TI Hercules TMS5704357BZWTQQ1 Design Guide for Automotive ASIL-D and Industrial Functional Safety
Complete integration guide for the TI Hercules TMS5704357BZWTQQ1 dual-core lockstep Cortex-R5F MCU: lockstep CPU, ECC RAM, FlexRay/CAN-FD, and ASIL-D pitfalls.
Last updated: May 2026
Bottom Line: The TI Hercules TMS5704357BZWTQQ1 is a dual-core lockstep ARM Cortex-R5F MCU built for ASIL-D automotive and IEC 61508 SIL-3 industrial safety applications. Its hardware-redundant CPU cores, ECC-protected memories, and integrated FlexRay/CAN-FD communication make it one of the most capable safety MCUs available. When integrating this device, engineers must configure the IOMM for safe peripheral access, implement the startup self-test routines (PBIST/LBIST), and handle FlexRay timing with a dedicated external crystal to avoid clock-related safety violations.
Introduction
The TMS5704357BZWTQQ1 is Texas Instruments' highest-density member of the Hercules TMS570 family, offering a dual-core lockstep ARM Cortex-R5F at 300 MHz, 4 MB of ECC-protected flash, 512 KB of ECC-protected SRAM, and a rich peripheral set that includes FlexRay 2.1A, dual CAN-FD nodes, Ethernet MAC, and a 12-channel NHET timer engine. It targets ISO 26262 ASIL-D (automotive) and IEC 61508 SIL-3 (industrial machinery, rail, power grid) safety domains.
This design guide walks through the key integration challenges — lockstep CPU configuration, memory ECC handling, FlexRay/CAN-FD bring-up, safe clock design, and common pitfalls — so your team can reach hardware qualification faster.
Design Considerations
1. Dual-Core Lockstep Architecture and CPU Monitor
The TMS5704357BZWTQQ1's safety architecture is built around two Cortex-R5F cores running identical instruction streams 1 cycle apart, with a hardware compare module (CCM-R5) that flags any divergence. This lockstep configuration satisfies the ISO 26262 hardware architectural metric (PMHF < 10 FIT) at ASIL-D without requiring software voting logic.
Configuration: The CCM-R5 must be enabled in the CCMKEYR register before the application transitions to user mode. TI's HALCoGen generates this initialization in sys_core.asm. Do not disable the CCM for debug convenience — the silicon captures CCM errors as ESM group 2 faults, which trigger an NMI.
Operating modes: The device supports lockstep mode (required for ASIL-D), single-CPU mode (ASIL-B at best), and split mode for debug. Production builds must assert the LOCKSTEP_EN eFuse or set SYS_CLK_CNTRL:CLKMOD to lock the mode register after startup.
Startup LBIST: The Logic Built-In Self-Test (LBIST) must run at every power-on reset before the CPU enters user mode. LBIST coverage on the TMS5704357BZWTQQ1 is ≥ 97% for the CPU logic domain (see TI SPNU503B, Table 4-1). Allow 50–80 ms for the LBIST sequence at 300 MHz before releasing the safety watchdog.
2. ECC-Protected Memory: Flash and SRAM Handling
Every byte of the 4 MB program flash and 512 KB SRAM on the TMS5704357BZWTQQ1 is protected by a 72-bit SECDED ECC code, delivering single-error correction and double-error detection per 64-bit data word. The Memory Built-In Self-Test (PBIST) controller can test all SRAM and ROM instances in parallel.
ECC error reporting: Single-bit correctable errors (SBE) are reported via the ESM group 1 channel; uncorrectable double-bit errors (DBE) assert ESM group 2 and pull ERROR low. Your ESM handler must distinguish these levels: SBE typically warrants logging and continued operation; DBE should trigger a safe-state transition per your safety concept.
Stack and heap placement: Place safety-relevant stacks in the ECC SRAM (address range 0x08000000–0x0807FFFF). Avoid locating safety stacks in the message RAM (used by FlexRay/CAN), which has separate memory protection (MPU) but does not share the SRAM ECC controller.
Flash ECC initialization: After programming, verify ECC banks using the flash wrapper's FEDACSTATUS register and the FDIAGCTRL:DIAG_EN diagnostic mode as described in SPNU503B, Section 5.4. Leaving ECC in an uninitialized state can cause false DBE faults on the first read.
3. Clock Architecture and Oscillator Selection
The TMS5704357BZWTQQ1 operates from two on-chip PLLs (PLL1: up to 300 MHz; PLL2: fixed 200 MHz for FlexRay), each requiring an external crystal reference. The frequency monitor (FM) and clock supervisor (CS) are safety mechanisms that detect PLL unlock within one PLL clock cycle.
Crystal requirement for FlexRay: FlexRay requires a phase-synchronous timing reference. Use a 20 MHz or 40 MHz crystal with ESR ≤ 80 Ω and load capacitance within ±1 ppm of the crystal's specified load (typically 10–18 pF). Do not use an external oscillator module (XO) unless its startup jitter specification is verified against the FlexRay Physical Layer spec (ISO 17458-3, Clause 8.2.2).
PLL lock sequence: TI recommends enabling PLL1 first, waiting for CLKCNTRL:PLLRDY1 with a 1 ms software timeout, then enabling PLL2. Switching directly to PLL output before the lock flag is set causes a transient overspeed that the FM will flag as an error — a common cause of spurious ESM group 1 events during cold-boot bring-up.
Fail-safe clock: When PLL1 loses lock during operation, the FM switches the CPU to the OSCIN reference automatically. Your safe-state handler should detect the GBLSTAT:OSCFAIL and GBLSTAT:PLLFAIL bits and use a hardware watchdog to trigger a reset within the fault-tolerance time interval (FTTI) defined by your safety concept.
4. FlexRay 2.1A Integration
The TMS5704357BZWTQQ1 integrates a full FlexRay 2.1A communication controller (E-Ray IP), supporting both static and dynamic segments on two independent bus channels. FlexRay is commonly used in automotive chassis control (EPS, ABS, active suspension) where deterministic latency < 1 ms is mandatory.
Clock configuration for E-Ray: E-Ray requires VCLK3 = 80 MHz. Ensure CLKDIV2:VCLK3R divides PLL1 output to exactly 80 MHz before enabling the E-Ray module. Mis-configuration causes the controller to report BAD_OFFSET in the protocol status vector — a symptom that is frequently confused with a bus wiring fault.
Buffer configuration: Static segment buffers must be allocated before starting the POC (Protocol Operation Control). TI recommends configuring at least one static transmit buffer per node before issuing CMD_RUN. Omitting a transmit buffer in a static slot causes SLOT_STATUS_ERROR, triggering a bus guardian violation on adjacent nodes.
Bus guardian: For ASIL-D, connect the TMS5704357BZWTQQ1's bus guardian output (BGE) to the external transceiver BGE input on both channels. This provides hardware isolation of the FlexRay bus during a runaway transmit condition. Validate bus guardian timing using the OBCR register sequence per TI AN SPRABN1.
5. CAN-FD and MibSPI Configuration
The device offers two CAN-FD controllers (DCAN1, DCAN2) using the Bosch M_CAN IP block, fully compliant with ISO 11898-1:2015. CAN-FD enables data-phase bit rates up to 5 Mbps, a capability used in OBD-II gateway and domain-controller applications.
Bit-timing calculation: At 40 MHz CAN clock (VCLK4), achieving 500 kbps nominal / 2 Mbps data requires NBTP = {NBRP=4, NTSEG1=63, NTSEG2=16, NSJW=16} and DBTP = {DBRP=4, DTSEG1=7, DTSEG2=2, DSJW=2}. These values must be recalculated for each CAN clock frequency; use TI's CAN bit-time calculator tool (SLOC065).
Transceiver isolation: Connect DCAN TX/RX through an ISO 11898-2 compliant transceiver with an integrated common-mode choke whenever the bus runs over more than 1 m of harness. Do not connect DCAN directly to the harness without ESD protection — the M_CAN IP does not include bus-pin ESD clamps.
MibSPI for external sensors: The multi-buffered SPI (MibSPI) controller on the TMS5704357BZWTQQ1 supports up to 128-entry transfer groups with hardware-triggered DMA. For ADAS sensor interfaces (e.g., radar SPI, angle sensor SPI), configure MibSPI in compatibility mode (legacy SPI) only if the sensor requires CS toggling between each byte; otherwise use transfer-group mode for lowest CPU overhead.
6. IOMM Peripheral Mux and Safe IO Configuration
The I/O Multiplexing Module (IOMM) controls which peripheral is connected to each ball on the 337-ball NFBGA package. Misconfigured IOMM settings are the most common cause of first-spin hardware failures on TMS5704357BZWTQQ1 designs.
IOMM lock register: After HALCoGen initializes the IOMM at startup, lock the IOMM_LOCK register to prevent accidental reconfiguration by errant code. A write of 0x0000000F to IOMM_LOCK activates the protection. TI Safety Manual SPNU503B, Section 3.6, lists this step as a mandatory safety action for ASIL-D.
Pin functional mode: Each ball supports up to four functional modes (PINMMR fields). HALCoGen's "I/O Port" view assigns these automatically, but verify the generated pinmux_config.c against your schematic — HALCoGen defaults may not match your board layout for multi-function balls.
Recommended Solutions
Three representative design configurations are commonly used with the TMS5704357BZWTQQ1:
| Configuration | Target Use Case | Key Peripherals | Regulatory Level |
|---|---|---|---|
| A — FlexRay + CAN Gateway | Automotive Domain Controller | E-Ray, DCAN1/2, EMAC | ISO 26262 ASIL-D |
| B — CAN-FD only Safety ECU | Motor Control, EPS | DCAN1/2, MibADC, NHET | ISO 26262 ASIL-D |
| C — Industrial Safety Controller | IEC 61508 SIL-3 machinery | DCAN1, SCI, GIO, NHET | IEC 61508 SIL-3 |
Configuration A — Automotive FlexRay + CAN-FD Domain Controller
Overview: Use the TMS5704357BZWTQQ1 as a central domain controller that bridges a FlexRay chassis backbone to CAN-FD subsystem nodes, also routing Ethernet to the vehicle's central gateway.
Recommended Components:
- TMS5704357BZWTQQ1 — Host safety MCU (lockstep Cortex-R5F, 300 MHz, 4 MB flash)
- TMS5701115CZWTQQ1 — Companion node MCU for FlexRay branch with lower BOM cost
- TMS5700332BPZQQ1 — Entry-level Hercules for ASIL-B subnodes
Pros: Maximum peripheral density, single-chip FlexRay + CAN-FD + Ethernet; reduces PCB area vs. multi-chip gateway.
Cons: 337-ball NFBGA requires 6-layer PCB minimum; BOM cost premium over smaller TMS570 variants.
Applicable when: You need ASIL-D with both FlexRay and Ethernet on a single SoC, e.g., next-generation domain ECU.
Configuration B — Standalone ASIL-D CAN-FD Safety ECU
Overview: Drive a safety-critical actuator (EPS motor, brake caliper) using the TMS5704357BZWTQQ1 without the FlexRay overhead. CAN-FD provides 2–5 Mbps data for fast torque commands.
Recommended Components:
- TMS5704357BZWTQQ1 — Primary safety MCU
- TMS5700432BPZQQ1 — Companion MCU for monitoring-only channel
- TMS5700914APZQQ1 — Suitable for ASIL-B monitoring tasks at reduced cost
Pros: Smaller footprint for pure motor-control applications; saves power vs. full FlexRay bring-up.
Cons: No deterministic static-slot timing — CAN-FD event-triggered latency is non-deterministic under bus overload.
Applicable when: Your safety concept permits E2E protection over CAN-FD (e.g., ISO 11898-1 error detection is sufficient) and the FTTI > 5 ms.
Configuration C — Industrial IEC 61508 SIL-3 Controller
Overview: Replace a PLC safety module in a servo-drive or industrial robot with the TMS5704357BZWTQQ1, using SCI (RS-422) for PROFIBUS/Modbus gateway and CAN for CANopen safety.
Recommended Components:
- TMS5704357BZWTQQ1 — Core safety processor
- TMS5702124DPGEQQ1 — Optional expansion node for IEC 61508 SIL-2 I/O
- TMS5700914APGEQQ1 — LQFP-144 variant for PCB space constraints
Pros: IEC 61508 SIL-3 certified safety manual (TI SPNU503B) available; reduces certification effort significantly.
Cons: Industrial variants require extended -40 °C to +125 °C screening; lead time for industrial quantity can be 16–26 weeks — source via FindMyChip's /quote for competitive pricing from 200+ verified distributors.
Common Pitfalls and Troubleshooting
Pitfall 1: Skipping LBIST in Production Firmware
Error: Development firmware disables LBIST to shorten power-on reset time. Production builds shipped without re-enabling LBIST will fail ISO 26262 Part 4 hardware test coverage requirements.
Consequence: The diagnostic coverage credit for LBIST (97% CPU logic) is not achieved, pushing PMHF above ASIL-D limits. Certification auditors will reject the safety case.
Fix: In HALCoGen, check "Enable LBIST at startup" in the TMS570 device configuration panel. Verify using the LBISTCTRL register state in your post-reset debugger script.
Pitfall 2: PLL Startup Race Condition
Error: The main loop starts executing from PLL-clocked flash before PLLRDY is asserted.
Consequence: The CPU runs at an indeterminate frequency (often 2–10x the oscillator frequency) during the PLL lock window, causing undefined instruction execution and unpredictable ESM faults.
Fix: Poll SYS1_CSDIS:CLKSR_READY bits and add a software timeout of ≥ 1 ms per PLL. Never rely solely on a fixed delay — crystal startup time varies with temperature between -40 °C and +125 °C.
Pitfall 3: FlexRay E-Ray VCLK3 Frequency Error
Error: CLKDIV2:VCLK3R is left at reset default (divide-by-1), supplying 300 MHz to E-Ray instead of the required 80 MHz.
Consequence: E-Ray reports INIT_ERROR during POC startup and never transitions to NORMAL_ACTIVE. This is often mistaken for a PCB wiring fault, leading to extensive board-level debugging.
Fix: Set VCLK3R = 0x2 (divide-by-4 from 320 MHz PLL) before enabling E-Ray in HALCoGen's clock configuration tree.
Pitfall 4: Unlocked IOMM Registers
Error: IOMM lock register is never written, leaving IOMM reconfigurable throughout runtime.
Consequence: A safety analysis must cover the scenario where an errant write to IOMM silently reroutes a safety-critical pin (e.g., an ESM error output) to a different peripheral. This creates an unintended fault in the safety concept that is very difficult to detect.
Fix: Write 0x0000000F to IOMM_LOCK at the end of startup initialization, before releasing the watchdog.
Pitfall 5: CAN-FD Bit-Time Miscalculation after VCLK4 Change
Error: The project changes VCLK4 late in development to save power, but the NBTP/DBTP register values are not recalculated.
Consequence: CAN node operates at the wrong bit-rate, causing network-level errors (BEC > 127) and eventual bus-off. The symptom appears only when communicating with external nodes, so bench-only testing may miss it.
Fix: Treat VCLK4 as a frozen parameter early in design. If it must change, regenerate all CAN bit-timing values using TI's SLOC065 calculator and verify with a CAN analyzer.
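An added example (not code from this guide, TI, or FindMyChip) covering both the bit-timing paragraph in Section 5 and Pitfall 5: it solves M_CAN NBTP/DBTP field values for a given VCLK4 and target nominal/data bit rates, packs them into register words, and shows what the same register contents produce if VCLK4 is changed afterwards. It assumes the Bosch M_CAN encoding (each programmed field is used as value + 1, one bit = sync + TSEG1 + TSEG2 time quanta) and the M_CAN field widths and bit positions; confirm both against the device TRM before use.

```python
"""M_CAN NBTP/DBTP bit-timing solver (added example, not TI or FindMyChip code).
Assumes the M_CAN encoding: tq = (BRP + 1) / f_can, one bit = 1 (sync) + (TSEG1 + 1)
+ (TSEG2 + 1) tq, with field limits and bit positions from the M_CAN register map."""
from dataclasses import dataclass
from typing import Optional, Tuple

NOMINAL_LIMITS = (511, 255, 127, 127)  # max NBRP, NTSEG1, NTSEG2, NSJW
DATA_LIMITS = (31, 31, 15, 15)         # max DBRP, DTSEG1, DTSEG2, DSJW


@dataclass(frozen=True)
class BitTiming:
    brp: int    # prescaler field (hardware uses brp + 1)
    tseg1: int  # tq before the sample point, minus sync and the +1 encoding
    tseg2: int  # tq after the sample point, minus the +1 encoding
    sjw: int    # resynchronisation jump width field

    def tq_per_bit(self) -> int:
        return 1 + (self.tseg1 + 1) + (self.tseg2 + 1)

    def bit_rate(self, f_can_hz: int) -> float:
        return f_can_hz / ((self.brp + 1) * self.tq_per_bit())

    def sample_point(self) -> float:
        return (2 + self.tseg1) / self.tq_per_bit()


def solve(f_can_hz: int, target_bps: int, limits: Tuple[int, int, int, int],
          sample_point: float = 0.8) -> Optional[BitTiming]:
    """Smallest prescaler (finest tq) that hits target_bps exactly, or None."""
    brp_max, tseg1_max, tseg2_max, sjw_max = limits
    for brp in range(brp_max + 1):
        if f_can_hz % ((brp + 1) * target_bps):
            continue  # bit time would not be a whole number of tq
        tq = f_can_hz // ((brp + 1) * target_bps)
        tseg1 = round(tq * sample_point) - 2
        tseg2 = tq - tseg1 - 3
        if 0 <= tseg1 <= tseg1_max and 0 <= tseg2 <= tseg2_max:
            return BitTiming(brp, tseg1, tseg2, min(tseg2, sjw_max))
    return None

def nbtp_word(t: BitTiming) -> int:  # NSJW[31:25] NBRP[24:16] NTSEG1[15:8] NTSEG2[6:0]
    return (t.sjw << 25) | (t.brp << 16) | (t.tseg1 << 8) | t.tseg2

def dbtp_word(t: BitTiming) -> int:  # DBRP[20:16] DTSEG1[12:8] DTSEG2[7:4] DSJW[3:0]
    return (t.brp << 16) | (t.tseg1 << 8) | (t.tseg2 << 4) | t.sjw

def rate_error(t: BitTiming, f_can_hz: int, expected_bps: int) -> float:
    """Relative bit-rate error when the same fields run from a different VCLK4."""
    return t.bit_rate(f_can_hz) / expected_bps - 1.0

if __name__ == "__main__":
    nom = solve(40_000_000, 500_000, NOMINAL_LIMITS)  # VCLK4 = 40 MHz as in Section 5
    dat = solve(40_000_000, 2_000_000, DATA_LIMITS)
    print(f"NBTP=0x{nbtp_word(nom):08X} DBTP=0x{dbtp_word(dat):08X}")
    # Pitfall 5: keep NBTP but move VCLK4 to 20 MHz and the nominal rate halves.
    print(f"rate error at 20 MHz VCLK4: {rate_error(nom, 20_000_000, 500_000):+.0%}")
```

`solve` returns `None` when the target rate is not an integer number of time quanta from the given clock (for example 3 Mbps from 40 MHz), which is the case a fixed-delay copy of old register values silently gets wrong.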
FAQ
Q1: What is the difference between the TMS5704357BZWTQQ1 and TMS5703137 for ASIL-D?
The TMS5704357BZWTQQ1 uses a dual-core lockstep ARM Cortex-R5F at 300 MHz with 4 MB flash, FlexRay 2.1A, and Ethernet MAC. The TMS5703137 uses a single-core Cortex-R4F at 160 MHz with 3 MB flash and no FlexRay or Ethernet. Both carry TI's ASIL-D safety manual, but the TMS5703137 requires additional external monitoring hardware to reach ASIL-D at the system level, while the TMS5704357BZWTQQ1 achieves it with the integrated lockstep CCM-R5.
Q2: Does the TMS5704357BZWTQQ1 require an external safety companion IC (like TPS65381)?
For ASIL-D system certification, TI recommends pairing the TMS5704357BZWTQQ1 with a safety power-management IC such as the TPS65381-Q1. The companion PMIC provides independent voltage and clock monitoring, watchdog supervision, and an error signal monitor that is physically separate from the MCU — a defense-in-depth requirement for ISO 26262 Part 6 dependent failure analysis (DFA).
Q3: How does ECC SRAM initialization affect startup time?
SRAM ECC must be initialized before first read to prevent false double-bit errors. The TMS5704357BZWTQQ1's DMA controller can zero-initialize and write ECC for all 512 KB in approximately 3–5 ms at 300 MHz using DMA burst mode. HALCoGen's startup code performs this automatically in _sys_startup() — do not bypass it.
Q4: Can the TMS5704357BZWTQQ1 run FreeRTOS or a full RTOS for ASIL-D applications?
The device is compatible with FreeRTOS with the ARM Cortex-R5F port. For ASIL-D, the OS itself must be qualified or its safety impact analyzed. TI supports AUTOSAR OS integration through certified tool chains (HighTec, Green Hills INTEGRITY RTOS). For lower-cost designs, a simple cooperative scheduler with documented cycle-time analysis often carries less certification overhead than a preemptive RTOS.
Q5: How do I source TMS5704357BZWTQQ1 when lead times exceed 26 weeks?
The TMS5704357BZWTQQ1 is an AEC-Q100 automotive part with constrained allocations. Use FindMyChip's /search to check real-time stock across 200+ verified global distributors, or submit a /quote request for volume pricing and lead-time negotiation. FindMyChip's 5-point authentication process screens for counterfeits, which are increasingly common for high-demand automotive MCUs.
Conclusion
The TI Hercules TMS5704357BZWTQQ1 is a mature, well-documented platform for ISO 26262 ASIL-D automotive ECUs and IEC 61508 SIL-3 industrial safety controllers. Its hardware lockstep CCM-R5, SECDED ECC memories, integrated FlexRay 2.1A, and TI's comprehensive safety manual (SPNU503B) substantially reduce the per-project certification effort compared to assembling safety mechanisms from discrete components.
The critical integration points are: enabling LBIST before user mode, sequencing PLL startup correctly, setting VCLK3 to exactly 80 MHz before enabling E-Ray, locking the IOMM after initialization, and recalculating CAN-FD bit-timing whenever VCLK4 changes. Addressing these points during initial bring-up prevents the most common sources of project delays.
For sourcing, search available stock at FindMyChip /search or request a competitive quote via /quote. Bulk procurement of automotive-grade parts benefits from FindMyChip's 200+ verified distributor network and 24-hour response SLA for safety-critical supply chain needs.
