Safety Seminar Silkeborg Day-1 2012


Arrow Roadshow Silkeborg 2012

Functional Safety Seminar & 1-Day Hercules(TM) Workshop

Embedded Processing Marketing, MCU Industrial & Automotive
Marcus Frech, m-frech2@ti.com
Josef Mieslinger, j-mieslinger@ti.com

Agenda Day 1

- Introduction to Functional Safety
- Systematic and Random Failures
- Hazard and Risk Analysis
- IEC EN 61508
- ISO 26262
- Hercules (TMS570, RM4x and TMS470M) Overview
- Hercules Safety Concept and Peripherals
- Development Kits, SW Tools
- Safety Critical Motor Control Example

Agenda Day 2

- TMS570 Introduction and Roadmap
- Development Tools: Hardware kits, Software tools
- Safety Overview and Modules
- TMS570LS Architecture: Memory Map, Clocking, Exceptions
- Embedded Flash Memory tools: nowECC, nowFlash, API
  Demo: TMS570 Safety MCU Demos
- Real Time Interrupt (RTI)
- Vectored Interrupt Manager (VIM)
- Direct Memory Access (DMA)
- General-purpose I/O (GIO)
- Programmable Timer Unit with Transfer Unit (NHET/HTU)
  Demo: Using NHET as GIO
- Multi-Buffered Serial Peripheral Interface (MibSPI)
- Controller Area Network (DCAN)
- FlexRay Interface with Transfer Unit (ERAY/FTU)
- Local Interconnect Network (LIN) / Serial Communication Interface (SCI)
  Demo: PC to SCI Communication
- External Memory Interface (EMIF) / Parameter Overlay (POM)
- Multi-buffered Analog-to-Digital Converter (MibADC)
- Support Structure: Web, Forum, Wiki

Motivation

Safety concerns:

Space Shuttle Challenger disaster (1986)
- The shuttle broke apart; seven crew members died.
- Cause: an unqualified O-ring seal.

Ariane 5 explosion (1996)
- No victims (unmanned flight), but a loss of over 370 million $.
- Cause: a software design error (missing protection against integer overflow).

Laws / claims for damages

Safety and Security

Safety: no unacceptable risk from the system to the health of people or to the system's environment.

System security: protection of the system against manipulation from the outside world.

Definition of Functional Safety

IEC 61508 Definition:


Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment. Functional Safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

ISO 26262 Definition:


Absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems.

Safety Standards

The slide shows IEC 61508 (the generic functional safety standard) in the centre, with the Hercules MCU, surrounded by the sector standards derived from it:

- EN 50128, EN 50129 (railway)
- DO-178B, DO-254 (aerospace)
- IEC 60601 (medical equipment)
- IEC 50156 (furnaces)
- IEC 61511 (process industry)
- IEC 60880 (nuclear power stations)
- IEC 62061, ISO 13849 (machinery)
- ISO 26262 (automotive)

What is a System?

The slide shows a system within its environment: Sensor -> Input Circuit -> Logic Solver -> Output Circuit -> Actuator (final element), with common circuitry shared by the input circuit, logic solver and output circuit.

MCU in a Functional Safety System

The slide shows the environment, the system, its sub-systems and their E/E/PE components; one PE component is the MCU, which itself consists of MCU HW and MCU SW.

System components are generally classed as E/E/PE: Electrical / Electronic / Programmable Electronic.

An MCU is a complex PE component.

MCU HW and SW functions may be safety critical and must be considered in the safety analysis.

Functional Safety Basic Concepts



- All systems have some inherent, quantifiable failure rate.
- For each application there is some tolerable failure rate that does not lead to unacceptable risk.
- Acceptable failure rates vary per application, based on the potential for direct or indirect physical injury in the event of system malfunction.
- Categories can be developed for similar levels of risk. These are known as Safety Integrity Levels (SILs).

Functional Safety Lifecycle

Phases: Concept -> Design -> Prototype -> Release for Manufacturing -> Field Implementation -> Removal from Field Usage.

Assessment, documentation, management and verification run across all phases.

Fault, Error and Failure

Fault: operational issue in a system which may lead to an error.

Error: discrepancy between expected and actual value.

Failure: result of a fault which leads to an inability to execute safety critical functionality.

Chain: Fault -> Error -> Failure.

Errors in Functional Safety Systems

Permanent: the system must be repaired.

Transient: occurs for a short time and disappears automatically or after a reset.

Failures in Functional Safety Systems

Failures are either physical (random) or functional (systematic).

Random failures
Result from random defects. Their rate cannot be reduced by process; they must be detected and handled by the application. Addressed through hazard and risk analyses.

Systematic failures
Result from a failure in design or manufacturing. Reducible through quality management. Often a result of failure to follow best practices.

Dependent Failures

Common cause failures: one root cause produces faults in several channels at once (Root Cause -> Fault -> Error in each channel -> Failure).

Cascading failures: the failure of one element is the fault that leads to the error and failure of the next (Fault -> Error -> Failure -> Fault -> Error -> Failure).

How can a System Fail?

Safe: enters the safe state.

Dangerous: may cause a hazard.

Operational: runs in a degraded mode.

