Application of “C2000+TMS570” dual-chip solution in automotive electric drive functional safety
With the rapid development of new energy vehicles and the growing complexity of automotive electronic systems, automotive functional safety has received increasing attention and reliability requirements have become more demanding. ISO 26262 is the international automotive functional safety standard; developing products according to the ISO 26262 process can effectively improve the functional safety of automotive electrical and electronic products.
In automotive electric drive development, more and more customers require a functional safety design that meets the ASIL C safety level at system level. The main control chip for electric drive functional safety can be implemented either as a single-chip or as a dual-chip solution, and each has its own advantages and disadvantages. The dual-chip solution promoted by TI is "C2000 + TMS570", which combines the real-time performance of the C2000 in motor control with the functional safety features of the TMS570. It has been adopted by more and more customers and applied in automotive electric drive functional safety projects.
Figure 1. Functional safety electric drive block diagram based on the "F28379S + TMS570LS0714" architecture
Figure 1 shows a functional safety electric drive block diagram based on the "F28379S + TMS570LS0714" dual-chip architecture. The main safety goal of the automotive electric drive system is to avoid unintended torque changes. The safety measure taken in the system design is therefore to monitor the output torque, and this monitoring must meet ASIL C. According to the ISO 26262 ASIL decomposition principle, the system's ASIL C can be decomposed into "ASIL C + QM": the C2000 takes the QM-rated motor control and the TMS570 takes the ASIL C safety monitoring function, so that the system as a whole achieves ASIL C. In this way the real-time advantage of the C2000 in motor control and the functional safety features of the TMS570 are both utilized. At the software level, most of the motor control code can be placed on the C2000, where it only needs to meet QM requirements, and only the small part of the code related to safety monitoring runs on the TMS570 and must meet ASIL C. This greatly reduces software development time and cost.
The F28379S and TMS570LS0714 communicate over SPI to exchange data and cross-check each other, which is itself one way of implementing a safety mechanism. For example, the F28379S and TMS570LS0714 can sample the current of the same channel at the same time; the sampling results are transmitted over SPI and compared against each other. If they are inconsistent, error handling is performed to bring the system to a safe state.
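The cross-check described above, written out as an added example (not TI's code and not from the original article): the TMS570 side compares its own ADC sample of a phase current with the sample received from the C2000 over SPI, and debounces mismatches before latching the drive into a safe state. The frame layout, checksum, tolerance and debounce count are assumptions chosen for illustration.

```c
/* Added example: plausibility cross-check of one current sample taken by both MCUs.
 * The SPI frame format, tolerance and debounce count are constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define CURRENT_TOLERANCE_MA  500   /* assumed: allowed mismatch between the two samples */
#define FAULT_DEBOUNCE_COUNT  3     /* assumed: consecutive mismatches before safe state */

typedef enum { DRIVE_RUN = 0, DRIVE_SAFE_STATE = 1 } drive_state_t;

/* Constructed SPI frame from the C2000: sequence counter, sample, checksum. */
typedef struct {
    uint8_t seq;
    int32_t current_ma;
    uint8_t checksum;
} spi_frame_t;

/* XOR checksum over the sequence counter and the sample bytes. */
uint8_t frame_checksum(const spi_frame_t *f) {
    uint8_t c = f->seq;
    const uint8_t *p = (const uint8_t *)&f->current_ma;
    for (size_t i = 0; i < sizeof f->current_ma; i++) c ^= p[i];
    return c;
}

typedef struct {
    uint8_t expected_seq;      /* next sequence number we expect to receive */
    unsigned mismatch_count;   /* consecutive failed checks */
    drive_state_t state;       /* latched: once in safe state, stays there */
} monitor_t;

/* Called on the TMS570 once per control period with its own ADC sample and
 * the frame received from the C2000. Returns the (possibly new) drive state. */
drive_state_t monitor_step(monitor_t *m, int32_t own_sample_ma, const spi_frame_t *rx) {
    int64_t diff = (int64_t)own_sample_ma - rx->current_ma;  /* 64-bit: no overflow */
    if (diff < 0) diff = -diff;
    bool ok = rx->checksum == frame_checksum(rx)      /* frame intact */
           && rx->seq == m->expected_seq              /* no lost or stale frame */
           && diff <= CURRENT_TOLERANCE_MA;           /* both MCUs agree */
    m->expected_seq = (uint8_t)(rx->seq + 1);         /* resynchronise on every frame */
    if (ok) {
        m->mismatch_count = 0;
    } else if (++m->mismatch_count >= FAULT_DEBOUNCE_COUNT) {
        m->state = DRIVE_SAFE_STATE;                  /* e.g. disable PWM outputs */
    }
    return m->state;
}
```

A single glitch is tolerated, but three consecutive failures of any kind (corrupt frame, lost frame or disagreeing samples) latch the safe state, which only a controlled reset should clear.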
C2000 is a family of microcontrollers designed by TI specifically for digital power and motor control applications. With the rapid growth of new energy vehicles in recent years, C2000 devices have also become widely used in electric vehicle motor controllers, where they meet the performance requirements of real-time motor control. The TMS320F28379S is currently the highest performance C2000 device and can meet the ever higher demands on motor control speed and real-time behaviour. It has the following new features:
- 200 MHz C28x core and CLA coprocessor;
- 16-bit ADC module with 4 differential inputs;
- Trigonometric math unit (TMU), which executes instructions such as SIN, COS and ARCTAN in only 1 to 3 cycles;
- 8 built-in window comparators, usable for overcurrent protection, over-voltage protection, etc.;
- Built-in CLB programmable logic control unit;
- 8 Sigma-Delta sampling filters.
The entire TMS570 MCU series has been certified to the highest level, ASIL D, by the third-party certification body TÜV SÜD. Its design and production process strictly follows the requirements of ISO 26262. At the same time, it has a dedicated safety architecture and a complete set of safety mechanisms to handle random hardware failures. It is currently widely used in ECU systems on new energy vehicles such as the traction inverter, BMS, OBC and VCU.
Figure 2. TMS570 safety feature block diagram
To manage random hardware failures, the TMS570 MCU integrates many safety mechanisms and follows the "safe island" safety concept: hardware diagnostic safety mechanisms are applied to the minimum set of modules needed for the MCU software to operate correctly, shown in red in the figure above, including the power supply, clock, CPU, flash, RAM and other modules. Examples are the dual-core lockstep CPU architecture, flash error correction code (ECC), RAM ECC, memory BIST and other hardware safety mechanisms.
To reduce common cause failures, the TMS570 MCU takes measures in both space and time. In space, one CPU is flipped and placed perpendicular to the other, and the two CPUs are more than 100 μm apart. In time, the operations of the two CPUs are staggered by 2 clock cycles. The results of both CPUs are fed to a dedicated comparison module for real-time comparison; if one CPU's operation deviates, an error is reported immediately. The TMS570 has on-chip flash and RAM ECC, which corrects single-bit errors in flash or RAM and reports an error when two bits are wrong. The TMS570 has two independent ADC modules that can sample and convert two signals simultaneously. They can be used for redundant checking of analog quantities such as current, voltage and temperature, to ensure the correctness of monitoring data and reduce faults caused by chip failure. The ADC module also supports an ADC channel self-test function, which can detect faults such as a pin shorted to the power supply or to GND.
In addition to the safety features of the TMS570 chip itself, TI also provides a series of safety documents and tools to help system developers implement functional safety development at system level. The following documents and tools are available to customers either publicly or under an NDA:
- Safety manual;
- Safety Analysis Report Summary (SAR1);
- Detailed Safety Analysis Report (SAR2);
- SafeTI Diagnostic Library;
- SafeTI Compliance Support Package (CSP), used to verify the code quality of the safety diagnostic library;
- AUTOSAR support, with MCAL available.
In addition, TMS570 has a wealth of online resources. The following links are provided to support data downloads and technical exchanges.