safety seminar silkeborg day-1 2012

Post on 30-Oct-2015

108 views

Category:

Documents


8 download

DESCRIPTION

Safety Seminar

TRANSCRIPT

  • 1 Functional Safety Seminar & 1-Day Hercules™ Workshop

    Embedded Processing Marketing, MCU Industrial & Automotive

    Marcus Frech [email protected]

    Josef Mieslinger [email protected]

    Arrow Roadshow, Silkeborg 2012

  • 2 Agenda Day 1

    - Introduction to Functional Safety
    - Systematic and Random Failures
    - Hazard and Risk Analysis
    - IEC EN 61508
    - ISO 26262
    - Hercules (TMS570, RM4x and TMS470M) Overview
    - Hercules Safety Concept and Peripherals
    - Development Kits, SW Tools
    - Safety Critical Motor Control Example

  • 3 Agenda Day 2

    - TMS570 Introduction and Roadmap
    - Development Tools: Hardware kits, Software tools
    - Safety Overview and Modules
    - TMS570LS Architecture: Memory Map, Clocking, Exceptions
    - Embedded Flash Memory tools: nowECC, nowFlash, API
    - Demo: TMS570 Safety MCU Demos
    - Real Time Interrupt (RTI), Vectored Interrupt Manager (VIM), Direct Memory Access (DMA), General-purpose I/O (GIO), Programmable Timer Unit with Transfer Unit (NHET/HTU)
    - Demo: Using NHET as GIO
    - Multi-Buffered Serial Peripheral Interface (MibSPI), Controller Area Network (DCAN), FlexRay Interface with Transfer Unit (ERAY/FTU), Local Interconnect Network (LIN) / Serial Communication Interface (SCI)
    - Demo: PC to SCI Communication
    - External Memory Interface (EMIF) / Parameter Overlay (POM), Multi-buffered Analog-to-Digital Converter (MibADC)
    - Support Structure: Web, Forum, WIKI

  • 4 Motivation

    Safety concerns

    Space Shuttle Challenger disaster (1986): the Space Shuttle broke apart (deaths of 7 crew members). Cause: unqualified O-ring seal.

    Ariane 5 explosion (1996): no victims (unmanned flight), but loss of over 370 million $. Cause: SW design error (missing protection against integer overflow).

    Laws / claim damages

  • 5 Safety and Security

    Safety: no unacceptable risk from the system to the health of people or to the system environment.

    Security: avoid manipulation of the system from the outside world.

  • 6 Definition of Functional Safety

    IEC 61508 definition: Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment. Functional Safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

    ISO 26262 definition: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems.

  • 7 Safety Standards

    - IEC 61508 (safety)
    - EN 50128 / EN 50129 (railway)
    - DO-254 / DO-178B (aerospace)
    - IEC 50156 (furnaces)
    - IEC 60880 (nuclear power stations)
    - ISO 26262 (automotive)
    - IEC 62061 / ISO 13849 (machinery)
    - IEC 61511 (process industry)
    - IEC 60601 (medical equipment)

    (Figure: Hercules™ MCU shown against these standards.)

  • 8 What is a System?

    (Figure: a system inside its environment. Signal chain: Sensor → Input Circuit → Logic Solver → Output Circuit → Actuator / Final Element, with power supply (+/-) and common circuitry shared by the blocks.)

  • 9 MCU in a Functional Safety System

    System components are generally classed E/E/PE: Electrical / Electronic / Programmable Electronic. An MCU is a complex PE component.

    MCU HW and SW functions may be safety critical and should be considered.

    (Figure: the system in its environment, decomposed into sub-systems of E/E/PE components; the PE component splits into MCU HW and MCU SW.)

  • 10

    Functional Safety Basic Concepts

    All systems will have some inherent, quantifiable failure rate.

    For each application, there is some tolerable failure rate which does not lead to unacceptable risk.

    Acceptable failure rates vary per application, based on the potential for direct or indirect physical injury in the event of system malfunction.

    Categories can be developed for similar levels of risk. These are known as Safety Integrity Levels, or SILs.

  • 11 Functional Safety Lifecycle

    (Figure: lifecycle phases Concept → Design → Prototype → Release for Manufacturing → Field Implementation → Removal from Field Usage, with Verification, Management, Documentation and Assessment running alongside all phases.)

  • 12 Fault, Error and Failure

    Fault: operational issue in a system which may lead to an error.

    Error: discrepancy between expected and actual value.

    Failure: result of a fault which leads to an inability to execute safety critical functionality.

    Fault → Error → Failure

  • 13 Errors in Functional Safety Systems

    Permanent: the system must be repaired.

    Transient: occurs for a short time; disappears automatically or by reset.

  • 14 Failures in Functional Safety Systems

    Random failures: result from random defects. Cannot be reduced; must be detected and handled by the application. Addressed by hazard and risk analyses.

    Systematic failures: result from a failure in design or manufacturing. Reducible through quality management. Often a result of failure to follow best practices.

    Failures are classed as physical (random) or functional (systematic).

  • 15 Dependent Failures

    Common cause failures: a single root cause produces faults in several elements at once, each running through Fault → Error → Failure.

    Cascading failures: the failure of one element becomes the fault of the next, so Fault → Error → Failure chains from element to element.

    (Figure: both patterns drawn as chains of Fault → Error → Failure boxes, the common cause case fanning out from one Root Cause.)

  • 16 How can a System Fail?

    Safe: enters the safe state.

    Dangerous: may cause a hazard.

    Operational: runs in a degraded mode.

  • 17 Example Fault Propagation

    (Figure: the system / environment diagram of slide 9, with a fault propagating from one E/E/PE component through its sub-system up to the system and its environment.)

  • 18 Reliability vs. Availability

    Reliability: probability that a device will perform its required function under stated conditions for a specific period of time. Reliability is quantified as Mean Time Between Failures (MTBF) for repairable systems and Mean Time To Failure (MTTF) for non-repairable systems.

    Availability: probability that a device will perform its required function under stated conditions at a specific point in time.

  • 19 Mean Time Between Failures

    MTBF: Mean Time Between Failures. MTTF: Mean Time To Failure. MTTR: Mean Time To Restoration (detect and repair time).

    (Figure: up/down timeline over t; between two consecutive failures at t_U and t_U+1, TBF = TTF (up time) + TTR (down time).)

  • 20 Failure Rate

    The failure rate can be calculated as follows for a device with a constant failure rate.

    FIT = Failures In Time = 1 failure in 10^9 device hours

    Example: what is the failure rate of 50 FIT in units of failures per year?

    50 FIT = 0.00000005 failures per hour; 0.00000005 failures per hour x 8760 hours per year = 0.000438 failures per year

  • 21 What is a Hazard?

    A hazard is a situation that poses a level of threat to life, health, property or environment.

    (Figure: Hazard → Hazardous Event 1 … Hazardous Event n → Accident.)

  • 22 Functional Safety Basics

    - Identify system hazards.
    - Classify system hazards.
    - Determine methods to control system hazards.
    - Define requirements for reliability and availability.
    - Determine the Safety Integrity Level (SIL).
    - Specify development methods according to the SIL.

  • 23 What is Risk?

    Risk is a combination of frequency (probability of the hazardous event) and consequence. With this definition it is possible to analyze risk qualitatively or quantitatively.

    Risk = f x C

    (Figure: Hazard → Hazardous Event 1 … n → Accident, as on slide 21.)

  • 24 Qualitative Analysis

    Qualitative analyses use words like probable, frequent, unlikely, etc. to describe the likelihood of a hazardous event, and words like minor, major, catastrophic, etc. to describe its severity. Qualitative numbers are introduced on how to interpret these words; e.g. "unlikely" may be defined as once every 10 to 100 years.

    Analysis techniques: Risk Graph, FMEA

  • 25 Quantitative Analysis

    Quantitative analysis uses numbers to describe the likelihood and severity of a hazardous event. E.g. the likelihood (frequency) of the hazardous event is < 10^-3 per year; the likelihood of potential loss of life is < 10^-5 per year.

    A certain amount of uncertainty is associated with the prediction in numbers. Different analysis techniques may end with different results. Some qualitative interpretation is necessary to decide if a hazardous event is in the acceptable risk region.

    Analysis techniques: Risk = (f x C), Probability of Failure on Demand (PFD), FMEDA

  • 26 Risk Classes IEC 61508

    Risk Class  Definition
    1           Intolerable risk
    2           Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
    3           Tolerable risk if the cost of risk reduction would exceed the improvement gained.
    4           Negligible risk

  • 27 Risk Classification IEC 61508

    Risk class by frequency f (rows) and consequence C (columns):

    Frequency    Catastrophic  Critical  Marginal  Negligible
    Frequent     1             1         1         2
    Probable     1             1         2         3
    Occasional   1             2         3         3
    Remote       2             3         3         4
    Improbable   3             3         4         4
    Incredible   4             4         4         4

  • 28 Risk Graph

    Decision tree in which a team considers some risk parameters to determine a safety integrity level.

    Remember: R = f x C. C may be considered as the consequence risk parameter (C); f may be considered as the combination of the frequency and exposure time risk parameter (F), the possibility of failing to avoid the hazard risk parameter (P) and the probability of the unwanted occurrence (W).

    Every combination of risk parameters leads to an estimation of the required risk reduction.

  • 29 Risk Graph Parameter Example

    Risk Parameter  Classification
    C1  Minor injury.
    C2  Serious permanent injury. Death to one person.
    C3  Death to several people.
    C4  Very many people killed.
    F1  Rare to more often exposure in the hazardous zone.
    F2  Frequent to permanent exposure in the hazardous zone.
    P1  Possible under certain conditions.
    P2  Almost impossible.
    W1  A very slight probability of unwanted occurrences.
    W2  A slight probability of unwanted occurrences.
    W3  A relatively high probability of unwanted occurrences.

  • 30 Risk Graph

    Assign assessment criteria to requirement classes: random failures, systematic failures, manipulation. Requirement classes are a measure for the necessary risk reduction.

    (Figure: decision tree from Start over C1..C4, then F1/F2, then P1/P2, ending in eight branches. Requirement class per branch and W column, branches listed top to bottom:)

    Branch  W3  W2  W1
    1       1   -   -
    2       2   1   -
    3       3   2   1
    4       4   3   2
    5       5   4   3
    6       6   5   4
    7       7   6   5
    8       8   7   6

  • 31 Necessary Risk Reduction

    (Figure: risk scale from low to high. The risk of the hazard lies above the acceptable risk; the difference is the necessary risk reduction. The actual risk reduction leaves a remaining risk.)

    Measures:
    - External / passive actions: emergency shutdown, user manuals, warning signs, trainings
    - (Re-)Spec / (Re-)Design of the function
    - Add safety functions

    Quality management (maturity of processes and methods: SPICE, CMMI, ISO 9001, ...) and functional safety (hazard analyses) reduce the probability of failure.

  • 32 Safety Functions

    Additional functionality to avoid or control hazards. Separated from the system to protect.

    (Figure: Hazard → Hazardous Event 1 … n → Accident, Risk = f x C; Safety Function 1 … n act on the hazardous events.)

  • 33 Safety Function Aspects

    Diagnostic: what needs to be measured, and how to measure it.

    Action: maximum time to react, and how to react.

    (Figure: timeline from Hazard to Hazardous Event; diagnostic and action have to complete within that time.)

  • 34 Safety Integrity

    IEC 61508 definition: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.

  • 35 Safety Integrity Level SIL

    Specifies the safety integrity requirements of safety functions. Failure rates are defined for each SIL, classed as continuous or high demand (PFH) and low demand (PFD).

    IEC 61508 failure rate example:

    SIL  PFH (per hour)      PFD
    1    10^-6 to < 10^-5    10^-2 to < 10^-1
    2    10^-7 to < 10^-6    10^-3 to < 10^-2
    3    10^-8 to < 10^-7    10^-4 to < 10^-3
    4    10^-9 to < 10^-8    10^-5 to < 10^-4

  • 36 Risk Graph

    (Figure: the risk graph of slide 30, Start → C1..C4 → F1/F2 → P1/P2, with the requirement class table, branches listed top to bottom:)

    Branch  W3  W2  W1
    1       1   -   -
    2       2   1   -
    3       3   2   1
    4       4   3   2
    5       5   4   3
    6       6   5   4
    7       7   6   5
    8       8   7   6

    Necessary risk reduction (requirement class) → SIL:

    -     No safety requirements
    1     No special safety requirements
    2, 3  SIL 1
    4     SIL 2
    5, 6  SIL 3
    7     SIL 4
    8     An E/E/PE SRS is not sufficient

  • 37 Qualitative Analysis FMEA

    FMEA, Failure Mode and Effect Analysis: systematic method to identify and prevent product and process issues before they occur. Used in design and manufacturing processes. Team-based approach. Resource heavy (time and people): 4 to 6 experienced and non-experienced people.

    Evaluating the risk of failure:
    - Severity: consequence of the failure
    - Occurrence: probability of the failure
    - Detection: probability of the failure being detected before it occurs

  • 38 FMEDA

    FMEDA = FMEA extension to identify online diagnostic techniques and failure modes relevant to safety instrumented system design.

    Generates failure rates for: safe detected, safe undetected, dangerous detected, dangerous undetected.

  • Functional Safety Hardware Architectures

  • 40 1oo1 System Architecture

    Minimal system. No fault redundancy. No internal diagnostics.

    (Figure: single channel Sensor → Input Circuit → Logic Solver → Output Circuit → Actuator / Final Element, with power supply and common circuitry.)

  • 41 1oo2 System Architecture

    Two independent channels. One channel can cause the safety function; both channels must fail for an undesired output.

    Example: airbag systems, where a 32-bit main and an 8-bit secondary MCU are used to energize the squib charges.

    (Figure: one sensor feeding two channels, each Input Circuit → Logic Solver → Output Circuit with its own common circuitry; both outputs drive the actuator / final element.)

  • 42 1oo1D System Architecture

    1oo1 system with a diagnostic channel. The diagnostic channel can inhibit the system output. Additional failure rate potential due to failure in the diagnostic circuits (annunciation failure). TMS570LS processor implementations are a 1oo1D system.

    (Figure: Sensor → Input Circuit → Logic Solver → Output Circuit → Actuator / Final Element with common circuitry; a Diagnostic Circuit observes the channel and can inhibit the output.)

  • 43 2oo3 Safety Architecture

    3 independent channels with voting circuit.

    (Figure: one sensor feeding channels A, B and C, each Input Circuit → Logic Solver with its own common circuitry and two output circuits (Output Circuit 1, Output Circuit 2); a voting circuit combines the channel pairs A/B, A/C and B/C and drives the actuator / final element.)

  • 44 Processing Function Protection

    Method: Single 32b device with 8/16b checker device (diagram: CPU and CHK feeding a Compare).
    Advantages: relatively low cost; safety through diverse hardware.
    Disadvantages: SIL may be limited by the processing capacity of the simple checker micro; processing power limited by frequent on-line diagnostics.

    Method: Dual devices with external compare of safety outputs and optional SW message passing (diagram: CPU and CPU feeding a Compare).
    Advantages: SIL3 generally possible; can double performance for non-safety-critical tasks; simplicity of sourcing; potential for redundancy.
    Disadvantages: increased complexity for safety SW synchronization; additional cost, board space.

    Method: Device with internal safety logic (CPU) in lock-step (diagram: CPU and CHK compared inside one device).
    Advantages: SIL3 generally possible; reduction in board space; reduced S/W complexity.
    Disadvantages: customized implementation; same performance as a single CPU.

    Method: Single device dual CPU with internal self test (diagram: CPU 1 and CPU 2 with a monitor M).
    Advantages: SIL3 generally possible; multi-core performance for non-safety-critical tasks.
    Disadvantages: customized implementation; increased complexity for safety SW synchronization.

  • 45 Hardware Fault Tolerance HFT

    Sensors, actuators and MCUs of a safety function must have a minimum HFT. The HFT describes the safety function design: an HFT of x means that x+1 faults may lead to loss of the safety function.

    HFT = 0 (single channel): 1 fault may lead to loss of the safety function. Architectures: 1oo1, 1oo1D, 2oo2.

    HFT = 1 (redundant): 2 or more faults are needed to lose the safety function. Architectures: 1oo2, 2oo3.

  • IEC 61508

  • 47 What is IEC EN 61508?

    Consensus standard for general market functional safety applications. Primarily designed for system level application; also applied to product and component level.

    Distinguishes between systems with continuous or high demand and systems with low demand.

    Provides measures for management and reduction of systematic failures and for detection of random failures. Structured flow and guide to develop a functional safety system.

  • 48 Standard Documentation

    - Part 0: Overview of Functional Safety
    - Part 1: General requirements
    - Part 2: Requirements for E/E/PE safety-related systems
    - Part 3: Software requirements
    - Part 4: Definitions and abbreviations
    - Part 5: Examples of methods for the determination of SILs
    - Part 6: Guidelines on the application of parts 2 and 3
    - Part 7: Overview of techniques and measures

  • 49 Safety Life Cycle

  • 50 E/E/PES Safety Life Cycle

    (Figure: E/E/PES safety requirement specification, E/E/PES design and development, E/E/PES safety validation planning, E/E/PES integration, E/E/PES safety validation, E/E/PES operation and maintenance procedures, with Verification, Management, Documentation and Assessment alongside all phases.)

  • 51 SW Safety Life Cycle

    (Figure: SW safety requirement specification, SW design and development, SW safety validation planning, PE integration (HW/SW), SW safety validation, SW operation and modification procedures, with Verification, Management, Documentation and Assessment alongside all phases.)

  • 52 Failure Rates and Diagnostics

    S   Safe failure rate (no impact on the safety function)
    SD  Safe detected failure rate
    SU  Safe undetected failure rate
    D   Dangerous failure rate (impact on the safety function)
    DD  Dangerous detected failure rate
    DU  Dangerous undetected failure rate

  • 53 Safe Failure Fraction SFF

    Relative measure for the implemented diagnostics.

    SFF types: Type A, all failure mechanisms are known, e.g. a switch. Type B, not all of the failure mechanisms are known, e.g. an MCU.

  • 54 Exercise SFF

    Calculate the Safe Failure Fraction for:
    Start System: DU = 20 FIT and = 2000 FIT
    Improved System: DU = 10 FIT and = 200 FIT
    Optimized System: DU = 10 FIT and = 20 FIT

  • 55 Solution SFF

    Calculate the Safe Failure Fraction for:
    Start System: DU = 20 FIT and = 2000 FIT
    Improved System: DU = 10 FIT and = 200 FIT
    Optimized System: DU = 10 FIT and = 20 FIT

  • 56 SIL determination from SFF

    Safe Failure Fraction         Hardware Fault Tolerance
    Type A [%]   Type B [%]       HFT = 0   HFT = 1   HFT = 2
    -            0 to < 60        -         SIL1      SIL2
    0 to < 60    60 to < 90       SIL1      SIL2      SIL3
    60 to < 90   90 to < 99       SIL2      SIL3      SIL4
    90 to 100    99 to 100        SIL3      SIL4      SIL4

  • 57 Probability of Failure

    The probability of failure due to random hardware failures must be quantified for each safety function.

    PFD, Probability of Failure on Demand: assumes low demand for the safety function. PFD depends on repair time and test interval.

    PFH, Probability of Failure per Hour: assumes high or continuous demand for the safety function.

  • 58 PFDavg Example 1oo1

    Test interval TI = 2 years = 17520 h.

    Element    DU (FIT)  PFDavg
    Sensor     300       2.6 x 10^-3
    Input      10        0.087 x 10^-3
    CPU        5         0.044 x 10^-3
    Output     1         0.0087 x 10^-3
    Actuator   300       2.6 x 10^-3

    PFDavg_System = 5.34 x 10^-3

    (Figure: the 1oo1 signal chain of slide 40: Sensor → Input Circuit → Logic Solver → Output Circuit → Actuator / Final Element.)

  • 59 Exercise PFDavg

    Determine the safety integrity level for our example. PFDavg_System = 5.34 x 10^-3. SIL = ?

    SIL  PFD
    1    10^-2 to < 10^-1
    2    10^-3 to < 10^-2
    3    10^-4 to < 10^-3
    4    10^-5 to < 10^-4

  • 60 Solution PFDavg

    Determine the safety integrity level for our example. PFDavg_System = 5.34 x 10^-3. SIL = 2

    SIL  PFD
    1    10^-2 to < 10^-1
    2    10^-3 to < 10^-2
    3    10^-4 to < 10^-3
    4    10^-5 to < 10^-4
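The arithmetic of slides 18 through 60, worked in code. This is an added example, not part of the seminar material: it converts FIT rates (slide 20), computes steady-state availability from MTTF and MTTR (slides 18 and 19, formula assumed from the standard definition), sums the 1oo1 PFDavg chain of slide 58, looks up the SIL from the PFD/PFH bands of slide 35, and evaluates a Safe Failure Fraction against the SIL-from-SFF table of slide 56. All function names and the SFF input values (λS, λDD, λDU) are this example's own choices; the SFF inputs are constructed and are not the values of the exercise on slide 54.

```python
"""IEC 61508 hardware-integrity arithmetic from the seminar slides.

Added example, not seminar material. Function names and the SFF sample
values are this example's own.
"""

HOURS_PER_YEAR = 8760
FIT = 1e-9  # one FIT = one failure per 1e9 device hours


def fit_to_per_hour(fit):
    """Convert a failure rate in FIT to failures per hour."""
    return fit * FIT


def fit_to_failures_per_year(fit):
    """Slide 20: 50 FIT = 5e-8 /h, times 8760 h/year = 4.38e-4 failures/year."""
    return fit_to_per_hour(fit) * HOURS_PER_YEAR


def mttf_hours(fit):
    """Constant failure rate: MTTF is the reciprocal of the rate."""
    return 1.0 / fit_to_per_hour(fit)


def availability(mttf_h, mttr_h):
    """Steady-state availability of a repairable item (slides 18/19): the
    fraction of time spent in the 'Up' state, MTTF / (MTTF + MTTR)."""
    return mttf_h / (mttf_h + mttr_h)


def pfd_avg_1oo1(lambda_du_fit, test_interval_h):
    """Average PFD of one channel with dangerous-undetected rate lambda_DU
    that is proof-tested every test_interval_h hours. A dangerous undetected
    fault stays hidden until the next proof test, so on average it is present
    for half the interval: PFDavg ~= lambda_DU * TI / 2 (valid while
    lambda_DU * TI << 1, which holds for FIT-sized rates)."""
    return fit_to_per_hour(lambda_du_fit) * test_interval_h / 2.0


# Slide 35 bands: lower bound inclusive, upper bound exclusive.
PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


def sil_from_bands(value, bands):
    for sil, (low, high) in bands.items():
        if low <= value < high:
            return sil
    return None  # outside the table: worse than SIL 1 or better than SIL 4


def sil_from_pfd(pfd):
    return sil_from_bands(pfd, PFD_BANDS)


def sil_from_pfh(pfh):
    return sil_from_bands(pfh, PFH_BANDS)


def safe_failure_fraction_pct(lambda_s_fit, lambda_dd_fit, lambda_du_fit):
    """SFF in percent (slide 53): the share of all failures that are either
    safe or dangerous-but-detected, i.e. everything except dangerous undetected."""
    total = lambda_s_fit + lambda_dd_fit + lambda_du_fit
    return 100.0 * (lambda_s_fit + lambda_dd_fit) / total


def sil_from_sff(sff_pct, hft, device_type):
    """Slide 56 table: SIL claimable for an SFF band, hardware fault tolerance
    (0, 1, 2) and device type ('A': all failure modes known, 'B': not all
    known, e.g. an MCU). None means no SIL is claimable."""
    if device_type == "A":
        rows = [(60, (1, 2, 3)), (90, (2, 3, 4)), (101, (3, 4, 4))]
    elif device_type == "B":
        rows = [(60, (None, 1, 2)), (90, (1, 2, 3)), (99, (2, 3, 4)), (101, (3, 4, 4))]
    else:
        raise ValueError("device_type must be 'A' or 'B'")
    for upper, sils in rows:
        if sff_pct < upper:
            return sils[hft]
    raise ValueError("SFF must be a percentage <= 100")


def slide58_example():
    """Sum the per-element PFDavg of the 1oo1 chain on slide 58 and return
    (total PFDavg, SIL). The slide rounds each element before summing and
    shows 5.34e-3; unrounded the sum is 5.396e-3, in the same SIL 2 band."""
    test_interval_h = 2 * HOURS_PER_YEAR  # 17520 h
    du_fit = {"sensor": 300, "input": 10, "cpu": 5, "output": 1, "actuator": 300}
    total = sum(pfd_avg_1oo1(fit, test_interval_h) for fit in du_fit.values())
    return total, sil_from_pfd(total)


def sff_example():
    """Constructed Type B (MCU) case, not the slide 54 exercise:
    lambda_S = 1500 FIT, lambda_DD = 480 FIT, lambda_DU = 20 FIT.
    Returns (SFF %, SIL at HFT 0, SIL at HFT 1)."""
    sff = safe_failure_fraction_pct(1500, 480, 20)
    return sff, sil_from_sff(sff, 0, "B"), sil_from_sff(sff, 1, "B")


if __name__ == "__main__":
    print("50 FIT =", fit_to_failures_per_year(50), "failures/year")
    print("slide 58:", slide58_example())
    print("SFF example:", sff_example())
```

The SFF example shows why an MCU (Type B) needs high diagnostic coverage: with 99 % of failures either safe or detected, a single channel (HFT = 0) can claim SIL 3, while the same device at 95 % drops to SIL 2 and at 50 % cannot claim any SIL.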

  • ISO 26262

  • 62 What is different/new in ISO 26262?

    Adaptation of IEC 61508 for road vehicles. Safety functions are replaced with safety goals: the safety function concept was based on the idea of defining a system under control and then bolting on risk reduction measures; the safety goal concept requires that risk reduction be part of the initial control system design.

    Adapted for the common automotive lifecycle: ISO 26262 has hazard and risk analysis, failure rates and metrics adapted for automotive use cases. Work products are clearly defined.

  • 63 SIL and ASIL Comparison

    ISO 26262 categories of risk are Automotive Safety Integrity Levels (ASILs).

    DIN EN 61508 SIL   ISO 26262 ASIL   Description
    -                  QM
    SIL 1              ASIL A
    SIL 2              ASIL B           SIL 2 is not fully equivalent to ASIL B
    SIL 2 / SIL 3      ASIL C           SIL 2 development requirements, SIL 3 verification requirements
    SIL 3              ASIL D           SIL 3 is not fully equivalent to ASIL D
    SIL 4              -

    Note: there is no direct correlation between SIL and ASIL.

  • 64 Risk in ISO 26262

    S = Severity, E = Exposure, C = Controllability

    Hazard Risk = S x (E * C)

    (Figure: Hazard → Hazardous Event 1 … n → Accident, with Safety Goal 1 … n acting on the hazardous events.)

  • 65 Severity Classification

    Class  Description
    S0     No injuries
    S1     Light and moderate injuries
    S2     Severe and life-threatening injuries (survival probable)
    S3     Life-threatening injuries (survival uncertain), fatal injuries

  • 66 Probability of Exposure Classification

    Class  Description
    E1     Incredible
    E2     Very low probability
    E3     Low probability
    E4     Medium probability
    E5     High probability

  • 67 Controllability Classification

    Class  Description
    C0     Controllable in general
    C1     Simply controllable
    C2     Normally controllable
    C3     Difficult to control or uncontrollable

  • 68 ASIL Determination

    Severity  Exposure  C1       C2       C3
    S1        E1        QM       QM       QM
    S1        E2        QM       QM       QM
    S1        E3        QM       QM       ASIL A
    S1        E4        QM       ASIL A   ASIL B
    S2        E1        QM       QM       QM
    S2        E2        QM       QM       ASIL A
    S2        E3        QM       ASIL A   ASIL B
    S2        E4        ASIL A   ASIL B   ASIL C
    S3        E1        QM       QM       ASIL A
    S3        E2        QM       ASIL A   ASIL B
    S3        E3        ASIL A   ASIL B   ASIL C
    S3        E4        ASIL B   ASIL C   ASIL D
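The two classification matrices of the seminar, the IEC 61508 frequency x consequence risk-class matrix (slide 27) and the ISO 26262 ASIL determination table (slide 68), encoded as lookups. This is an added example, not part of the slides: besides the lookups it adds the sanity check a reviewer runs on any hand-typed matrix (a worse parameter must never yield a milder classification) and rates a small list of constructed hazards to find the ones that need a safety goal. Table contents are taken from the slides; all names and the sample hazards are this example's own.

```python
"""Risk class (IEC 61508, slide 27) and ASIL (ISO 26262, slide 68) lookups.

Added example, not seminar material. Names and sample hazards are this
example's own; table contents are transcribed from the slides.
"""

# Slide 27: rows = frequency f, columns = consequence C, cell = risk class 1..4
FREQUENCIES = ["Frequent", "Probable", "Occasional", "Remote", "Improbable", "Incredible"]
CONSEQUENCES = ["Catastrophic", "Critical", "Marginal", "Negligible"]
RISK_CLASS_MATRIX = [
    [1, 1, 1, 2],  # Frequent
    [1, 1, 2, 3],  # Probable
    [1, 2, 3, 3],  # Occasional
    [2, 3, 3, 4],  # Remote
    [3, 3, 4, 4],  # Improbable
    [4, 4, 4, 4],  # Incredible
]
RISK_CLASS_MEANING = {1: "Intolerable", 2: "Undesirable", 3: "Tolerable", 4: "Negligible"}  # slide 26


def risk_class(frequency, consequence):
    """IEC 61508 risk class for a (frequency, consequence) pair."""
    return RISK_CLASS_MATRIX[FREQUENCIES.index(frequency)][CONSEQUENCES.index(consequence)]


# Slide 68: (S, E) -> (C1, C2, C3). QM = quality management only, no ASIL.
ASIL_TABLE = {
    ("S1", "E1"): ("QM", "QM", "QM"),
    ("S1", "E2"): ("QM", "QM", "QM"),
    ("S1", "E3"): ("QM", "QM", "ASIL A"),
    ("S1", "E4"): ("QM", "ASIL A", "ASIL B"),
    ("S2", "E1"): ("QM", "QM", "QM"),
    ("S2", "E2"): ("QM", "QM", "ASIL A"),
    ("S2", "E3"): ("QM", "ASIL A", "ASIL B"),
    ("S2", "E4"): ("ASIL A", "ASIL B", "ASIL C"),
    ("S3", "E1"): ("QM", "QM", "ASIL A"),
    ("S3", "E2"): ("QM", "ASIL A", "ASIL B"),
    ("S3", "E3"): ("ASIL A", "ASIL B", "ASIL C"),
    ("S3", "E4"): ("ASIL B", "ASIL C", "ASIL D"),
}
ASIL_ORDER = ["QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D"]  # mildest to strictest


def asil(severity, exposure, controllability):
    """ASIL for classes such as ('S2', 'E3', 'C2')."""
    return ASIL_TABLE[(severity, exposure)][int(controllability[1]) - 1]


def check_tables_monotone():
    """Sanity check for hand-entered tables: moving to a worse parameter value
    must never give a milder result. Returns the list of violations (empty = ok)."""
    bad = []
    for i, row in enumerate(RISK_CLASS_MATRIX):
        for j, cell in enumerate(row):
            # neighbours with a milder consequence / frequency must not have a lower (stricter) class
            milder_c = row[j + 1] if j + 1 < len(row) else cell
            milder_f = RISK_CLASS_MATRIX[i + 1][j] if i + 1 < len(RISK_CLASS_MATRIX) else cell
            if milder_c < cell or milder_f < cell:
                bad.append(("risk", FREQUENCIES[i], CONSEQUENCES[j]))
    rank = ASIL_ORDER.index
    for (s, e), cells in ASIL_TABLE.items():
        for c in range(3):
            here = rank(cells[c])
            worse = [cells[c + 1]] if c + 1 < 3 else []          # higher controllability class
            for key in ((s, "E%d" % (int(e[1]) + 1)), ("S%d" % (int(s[1]) + 1), e)):
                if key in ASIL_TABLE:                              # higher exposure / severity
                    worse.append(ASIL_TABLE[key][c])
            if any(rank(w) < here for w in worse):
                bad.append(("asil", s, e, "C%d" % (c + 1)))
    return bad


def safety_goals_needed(hazards):
    """hazards: list of (name, S, E, C). Returns (name, ASIL) for every hazard
    rated above QM, i.e. every hazard that needs a safety goal, strictest first."""
    rated = [(name, asil(s, e, c)) for name, s, e, c in hazards]
    needed = [(n, a) for n, a in rated if a != "QM"]
    return sorted(needed, key=lambda na: -ASIL_ORDER.index(na[1]))


SAMPLE_HAZARDS = [  # constructed for this example, not from the slides
    ("unintended steering torque at highway speed", "S3", "E4", "C3"),
    ("loss of dashboard backlight", "S1", "E4", "C1"),
    ("airbag non-deployment in a crash", "S3", "E2", "C3"),
    ("wiper stops in light rain", "S1", "E3", "C2"),
]

if __name__ == "__main__":
    print("table violations:", check_tables_monotone())
    print("risk class Remote/Critical:", risk_class("Remote", "Critical"))
    print("safety goals needed:", safety_goals_needed(SAMPLE_HAZARDS))
```

Running the monotonicity check against a freshly typed table is cheap insurance: a single transposed cell in a 36-entry ASIL table silently under-rates every hazard that lands on it, and the check catches that before the table is used in a hazard analysis.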

  • 69 HW Failure Modes

    Failure modes of HW:
    - Non safety related: safe fault
    - Safety related:
      - Residual / single point fault
      - Latent multiple point fault
      - Perceived multiple point fault
      - Detected multiple point fault
      - Safe fault

  • 70 Failure Rates Overview

    SPF    Single point faults
    RF     Residual faults
    MPFDP  Detected or perceived multi point faults
    MPFL   Latent multi point faults
    MPF    Multi point faults, MPF = MPFDP + MPFL
    S      Safe faults
    Total faults = SPF + RF + MPF + S

    FIT = Failures In Time = 1 failure in 10^9 device hours

  • 71 Metrics

    SPFM: Single Point Faults Metric. LFM: Latent Faults Metric. PVSG: Probability of Violation of a Safety Goal.

  • Hercules Overview

  • 73 What is Hercules?

    Hercules Platform: TMS470M, TMS570, RM4x.

    High Performance Industrial and Medical Safety MCUs (RM4x): industrial and medical applications; TMS qualification, -40 to 85/105 °C operation; Ethernet, USB connectivity; developed to safety standards, IEC 61508 SIL-3; Cortex-R, over 320 MIPS.

    High Performance Transportation and Safety MCUs (TMS570): transportation applications; automotive Q100 qualification, -40 to 125 °C operation; FlexRay, CAN connectivity; developed to safety standards, ISO 26262 ASIL-D and IEC 61508 SIL-3; Cortex-R, over 280 MIPS.

    Value Line Transportation and Safety MCUs (TMS470M): transportation applications; automotive Q100 qualification, -40 to 125 °C operation; LIN, CAN connectivity; supports safety for IEC 61508 systems; Cortex-M, up to 100 MIPS.

  • 74 Hercules Safety MCU Roadmap

    (Figure: roadmap chart, status legend Production / Sampling / Development. Recoverable content:)

    Value Transportation, TMS470M (ARM Cortex-M3, 80 MHz, IEC 61508 SIL3): TMS470M 320kB / 16kB, TMS470M 448kB / 24kB, TMS470M 640kB / 48kB; next: smaller memory options, new peripherals, lower cost. Applications: ABS, Power Steering, Passive Safety.

    High-performance Transportation, TMS570 (2*R4F lockstep CPUs, ISO 26262 support): TMS570 1MB / 160kB, TMS570 2*R4F LS 2MB / 160kB 160 MHz, TMS570 2MB / 192kB, TMS570 2*R4F LS 3MB / 256kB 180 MHz; next: more memory options, new peripherals. Applications: Stability Control, Power Steering, Vehicle Electrification.

    High-performance Industrial, RM4x (2*R4F lockstep CPUs, Ethernet): RM4x 2MB / 192kB, RM4x 2*R4F LS 3MB / 256kB 220 MHz; next: more memory options, new peripherals. Applications: Safe Motor Control, Industrial Automation, Safe Connectivity, Medical.

  • 75

    TMS570LS20216 Block Diagram

  • 76

    TMS570LS31x

  • 77

    RM48x

  • 78

    TMS470M Block Diagram

  • Hercules Safety Concept

  • 80 Rationale of Hercules Safety Concept

    Once a known safe region can be guaranteed, logic in this region can be used to provide diagnostic coverage on other regions (safe island approach).

    (Figure: diagnostics grouped by region.)
    - Core: LS core (lockstep), CPU self test, MPU
    - Memory: Flash ECC, RAM ECC, PBIST, CRC
    - Interrupts: PBIST, interrupt table parity, CRC
    - Clock & Power: VMON, CMON, DCC, ECLK
    - Other / system peripherals: RAM parity, DWWD, fault injection, SW check, timing protection, IO loopback self test, CRC

  • 81 Rationale of Hercules Safety Concept

    (Figure: device block diagram with legend: safe island hardware diagnostics (red), blended HW diagnostics (blue), non-safety-critical functions (black). Blocks: dual ARM Cortex-R4F CPU core; memory (Flash w/ ECC, RAM w/ ECC, Flash EEPROM w/ ECC, memory protection); memory interface and external memory; embedded trace and JTAG debug; power, clock & safety (PBIST/LBIST, OSC, PLL, POR, CRC, RTI/DWWD, ESM); peripherals (DMA, serial interfaces, network interfaces, dual ADC cores, dual high-end timers, GIO); enhanced system bus and vectored interrupt module.)

    CPU core: dual core lockstep, cycle-by-cycle CPU fail-safe detection. CPU self test controller requires little S/W overhead. Logical / physical design optimized to reduce the probability of common cause failure.

    Memory: ECC for Flash / RAM / interconnect evaluated inside the Cortex-R4F. Memory BIST on all RAMs allows fast memory test at startup.

    Power, clock & safety: error signaling module with external error pin. On-chip clock and voltage monitoring.

    Peripherals: parity on all peripheral, DMA and interrupt controller RAMs. IO loopback, ADC self test. Parity or CRC in serial and network communication peripherals. Dual ADC cores with shared channels.

  • Cortex-R4F Safety Features

  • 83 ARM Cortex-R4F CPU

    - Up to 220 MHz CPU clock speed; over 350 DMIPS of performance
    - Single / double precision IEEE 754 floating point; floating point and integer instructions operate in parallel
    - Superscalar, SIMD, 8-stage pipeline delivers 1.6 DMIPS/MHz
    - Fast MULT, DIV and SQRT enables model-based control; simplifies algorithm implementation
    - 12-region memory protection
    - ARM-based: broad industry adoption. ARM v7R Cortex™ ISA fully backward compatible to ARM7/9/11; supports ARM, Thumb and Thumb-2 instructions
    - Lockstep CPUs: single core programming model, the second core checks the first (figure: two ARM Cortex-R4F cores, up to 220 MHz)
    - Broad ARM IDE / compiler support: CCS, KEIL, IAR, etc.
    - Scalable ARM-based solutions from TI: Stellaris, TMS470M, TMS570 & Sitara

  • 84 1oo1D Dual Core Safety Concept

    3rd generation HW lockstep design. Unique design to reduce common cause failures (IC). CPU Compare Module (CCM): self-test capability, self-test error injection / error forcing, output error injection.

    Advantages over a SW solution: faster fault detection, better fault coverage, little to no performance impact, minimal memory impact, easy to integrate in the application, proven and easy to justify diagnostic coverage.

    (Figure: two Cortex-R4 cores with spatial separation and a dedicated power ring; input + control and output + control pass through cycle delays into the CCM, which compares the two cores and raises Error; a self-test block exercises the CCM.)

  • 85 CPU Self Test Controller

    Easy integration. Proven, easy to justify diagnostic coverage. Advantages over a SW solution: faster test execution, better fault coverage, minimal memory impact.

    (Figure: STC block diagram. Blocks: DBIST CNTRL for CPU1 and CPU2 with MISR inputs misr_in1 / misr_in2, ROM and ROM interface FSM with clock control, test controller, REG block and compare block, VBUSP interface, STC bypass / ATE interface; connected to CPU_nRESET, the clock controller, PCR, the CCM and the ESM (ERR).)
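Slide 42 warns that the diagnostic channel of a 1oo1D system can itself fail (annunciation failure), and slides 80, 84 and 85 list CRC checks, fault injection and self-test by error forcing as the answer. The following is an added example, not TI code and not from the slides: it models that pattern in software with a CRC diagnostic over a constant table, a periodic check that annunciates to an error collector standing in for the ESM / error pin, and a self-test that forces a known error through the same compare path to prove the diagnostic is alive before its verdict on live data is trusted. Class and function names, the `StuckAtOkDiagnostic` fault model and the 64-byte sample table are this example's own.

```python
"""Diagnostic channel with self-test by error forcing, modelled in software.

Added example, not TI code. Names and the sample table are this example's own.
"""
import zlib


class CrcDiagnostic:
    """Periodic CRC check of a memory region against a golden reference."""

    def __init__(self, region: bytearray, esm: list):
        self.region = region          # protected data, e.g. an interrupt vector table
        self.esm = esm                # error collector; stands in for the Error Signaling Module
        self.reference = zlib.crc32(bytes(region))

    def _compare(self, actual: int) -> bool:
        """The compare path. Both check() and self_test() go through it, so the
        self-test covers exactly the logic whose verdict is later trusted."""
        return actual == self.reference

    def _run(self, data) -> bool:
        ok = self._compare(zlib.crc32(bytes(data)))
        if not ok:
            self.esm.append("CRC_MISMATCH")   # annunciation
        return ok

    def check(self) -> bool:
        """Periodic diagnostic on the live region."""
        return self._run(self.region)

    def self_test(self) -> bool:
        """Error forcing: flip one bit in a scratch copy and require that the
        compare path both detects and annunciates it. A silent pass means the
        diagnostic itself carries a latent fault."""
        scratch = bytearray(self.region)
        scratch[len(scratch) // 2] ^= 0x01
        before = len(self.esm)
        detected = not self._run(scratch)
        annunciated = len(self.esm) == before + 1
        if annunciated:
            self.esm.pop()   # withdraw the forced error; it was expected
        return detected and annunciated


class StuckAtOkDiagnostic(CrcDiagnostic):
    """Fault model: the compare logic has failed 'stuck at OK' (the
    annunciation failure of slide 42). check() alone would never report."""

    def _compare(self, actual: int) -> bool:
        return True


def diagnostic_cycle(diag: CrcDiagnostic) -> str:
    """One scheduling cycle as a safe island would run it: prove the diagnostic
    first, then trust its verdict on the live data.
    Returns 'DIAG_FAULT', 'DATA_FAULT' or 'OK'."""
    if not diag.self_test():
        return "DIAG_FAULT"
    if not diag.check():
        return "DATA_FAULT"
    return "OK"


def demo():
    """Constructed 64-byte 'vector table'. Returns the verdicts for a healthy
    diagnostic on intact data, the same diagnostic after a single-bit flip in
    the data, and a stuck-at-OK diagnostic on that corrupted data, plus the
    ESM contents at the end."""
    table = bytearray(range(64))
    esm = []
    healthy = CrcDiagnostic(table, esm)
    verdict_intact = diagnostic_cycle(healthy)      # 'OK'
    table[17] ^= 0x80                                # fault injection into the data
    verdict_flipped = diagnostic_cycle(healthy)     # 'DATA_FAULT', one real entry in esm
    stuck = StuckAtOkDiagnostic(table, [])
    verdict_stuck = diagnostic_cycle(stuck)         # 'DIAG_FAULT': the self-test catches it
    return verdict_intact, verdict_flipped, verdict_stuck, list(esm)


if __name__ == "__main__":
    print(demo())
```

The order inside `diagnostic_cycle` is the point: the stuck-at-OK diagnostic would report the corrupted table as healthy, and only the forced error exposes that. This is the software analogue of the CCM self-test with error forcing on slide 84, where the compare module is exercised with a known mismatch before its "no error" output is believed.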

  • Errors

  • 87 Error Handling

    Processor core aborts: bus errors for CPU-initiated transactions (addressing, timeout, ...). MPU errors (data violation, program violation, ...). ECC errors (double bit; single bit correctable, if programmed, ...). Unimplemented opcode.

    HW device errors are aggregated in the Error Signaling Module: peripheral parity, logic BIST, PBIST (SRAM).

    Certain other critical failures will directly generate a reset: VMON failure, oscillator failure.

  • 88 ESM Block Diagram

  • 89 Example CCM-R4 Error

    (Figure: master core and diagnostic core compared by the CCM-R4; a compare error is reported to the ESM, alongside peripheral error inputs, and signalled through the VIM as NFIQ / IRQ to the core.)

  • Key Safety Documentation

  • 91 Key Safety Documentation

    Deliverable: Safety Product Preview
    Contents: Overview of safety considerations in product development and product architecture. Delivered ahead of public product announcement.
    Confidentiality: NDA required
    Availability: Removed from circulation after release to market due to availability of the Safety Manual

    Deliverable: Safety Manual
    Contents: User guide for the safety features of the product, including system level assumptions of use.
    Confidentiality: Public, no NDA required
    Availability: Available

    Deliverable: Safety Analysis Report Summary
    Contents: Summary of FIT rates and device safety metrics according to ISO 26262 and/or IEC 61508 at device level.
    Confidentiality: NDA required
    Availability: Available

    Deliverable: Detailed Safety Analysis Report
    Contents: Full results of all available safety analysis (FMEA, FTA, FMEDA, ...), documented in a format which allows computation of custom metrics.
    Confidentiality: NDA required
    Availability: In development

    Deliverable: Safety Case Report
    Contents: Summary of the conformance of the product to the ISO 26262 and/or IEC 61508 standards.
    Confidentiality: NDA required
    Availability: In development

    Deliverable: Safety Case Database
    Contents: Clause by clause detail of compliance to the ISO 26262 and/or IEC 61508 standards.
    Confidentiality: NDA required
    Availability: In development

  • Development Kits and SW Tools

  • 93 Development Kit Roadmap

    Evaluation and Development Kit SW: CCS-IDE 4.x (C/C++ Compiler/Linker/Debugger), HALCoGen (Peripheral Driver Generation Tool), nowFlash™ (Flash Programming Tools), HET Assembler, HET Simulator, Demo Project, Code Examples.

    (Figure: kit roadmap for TMS570LS2x, TMS470M, TMS570LS3x and RM4x, split into Early Development and Evaluation kits. Kits shown: TMS470M HDK, TMS570 HDK ($99), TMS570 MDK ($199), RM4x HDK, Control Card; a Wiki daughter card example attaches to any HDK. Further prices printed on the slide: $695, $79, $199, $99.)

    Order: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

  • 94

    3rd Party Tools Roadmap

    External Tools:

    IDEs: IAR, Keil/ARM, Lauterbach, iSystems

    Compiler: IAR, ARM, GCC

    Emulator: Spectrum Digital, Lauterbach, iSystems, IAR, Keil, Blackhawk, Segger, Signum Systems

    Operating System: Express Logic, Wittenstein, Micrium, ETAS, Vector, Sciopta

    AutoSAR: Vector, ElectroBit

    Trace / Calibration: Lauterbach, iSystems, Vector, ETAS, Sophia Systems

    Production Flash Programming: BP Microsystems, Data-IO

    Rapid Prototyping: Matlab/Simulink, dSpace

    More: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

  • 95

    Trusted 3rd Party Safety Support

    Safety Training Services

    Safety Consulting

    Safety Critical ECUs

    Safety Critical Software Modules

    Safety Assessment

    Safety Critical RTOS

  • 96

    Software Tool Overview

    Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

  • 97

    HALCoGen

    Hardware Abstraction Layer Code Generator

    User Input on High Abstraction Level

    Generates C Source: peripheral and safety driver set, FreeRTOS

    Supported Tool Chains: TI tools, Keil/ARM Tools, IAR

    Interactive Help System: describes tool features and functions, provides detailed dependency graphs, provides useful example code, tool tip help available

    Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

  • 98

    Graphical Programming Environment: output simulation tool, generates CCS-ready SW modules, includes functional examples from TI

    NHET Simulator: graphical waveform viewer, input generation tool, seamless interface to coding tool, upgradable to full SynaptiCAD

    Screenshot labels: NHET ASM Code, Pin Selection, Algorithm Library, Drag & Drop Instructions, Waveform View, NHET Registers

    Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

  • Support and Trainings

  • 100

    Support Web Page:

    Hercules: www.ti.com/hercules
    Data sheets, technical reference manual, application notes, software & tools downloads and updates. Order evaluation and development kits.

    E2E Forums: Hercules: http://www.ti.com/hercules-support
    News and announcements. Useful links. Ask technical questions. Search for technical content.

    WIKI: Hercules: www.ti.com/hercules-wiki
    How-to guides, intro videos and general information.

  • 101

    E2E Forum Overview

    Forum: TI E2E forum for questions about Hercules devices

    Forum Flow: Post Question -> Received Confirmation (within 24hrs) -> Answer Known? YES: Post Answer within 24hrs. NO: Forward Question to World Wide Apps Team (United States, Europe, India) -> Post Answer

    Forum Guidelines: At least one person will monitor the forum at all times (work days). All questions posted in the forum will have a response in 24hrs or less.

  • 102

    3-Day Training

    Training Home: http://focus.ti.com/general/docs/traininghome.tsp

  • Safety Critical Motor Control Example

  • 104

    Safety Base Hercules and TPS6538x

    Block diagram labels (Hercules Safety MCU with TPS65381): e.g. CAN Transceiver; 3.3V/5V uC Supply; 0.8V to 3.3V uC Core Supply; 5V Supply; AMUX / DMUX; ERROR Signal Monitor / Q&A Watchdog; Reset/Enable Interface; Clock Monitor; Voltage Monitor; BIST; CRC; 3.3V to 9.5V Sensor Supply; Multi-Rail Supply; Temp Prot.; Current Limit. Legend: Voltage Signals (GREEN), Communications/Safety Features (RED).

    Clock monitoring on internal oscillators

    Voltage monitoring on all power supplies and internal supply voltages

    Window or Q/A watchdog support

    Reset circuit for the MCU integrated in power supply

    Multiple supply rails to power the MCU, CAN/FlexRay, and external sensor

    6V asynch switch-mode pre-regulator, integrated current limit

    4.5V to 36V Operating Range

    Microcontroller Error-Signal Monitor

    5V linear regulator (internal FET) with temp protection and current limit
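    The slide lists window and Q/A (question/answer) watchdog support and an error-signal monitor as the mechanisms by which the external supply chip supervises the MCU. The following simulation is an added example, not code from the seminar or from TI, showing why these two schemes catch failure modes a plain timeout watchdog does not: a window watchdog rejects services that arrive too early (runaway code) as well as too late, and a Q/A watchdog requires an answer computed from a changing question, so a program stuck in a loop that merely kicks the watchdog with a fixed value is still detected. The window limits, the failure threshold, the question sequence and the answer function are constructed for illustration and are not the TPS65381's actual parameters or algorithm.

```python
"""Window + question/answer watchdog simulation (added illustration, not TI code)."""
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed parameters; the real device's window and threshold differ.
WINDOW_OPEN_MS = 40    # earliest acceptable service after the previous one
WINDOW_CLOSE_MS = 60   # latest acceptable service after the previous one
FAIL_THRESHOLD = 2     # consecutive bad services before ERROR is asserted


def expected_answer(question: int) -> int:
    """Toy answer function (constructed). The MCU must derive the answer from
    the current question; a replayed or constant value will not match."""
    return ((question * 0x1F) ^ 0xA5) & 0xFF


@dataclass
class WatchdogMonitor:
    """Supervisor side (the role the safety supply chip plays for the MCU)."""
    last_service_ms: int = 0
    question: int = 0x3C          # constructed seed for the question sequence
    fail_count: int = 0
    error_asserted: bool = False   # models the ERROR / reset line going active
    log: List[str] = field(default_factory=list)

    def _fail(self, reason: str, now_ms: int) -> None:
        self.fail_count += 1
        self.log.append(f"t={now_ms}ms FAIL {reason} (count={self.fail_count})")
        if self.fail_count >= FAIL_THRESHOLD:
            self.error_asserted = True
            self.log.append(f"t={now_ms}ms ERROR asserted -> MCU reset")

    def _rotate_question(self) -> None:
        # Toy shift-register step so every cycle asks a different question.
        q = self.question
        self.question = ((q << 1) | (((q >> 7) ^ (q >> 5)) & 1)) & 0xFF

    def service(self, now_ms: int, answer: int) -> bool:
        """MCU writes its answer. Accepted only if inside the window and correct."""
        if self.error_asserted:
            return False
        delta = now_ms - self.last_service_ms
        if delta < WINDOW_OPEN_MS:
            self._fail("service too early", now_ms)
            ok = False
        elif delta > WINDOW_CLOSE_MS:
            self._fail("service too late", now_ms)
            ok = False
        elif answer != expected_answer(self.question):
            self._fail("wrong answer", now_ms)
            ok = False
        else:
            self.fail_count = 0
            self.log.append(f"t={now_ms}ms OK")
            ok = True
        self.last_service_ms = now_ms
        self._rotate_question()
        return ok

    def check_timeout(self, now_ms: int) -> None:
        """Periodic check so an MCU that never services at all is also caught."""
        if not self.error_asserted and now_ms - self.last_service_ms > WINDOW_CLOSE_MS:
            self._fail("no service (timeout)", now_ms)
            self.last_service_ms = now_ms   # open a fresh window
            self._rotate_question()


# Simulated MCU behaviours (constructed). Each is called once per 10 ms tick.
def healthy(wd: WatchdogMonitor, now: int) -> None:
    if now % 50 == 0:                       # services every 50 ms, inside the window
        wd.service(now, expected_answer(wd.question))


def fixed_answer(wd: WatchdogMonitor, now: int) -> None:
    if now % 50 == 0:                       # right timing, but stuck loop sends a constant
        wd.service(now, 0x00)


def runaway(wd: WatchdogMonitor, now: int) -> None:
    wd.service(now, expected_answer(wd.question))   # every tick: too early for the window


def hung(wd: WatchdogMonitor, now: int) -> None:
    pass                                    # never services the watchdog


def run(mcu_step: Callable[[WatchdogMonitor, int], None],
        duration_ms: int = 300, tick_ms: int = 10) -> WatchdogMonitor:
    wd = WatchdogMonitor()
    for now in range(tick_ms, duration_ms + 1, tick_ms):
        mcu_step(wd, now)
        wd.check_timeout(now)
    return wd


if __name__ == "__main__":
    for name, behaviour in [("healthy", healthy), ("fixed_answer", fixed_answer),
                            ("runaway", runaway), ("hung", hung)]:
        wd = run(behaviour)
        print(f"{name:13s} error_asserted={wd.error_asserted} fails={wd.fail_count}")
        for line in wd.log[:4]:
            print("   ", line)
```

    Only the healthy behaviour survives the 300 ms run; the constant-answer loop, the runaway service and the hung MCU each reach the failure threshold and drive the ERROR line, which is the point of pairing the MCU with an independent monitor: the supervisor does not trust the MCU's own report of its health.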

  • 105

    EPS Chipset

    DRV3201/TPIC7312

  • Hercules, ideal for Safety Applications

  • 107

    Hercules, ideal for Safety Applications

    TI has been building product for automotive safety for over 20 years.

    TI is participating and contributing to ISO 26262 standard development.

    HW safety features, advantages over a SW solution: faster test execution; better fault coverage; minimal memory impact; easy integration; proven, easy to justify diagnostic coverage.

    SIL 3 capable today. ASIL D capable planned.

  • 108

    Thank You for your Attention

    Who to contact

    Frank Forster [email protected] +49 8161804270 TMS570 Marketing & SysApps

    Josef Mieslinger [email protected] +49 8161803077 TMS570 Marketing

    Marcus Frech [email protected] +49 8161803431 TMS570 SysApps