Electric Power Steering Technology Demonstrator on TI Delfino with ASIL-D

CASE STUDY SNAPSHOT

Customer : A global Tier 1 automotive steering systems supplier
Size : > 10000
Project vertical : Automotive, Motor Control, Functional Safety
Challenge : Develop an Electric Power Steering technology demonstrator on a dual-core TI Delfino MCU with ASIL-D functional safety architecture, 400W PMSM motor control, and integration of proprietary torque and angle sensors.
Solution : EPS technology demonstrator on TI TMS320F28377D-EP dual-core real-time MCU featuring FOC-based PMSM motor control, proprietary torque and steering angle sensor integration, CAN-based vehicle speed input, ASIL-D safety architecture with watchdog supervision, and onboard power management.
Services & Products Availed :  Turnkey Product Engineering, Embedded Hardware Design, Embedded Firmware Development
Tools and Technologies :

• Target MCU: TI TMS320F28377D-EP (Dual-core TMS320C28x, 200MHz)
• Motor: 400W PMSM
• Control: Field Oriented Control (FOC), Space Vector PWM
• Sensors: Proprietary torque sensor (T1/T2), proprietary angle sensor (S/P), Hall sensor (current)
• Vehicle Interface: CAN
• Safety: ASIL-D, watchdog supervision
• Tools: TI Code Composer Studio, TI MotorControl SDK
• Languages: C

Introduction

Electric Power Steering is one of the most safety-critical systems in a modern vehicle. Unlike traditional hydraulic steering, EPS relies entirely on an embedded control system to sense driver steering intent, compute the appropriate assistance torque, and drive an electric motor to deliver that assistance, all in real time, continuously, and with no tolerance for failure. The functional safety requirements for EPS systems sit at ASIL-D, the highest level in the ISO 26262 automotive functional safety standard, reflecting the direct impact an EPS failure could have on vehicle controllability and occupant safety.

A global Tier 1 automotive steering systems supplier approached Embien to develop an EPS technology demonstrator on a Texas Instruments TMS320F28377D-EP dual-core Delfino real-time MCU. The demonstrator had to showcase a complete EPS control architecture, PMSM motor drive, proprietary torque and angle sensor integration, CAN-based vehicle speed input, and an ASIL-D functional safety framework, on hardware and software representative of a production EPS control unit. The objective was to validate the technical approach and establish a reference architecture for the customer's EPS product development programme.

Challenge

The primary challenge was implementing a complete ASIL-D safety architecture on the TMS320F28377D-EP's dual-core architecture while simultaneously delivering the real-time motor control performance that EPS demands. ASIL-D requires systematic and random hardware fault coverage, diagnostic coverage of safety-critical functions, and safe state handling for all identified failure modes, all of which must be achieved without compromising the closed-loop control bandwidth and response latency that determines steering feel.

The dual-core TMS320F28377D-EP provides natural architectural support for a safety-oriented decomposition, one core for the primary control function and one for safety monitoring, but exploiting this effectively requires careful partitioning of responsibilities, well-defined inter-core communication, and rigorous management of shared resources. Getting this partitioning right was fundamental to both the safety architecture and the control performance.

Integrating the customer's proprietary torque and angle sensors introduced additional complexity. Unlike standard off-the-shelf sensors with well-documented digital interfaces, proprietary sensors require bespoke signal conditioning, decoding, and validation logic. The torque sensor, delivering primary and secondary signals T1 and T2, had to be processed with cross-channel consistency checking as a safety diagnostic. The angle sensor, delivering primary and secondary signals S and P, similarly required redundant signal validation as part of the steering angle determination chain.

Motor current measurement using Hall sensors, Space Vector PWM generation at the switching frequency required for 400W PMSM drive, and the computational overhead of Field Oriented Control, all had to be scheduled deterministically within the real-time control loop budget of the primary CPU core, leaving sufficient headroom for safety diagnostics and CAN communication.

Solution

Dual-Core Safety Architecture

The TMS320F28377D-EP's dual TMS320C28x cores, each running at 200MHz, were partitioned according to an ASIL-D safety architecture. The primary core (CPU1) executes the complete EPS control function: torque sensor acquisition and processing, angle sensor acquisition and processing, Field Oriented Control computation, Space Vector PWM generation, and CAN communication. The secondary core (CPU2) runs independently as the safety monitor, performing independent diagnostic checks on safety-critical signals, monitoring the primary core's execution health through a cross-core challenge-response watchdog, and taking control of the safe state output path in the event of a detected fault.

