Application of C2000+TMS570 dual-chip solution for automotive driver safety
With the rapid development of new energy vehicles and the increasing complexity of automotive electronic systems, the functional safety of automobiles has become more and more important, and the requirements for reliability have become higher and higher.
ISO 26262 is an international functional safety standard. Developing products according to the ISO 26262 process can effectively improve the functional safety of automotive electronic products. In the development of automotive electric drives, more and more customers require a complete functional safety design, which must meet the ASIL C safety level at the system level.
At present, there are two main-control chip approaches for electric drive functional safety: a single-chip solution and a two-chip solution. Both options have advantages and disadvantages.
TI's main dual-chip solution is "C2000+TMS570", which combines the real-time strengths of the C2000 in motor control with the functional safety features of the TMS570. This solution is popular with more and more customers. The two-chip solution has a huge advantage in automotive electronic safety.
The functional safety of the "F28379S + TMS570LS0714" dual-chip architecture.
The main safety goal of automotive electric drive systems is to avoid unexpected abrupt changes in torque. Therefore, the safety measure required in the system design is to monitor the output torque. According to the ISO 26262 ASIL decomposition principle, the ASIL C of the system can be decomposed into "ASIL C + QM": the C2000 is assigned QM-level motor control, and the TMS570 is assigned ASIL C safety function monitoring, so that the whole system achieves ASIL C.
This arrangement not only exploits the real-time performance of the C2000 in motor control, but also lets the TMS570 specialize in functional safety. At the software level, most of the motor control code can be placed on the C2000, where it only needs to meet QM-level requirements, while the small part of the code related to safety monitoring is executed on the TMS570 to meet the requirements of ASIL C. This greatly reduces software development time and cost.
The F28379S and TMS570LS0714 communicate through SPI, and data exchange and mutual verification between them is also a way to implement the safety mechanism.
For example, the F28379S and TMS570LS0714 can simultaneously sample the current in a given circuit. The sampling results are then exchanged over SPI and verified against each other. If the results are inconsistent, error handling is performed to bring the system to a safe state.
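A sketch of the monitoring side of this cross-check, as an added example that is not TI code or part of the original article. The frame layout, the CRC-8 and rolling counter, the 500 mA tolerance and the three-cycle fault limit are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical SPI frame sent by the control MCU each cycle (layout assumed). */
typedef struct { uint8_t seq; int16_t current_ma; uint8_t crc; } peer_frame_t;
typedef struct { uint8_t expected_seq; uint8_t fault_count; } xchk_state_t;
typedef enum { XCHK_OK, XCHK_SUSPECT, XCHK_SAFE_STATE } xchk_result_t;

#define TOLERANCE_MA 500 /* assumed allowed deviation between the two ADC paths */
#define FAULT_LIMIT  3   /* assumed consecutive bad cycles before safe state */

/* CRC-8 (polynomial 0x07) over the sequence counter and the sample bytes. */
uint8_t frame_crc(const peer_frame_t *f) {
    uint8_t b[3] = { f->seq, (uint8_t)((uint16_t)f->current_ma >> 8),
                     (uint8_t)f->current_ma };
    uint8_t crc = 0;
    for (size_t n = 0; n < sizeof b; n++) {
        crc ^= b[n];
        for (int i = 0; i < 8; i++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x07 : crc << 1);
    }
    return crc;
}

/* One monitoring cycle on the safety MCU: check frame integrity and freshness,
 * then compare the peer's sample with the locally sampled current. */
xchk_result_t cross_check(xchk_state_t *st, const peer_frame_t *f, int16_t local_ma) {
    if (st->fault_count >= FAULT_LIMIT)
        return XCHK_SAFE_STATE;                    /* latched until reset */
    int bad = f->crc != frame_crc(f)               /* corrupted on the bus */
           || f->seq != st->expected_seq           /* stale or missing frame */
           || abs((int)f->current_ma - (int)local_ma) > TOLERANCE_MA;
    st->expected_seq++;                            /* both sides count cycles */
    if (!bad) { st->fault_count = 0; return XCHK_OK; }
    return (++st->fault_count >= FAULT_LIMIT) ? XCHK_SAFE_STATE : XCHK_SUSPECT;
}

int main(void) {
    xchk_state_t st = { 0, 0 };
    int16_t local[] = { 12100, 14000, 14000, 14000 }; /* constructed samples */
    for (uint8_t i = 0; i < 4; i++) {
        peer_frame_t f = { i, 12000, 0 };
        f.crc = frame_crc(&f);
        printf("cycle %u -> %d\n", (unsigned)i, (int)cross_check(&st, &f, local[i]));
    }
    return 0;
}
```

The debounce counter keeps a single noisy sample from tripping the safe state, while a corrupted or repeated frame counts as a fault in the same way as a disagreeing sample.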
The C2000 is a TI microcontroller family designed for digital power and motor control applications. In recent years, with the rapid development of new energy vehicles, C2000 products have also been widely used in motor controllers on electric vehicles, where they meet the real-time requirements of motor control. The TMS320F28379S is currently the highest-performance C2000 product and can meet the requirements of high-speed, real-time motor control. The main features of the TMS320F28379S are listed below:
1. 200 MHz C28x core and CLA coprocessor;
2. 4 differential-input 16-bit ADC modules;
3. Trigonometric accelerator (TMU); it takes only 1 to 3 cycles to execute instructions such as SIN, COS, ARCTAN;
4. Built-in 8-way window comparator that can be used for over-current protection, over-voltage protection, etc.;
5. Built-in CLB programmable logic control unit;
6. 8-channel Sigma-Delta sampling filter.
TMS570 series MCUs have been certified to ASIL D, the highest level, by TÜV SÜD (a world-renowned third-party certification company), and their design and production processes strictly follow the requirements of ISO 26262. They also have a unique safety architecture and comprehensive safety mechanisms to deal with random hardware failures. The series is currently widely used in ECU systems such as the traction inverter, BMS, OBC, and VCU on new energy vehicles.
To manage random hardware failures, the TMS570 MCU integrates many safety mechanisms and uses the "safe island" safety concept. The TMS570 MCU relies on hardware diagnostics as its safety mechanism, which ensures the normal operation of the MCU software system. The red part of the above figure includes the power supply, clock, CPU, Flash, RAM and other modules. Examples of the hardware safety mechanisms are the dual-core lockstep CPU architecture, Flash error correction code (ECC), RAM ECC, and memory BIST.
To reduce common-cause failures, the TMS570 MCU also takes measures in space and time. In space, the layout of one CPU is flipped and oriented perpendicular to the other CPU, and the distance between the two CPUs exceeds 100 μm. In time, the operation of the two CPUs is staggered by 2 clock cycles, and the results are sent to a dedicated comparison module for real-time comparison. If there is a problem with the CPU operation, error handling is performed immediately.
The TMS570 has on-chip ECC for Flash and RAM: a one-bit error in Flash or RAM is corrected, and if two bits are wrong, error handling is performed.
The TMS570 has two independent ADC modules, which can simultaneously sample and convert two signals. This can be used for redundant analog checks of current, voltage, temperature, etc., to ensure the correctness of the monitoring data and reduce failures caused by chip faults. The ADC module also supports ADC channel self-test, which can detect faults such as a pin shorted to the power supply or to GND.
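The Flash and RAM ECC behaviour described above (one wrong bit is corrected, two wrong bits are only detected) can be reproduced with a small software model. This is an added example, not TI code: it uses an extended Hamming code over an assumed 4-bit data word, whereas the on-chip ECC runs in hardware on wider words.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status_t;

/* Bit positions: 0 = overall parity, 1/2/4 = Hamming parity, 3/5/6/7 = data. */
static const uint8_t DATA_POS[4] = { 3, 5, 6, 7 };

/* XOR of the positions of all set bits; zero for a valid codeword. */
static uint8_t syndrome(uint8_t cw) {
    uint8_t s = 0;
    for (uint8_t p = 1; p < 8; p++)
        if ((cw >> p) & 1u) s ^= p;
    return s;
}

static uint8_t parity8(uint8_t v) {
    v ^= (uint8_t)(v >> 4); v ^= (uint8_t)(v >> 2); v ^= (uint8_t)(v >> 1);
    return v & 1u;
}

uint8_t ecc_encode(uint8_t nibble) {
    uint8_t cw = 0;
    for (int i = 0; i < 4; i++)
        if ((nibble >> i) & 1u) cw |= (uint8_t)(1u << DATA_POS[i]);
    uint8_t s = syndrome(cw);
    for (uint8_t k = 1; k < 8; k <<= 1)       /* set parity bits 1, 2, 4 */
        if (s & k) cw |= (uint8_t)(1u << k);
    return cw | parity8(cw);                  /* bit 0 makes total parity even */
}

ecc_status_t ecc_decode(uint8_t cw, uint8_t *nibble) {
    uint8_t s = syndrome(cw);
    ecc_status_t st = ECC_OK;
    if (parity8(cw)) {                 /* odd parity: treated as a single flip */
        cw ^= (uint8_t)(1u << s);      /* s == 0 means the parity bit itself */
        st = ECC_CORRECTED;
    } else if (s != 0) {
        return ECC_UNCORRECTABLE;      /* even parity, bad syndrome: two flips */
    }
    *nibble = 0;
    for (int i = 0; i < 4; i++)
        if ((cw >> DATA_POS[i]) & 1u) *nibble |= (uint8_t)(1u << i);
    return st;
}

int main(void) {
    uint8_t d = 0, cw = ecc_encode(0xA);          /* constructed data word */
    printf("1 flip: %d\n", (int)ecc_decode(cw ^ 0x20, &d));
    printf("2 flips: %d\n", (int)ecc_decode(cw ^ 0x60, &d));
    return 0;
}
```

On `ECC_UNCORRECTABLE` the output nibble is left untouched, mirroring the rule that a double-bit error triggers error handling and its data is never consumed.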