Functional Safety Seminar & 1-Day Hercules(TM) Workshop
Embedded Processing Marketing, MCU Industrial & Automotive
Marcus Frech [email protected]
Josef Mieslinger [email protected]
Arrow Roadshow, Silkeborg 2012
Agenda Day 1
Introduction to Functional Safety
Systematic and Random Failures
Hazard and Risk Analysis
IEC EN 61508
ISO 26262
Hercules (TMS570, RM4x and TMS470M) Overview
Hercules Safety Concept and Peripherals
Development Kits, SW Tools
Safety Critical Motor Control Example

Agenda Day 2
TMS570 Introduction and Roadmap
Development Tools: Hardware kits, Software tools
Safety Overview and Modules
TMS570LS Architecture: Memory Map, Clocking, Exceptions
Embedded Flash Memory tools: nowECC, nowFlash, API
Demo: TMS570 Safety MCU Demos
Real Time Interrupt (RTI)
Vectored Interrupt Manager (VIM)
Direct Memory Access (DMA)
General-purpose I/O (GIO)
Programmable Timer Unit with Transfer Unit (NHET/HTU)
Demo: Using NHET as GIO
Multi-Buffered Serial Peripheral Interface (MibSPI)
Controller Area Network (DCAN)
FlexRay Interface with Transfer Unit (ERAY/FTU)
Local Interconnect Network (LIN) / Serial Communication Interface (SCI)
Demo: PC to SCI Communication
External Memory Interface (EMIF) / Parameter Overlay (POM)
Multi-buffered Analog-to-Digital Converter (MibADC)
Support Structure: Web, Forum, WIKI
Motivation
Safety Concerns
Space Shuttle Challenger disaster (1986): Space Shuttle broke apart (deaths of 7 crew members). Cause: unqualified O-ring seal.
Ariane 5 explosion (1996): No victims (unmanned flight), but loss of over 370 million $. Cause: SW design error (missing protection against integer overflow).
Laws / Claim damages
Safety and Security
Safety: No unacceptable risk from the system to the health of people or to the system environment.
Security: Avoid system manipulation from the outside world.
Definition of Functional Safety
IEC 61508 Definition: Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment.
Functional Safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.
ISO 26262 Definition: Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems.
Safety Standards
[Figure: the Hercules(TM) MCU and the generic standard IEC 61508 (safety) shown together with the sector standards:]
EN 50128, EN 50129 (railway)
DO-254, DO-178B (aerospace)
IEC 50156 (furnaces)
IEC 60880 (nuclear power stations)
ISO 26262 (automotive)
IEC 62061, ISO 13849 (machinery)
IEC 61511 (process industry)
IEC 60601 (medical equipment)
IEC 61508 (safety)
What is a System?
[Figure: a system in its environment, drawn as a signal chain Sensor -> Input Circuit -> Logic Solver -> Output Circuit -> Actuator / Final Element, with Common Circuitry (the + / - supply) shared by all stages.]
MCU in a Functional Safety System
System components are generally classed E/E/PE: Electrical / Electronic / Programmable Electronic. An MCU is a complex PE component.
MCU HW and SW functions may be safety critical and should be considered.
[Figure: the system in its environment is decomposed into sub-systems built from E/E/PE components; the MCU is one PE component, consisting of MCU HW and MCU SW.]
Functional Safety Basic Concepts
All systems will have some inherent, quantifiable failure rate.
For each application, there is some tolerable failure rate which does not lead to unacceptable risk.
Acceptable failure rates vary per application, based on the potential for direct or indirect physical injury in the event of system malfunction.
Categories can be developed for similar levels of risk. These are known as Safety Integrity Levels, or SILs.
Functional Safety Lifecycle
Phases: Concept, Design, Prototype, Release for Manufacturing, Field Implementation, Removal from Field Usage.
Verification, Management, Documentation and Assessment accompany every phase.
Fault, Error and Failure
Fault: Operational issue in a system which may lead to an error.
Error: Discrepancy between expected and actual value.
Failure: Result of a fault which leads to an inability to execute safety critical functionality.
Fault -> Error -> Failure
Errors in Functional Safety Systems
Permanent: System must be repaired.
Transient: Occurs for a short time. Disappears automatically or by reset.
Failures in Functional Safety Systems
Random Failures: Result from random defects. Cannot be reduced; must be detected and handled by the application. Hazard and risk analyses.
Systematic Failures: Result from a failure in design or manufacturing. Reducible through quality management. Often a result of failure to follow best practices.
Failures are classed as physical (random) or functional (systematic).
Dependent Failures
Common Cause Failures: the figure shows one Root Cause starting several Fault -> Error -> Failure chains at the same time.
Cascading Failures: the figure shows the Failure of one element becoming the Fault of the next, chaining Fault -> Error -> Failure sequences.
How can a System Fail?
Safe: Enters safe state.
Dangerous: May cause a hazard.
Operational: Runs in a degraded mode.
Example Fault Propagation
[Figure: the system in its environment, decomposed into sub-systems and E/E/PE components, used to illustrate how a fault propagates between them.]
Reliability vs. Availability
Reliability: Probability that a device will perform its required function under stated conditions for a specific period of time. Reliability is quantified as Mean Time Between Failures (MTBF) for repairable systems and Mean Time To Failure (MTTF) for non-repairable systems.
Availability: Probability that a device will perform its required function under stated conditions at a specific point of time.
Mean Time Between Failures
MTBF: Mean Time Between Failures. MTTF: Mean Time To Failure. MTTR: Mean Time To Restoration (detect and repair time).
[Figure: up/down timeline of a repairable device between successive up-times t_U and t_U+1; the time between failures (TBF) spans the time to failure (TTF, device up) plus the time to restoration (TTR, device down).]
Failure Rate
The failure rate can be calculated as follows for a device with a constant failure rate.
FIT = Failures In Time = 1 failure in 10^9 device hours
Example: What is the failure rate of 50 FIT in units of failures per year?
0.00000005 failures per hour x 8760 hours per year = 0.000438 failures per year
What is a Hazard?
A hazard is a situation that poses a level of threat to life, health, property or the environment.
[Figure: a Hazard can give rise to Hazardous Event 1 ... Hazardous Event n, each of which can lead to an Accident.]
Functional Safety Basics
Identify system hazards.
Classify system hazards.
Determine methods to control system hazards.
Define requirements for reliability and availability.
Determine the Safety Integrity Level (SIL).
Specify development methods according to the SIL.
What is Risk?
Risk is a combination of Frequency (probability of a hazardous event) and Consequence: Risk = f x C
With this definition it is possible to analyze the risk qualitatively or quantitatively.
[Figure: Hazard -> Hazardous Event 1 ... n -> Accident, as on the hazard slide.]
Qualitative Analysis
Qualitative analyses use words like probable, frequent, unlikely, etc. to describe the likelihood of a hazardous event, and words like minor, major, catastrophic, etc. to describe the severity of a hazardous event. Qualitative numbers are introduced on how to interpret these words, e.g. Unlikely may be defined as once every 10 to 100 years.
Analysis techniques: Risk Graph, FMEA
Quantitative Analysis
Quantitative analysis uses numbers to describe the likelihood and severity of a hazardous event. E.g. the likelihood (frequency) of a hazardous event is < 10^-3 per year; e.g. the likelihood of potential loss of life is < 10^-5 per year.
A certain amount of uncertainty is associated with the prediction in numbers. Different analysis techniques may end with different results. Some qualitative interpretation is necessary to decide whether a hazardous event is in the acceptable risk region.
Analysis techniques: Risk = (f x C), Probability of Failure on Demand (PFD), FMEDA
Risk Classes IEC 61508
Risk Class  Definition
1           Intolerable risk
2           Undesirable risk, and tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained.
3           Tolerable risk if the cost of risk reduction would exceed the improvement gained.
4           Negligible risk
Risk Classification IEC 61508
Risk class by Frequency (f, rows) and Consequence (C, columns):
Frequency    Catastrophic  Critical  Marginal  Negligible
Frequent     1             1         1         2
Probable     1             1         2         3
Occasional   1             2         3         3
Remote       2             3         3         4
Improbable   3             3         4         4
Incredible   4             4         4         4
Risk Graph
Decision tree in which a team considers some risk parameters to determine a safety integrity level.
Remember: R = f x C. C may be considered as the Consequence risk parameter (C); f may be considered as the Frequency and exposure time risk parameter (F), the Possibility of failing to avoid the hazard risk parameter (P) and the Probability of the unwanted occurrence (W).
Every combination of risk parameters leads to an estimation of the required risk reduction.
Risk Graph Parameter Example
Risk Parameter  Classification
C1  Minor injury.
C2  Serious permanent injury. Death to one person.
C3  Death to several people.
C4  Very many people killed.
F1  Rare to more often exposure in the hazardous zone.
F2  Frequent to permanent exposure in the hazardous zone.
P1  Possible under certain conditions.
P2  Almost impossible.
W1  A very slight probability of unwanted occurrences.
W2  A slight probability of unwanted occurrences.
W3  A relatively high probability of unwanted occurrences.
Risk Graph
Assign assessment criteria to requirement classes. Covers random failures, systematic failures, manipulation, ...
Requirement classes are a measure for the necessary risk reduction.
[Figure: risk graph. From Start, the path branches on C1..C4, then F1/F2, then P1/P2, and ends in one of eight leaves; the W column then selects the requirement class ("-" = none):]
Leaf  W3  W2  W1
1     1   -   -
2     2   1   -
3     3   2   1
4     4   3   2
5     5   4   3
6     6   5   4
7     7   6   5
8     8   7   6
Necessary Risk Reduction
[Figure: risk scale from Low to High. The Risk of Hazard lies above the Acceptable Risk; the gap between them is the Necessary Risk Reduction. The Actual Risk Reduction achieved leaves a Remaining Risk.]
Measures shown in the figure:
External / passive actions: Emergency shutdown, User manuals, Warning signs, Trainings.
(Re-)Spec / (Re-)Design of the function.
Add safety functions.
Quality Management: Maturity of processes and methods (SPICE, CMMI, ISO 9001, ...).
Functional Safety: Hazard analyses; reduce the probability of failure.
Safety Functions
Additional functionality to avoid or control hazards. Separated from the system to be protected.
[Figure: Hazard -> Hazardous Event 1 ... n -> Accident, Risk = f x C; Safety Function 1 ... Safety Function n act on the hazardous events.]
Safety Function Aspects
Diagnostic: What needs to be measured. How to measure.
Action: Maximum time to react. How to react.
[Figure: timeline from Hazard to Hazardous Event, with Diagnostic followed by Action placed within that time.]
Safety Integrity
IEC 61508 Definition: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.
Safety Integrity Level SIL
Specifies the safety integrity requirements of safety functions. Failure rates are defined for each SIL, classed as continuous or high demand (PFH) and low demand (PFD).
IEC 61508 Failure Rate Example:
SIL  PFH                 PFD
1    10^-6 to < 10^-5    10^-2 to < 10^-1
2    10^-7 to < 10^-6    10^-3 to < 10^-2
3    10^-8 to < 10^-7    10^-4 to < 10^-3
4    10^-9 to < 10^-8    10^-5 to < 10^-4
Risk Graph
[Figure: the risk graph of the previous Risk Graph slide (Start, C1..C4, F1/F2, P1/P2, W3/W2/W1, eight leaves). Each requirement class maps to a necessary risk reduction and SIL:]
Necessary Risk Reduction  SIL
-                         No safety requirements
1                         No special safety requirements
2, 3                      SIL 1
4                         SIL 2
5, 6                      SIL 3
7                         SIL 4
8                         An E/E/PE SRS is not sufficient
Qualitative Analysis FMEA
FMEA (Failure Mode and Effect Analysis): Systematic method to identify and prevent product and process issues before they occur. Used in design and manufacturing processes. Team-based approach. Resource heavy (time and people): 4 to 6 experienced and non-experienced people.
Evaluating the risk of failure:
Severity: Consequence of the failure.
Occurrence: Probability of the failure.
Detection: Probability of the failure being detected before it occurs.
FMEDA
FMEDA = FMEA extension to identify online diagnostic techniques and failure modes relevant to safety instrumented system design.
Generates failure rates for: Safe detected, Safe undetected, Dangerous detected, Dangerous undetected.

Functional Safety Hardware Architectures
1oo1 System Architecture
Minimal system. No fault redundancy. No internal diagnostics.
[Figure: single channel Sensor -> Input Circuit -> Logic Solver -> Output Circuit -> Actuator / Final Element with Common Circuitry.]
1oo2 System Architecture
Two independent channels. One channel can cause the safety function. Both channels must fail for an undesired output.
Example: airbag systems, where a 32-bit main and an 8-bit secondary MCU are used to energize the squib charges.
[Figure: one Sensor feeding two independent channels (each Input Circuit, Logic Solver, Output Circuit with its own Common Circuitry) that both drive the Actuator / Final Element.]
1oo1D System Architecture
1oo1 system with a diagnostic channel. The diagnostic channel can inhibit the system output. Additional failure rate potential due to failures in the diagnostic circuits (annunciation failure). TMS570LS processor implementations are a 1oo1D system.
[Figure: Sensor -> Input Circuit -> Logic Solver -> Output Circuit -> Actuator / Final Element with Common Circuitry, plus a Diagnostic Circuit that observes the channel and can inhibit the output.]
2oo3 Safety Architecture
3 independent channels with voting circuit.
[Figure: one Sensor feeding three channels A, B and C (each Input Circuit, Logic Solver, Common Circuitry, Output Circuit 1 and Output Circuit 2). The Voting Circuit combines the channel pairs A-B, A-C and B-C, so any two agreeing channels drive the Actuator / Final Element.]
Processing Function Protection
Method: Single 32b device with 8/16b checker device (figure: CPU and CHK with Compare).
Advantages: Relatively low cost. Safety through diverse hardware.
Disadvantages: SIL may be limited by the processing capacity of the simple checker micro. Processing power limited by frequent on-line diagnostics.

Method: Dual devices with external compare of safety outputs and optional SW message passing (figure: CPU and CPU with external Compare).
Advantages: SIL3 generally possible. Can double performance for non-safety-critical tasks. Simplicity of sourcing. Potential for redundancy.
Disadvantages: Increased complexity for safety SW synchronization. Additional cost, board space.

Method: Device with internal safety logic (CPU) in lock-step (figure: CPU and CHK inside one device).
Advantages: SIL3 generally possible. Reduction in board space. Reduced S/W complexity.
Disadvantages: Customized implementation. Same performance as a single CPU.

Method: Single device dual CPU with internal self test (figure: CPU 1 and CPU 2 inside one device).
Advantages: SIL3 generally possible. Multi-core performance for non-safety-critical tasks.
Disadvantages: Customized implementation. Increased complexity for safety SW synchronization.
Hardware Fault Tolerance HFT
Sensors, actuators and MCUs of a safety function must have a minimum HFT. The HFT is a description of the safety function design: an HFT of x means that x+1 faults may lead to loss of the safety function.
HFT = 0 (single channel): 1 fault may lead to loss of the safety function. Architectures: 1oo1, 1oo1D, 2oo2.
HFT = 1 (redundant): 2 or more faults are needed to lose the safety function. Architectures: 1oo2, 2oo3.

IEC 61508
What is IEC EN 61508?
Consensus standard for general-market functional safety applications.
Primarily designed for system level application; also applied to product and component level.
Distinguishes between systems with continuous or high demand and systems with low demand.
Provides measures for management and reduction of systematic failures and detection of random failures.
Structured flow and guide to develop a functional safety system.
Standard Documentation
Part 0: Overview of Functional Safety
Part 1: General requirements
Part 2: Requirements for E/E/PE safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of SILs
Part 6: Guidelines on the application of parts 2 and 3
Part 7: Overview of techniques and measures
Safety Life Cycle

E/E/PES Safety Life Cycle
E/E/PES safety requirement specification
E/E/PES design and development
E/E/PES safety validation planning
E/E/PES integration
E/E/PES safety validation
E/E/PES operation and maintenance procedures
Verification, Management, Documentation and Assessment accompany all phases.
SW Safety Life Cycle
SW safety requirement specification
SW design and development
SW safety validation planning
PE integration (HW/SW)
SW safety validation
SW operation and modification procedures
Verification, Management, Documentation and Assessment accompany all phases.
Failure Rates and Diagnostics
S: Safe failure rate (no impact on the safety function). SD: Safe detected failure rate. SU: Safe undetected failure rate.
D: Dangerous failure rate (impact on the safety function). DD: Dangerous detected failure rate. DU: Dangerous undetected failure rate.
Safe Failure Fraction SFF
Relative measure for the implemented diagnostics.
SFF types: Type A: All failure mechanisms are known, e.g. a switch. Type B: Not all of the failure mechanisms are known, e.g. an MCU.
Exercise SFF
Calculate the Safe Failure Fraction for:
Start System: DU = 20 FIT and = 2000 FIT
Improved System: DU = 10 FIT and = 200 FIT
Optimized System: DU = 10 FIT and = 20 FIT

Solution SFF
Calculate the Safe Failure Fraction for:
Start System: DU = 20 FIT and = 2000 FIT
Improved System: DU = 10 FIT and = 200 FIT
Optimized System: DU = 10 FIT and = 20 FIT
SIL determination from SFF
Safe Failure Fraction           Hardware Fault Tolerance
Type A [%]     Type B [%]       HFT = 0   HFT = 1   HFT = 2
-              0 to < 60        -         SIL1      SIL2
0 to < 60      60 to < 90       SIL1      SIL2      SIL3
60 to < 90     90 to < 99       SIL2      SIL3      SIL4
>= 90          >= 99            SIL3      SIL4      SIL4
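As an added example (not code from the deck): the Safe Failure Fraction for the three systems of the exercise above, followed by the SIL lookup from the SFF / HFT table. It assumes the second rate given per system is the subsystem's total failure rate, and that the subsystem is a single-channel (HFT = 0) Type B device such as an MCU.

```python
"""Safe Failure Fraction and the SIL it allows (IEC 61508).

Added example, not code from the TI deck. SFF is the IEC 61508 definition
SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU), i.e. the
share of all failures that are either safe or dangerous-but-detected. The
SFF / HFT table is the deck's (IEC 61508-2 Tables 2 and 3). The exercise
on the slides lists "DU" and a second rate per system; this example assumes
that second rate is the subsystem's total failure rate (an assumption).
"""


def safe_failure_fraction(lambda_du_fit: float, lambda_total_fit: float) -> float:
    """SFF in percent from the dangerous-undetected and total failure rates.

    Units cancel, so FIT values can be used directly. Everything that is
    not dangerous-undetected (safe, or dangerous-detected) counts towards
    the SFF.
    """
    if lambda_total_fit <= 0 or lambda_du_fit < 0 or lambda_du_fit > lambda_total_fit:
        raise ValueError("inconsistent failure rates")
    return 100.0 * (lambda_total_fit - lambda_du_fit) / lambda_total_fit


# Maximum SIL claimable for one subsystem from its SFF band and its
# hardware fault tolerance (columns HFT = 0, 1, 2). None = not allowed.
# Band bounds are [lower, upper) in percent; 101 closes the last band.
SIL_TABLE = {
    # Type A: all failure mechanisms known (e.g. a switch).
    "A": [((0, 60), (1, 2, 3)), ((60, 90), (2, 3, 4)),
          ((90, 99), (3, 4, 4)), ((99, 101), (3, 4, 4))],
    # Type B: not all failure mechanisms known (e.g. an MCU).
    "B": [((0, 60), (None, 1, 2)), ((60, 90), (1, 2, 3)),
          ((90, 99), (2, 3, 4)), ((99, 101), (3, 4, 4))],
}


def max_sil(sff_percent: float, hft: int, subsystem_type: str):
    """Return the highest SIL (1..4) the subsystem may claim, or None."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for (low, high), sils in SIL_TABLE[subsystem_type]:
        if low <= sff_percent < high:
            return sils[hft]
    raise ValueError("SFF out of range")


# The three systems of the exercise slide: (DU, assumed total) in FIT.
EXERCISE = {
    "Start": (20, 2000),
    "Improved": (10, 200),
    "Optimized": (10, 20),
}


def solve_exercise(subsystem_type: str = "B", hft: int = 0) -> dict:
    """SFF and allowed SIL per system; defaults model a single-channel MCU."""
    result = {}
    for name, (du, total) in EXERCISE.items():
        sff = safe_failure_fraction(du, total)
        result[name] = (round(sff, 1), max_sil(sff, hft, subsystem_type))
    return result


if __name__ == "__main__":
    for name, (sff, sil) in solve_exercise().items():
        print(f"{name:10s} SFF = {sff:5.1f} %  max SIL (Type B, HFT 0) = {sil}")
```

With those assumptions the Start system reaches 99 % SFF (SIL 3 capable) and the Improved system 95 % (SIL 2), while the Optimized system, despite the lowest total failure rate, has the largest undetected share at 50 % and cannot claim any SIL on SFF grounds without redundancy.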
Probability of Failure
The probability of failure due to random hardware failures must be quantified for each safety function.
PFD (Probability of Failure on Demand): Assumes low demand for the safety function. PFD depends on repair time and test interval.
PFH (Probability of Failure per Hour): Assumes high or continuous demand for the safety function.
PFDavg Example 1oo1
Test interval TI = 2 years = 17520 h
Component   DU        PFDavg
Sensor      300 FIT   2.6 x 10^-3
Input       10 FIT    0.087 x 10^-3
CPU         5 FIT     0.044 x 10^-3
Output      1 FIT     0.0087 x 10^-3
Actuator    300 FIT   2.6 x 10^-3
PFDavg_System = 5.34 x 10^-3
[Figure: 1oo1 chain Sensor -> Input Circuit -> Logic Solver -> Output Circuit -> Actuator / Final Element with Common Circuitry.]
Exercise PFDavg
Determine the safety integrity level for our example.
PFDavg_System = 5.34 x 10^-3
SIL = ?
SIL  PFD
1    10^-2 to < 10^-1
2    10^-3 to < 10^-2
3    10^-4 to < 10^-3
4    10^-5 to < 10^-4

Solution PFDavg
Determine the safety integrity level for our example.
PFDavg_System = 5.34 x 10^-3
SIL = 2 (10^-3 to < 10^-2)
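As an added example (not code from the deck): the PFDavg calculation for the 1oo1 loop above, using the simplified low-demand relation PFDavg = DU x TI / 2, the FIT conversion from the failure-rate slide, and the SIL lookup from the PFD table. The component rates and the 2-year test interval are the slide's; the formula is the standard simplified 1oo1 one and is an assumption about how the slide's values were obtained.

```python
"""PFDavg of the deck's 1oo1 loop and the SIL it supports (low demand).

Added example, not code from the TI deck. It reproduces the per-component
values on the PFDavg slide with the simplified 1oo1 relation
PFDavg = lambda_DU * TI / 2 (repair time neglected, proof-test interval
TI = 2 years = 17520 h), sums them to the loop PFDavg and maps that to the
SIL band of the PFD table. The FIT-to-failures-per-year conversion is the
one from the failure-rate slide (50 FIT -> 0.000438 failures per year).
"""

FIT = 1e-9            # one failure in 10^9 device hours
HOURS_PER_YEAR = 8760


def fit_to_per_hour(fit: float) -> float:
    return fit * FIT


def fit_to_per_year(fit: float) -> float:
    """Failure rate in failures per year, as on the failure-rate slide."""
    return fit_to_per_hour(fit) * HOURS_PER_YEAR


def pfd_avg_1oo1(lambda_du_fit: float, test_interval_h: float) -> float:
    """Average probability of failure on demand of a single channel.

    Assumption: constant failure rate; dangerous undetected failures are
    only revealed by the periodic proof test, so on average the channel
    has been failed for half the test interval.
    """
    return fit_to_per_hour(lambda_du_fit) * test_interval_h / 2.0


# Dangerous undetected failure rates (FIT) from the deck's 1oo1 example.
LOOP_1OO1 = {
    "Sensor": 300,
    "Input circuit": 10,
    "Logic solver (CPU)": 5,
    "Output circuit": 1,
    "Actuator": 300,
}

# Low-demand SIL bands from the PFD table: (SIL, lower, upper).
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def loop_pfd_avg(components: dict, test_interval_h: float):
    """PFDavg per component and for the series loop (sum, no redundancy)."""
    per_component = {name: pfd_avg_1oo1(fit, test_interval_h)
                     for name, fit in components.items()}
    return per_component, sum(per_component.values())


def sil_from_pfd(pfd: float):
    """SIL 1..4 for a PFDavg, or None outside the table (no SIL, or beyond SIL 4)."""
    for sil, low, high in PFD_BANDS:
        if low <= pfd < high:
            return sil
    return None


def solve_example():
    """Loop PFDavg and SIL for the deck's example (TI = 2 years)."""
    _, total = loop_pfd_avg(LOOP_1OO1, 2 * HOURS_PER_YEAR)
    return total, sil_from_pfd(total)


if __name__ == "__main__":
    per_component, total = loop_pfd_avg(LOOP_1OO1, 2 * HOURS_PER_YEAR)
    for name, pfd in per_component.items():
        print(f"{name:20s} PFDavg = {pfd:.2e}")
    print(f"loop PFDavg = {total:.2e}  ->  SIL {sil_from_pfd(total)}")
```

The slide's 5.34 x 10^-3 is the sum of the rounded per-component values; the unrounded sum is 5.40 x 10^-3, which lies in the same SIL 2 band.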
ISO 26262

What is different/new in ISO 26262?
Adaptation of IEC 61508 for road vehicles.
Safety functions replaced with safety goals: the safety function concept was based on the idea of defining a system under control and then bolting on risk reduction measures; the safety goal concept requires that risk reduction be part of the initial control system design.
Adapted for the common automotive lifecycle: ISO 26262 has hazard and risk analysis, failure rates and metrics adapted for automotive use cases.
Work products are clearly defined.
SIL and ASIL Comparison
ISO 26262 categories of risk are Automotive Safety Integrity Levels (ASILs).
DIN EN 61508 SIL   ISO 26262 ASIL   Description
-                  QM
SIL 1              ASIL A
SIL 2              ASIL B           SIL 2 is not fully equivalent to ASIL B
SIL 2 / SIL 3      ASIL C           SIL 2 development requirements, SIL 3 verification requirements
SIL 3              ASIL D           SIL 3 is not fully equivalent to ASIL D
SIL 4              -
Note: There is no direct correlation between SIL and ASIL.
Risk in ISO 26262
S = Severity, E = Exposure, C = Controllability
Hazard Risk = S x (E * C)
[Figure: Hazard -> Hazardous Event 1 ... n -> Accident; Safety Goal 1 ... Safety Goal n address the hazardous events.]
Severity Classification
Class  Description
S0     No injuries
S1     Light and moderate injuries
S2     Severe and life-threatening injuries (survival probable)
S3     Life-threatening injuries (survival uncertain), fatal injuries

Probability of Exposure Classification
Class  Description
E1     Incredible
E2     Very low probability
E3     Low probability
E4     Medium probability
E5     High probability

Controllability Classification
Class  Description
C0     Controllable in general
C1     Simply controllable
C2     Normally controllable
C3     Difficult to control or uncontrollable
ASIL Determination
Severity  Exposure  C1       C2       C3
S1        E1        QM       QM       QM
S1        E2        QM       QM       QM
S1        E3        QM       QM       ASIL A
S1        E4        QM       ASIL A   ASIL B
S2        E1        QM       QM       QM
S2        E2        QM       QM       ASIL A
S2        E3        QM       ASIL A   ASIL B
S2        E4        ASIL A   ASIL B   ASIL C
S3        E1        QM       QM       ASIL A
S3        E2        QM       ASIL A   ASIL B
S3        E3        ASIL A   ASIL B   ASIL C
S3        E4        ASIL B   ASIL C   ASIL D
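As an added example (not code from the deck): the ASIL table above encoded in Python, together with an additive form of it (level = S + E + C - 6 with the class numbers as used in the table) that the code checks cell by cell against the table, applied to a constructed hazard list that is illustrative and not the deck's.

```python
"""ASIL determination from Severity, Exposure and Controllability.

Added example, not code from the TI deck. ASIL_TABLE encodes the deck's
ASIL determination slide (rows S1..S3 / E1..E4, columns C1..C3, using the
table's class numbering). asil_by_rule() is the additive form of that table,
level = S + E + C - 6 with 1..4 = ASIL A..D and 0 or less = QM;
check_table_matches_rule() confirms the two agree on all 36 cells, so a
hazard's ASIL can be computed instead of looked up.
"""

ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"),
        3: ("QM", "QM", "A"),  4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"),
        3: ("QM", "A", "B"),   4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"),  2: ("QM", "A", "B"),
        3: ("A", "B", "C"),    4: ("B", "C", "D")},
}


def asil_from_table(severity: int, exposure: int, controllability: int) -> str:
    """ASIL ('QM', 'A'..'D') read from the slide's table."""
    return ASIL_TABLE[severity][exposure][controllability - 1]


def asil_by_rule(severity: int, exposure: int, controllability: int) -> str:
    """Same result as the table, computed: each step up in S, E or C raises the ASIL by one."""
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError("class outside the S1-S3 / E1-E4 / C1-C3 table")
    level = severity + exposure + controllability - 6
    return "QM" if level <= 0 else "ABCD"[level - 1]


def check_table_matches_rule() -> bool:
    """True if the additive rule reproduces every cell of the slide's table."""
    return all(asil_from_table(s, e, c) == asil_by_rule(s, e, c)
               for s in (1, 2, 3) for e in (1, 2, 3, 4) for c in (1, 2, 3))


def classify_hazards(hazards):
    """Map (name, S, E, C) tuples to their ASIL, highest ASIL first."""
    order = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}
    rated = [(name, asil_by_rule(s, e, c)) for name, s, e, c in hazards]
    return sorted(rated, key=lambda item: -order[item[1]])


# Constructed sample hazards for an actuator control function (illustrative
# classifications, not from the deck).
SAMPLE_HAZARDS = [
    ("unintended actuation at high speed", 3, 4, 3),
    ("loss of assist at low speed", 2, 4, 2),
    ("status indicator stuck", 1, 4, 1),
]


if __name__ == "__main__":
    assert check_table_matches_rule()
    for name, asil in classify_hazards(SAMPLE_HAZARDS):
        print(f"{asil:>3}  {name}")
```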
HW Failure Modes
[Figure: failure modes of HW split into Non Safety Related (Safe Fault) and Safety Related: Residual / Single Point Fault, Latent Multiple Point Fault, Perceived Multiple Point Fault, Detected Multiple Point Fault, Safe Fault.]
Failure Rates Overview
SPF: Single Point Faults. RF: Residual Faults. MPFDP: Detected or Perceived Multi Point Faults. MPFL: Latent Multi Point Faults. MPF = MPFDP + MPFL: Multi Point Faults. S: Safe Faults.
Total Faults = SPF + RF + MPF + S
FIT = Failures In Time = 1 failure in 10^9 device hours
Metrics
LFM: Latent Faults Metric
PVSG: Probability of Violation of Safety Goal
SPFM: Single Point Faults Metric
Hercules Overview

What is Hercules?
Hercules Platform: TMS470M, TMS570, RM4x
High Performance Industrial and Medical Safety MCUs (RM4x): Industrial applications, medical applications. TMS qualification, -40 to 85/105 C operation. Ethernet, USB connectivity. Developed to safety standards: IEC 61508 SIL-3. Cortex-R, over 320 MIPS.
High Performance Transportation and Safety MCUs (TMS570): Transportation applications. Automotive Q100 qualification, -40 to 125 C operation. FlexRay, CAN connectivity. Developed to safety standards: ISO 26262 ASIL-D, IEC 61508 SIL-3. Cortex-R, over 280 MIPS.
Value Line Transportation and Safety MCUs (TMS470M): Transportation applications. Automotive Q100 qualification, -40 to 125 C operation. LIN, CAN connectivity. Supports safety for IEC 61508 systems. Cortex-M, up to 100 MIPS.
Hercules Safety MCU Roadmap
[Figure: roadmap with Sampling, Development and Production columns and Value Transportation / High-performance rows for the three families. Application areas shown: Stability Control, Power Steering, Vehicle Electrification; ABS, Power Steering, Passive Safety; Safe Motor Control, Industrial Automation, Safe Connectivity, Medical.]
TMS470M (ARM Cortex-M3, 80MHz): 320kB / 16kB, 448kB / 24kB and 640kB / 48kB Flash / RAM variants. Planned: smaller memory options, new peripherals, lower cost.
TMS570 (2 x R4F lockstep CPUs, ISO 26262 support, IEC 61508 SIL3): 1MB / 160kB; 2MB / 160kB at 160MHz; 2MB / 192kB; 3MB / 256kB at 180MHz. Planned: more memory options, new peripherals.
RM4x (2 x R4F lockstep, Ethernet): 2MB / 192kB; 3MB / 256kB at 220MHz. Planned: more memory options, new peripherals.
TMS570LS20216 Block Diagram
[Figure: block diagram, not reproduced in this extraction.]
TMS570LS31x
[Figure: block diagram, not reproduced in this extraction.]
RM48x
[Figure: block diagram, not reproduced in this extraction.]
TMS470M Block Diagram
[Figure: block diagram, not reproduced in this extraction.]
Hercules Safety Concept

Rationale of the Hercules Safety Concept
Safe island approach: once a known safe region can be guaranteed, logic in this region can be used to provide diagnostic coverage on other regions.
[Figure: diagnostics grouped by region (Core, Memory, Interrupts, Clock & Power, Other) across System and Peripheral. Diagnostics shown: LS Core, CPU self test, MPU, Flash ECC, RAM ECC, PBIST, CRC, Interrupt Table Parity, VMON, CMON, DCC, ECLK, RAM Parity, DWWD, Fault Injection, SW Check, Timing Protection, IO Loopback, Self Test.]
Rationale of Hercules Safety Concept
[Figure: device block diagram (CPU Core, Memory, Memory Interface, External Memory, Embedded Trace, JTAG Debug, Power / Clock & Safety, Peripherals), colour-coded: Safe Island hardware diagnostics (red), blended HW diagnostics (blue), non safety critical functions (black).]
CPU Core: two ARM Cortex-R4F cores in dual core lockstep, cycle by cycle CPU fail safe detection. The CPU Self Test Controller requires little S/W overhead. Logical / physical design optimized to reduce the probability of common cause failure.
Memory: Flash with ECC, RAM with ECC, Flash EEPROM with ECC, Memory Protection. ECC for Flash / RAM / interconnect is evaluated inside the Cortex-R4F. Memory BIST on all RAMs allows a fast memory test at startup.
Power, Clock & Safety: OSC, PLL, POR, PBIST/LBIST, CRC, RTI/DWWD, ESM. On-chip clock and voltage monitoring. Error Signaling Module with external error pin.
Peripherals: DMA, serial interfaces, network interfaces, dual ADC cores, dual high-end timers, GIO. Enhanced system bus and vectored interrupt module. Parity on all peripheral, DMA and interrupt controller RAMs. IO loop back, ADC self test. Parity or CRC in serial and network communication peripherals. Dual ADC cores with shared channels.
Cortex-R4F Safety Features

ARM Cortex-R4F CPU
Up to 220 MHz CPU clock speed. Single / double precision IEEE 754 floating point. Superscalar, SIMD, 8-stage pipeline delivers 1.6 DMIPS/MHz. Fast MULT, DIV and SQRT enables model-based control and simplifies algorithm implementation. 12-region memory protection. Floating point and integer instructions operate in parallel. Over 350 DMIPS of performance; high performance floating point.
ARM-based: broad industry adoption. ARM v7R Cortex(TM) ISA fully backward compatible to ARM7/9/11. Supports ARM, Thumb and Thumb-2 instructions.
Lockstep CPUs: single core programming model; the second core checks the first. [Figure: two ARM Cortex-R4F cores, up to 220 MHz.]
Broad ARM IDE / compiler support: CCS, KEIL, IAR, etc. Scalable ARM-based solutions from TI: Stellaris, TMS470M, TMS570 & Sitara.
1oo1D Dual Core Safety Concept
3rd generation HW lockstep design. Unique design to reduce common cause failures (IC). CPU Compare Module: self-test capability, self-test error injection / error forcing, output error injection.
Advantages over a SW solution: faster fault detection, better fault coverage, little to no performance impact, minimal memory impact, easy to integrate in the application, proven and easy to justify diagnostic coverage.
[Figure: two Cortex-R4 cores with spatial separation and a dedicated power ring. Input + Control reach the second core through a cycle delay; the Output + Control of the first core pass through a cycle delay into the CCM compare, which raises a compare error; a self test path exercises the compare.]
CPU Self Test Controller
Easy integration. Proven, easy to justify diagnostic coverage.
[Figure: STC block diagram: DBIST controllers for CPU1 and CPU2 with their ROMs, ROM interface FSM, clock control, test controller, REG block and compare block, VBUSP interface, STC bypass / ATE interface; MISR inputs misr_in1 and misr_in2, CCM, CPU_nRESET, PCR, clock controller and the ESM ERR output.]
Advantages over a SW solution: faster test execution, better fault coverage, minimal memory impact.

Errors
Error Handling
Processor core aborts: bus errors for CPU-initiated transactions (addressing, timeout, ...); MPU errors (data violation, program violation, ...); ECC errors (double bit; single bit correctable if programmed, ...); unimplemented opcode.
HW device errors are aggregated in the Error Signaling Module: peripheral parity, logic BIST, PBIST (SRAM).
Certain other critical failures will directly generate a reset: VMON failure, oscillator failure.
ESM Block Diagram
[Figure: ESM block diagram, not reproduced in this extraction.]
Example CCM-R4 Error
[Figure: the Master Core and the Diagnostic Core feed the CCM-R4; its compare error is signalled to the ESM, which as a peripheral feeds the VIM, which raises NFIQ / IRQ to the core.]

Key Safety Documentation
Key Safety Documentation
Deliverable: Safety Product Preview. Contents: Overview of safety considerations in product development and product architecture; delivered ahead of public product announcement. Confidentiality: NDA required. Availability: Removed from circulation after release to market due to availability of the Safety Manual.
Deliverable: Safety Manual. Contents: User guide for the safety features of the product, including system level assumptions of use. Confidentiality: Public, no NDA required. Availability: Available.
Deliverable: Safety Analysis Report Summary. Contents: Summary of FIT rates and device safety metrics according to ISO 26262 and/or IEC 61508 at device level. Confidentiality: NDA required. Availability: Available.
Deliverable: Detailed Safety Analysis Report. Contents: Full results of all available safety analyses (FMEA, FTA, FMEDA, ...) documented in a format which allows computation of custom metrics. Confidentiality: NDA required. Availability: In development.
Deliverable: Safety Case Report. Contents: Summary of the conformance of the product to the ISO 26262 and/or IEC 61508 standards. Confidentiality: NDA required. Availability: In development.
Deliverable: Safety Case Database. Contents: Clause by clause detail of compliance to the ISO 26262 and/or IEC 61508 standards. Confidentiality: NDA required. Availability: In development.

Development Kits and SW Tools
Development Kits and SW Tools

Development Kit Roadmap
Evaluation and Development Kit SW: CCS-IDE 4.x (C/C++ Compiler/Linker/Debugger), HALCoGen (Peripheral Driver Generation Tool), nowFlash(TM) (Flash Programming Tools), HET Assembler, HET Simulator, Demo Project, Code Examples.
[Figure: kit roadmap for TMS570LS2x, TMS470M, TMS570LS3x and RM4x on Early Development and Evaluation rows: TMS470M HDK, TMS570 MDK, TMS570 HDK, RM4x HDK, Control Card, and a Wiki Daughter Card Example that attaches to any HDK; kit prices shown range from $79 to $695.]
Order: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1
3rd Party Tools Roadmap
External Tools:
IDEs: IAR, Keil/ARM, Lauterbach, iSystems
Compiler: IAR, ARM, GCC
Emulator: Spectrum Digital, Lauterbach, iSystems, IAR, Keil, Blackhawk, Segger, Signum Systems
Operating System: Express Logic, Wittenstein, Micrium, ETAS, Vector, Sciopta
AutoSAR: Vector, ElectroBit
Trace / Calibration: Lauterbach, iSystems, Vector, ETAS, Sophia Systems
Production Flash Programming: BP Microsystems, Data-IO
Rapid Prototyping: Matlab/Simulink, dSpace
More: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1
Trusted 3rd Party Safety Support
Safety Training Services, Safety Consulting, Safety Critical ECUs, Safety Critical Software Modules, Safety Assessment, Safety Critical RTOS
Software Tool Overview
Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1
HALCoGen
Hardware Abstraction Layer Code Generator. User input on a high abstraction level; generates C source: peripheral and safety driver set, FreeRTOS.
Supported tool chains: TI tools, Keil/ARM tools, IAR.
Interactive help system: describes tool features and functions, provides detailed dependency graphs, provides useful example code, tool tip help available.
Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1
Graphical Programming Environment: Output simulation tool. Generates CCS-ready SW modules. Includes functional examples from TI. [Figure: tool window with Pin Selection, Algorithm Library, Drag & Drop Instructions, Waveform View, NHET Registers and NHET ASM Code panes.]
NHET Simulator: Graphical waveform viewer. Input generation tool. Seamless interface to the coding tool. Upgradable to full SynaptiCAD.
Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1
Support and Trainings

Support Web Page:
Hercules: www.ti.com/hercules. Data sheets, technical reference manual, application notes, software & tools downloads and updates. Order evaluation and development kits.
E2E Forums: http://www.ti.com/hercules-support. News and announcements, useful links, ask technical questions, search for technical content.
WIKI: www.ti.com/hercules-wiki. How-to guides, intro videos and general information.
E2E Forum Overview
Forum Flow: a question about Hercules devices is posted in the TI E2E forum; the poster receives a confirmation within 24 hrs. If the answer is known, it is posted within 24 hrs. If not, the question is forwarded to the World Wide Apps Team (United States, Europe, India), which posts the answer.
Forum Guidelines: At least one person will monitor the forum at all times (work days). All questions posted in the forum will have a response in 24 hrs or less.
3-Day Training
Training Home: http://focus.ti.com/general/docs/traininghome.tsp
Safety Critical Motor Control Example

Safety Base: Hercules and TPS6538x
[Figure: Hercules Safety MCU beside the TPS65381 multi-rail supply: 0.8V / 3.3V uC core supply, 3.3V / 5V uC supply, 5V supply (e.g. CAN transceiver), 3.3V / 9.5V sensor supply. The MCU's ERROR signal, clock monitor, voltage monitor, BIST and CRC connect to the TPS65381 error signal monitor / Q&A watchdog and reset / enable interface; AMUX / DMUX, temperature protection and current limit are also shown. Voltage signals are drawn green, communication / safety features red.]
Clock monitoring on internal oscillators.
Voltage monitoring on all power supplies and internal supply voltages.
Window or Q/A watchdog support.
Reset circuit for the MCU integrated in the power supply.
Multiple supply rails to power the MCU, CAN/FlexRay and external sensor.
6V asynchronous switch-mode pre-regulator with integrated current limit.
4.5V to 36V operating range.
Microcontroller error-signal monitor.
5V linear regulator (internal FET) with temperature protection and current limit.
EPS Chipset
[Figure: EPS chipset, DRV3201 / TPIC7312.]
Hercules, ideal for Safety Applications
TI has been building products for automotive safety for over 20 years.
TI is participating in and contributing to ISO 26262 standard development.
Advantages of HW safety features over a SW solution: faster test execution, better fault coverage, minimal memory impact, easy integration, proven and easy to justify diagnostic coverage.
SIL3 capable today. ASIL D capable planned.
Thank You for your Attention
Who to contact:
Frank Forster [email protected] +49 8161804270, TMS570 Marketing & SysApps
Josef Mieslinger [email protected] +49 8161803077, TMS570 Marketing
Marcus Frech [email protected] +49 8161803431, TMS570 SysApps