Privileged mode access and program sequence control registers) and the TPS state Stand By]

The content of the System flow part is determined by the tab selection within the Fault injection and Profiling control part, either Fault injection or Profiling. The signals that are displayed when the Fault injection tab is selected are compiled in Table 6.3. The handling is similar to the handling of the System flow part in the Overview Page, see Section 6.2.1.

Signal / Description / Meaning
Fault injection: GPIO signal raised by either application before a fault is ... Fault appe
...onfigure TPS and start Q&A (SDUT)
Figure 4.2 Startup Flow Diagram

4.2.1.1 Safety application firmware
The safety application firmware starts executing after the power-on reset (nPORRST pin on the Hercules Safety MCU) is released by the TPS device. The software first executes tests called boot-time self tests. The following self tests are executed at boot time:
- STC
- PBIST on RAM and FLASH
- Self tests on TCRAM
- Self tests on FEE
- PBIST on peripherals
- PSCON self tests
- EFUSE
- CCM-R4
- ADC

Note: The configuration that selects which tests run at boot-up is in the file HSA_config.h. The boot-time code is in the file sys_startup.c.

In addition to the boot-time self tests, the controller peripherals are initialized in the startup code. The application firmware next creates all the task instances, queues and semaphores. Then the SafeRTOS scheduler is started, which takes control over the task execution in normal operation. The scheduler is only reached if the boot-time tests have passed; a failing test leaves the device in its safe state before any application task runs.

4.2.1.2 Control monitor device firmware
The control and monitor MCU starts executing its firmware after its reset is released; this is initiated by switching the power of the kit on. After initializing the stacks, memory and necessary peripherals, the ignition pin is asserted. The ignition pin is a GPIO output connected to the IGN pin of the TPS. This is important to consider, as the assertion of ignition wakes up the TPS device, which in turn powers the safety system. The control monitor application
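The boot sequence above is a fail-closed gate: every enabled test runs in order and the scheduler is started only when all of them pass. The following C code is an added example written for this edit; it is not the kit's sys_startup.c and does not use the SafeTI Diagnostic Library. It replaces the hardware tests with two software stand-ins that can run on a PC: a CRC-32 check of a constructed flash image (the software side of the "CRC check at boot time" fault category listed in the figure list) and a RAM pattern test. The HSA_BOOT_TEST_* macros, the image contents and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for enable macros of the kind HSA_config.h holds. */
#define HSA_BOOT_TEST_IMAGE_CRC 1
#define HSA_BOOT_TEST_TCRAM     1

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), computed bitwise. */
uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Image check: the last four bytes hold the CRC-32 (little-endian) of all
 * bytes before them. Too-short images are treated as corrupt, not as empty. */
bool boot_test_image_crc(const uint8_t *img, size_t n)
{
    if (n < 4)
        return false;
    uint32_t stored = (uint32_t)img[n - 4] | ((uint32_t)img[n - 3] << 8)
                    | ((uint32_t)img[n - 2] << 16) | ((uint32_t)img[n - 1] << 24);
    return crc32_ieee(img, n - 4) == stored;
}

/* Software RAM pattern test (stand-in for the PBIST/TCRAM hardware tests):
 * write a pattern and its complement, read both back, restore the contents. */
bool boot_test_tcram(volatile uint32_t *ram, size_t words)
{
    static const uint32_t patterns[2] = { 0xAAAAAAAAu, 0x55555555u };
    for (size_t i = 0; i < words; i++) {
        uint32_t saved = ram[i];
        for (int k = 0; k < 2; k++) {
            ram[i] = patterns[k];
            if (ram[i] != patterns[k]) {
                ram[i] = saved;
                return false;
            }
        }
        ram[i] = saved;
    }
    return true;
}

/* Constructed "flash image": the payload "123456789" followed by its CRC-32
 * 0xCBF43926 stored little-endian. */
static const uint8_t k_image[] = { '1','2','3','4','5','6','7','8','9',
                                   0x26, 0x39, 0xF4, 0xCB };
static uint32_t k_tcram[16];   /* constructed RAM region under test */

static bool run_image_crc(void) { return boot_test_image_crc(k_image, sizeof k_image); }
static bool run_tcram(void)     { return boot_test_tcram(k_tcram, sizeof k_tcram / sizeof k_tcram[0]); }

typedef struct { const char *name; bool enabled; bool (*run)(void); } boot_test_t;

static const boot_test_t k_boot_tests[] = {
    { "image CRC", HSA_BOOT_TEST_IMAGE_CRC, run_image_crc },
    { "TCRAM",     HSA_BOOT_TEST_TCRAM,     run_tcram },
};

/* Run the enabled tests in order. Returns -1 if all pass, otherwise the index
 * of the first failing test. Startup code starts the scheduler only on -1 and
 * enters the safe state otherwise, so a failed test never reaches the tasks. */
int boot_self_tests(const boot_test_t *tests, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tests[i].enabled && !tests[i].run())
            return (int)i;
    }
    return -1;
}

int run_default_boot_tests(void)
{
    return boot_self_tests(k_boot_tests, sizeof k_boot_tests / sizeof k_boot_tests[0]);
}
```

Stopping at the first failure is deliberate: the table order is the order of trust (memory before peripherals), and a later test cannot be relied on once an earlier one has failed.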
...plication programmable. The last one is connected to the nRST signal to trigger a warm reset. The following table lists the push buttons along with their designated ports.

Designator / MCU / Signal / Ball number
SW300: Safety MCU, nRST, B17
SW500: Safety MCU, GIOB[0], M2
SW501: Safety MCU, GIOB[1], K2
SW502: Safety MCU, GIOB[2], F2
SW503: Safety MCU, GIOB[3], W10
Table 5.9 User programmable push buttons

5.2.5 Sensors
The SafeTI HSK features a number of sensors that may be used by the safety application. The following sections detail these sensors along with their connections to the safety MCU.

5.2.5.1 Digital Accelerometer
The SafeTI HSK features a small, thin, ultra-low-power 3-axis accelerometer with high-resolution (13-bit) measurement at up to 16 g. The digital output data is formatted as 16-bit two's complement and is accessible to the safety MCU through a 4-wire SPI digital interface. It measures the static acceleration of gravity in tilt-sensing applications as well as dynamic acceleration resulting from motion or shock. Its high resolution (3.9 mg/LSB) enables measurement of inclination changes of less than 1.0 degree. Activity is signaled to the safety MCU through two extra interrupt pins. The following table lists the signals between the safety MCU and the sensor.

Sensor Signal / Safety MCU Signal / Functional Mode / Ball Number
CS: MIBSPI
...plication can be extended, modified and rebuilt with Code Composer Studio.

2.2 Outline of the document
Chapter 3, Installation: Explains the handling and installation instructions of the two DVD packages delivered with this kit.
Chapter 4, System description: Contains the system description explaining the major system components.
Chapter 5, Hardware Description: Contains a description of the hardware.
Chapter 6, HSK Monitor Graphical User Interface (GUI): Contains the HSK Monitor GUI description. All the GUI window pages are explained.
Chapter 7, Fault injection: Explains the fault injection functionality in detail.
Chapter 8, Profiling: Explains the profiling functionality in detail.
Chapter 9, Application example demonstration: Contains a description of the application examples.
Chapter 10, The safety application: Explains the safety application firmware framework and the included libraries together with the major instances.
Chapter 11, Troubleshooting: Explains how to troubleshoot problems with the kit.

3 Installation
The SafeTI HSK includes two DVDs: the SafeTI HSK DVD for the kit installation and a Tools DVD for the tools installation.
- The SafeTI HSK DVD is sufficient if you only intend to evaluate the kit.
- The Tools DVD is required only if the safety application will be investigated, modified
...rding to configuration. If the tests are successful, the TPS is initialized with respect to the configuration last stored via the GUI. When everything is OK, the task enters a loop in which the question and answer protocol is operated. It is important for this task to meet the timing constraints specified through the TPS window open/close time. The task uses the SafeRTOS function TaskDelayUntil to ensure this.

Property / Value
Priority: Starts with 9 and is changed to 7 in normal operation mode
Assigned message queues: 0
Assigned LED: 4
External Interfaces: MIBSPI 3 via the TPS library
Privilege level: privileged
Table 10.8 Watchdog server task properties

[Figure 10.16 Watchdog service task data flow: Call startup; Initialize TPS device according to parameters; Send Q&A in open window; Wait on close window; Send Q&A in close window; Read parameterized register; Wait on open window]

For the Q&A protocol the TPS library API is used. After an answer/response cycle the watchdog fail counter is read out and the TPS state is checked. This is required by the TPS sniffer in the C&M device.
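The timing rule this task has to respect, and the consequence of missing it (the "MCU sends data outside allowed window" category 5 fault in the fault injection table, and the profiling caveat that a long self test at higher priority can starve the Q&A task), can be made concrete with a small model. The following C code is an added example for this edit; it is not the HSK watchdog task or the TPS library. It uses a deliberately simplified fail-counter model: a correct answer inside the open window decrements the counter, a wrong answer or an answer in the close window increments it, and a counter above the limit drives ENDRV low. The window lengths and the limit are hypothetical constants, not the kit's configuration; the exact TPS6538x rules are in the device data sheet.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical watchdog window (ms): after each answer the window is closed
 * for WD_CLOSE_MS and then open for WD_OPEN_MS. A fail counter above
 * WD_FAIL_LIMIT drives ENDRV low (safe state) and a reset follows. */
#define WD_CLOSE_MS   8u
#define WD_OPEN_MS    8u
#define WD_FAIL_LIMIT 3

typedef struct {
    uint32_t window_start; /* tick of the last answer = start of the close window */
    int      fail_count;
    bool     endrv;        /* true = outputs enabled, false = safe state */
} tps_model_t;

void tps_model_init(tps_model_t *t, uint32_t now)
{
    t->window_start = now;
    t->fail_count = 0;
    t->endrv = true;
}

/* True if 'now' lies inside the open window that follows 'window_start'.
 * Unsigned subtraction keeps the check correct across tick-counter wrap. */
bool wd_in_open_window(uint32_t window_start, uint32_t now)
{
    uint32_t dt = now - window_start;
    return dt >= WD_CLOSE_MS && dt < WD_CLOSE_MS + WD_OPEN_MS;
}

/* The tick the service task waits for with a vTaskDelayUntil-style call:
 * the first instant of the open window. */
uint32_t wd_next_wake(uint32_t window_start)
{
    return window_start + WD_CLOSE_MS;
}

/* Deliver one answer to the model and return the resulting ENDRV state. */
bool tps_answer(tps_model_t *t, uint32_t now, bool correct)
{
    if (correct && wd_in_open_window(t->window_start, now)) {
        if (t->fail_count > 0)
            t->fail_count--;
    } else {
        t->fail_count++;      /* wrong data, or data outside the open window */
    }
    t->window_start = now;    /* every answer restarts the window */
    if (t->fail_count > WD_FAIL_LIMIT)
        t->endrv = false;     /* TPS enters safe state; PORST follows */
    return t->endrv;
}

/* Simulate 'rounds' service cycles. The task wakes at the open window and
 * answers correctly, but each answer is late by 'delay_ms' (for example a
 * long self test run at higher priority). Returns ENDRV at the end. */
bool simulate_service(tps_model_t *t, int rounds, uint32_t delay_ms)
{
    for (int i = 0; i < rounds; i++) {
        uint32_t now = wd_next_wake(t->window_start) + delay_ms;
        tps_answer(t, now, true);
    }
    return t->endrv;
}

int main(void)
{
    tps_model_t t;
    tps_model_init(&t, 0);
    printf("prompt service: ENDRV=%d fails=%d\n", simulate_service(&t, 6, 1), t.fail_count);
    tps_model_init(&t, 0);
    printf("20 ms late:     ENDRV=%d fails=%d\n", simulate_service(&t, 6, 20), t.fail_count);
    return 0;
}
```

With a 1 ms delay every answer lands in the open window and the counter stays at zero; with a 20 ms delay every answer misses the window, the counter climbs past the limit after four rounds and the model drops ENDRV. This is the same sequence the profiling section warns about, which is why the Q&A task is the one that must not be starved.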
...rfaces
The SafeTI HSK board offers a number of interface ports used to connect the board to various external devices. These ports are listed below and detailed in the following sections.

Designator / Function
X300: ARM 20-pin (0.500 inch) external JTAG connector
X500: TI DRV8312 controlCARD encoder and sensorless mode compatible interface
X501: CAN connector
X800: TPS65381 DIAGOUT pin jumper
X1000: Micro USB AB connector
X1500: Power supply input connector
Table 5.1 External Interfaces

5.2.1.1 JTAG Connector
X300 offers a second debug channel to connect to the safety MCU via an external third-party JTAG emulator used to debug ARM microcontrollers. The pinout of the connector is listed in the following table.

Pin / Signal / Pin / Signal
1 Vref / 2 N.C.
3 nTRST / 4 GND
5 TDI / 6 GND
7 TMS / 8 GND (Cable Detect)
9 TCK / 10 GND
11 RTCK / 12 GND
13 TDO / 14 GND
15 nRST / 16 GND
17 N.C. / 18 GND
19 N.C. / 20 GND
Table 5.2 JTAG connector pin assignment

The SafeTI HSK features a cable detection circuit that senses when an external JTAG emulator is plugged onto X300. It then disables the on-board XDS100v2 emulator and switches the indicator LED D301 on.

5.2.1.2 TI DRV8312 controlCARD Interface
X500 offers an interface to connect the SafeTI HSK board to any TI board featuring the 100-pin DIMM connector. The signals brought out to the interface allow the integration of the SafeTI HSK in motor control applications driven in encoder and sensorless compatible mode. The pinout of the
...rinted
User button 2 (SW501): the Texas Instruments logo is printed
User button 3 (SW502): the Hitex logo is printed
User button 4 (SW503): the Hitex logo is printed
Reset button (SW300): resets the safety MCU (nRST)

A special function is provided with user button 3: keep this button pressed during power-on of the kit and the safety application software stays in a while loop and does not start the application. This is intended for development purposes, so that a misconfiguration cannot lead to a state in which a debugger can no longer connect.

9.5 LEDs
The kit features several LEDs, some of which are programmable. For an overview of all the LEDs provided refer to chapter 5.2.3. The following table lists the application programmable LEDs along with their drivers.

Designator / Color / Driver / Function
D501: Blue, Safety MCU, User LED1
D502: Red/Green/Blue, Safety MCU, RGB LED
D503: Blue, Safety MCU, User LED2
D504: Blue, Safety MCU, User LED3
D505: Blue, Safety MCU, User LED4
D700: Red, C&M MCU, C&M LED
Table 9.1 User programmable LEDs

The user LEDs blink to indicate activities of the safety application firmware:
User LED1: Indicates communication between the safety application and the control monitor application
User LED2: Indicates that the instance retrieving sensor data (temperature and accelerometer) is active
User LED3: The instance controlling the runtime tests is processing
User LED4: The external watchdog Q&A is in use and serviced
8.2.1.2 Runtime parameterized tests 70
8.2.2 72
8.2.3 Profiling full safety task 75
9 Application example demonstration 76
9.1 76
9.2 77
9.3 78
9.4 78
9.5 LEDs 78
9.6 User Commands Template task 79
9.7 79
10 The safety application 80
10.1 Considerations before you start 80
10.2 Tools 80
10.2.1 Import projects 82
10.3 Safety application firmware 83
10.3.1 Directory structure 83
10.4 84
10.5 84
10.5.1 85
10.5.2 86
10.5.3 86
...roup 1 and group 2 errors it is possible to configure whether the system recovers from the fault or not. This is specified using the parameters
- Recover from group1 error: yes/no
- Recover from group2 error: yes/no

If recovery from a group error is set to yes, the firmware in the ESM interrupt handler routine resets the fault and continues with normal operation. If the value is no, the firmware in the ESM interrupt handler calls the safe state routine, which enters an endless loop. As a consequence the external watchdog (TPS Q&A) is no longer serviced, so the TPS fail counter climbs above its limit and the TPS takes the system into reset.

Channel / Error
1 MibADC2 parity
2 DMA MPU
3 DMA parity
5 DMA imprecise read error
6 FMC correctable error
7 N2HET1/N2HET2 parity
8 HET TU1/HET TU2 parity
9 HET TU1/HET TU2 MPU
10 PLL slip
11 Clock monitor interrupt
13 DMA imprecise write error
15 VIM RAM parity
17 MibSPI1 parity
18 MibSPI3 parity
19 MibADC1 parity
21 DCAN1 parity
22 DCAN3 parity
23 DCAN2 parity
24 MibSPI5 parity
26 B0TCM correctable error
27 CPU self test
28 B1TCM correctable error
30 DCC1 error
31 CCM-R4 self test
35 FMC correctable error
36 FMC uncorrectable error
37 IOMM mux configuration error
38 PSCON compare error
39 PSCON self test error
40 eFuse controller error
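The recover-or-halt decision above is the central safety policy of the ESM handler, and the second branch is only safe because halting also stops the watchdog service. The following C code is an added example for this edit, not the HSK's ESM interrupt handler. It models the two GUI parameters, a pending-channel bitmap per group standing in for the ESM status register, and a state flag standing in for the Q&A task; the channel names are a subset of the table above, and the group 2 numbering is the example's own assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical mirror of the GUI parameters "Recover from group1/group2 error". */
typedef struct {
    bool recover_group1;
    bool recover_group2;
} esm_policy_t;

typedef enum {
    ESM_ACTION_NONE,               /* channel not pending, nothing to do     */
    ESM_ACTION_CLEAR_AND_CONTINUE, /* fault flag reset, normal operation     */
    ESM_ACTION_SAFE_STATE          /* EnterSafeState: endless loop, no Q&A   */
} esm_action_t;

/* Subset of the ESM group 1 channel table from the manual (constructed lookup). */
typedef struct { uint8_t channel; const char *error; } esm_channel_t;
static const esm_channel_t k_group1_channels[] = {
    {  1, "MibADC2 parity" },          {  2, "DMA MPU" },
    {  3, "DMA parity" },              {  6, "FMC correctable error" },
    { 10, "PLL slip" },                { 15, "VIM RAM parity" },
    { 27, "CPU self test" },           { 31, "CCM-R4 self test" },
    { 36, "FMC uncorrectable error" }, { 38, "PSCON compare error" },
};

const char *esm_group1_name(uint8_t channel)
{
    for (size_t i = 0; i < sizeof k_group1_channels / sizeof k_group1_channels[0]; i++)
        if (k_group1_channels[i].channel == channel)
            return k_group1_channels[i].error;
    return "unknown";
}

/* SDUT state the handler touches. 'pending' stands for the ESM status
 * register of each group (bit n = channel n); 'wd_serviced' stands for the
 * Q&A task still answering the TPS. */
typedef struct {
    uint64_t pending[3];   /* index 1 = group 1, index 2 = group 2 */
    bool     wd_serviced;
    bool     in_safe_state;
} sdut_state_t;

void sdut_init(sdut_state_t *s)
{
    memset(s, 0, sizeof *s);
    s->wd_serviced = true;
}

/* Hardware raising a channel (used here to drive the model). */
void esm_raise(sdut_state_t *s, int group, uint8_t ch)
{
    if (group >= 1 && group <= 2 && ch > 0 && ch < 64)
        s->pending[group] |= 1ULL << ch;
}

static void enter_safe_state(sdut_state_t *s)
{
    s->in_safe_state = true;
    s->wd_serviced = false;   /* the endless loop never answers the watchdog again */
}

/* The decision the ESM interrupt handler takes for one raised channel. */
esm_action_t esm_handle(const esm_policy_t *p, sdut_state_t *s, int group, uint8_t ch)
{
    if (group < 1 || group > 2 || ch == 0 || ch > 63)
        return ESM_ACTION_NONE;
    uint64_t bit = 1ULL << ch;
    if (!(s->pending[group] & bit))
        return ESM_ACTION_NONE;
    bool recover = (group == 1) ? p->recover_group1 : p->recover_group2;
    if (recover) {
        s->pending[group] &= ~bit;    /* reset the fault and carry on */
        return ESM_ACTION_CLEAR_AND_CONTINUE;
    }
    enter_safe_state(s);              /* not reached again: the TPS will reset us */
    return ESM_ACTION_SAFE_STATE;
}
```

Note that the handler never clears the pending bit on the safe-state path; the flag stays visible for the C&M device and for a debugger until the TPS power-on reset wipes it.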
...s or are available for the application. The following table lists all the static LEDs along with their designated functions.

Designator / Color / Function
D300: Red, Safety MCU reset (nRST)
D301: Blue, External JTAG emulator present
D600: Red, C&M MCU reset (nRST)
D904: Red/Green, Status indication of VBAT: green = 12 V present (nominal supply), red = 4.5 V present (undervoltage)
D905: Red/Green, Status indication of VBAT_SAFING: green = 12 V present (nominal supply), red = 4.5 V present (undervoltage)
D1100: Blue, Safety XDS100v2 SCI RX
D1101: Blue, Safety XDS100v2 SCI TX
D1202: Blue, Safety XDS100v2 PWRENn
D1300: Blue, C&M XDS100v2 SCI RX
D1301: Blue, C&M XDS100v2 SCI TX
D1402: Blue, C&M XDS100v2 PWRENn
D1500: Blue, Power present (12 V nominal)
D1502: Blue, 5 V present
Table 5.7 LED indicators

The following table lists the application programmable LEDs along with their drivers.

Designator / Color / Driver / Signal / Ball number
D501: Blue, Safety MCU, GIOB[4], G1
D502: Red/Green/Blue, Safety MCU, N2HET1[0] green (K18), N2HET1[28] blue (K19), N2HET1[31] red (J17)
D503: Blue, Safety MCU, GIOB[5], G2
D504: Blue, Safety MCU, GIOB[6], J2
D505: Blue, Safety MCU, GIOB[7], F1
D700: Red, C&M MCU, SPI2ENA / SPI2NCS[1], D3
Table 5.8 User programmable LEDs

5.2.4 Push Buttons
The SafeTI HSK features five push buttons connected to the safety MCU, four of which are ap
...s operated in a software context, several issues need to be considered:
- The task which runs the test (HSA_SafetyLibServer task) is set to the highest priority prior to the test execution so that it does not get interrupted by other tasks. This may lead to the Q&A task running out of time if the test takes too long to execute. However, this has no influence on the measured result.
- Profiling depends highly on the clock frequency with which the safety MCU is clocked to run the safety application, which in turn runs the self tests. The PLL is configured to generate a clock of 160 MHz which is used as the HCLK source, and VCLK = HCLK/2.
- Interrupts from peripherals may occur during the test run and may add a small part to the measured time. The only interrupt sources are the MIBSPI1 module and the RTI counter. Keep in mind that the MIBSPI1 interrupt is driven by the C&M device and occurs every 20 ms.
- Some self tests can be parameterized arbitrarily and may cause the test to fail if conflicts occur with the set parameters. If a test failure is detected, the measured profiling time is invalidated and indicated in the HSK Monitor GUI as shown below.

[Figure 8.3 Profile timing invalid: the GUI shows "Measured profiling time: fail"]

- It is strongly recommended to set the parameter System load to a value of 0 (slider in the Global Settings page) to avoid an influence through the RTI interrupt.

8.2 Profiling Tests
8.2.1
...s this failure at the latest after 5 ms and activates the corresponding ESM channel.
Reaction: An ESM group 1 interrupt is generated. In the interrupt handler the EnterSafeState function is called. This function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

RESET
Name: Stuck on nPORST low
Fault parameter: none
Diagnostic: none
Description: The power-on reset signal is stuck at low.
Category: 4
Reaction: The SDUT remains in reset state since nPORST is held low.

RESET
Name: Watchdog error failures, nRST pin stuck at low
Fault parameter: none
Diagnostic: none
Description: The nRST signal is stuck at low.
Category: 4
Reaction: The safety device under test is held in system reset.

MCU SYSTEM
Name: Privileged mode access and multi-bit key enable
Fault parameter: none
Diagnostic: Privileged mode access and multi-bit key enable
Description: An access violation is forced by the application software.
Category: 2
Reaction: The data abort handler is entered. The EnterSafeState function is called. The function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

ESM
Name: External MCU Error Pin Monitor (SDUT monitor), safety device under test recovers in time
Fault parameter: none
Diagnostic: Error pin monitoring
Description: The Error pin is raised for a short time (200 us). This shall simulate that the
[Figure 3.7 Program process selection: UniFlash session with the target configuration SafetyTMS570LS3137.ccxml loaded from D:\safeTI HSK TestV1\Firmware\applications (TMS570LS3137, Texas Instruments XDS100v2 USB Emulator, CortexR4); the left pane lists Flash Settings (Path, Range Options, Erase Options, Blank Check Options) and Programs with the buttons Remove, Check, Uncheck and Program]

- Select the image and click the Program button to start the download.

[Figure 3.8 Download applications: RM48L950 target (Texas Instruments XDS100v2 USB Emulator, CortexR4) with the programs HSK_Safety_Application_BE.out and HSK Monitor Application.out listed]

- After a successful update, power-cycle the board to restart the application.

3.3 Tools installation
For users who want to explore or even modify and extend the source code of the safety application, some tools are required an
...safety application firmware additionally includes two libraries: TI's SafeTI Diagnostic Library, which provides interfaces to run the self tests (safety diagnostics), and another library for serving the external watchdog (TPS6538x). The software package is delivered on two DVDs:
- The SafeTI HSK DVD is for users who want to explore the example application.
- The Tools DVD is needed when the example safety application needs to be modified, extended and debugged.

A graphical user interface called HSK Monitor is included in the kit. It is a Windows application that communicates with the board via USB. Among other things, it provides the capability to inject faults into the SDUT and observe its behavior. It also allows profiling of the runtime self tests. With these features an application developer can evaluate different runtime self test configurations when designing their safety system. The safety application firmware is explained in chapter 10 of this manual in further detail.

2.1 Purpose of the document
The purpose of this document is to explain how to use the SafeTI HSK kit for evaluating the safety features of the Hercules controllers and the TPS6538x PMIC in conjunction with the example application software. For users who want to investigate the safety application software further, the document explains how the ap
...safety application has detected an error and resolves it in time.
Category: 1
Reaction: The ESM error pin is active for 200 microseconds. The error is detected and resolved.

ESM
Name: External MCU Error Pin Monitor (SDUT monitor), safety device under test does not recover in time
Fault parameter: Error pin low duration
Diagnostic: Error pin monitoring (TPS)
Description: The error pin is raised for a specific time, longer than the timeout of the external watchdog (TPS) for monitoring the MCU error pin.
Category: 1
Reaction: The TPS detects the error through the MCU error pin monitoring feature. The TPS resets the system (ENDRV low, PORST triggered).

ESM
Name: Software test of error path reporting
Fault parameter: none
Diagnostic: Software test of error path reporting
Description: A TCM RAM self test function (error forcing, 1 bit) is called. Due to that function call the activation of the MCU Error pin is expected. The MCU Error pin is checked and a fault detection is emulated by the safety application.
Category: 1
Reaction: The application software detects the failure on the error pin and calls the EnterSafeState function. The function waits in an endless loop until the TPS resets the system (ENDRV low, PORST triggered).

CPU
Name: Lock step compare
Fault parameter: ESM channel; Recover from ESM group 1
Diagnostic: Lock step compare configuration
Description: Enable CCM-R4 error forcing mode.
Category: 1
Reaction: An ESM group 1 interrupt is generated. In the
...sages, or may be sensor data messages containing the acceleration data and the temperature value. When the job is done, the task sleeps for a while. The communication to the C&M device is implemented using the MIBSPI driver. In the receive interrupt handler the received data is put into the "Receive external messages" queue using the OSAL QueueReceiveFromISR routine. To transmit data, the DMA driver provided by HalCoGen is applied.

Property / Value
Priority: 5
Assigned message queues: 5
Assigned LED: LED 1
Privilege level: Privileged
External Interfaces: MIBSPI 3
Table 10.1 Command handler task properties

Queue / Size / Command handler role / Other side
Receive external messages: 10, Consumer, C&M device receive IRQ
Fault injection: 1, Producer, Fault injection task
System load: 1, Producer, System load task
User commands: 1, Producer, Template task
C&M responses: 10, Consumer, All other tasks
Table 10.2 Command handler message queues

[Figure, command handler task data flow: CMD_Init requests the configuration data (GUI parameters), waits until the data has been sent and switches to the next state; CMD_Monitor checks the receive queue for data from the C&M device, switches with respect to the task, investigates the command and processes it; operating-state commands are Inject fault, Read configuration data, Write configuration data, Profile and Apply configuration data, followed by a switch to the next state, CMD_DATA ...]
Table 9.1 User programmable LEDs 78
Table 10.1 Command handler task properties 87
Table 10.2 Command handler message queues 87
Table 10.3 Fault handler task properties 89
Table 10.4 Fault handler message queues 89
Table 10.5 Safety library server task properties 90
Table 10.6 Sensor handler task properties 91
Table 10.7 Sensor handler message queues 91
Table 10.8 Watchdog server task properties 92
Table 10.9 Display task properties
...ser Commands Page within the Main Viewing Area, see also Section 6.2.6.
User Manual: Opens the user manual with a PDF reader.
About: Shows copyright information as well as the monitor version, the application version, the board revision, the board type, the GUI version and the GUI date in an additional window. A hyperlink that leads to an update website is also given.
Table 6.1 Buttons in the Navigation Bar

A selected button is indicated by a blue arrow pointing to the current content of the Main Viewing Area (Figure 6.2).

[Figure 6.2 Overview Page: task-monitor view listing the Idle task, Command handler, Sensor and HMI task and Watchdog service with their run times, interleaved with the TPS SPI transactions WRITE WDG ANSWER and READ SAFETY STATUS and their time stamps]
Figure 7.1 Fault injection signals 52
Figure 7.2 Data flow of the SDUT, no recovery from fault 54
Figure 7.3 Data flow of the SDUT, recovery from fault 54
Figure 7.4 Category 1 fault, Lockstep PSCON 55
Figure 7.5 Data flow of the SDUT 55
Figure 7.6 Category 2 fault, PMA on PSCON 56
Figure 7.7 Category 3 fault, Under voltage on VBAT 56
Figure 7.8 Category 4 fault, Disturb CoreVCC 1.2 V 57
Figure 7.9 Category 5 fault, MCU sends data outside allowed window 58
Figure 7.10 Category 6 fault, CRC check 59
Figure 7.11 Category 7 fault, CRC check at boot time
Table 10.10 Display message queues 93
Table 10.11 Used files for onboard display API 94
Table 10.12 Template task properties 94
Table 10.13 Template task message queues 94
Table 11.1 Troubleshooting 98

1 Abbreviations, definitions and scope of document
1.1 Abbreviations
ADC: Analog to Digital Converter
API: Application Programming Interface
C&M device: Control And Monitoring Device
CCM-R4: CPU Compare Module for Cortex-R4F
CCS: Code Composer Studio
ENDRV: Enable Driver Output pin from TPS
ECC: Error Correction Code
ESM: Error Signaling Module
FEE: Flash Emulated EEPROM
FMC: Flash Memory Controller
HALCoGen: Hardware Abstraction Layer Code Generator
HCLK: Primary CPU and memory subsystem Clock
LCD: Liquid Crystal Display
LED: Light Emitting Diode
MCU: Microco
...t injection: 1, Consumer, Command handler task
Table 10.4 Fault handler message queues

10.5.6 HSA_SafetyLibServer
This task has two main jobs:
- One part is to call the cyclic self tests periodically.
- The other part is to provide the profile measurement capability, which can be invoked by the user through the HSK Monitor GUI.

The task delay duration depends on the configuration parameter Safety loop. This parameter defines the time available for one complete cycle. The variable containing this parameter value is myCyclePeriod.

[Figure 10.12 Safety library server task data flow: switch with respect to the task operating state; SLS Step1 (profiling measurement if required), SLS Step2, SLS Step3, SLS Step4, SLS Step5; Delay until]

Property / Value
Priority: 4
Assigned message queues: 0
Assigned LED: 3
Privilege level: privileged
Table 10.5 Safety library server task properties

10.5.6.1 Run-time self test execution
The run-time test executions are implemented in one routine called HSA_SLS_runCyclicTest. As can be seen in the data flow structure in Figure 10.12 (Safety library server task data flow), the task has 5 operating states, Step1 to Step5. The safety application can be configured to either run all steps in one go or to run them individually. A macro defined in the HSA_Config
...t some data cannot be modified after the TPS has entered the operating state ACTIVE.

Behavior: When the Safety MCU firmware is started, the EEPROM data is read out and the TPS is configured according to the TPS6538x settings.

How to proceed:
- Change the settings.
- Apply the settings, which means that they are stored in the EEPROM of the safety MCU. The green LED on the board indicates success.
- Restart the safety MCU to use the new configuration, by Stop recording and Restart recording.

[Figure 6.7 Global Settings Page: per-channel ESM configuration, e.g. Group 1 channel 3 DMA parity, channel 5 DMA imprecise read error, channel 6 FMC correctable error and channel 7 N2HET1/N2HET2 parity, each with an "Interrupt enabled" and an "nERROR Pin enabled" check box]

6.2.3.1 Safety loop
With the safety loop slider the cycle time of the run-time tests can be changed. The application task which triggers the run-time tests splits the execution of these tests into 5 slots. In each slot a specific subset of the tests is executed. After the execution of all 5 slots all tests have been processed. If for example the safety loop slider has a value of 100 ms, this means that all tests have to be processed within 100 ms. Obviously a small time interval for the tests increases the system load.

6.2.3.2 System load
The
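The slot scheme described here and in the HSA_SafetyLibServer section (five operating states Step1 to Step5, either run one per pass or all in one go, paced by a delay-until call against myCyclePeriod) can be modelled in a few lines. The following C code is an added example for this edit, not the kit's HSA_SLS_runCyclicTest; the structure, the cost callbacks and the overrun counter are assumptions made for the example, and step run times are passed in by a callback where the target would read the RTI counter.

```c
#include <stdbool.h>
#include <stdint.h>

#define SLS_STEPS 5u

/* Hypothetical model of the safety library server loop: 'cycle_ms' mirrors
 * the Safety loop slider (myCyclePeriod), 'run_all' the "all steps in one go"
 * configuration. */
typedef struct {
    uint32_t cycle_ms;
    bool     run_all;
    uint32_t step;         /* next step to execute, 1..5 */
    uint32_t cycle_start;  /* tick at which the current cycle began */
    uint32_t overruns;     /* passes whose work did not fit its time budget */
} sls_t;

uint32_t sls_slot_ms(uint32_t cycle_ms)
{
    return cycle_ms / SLS_STEPS;
}

void sls_init(sls_t *s, uint32_t cycle_ms, bool run_all, uint32_t now)
{
    s->cycle_ms = cycle_ms;
    s->run_all = run_all;
    s->step = 1;
    s->cycle_start = now;
    s->overruns = 0;
}

/* One pass of the task body. 'step_cost' reports the run time (ms) of a step.
 * Returns the tick the task must delay until before its next pass, i.e. the
 * argument of a vTaskDelayUntil-style call. A pass that exceeds its budget
 * (one slot, or the whole cycle in run_all mode) is counted as an overrun. */
uint32_t sls_pass(sls_t *s, uint32_t (*step_cost)(uint32_t step))
{
    uint32_t last   = s->run_all ? SLS_STEPS : s->step;
    uint32_t budget = s->run_all ? s->cycle_ms : sls_slot_ms(s->cycle_ms);
    uint32_t spent  = 0;

    for (uint32_t st = s->step; st <= last; st++)
        spent += step_cost(st);
    if (spent > budget)
        s->overruns++;

    if (last == SLS_STEPS) {
        s->cycle_start += s->cycle_ms;   /* cycle complete: next one a period later */
        s->step = 1;
        return s->cycle_start;
    }
    s->step = last + 1;
    return s->cycle_start + last * sls_slot_ms(s->cycle_ms);   /* next slot boundary */
}

/* Constructed cost profiles for demonstration. */
uint32_t cost_uniform_5ms(uint32_t step)
{
    (void)step;
    return 5;
}

uint32_t cost_step3_heavy(uint32_t step)
{
    return step == 3 ? 25 : 5;   /* step 3 exceeds a 20 ms slot of a 100 ms loop */
}
```

With a 100 ms loop each slot is 20 ms; a 25 ms step overruns in single-step mode but fits comfortably in run-all mode, because there the budget is the full cycle. That difference is the reason a short safety loop raises the system load: the per-slot budget shrinks five times faster than the cycle.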
...t the license agreement and select an installation directory.
- Select the setup type Custom.

[Figure 3.2 Setup Type installation screen: CCS UniFlash v2 Setup, Setup Type with the options Complete Feature Set and Custom (select this option if you wish to customize the individual features that are installed), Custom selected]

- Select the processor architecture Cortex-R4F MCUs.

[Figure 3.3 Processor selection installation screen: Processor Support list with MSP430 Low Power MCUs, C28x 32-bit Real-time MCUs, Stellaris Cortex-M MCUs, Cortex-R4F MCUs (includes support for Hercules RM and TMS570 devices) and Wireless Connectivity CCxxxx Cortex-M Devices; Select All button and Install size]

- Select the emulators you are using. Select at least XDS100 Class Emulator support.

[Figure: CCS UniFlash v2 Setup, Select Emulators: select the emulators you want installed and deselect those you want to leave out; JTAG Emulator Support, XDS100 Class Emulator Support (installs support for all XDS100 class emulators), Blackhawk Emulators]
...the abort interrupt handler of the safety application, the ERRIRQ pin is set. This signal reflects the recognition of the failure. The HSA_EnterSafeState function is called in every case.

[Figure 7.5 Data flow of the SDUT: in the abort IRQ handler, recognize the fault injection, set the respective ERR signal, then wait until the TPS restarts the system with a power-on reset]

Note: Consider that the safety application waiting in the interrupt handler no longer serves the external watchdog Q&A. As a consequence the error counter of the TPS increments above the configured limit, leading to a signal indication on the nENDRV pin.

The screenshot example shows a PSCON privileged mode access and program sequence control registers fault injection.

[Figure 7.6 Category 2 fault, PMA on PSCON: System flow showing the Fault injection and ERR Detection signals over time (ms)]

The distinctive signals for this flow are that the ESMIRQ pin signal is not asserted and that the ERR Detection signal is asserted just a short time after the fault injection.

7.2.6 Faults injected on power rails to the TPS (category 3 behavior)
These are faults affecting the TPS companion chip. Normally with these faults the SDUT gets a power-on reset asserted by the TPS device and enters SafeState. T
…tion Bar consists of 11 buttons. These buttons provide the menu interface for the user to select the functionality of the HSK. The functions of these buttons are described in Table 6.1. Enabled buttons are shown in light gray; disabled buttons are shown in dark gray and cannot be selected.

Table 6.1: Buttons in the Navigation Bar

Button | Description
Connect | The evaluation board communicates with the PC over USB. A Virtual COM port driver causes the board to appear as an additional COM port available to the PC. In order to connect the board to the GUI, the corresponding COM port (e.g. "COM33 HSK") has to be selected. After the connection is established, the Overview Page is shown in the Main Viewing Area (see Figure 6.2).
Disconnect | Disconnects the connection between the PC GUI application and the board.
Overview | Displays the Overview Page within the Main Viewing Area (see also Section 6.2.1).
Validation & Profiling | Displays the Validation & Profiling Page within the Main Viewing Area (see also Section 6.2.2).
Global Settings | Displays the Global Settings Page within the Main Viewing Area (see also Section 6.2.3).
Diagnostic Settings | Displays the Diagnostic Settings Page within the Main Viewing Area (see also Section 6.2.4).
Monitoring | Displays the Monitoring Page within the Main Viewing Area (see also Section 6.2.5).
Application | Displays the Application Page within the Main Viewing Area (see also Section 6.2.6).
User Commands | Displays the U…
User Manual | (description not contained in this excerpt)
About | (description not contained in this excerpt)
…ts to the safety device and monitor its behavior upon fault
• Supervision of TPS supply rails via inputs to an on-chip ADC
• Communication with the HSK Monitor GUI via UART
• Sample the signals asserted from the SDUT connected to GPIOs
• Exchange configuration data between the GUI and the SDUT

• HSK Monitor GUI: The safety features of the kit can be evaluated with the HSK Monitor GUI. The user can trigger specific faults, which are then injected into the safety device. Profiling measurements of the safety diagnostic features can be executed. Additionally, several states of the SDUT can be visualized in a task-monitor-like view together with the TPS operating states. The user has the capability to send 5 predefined user commands to the safety application software. For more information refer to the chapter "HSK Monitor user manual".

4.2 System behavior

4.2.1 Startup (power on)

Upon power on, the three components on the board start up: the C&M device, the TPS and the SDUT. The flow is depicted in the figure below and detailed in the following sections.

(Figure residue, startup flow after power-on reset: C&M: boot phase/startup, set ignition signal, normal operation. TPS: boot phase/startup, standby mode, wake up, provide power supplies to … SDUT: boot phase/startup, boot time tests, setup SafeRTOS …)
10.5.4 HSA CmdHandler ... 87
10.5.5 HSA FI Handler ... 88
10.5.6 HSA STELL BSE LNG Gade ... 89
10.5.6.1 Run time self test execution ... 90
10.5.6.2 Profiling measurement ... 90
10.5.7 HSA HMI Sensor ... 91
10.5.8 HSA WDService Task ... 92
10.5.9 HSA IS Oley WAS TRU S ... 93
10.5.10 HSA ME rel cT m ... 94
10.5.11 xui m TP E ... 94
10.5.11.1 Global settings ... 95
10.5.12 Typical data flow example for a fault injection ... 96
10.5.13 Typical data flow example for a profiling measurement ... 97
11 Troubleshooting ... 98
12 Appendix A ... 99

List of figures

(entry illegible) ... 12
Figure 3.1 Directory structure ... 14
Figure 3.2 Setup Type installation screen ...
…uilt.

• The monitor application implementation asserts the ignition pin of the TPS device. This is necessary for the TPS to start and to deliver the power lines to the safety application. If you remove that in the code, the SDUT is no longer powered. It is implemented in the file MON_CommandHandler.c in the function CMD_Resetappl; the function is MON_ignition.

• The safety application checks for a pressed user button at a very early stage of the boot code. If user button SW503 is pressed during power on, the safety application firmware stays in an endless loop. This ensures that reprogramming of the kit is possible even if the current firmware fails and resets all the time.

• There are different types of kits, differentiated by the assembled SDUT MCUs. As the TMS570 controllers support code in big-endian format whereas the RM48 MCUs support little-endian format, ensure that the correct build configuration is selected in the Code Composer Studio project.

• A compile-time configuration setting, configured by the C language macro DEBUG, is defined in HAS_Config.h. During debug it is recommended to set this to 0; doing this deactivates some interaction with the external watchdog. E.g. this avoids that the ENDRV pin input from the TPS monitoring is deactivated. Note: Stepping through the code always leads to the ENDRV pin going low.

• A special task is prepared to facilitate a kit user to start development with the kit. For the…
…uisition, Send application msg, Sensor data, Send sensor data (remaining labels of the data flow diagram)

Figure 10.10: Command handler task data flow

10.5.5 HSA FI Handler

This task instance implements the fault injection process. It waits on messages requesting a fault injection. If one is received, the GPIO pin related to the FI signal is asserted. After that the fault is injected, which mostly means calling the corresponding function in the SDL. If the function returns, the FI signal is deasserted. It has a very simple structure:

(Figure 10.11 diagram residue) Wait on a command to inject a fault; Enter fault injection: assert the fault injection signal; Inject the fault according to the ID; Leave the fault injection: deassert the fault injection signal.

Figure 10.11: Fault Injection handler task data flow

The fault injection routine is a big switch-case construct for the different faults to inject. Very often, injecting a fault makes the system generate an interrupt and enter the Safe state function. A parameter setting defines whether the system returns to the calling function or enters a safe state. For most of the faults the Safety application makes an API call provided by the SafeTI Diagnostic Library.

Table 10.3: Fault handler task properties
Priority | 8
Assigned message queues | 1
Assigned LED | (none given)
External interfaces | (none given)
Privilege level | privileged

Faul…
…w. Meaning: Safe State reached.

• Safe state TPS: A signal that indicates that the TPS moved the system to safe state. In a safety system all the devices and components connected to the ENDRV pin shall enter safe state. Meaning: Safe State reached.

• ESMIRQ pin: GPIO signal set in the ESM interrupt handler. Meaning: The fault has been detected.

• nESMERR pin: Signal issued by the ESM of the SDUT. Meaning: Indication of a fault.

• Periodic tests: A GPIO signal triggered by the application every time a periodic tests cycle starts. This signal always indicates when the task instance servicing the runtime self tests starts a cycle. Which of the runtime tests are really executed is determined by the runtime test configuration loaded previously through the GUI, so even if no self test is enabled the signal is raised for a short time anyway. The frequency of the signal depends on the safety loop counter setting. Meaning: IO signal indicating the start of a run time tests cycle.

• ENDRV: Output signal of the TPS to indicate that the error counter has exceeded the limit. Meaning: Safe State reached.

• nRST: Signal of the SDUT to indicate a reset state. Meaning: System restarts.

• nPORST pin: nRES output of the TPS. Meaning: Power down.

• VBAT: Power supply of the TPS.

• VCC: Core power supply to the safety MCU device, output from the TPS.

A signal name with a prefixed "n" is active low; the other signals are active high.

The system reaction to specific faults is very often similar. So it m…
…y Connector

X1500 is the main power supply connector, which feeds a supply voltage of nominally between 12 V and 14 V into the board. The 2.5 mm barrel type jack has the outer shell at negative potential and the inner pin at positive potential, as shown in Figure 5.2.

Figure 5.2: Input Power Supply Polarization (12 V to 14 V DC)

On board, the input 12 V is used to generate the 5 V, 3.3 V and 1.2 V necessary to operate the USB debug interface, the onboard emulators and the C&M functionality along with the fault injection block. Moreover, the 12 V is fed through the power switches Q902 and Q903 to power the TPS65381 at its inputs VBAT and VBAT_SAFING respectively, which in turn generates the 5 V, 3.3 V and 1.2 V necessary for the safety MCU and its peripherals. Finally, the 12 V is also used to generate a 4.5 V power domain needed to simulate power faults on the VBAT and VBAT_SAFING domains of the TPS65381.

5.2.2 Display

The SafeTI HSK features an on-board 128 x 32 pixel LCD with white LED backlight. The display is connected to the safety MCU via the SPI2 port. The following table lists the safety MCU signals used to drive the display.

Table 5.6: Display interface
Display Signal | Safety MCU Signal | Functional Mode | Ball Number
CS1B | SPI2NCS[0] | SPI | N3
RST | nRST | Reset | B17
A0 | SPI2NENA / SPI2NCS[1] | GPIO | D3
SCL | SPI2CLK | SPI | E2
SDA (SI) | SPI2SIMO | SPI | D1

5.2.3 LEDs

The SafeTI HSK features a number of LEDs used as static indicator…
…y voltages within the system. It is depicted in Figure 6.3. The page consists of three main parts: the System flow (1), the Task monitor (2) and the TPS6538x communication monitor (3).

(Figure 6.3 screenshot residue: the Task monitor (2) lists timestamped task switches in ms, such as "10960.767 Sensor and HMI task", "10969.741 Watchdog service", "10980.741 Command handler" and the intervening "Idle task" entries; the TPS6538x communication monitor (3) lists register traffic such as SAFETY_STATUS2, further SAFETY_STATUS registers, WDG_ANSWER and WRITE entries; a "Reset Safety MCU" control is shown)

Figure 6.3: Overview Page

The System flow (1) depicts voltages to and from the TPS6538x over time. The voltages are compiled in Table 6.2.

VBAT: Power supply for the TPS. VBAT…