Inter-core communication is implemented through the device's shared memory with access arbitration, with message passing structured to avoid shared-resource contention that could compromise the determinism of either core's execution. The safety architecture was developed in accordance with ISO 26262 ASIL-D requirements, with hardware and software diagnostic coverage targets addressed through a combination of on-chip hardware safety mechanisms, memory protection units, CPU self-test, clock monitoring, and software diagnostic routines executed periodically within the safety monitor core's task schedule.

PMSM Motor Control - Field Oriented Control

The 400W PMSM drive is implemented using Field Oriented Control, the standard high-performance control strategy for PMSM motors, running on CPU1. The FOC control chain operates at the PWM switching frequency, executing the full Clarke and Park transform pipeline, PI current controllers in the d-q reference frame, inverse Park transform, and Space Vector PWM modulation within each control cycle. Motor phase currents are acquired from Hall sensors connected to the device's onboard ADCs, with the ADC conversion triggered synchronously with the PWM carrier to ensure consistent, noise-free current sampling.

The FOC implementation leverages TI's MotorControl SDK library functions for the core transform and modulation computations, with Embien developing the supervisory control layer, torque demand calculation from the steering assist map, speed-dependent assist gain scheduling, and transition management between active assist and safe state, on top of the SDK foundation. The result is a responsive, smooth steering assist characteristic across the full operating speed range.

Proprietary Sensor Integration

The torque sensor delivers primary and secondary analogue voltage signals, T1 and T2, proportional to the driver-applied steering torque. Both signals are acquired through dedicated ADC channels and processed through signal conditioning and range validation. Cross-channel consistency checking, comparing T1 and T2 for plausibility within a defined tolerance, is implemented as an ASIL-D safety diagnostic, with a disagreement between channels triggering a fault event and safe state transition. The conditioned torque signal feeds the steering assist demand calculation in the FOC supervisory layer.

The angle sensor delivers primary and secondary signals, S and P, from which the absolute steering angle is computed. Both signals are independently decoded and the resulting angle values compared for consistency as a redundant validation diagnostic. The steering angle is used for vehicle speed-dependent assist gain scheduling and for end-stop management, progressively reducing assist torque as the steering approaches the mechanical travel limits to prevent end-stop impact.

Vehicle Speed Input via CAN

Vehicle speed is received over the CAN interface as a periodic broadcast message from the vehicle's ABS or wheel speed sensor ECU. The CAN reception task on CPU1 maintains a live vehicle speed value with a timeout monitor, detecting loss of CAN communication and substituting a safe default speed value that results in a conservative, low-gain assist characteristic rather than a complete loss of assist. This degraded mode behaviour is defined as a safe state for the loss-of-vehicle-speed fault mode.

Power Management and Hardware Protection

The demonstrator hardware includes onboard DC-DC converters providing the regulated supply voltages required by the MCU, gate drivers, and sensor interfaces from the vehicle 12V supply. Isolation is provided between the power and signal domains to protect the MCU and sensors from the electrical transients associated with motor switching. Battery voltage monitoring is implemented as both a safety diagnostic, detecting undervoltage conditions that would compromise motor drive capability, and as an input to the assist gain schedule.

Benefits

• ASIL-D dual-core safety architecture - CPU1/CPU2 decomposition with cross-core challenge-response watchdog and independent safety monitor delivers ISO 26262 ASIL-D diagnostic coverage on the TMS320F28377D-EP platform
• High-performance FOC motor control - Full Field Oriented Control pipeline with synchronous ADC triggering delivers smooth, responsive 400W PMSM steering assist across the complete operating speed range
• Redundant proprietary sensor integration - Cross-channel consistency checking on both torque (T1/T2) and angle (S/P) sensor signals implemented as ASIL-D safety diagnostics with defined safe state transitions
• CAN-based degraded mode handling - Vehicle speed timeout detection with conservative assist fallback maintains steering assistance continuity during transient CAN communication loss
• Complete reference architecture - Demonstrator establishes a validated hardware and software EPS reference architecture directly applicable to the customer's production EPS control unit development programme

Conclusion

This Windows Embedded Compact 2013 BSP project demonstrates Embien's capability to deliver production-quality OS porting and BSP development for industrial automation applications, combining deep Windows CE platform expertise with the domain knowledge required to address the specific reliability, I/O, and connectivity requirements of industrial PC hardware. By enabling the customer's field-proven .NET Compact Framework application on a modern dual-core SoC platform through careful adaptation rather than rewrite, Embien delivered both a hardware platform upgrade and a preserved software investment, a combination that significantly reduced the customer's migration risk and time to market. This engagement was the beginning of a longer technology partnership, with the customer subsequently migrating from Windows CE to Linux,a journey that Embien supported through the next phase of their platform evolution.