Example Fault Propagation

The slide shows a fault propagating from an E/E/PE component through its sub-system to the system and into the environment.

Reliability vs. Availability

Reliability
Probability that a device will perform its required function under stated conditions for a specified period of time.

Reliability is quantified as Mean Time Between Failures (MTBF) for repairable systems and Mean Time To Failure (MTTF) for non-repairable systems.

Availability
Probability that a device will perform its required function under stated conditions at a given point in time.

Mean Time Between Failures

The slide shows the up/down timeline of a repairable unit: an up period of length TTF, a down period of length TTR, then the next up period. TBF = TTF + TTR.

MTBF: Mean Time Between Failures
MTTF: Mean Time To Failure
MTTR: Mean Time To Restoration (detect and repair time)

Failure Rate

For a device with a constant failure rate the rate is expressed in FIT.

FIT = Failures In Time = 1 failure in 10^9 device hours.

Example: what is a failure rate of 50 FIT in units of failures per year?

50 FIT = 5 x 10^-8 failures per hour; 5 x 10^-8 failures per hour x 8760 hours per year = 4.38 x 10^-4 failures per year.

What is a Hazard?

A hazard is a situation that poses a level of threat to life, health, property or environment.

The slide shows a hazard leading to one or more hazardous events (Hazardous Event 1 ... Hazardous Event n), each of which can lead to an accident.

Functional Safety Basics

- Identify system hazards.
- Classify system hazards.
- Determine methods to control system hazards.
- Define requirements for reliability and availability.
- Determine the Safety Integrity Level (SIL).
- Specify development methods according to the SIL.

What is Risk?

Risk is a combination of the frequency (probability) of a hazardous event and its consequence:

Risk = f x C

(Hazard -> Hazardous Event 1 ... Hazardous Event n -> Accident, as on the previous slide.)

With this definition the risk can be analysed qualitatively or quantitatively.

Qualitative Analysis

Qualitative analyses use words like probable, frequent, unlikely, etc. to describe the likelihood of a hazardous event, and words like minor, major, catastrophic, etc. to describe its severity. Guide numbers are introduced on how to interpret these words; e.g. "unlikely" may be defined as once every 10 to 100 years.

Analysis techniques: Risk Graph, FMEA.

Quantitative Analysis

Quantitative analysis uses numbers to describe the likelihood and severity of a hazardous event.

E.g. the likelihood of the hazardous event is < 10^-3 per year. E.g. the likelihood of a potential loss of life is < 10^-5 per year.

A certain amount of uncertainty is associated with the numerical prediction. Different analysis techniques may end with different results, and some qualitative interpretation is necessary to decide whether a hazardous event lies in the acceptable risk region.

Analysis techniques: Risk = f x C, Probability of Failure on Demand (PFD), FMEDA.

Risk Classes IEC 61508

Risk class  Definition
1           Intolerable risk
2           Undesirable risk, tolerable only if risk reduction is impracticable or if the costs are grossly disproportionate to the improvement gained
3           Tolerable risk if the cost of risk reduction would exceed the improvement gained
4           Negligible risk

Risk Classification IEC 61508

Consequence (C) \ Frequency (f):  Frequent  Probable  Occasional  Remote  Improbable  Incredible
Catastrophic                      1         1         1           2       3           4
Critical                          1         1         2           3       3           4
Marginal                          1         2         3           3       4           4
Negligible                        2         3         3           4       4           4

Risk Graph

A decision tree in which a team considers a small set of risk parameters to determine a safety integrity level. Remember: R = f x C.

C is represented by the consequence risk parameter (C).

f is represented by the combination of:
- frequency and exposure time risk parameter (F),
- possibility of failing to avoid the hazard risk parameter (P),
- probability of the unwanted occurrence (W).

Every combination of risk parameters leads to an estimate of the required risk reduction.

Risk Graph Parameter Example

Risk parameter  Classification
C1              Minor injury.
C2              Serious permanent injury; death of one person.
C3              Death of several people.
C4              Very many people killed.
F1              Rare to more often exposure in the hazardous zone.
F2              Frequent to permanent exposure in the hazardous zone.
P1              Avoidance possible under certain conditions.
P2              Avoidance almost impossible.
W1              A very slight probability of unwanted occurrences.
W2              A slight probability of unwanted occurrences.
W3              A relatively high probability of unwanted occurrences.

Risk Graph

The slide shows the graph: starting from the consequence (C1 to C4), each path branches on F1/F2 and then P1/P2; the resulting row is read against the W column (W3, W2 or W1) to give a requirement class from 1 to 8. For the same C/F/P path the class is one lower in the W2 column than in W3 and one lower again in W1 (W3: classes 1 to 8, W2: 1 to 7, W1: 1 to 6).

Assessment criteria are assigned to the requirement classes: random failures, systematic failures, manipulation, ...

Requirement classes are a measure for the necessary risk reduction.

Necessary Risk Reduction

The slide shows a risk scale from high risk down to the acceptable risk and the (lower) remaining risk. The necessary risk reduction is the distance from the risk of the hazard to the acceptable risk; the actual risk reduction achieved must be at least as large.

Measures contributing to the risk reduction:
- (Re-)specification / (re-)design of the function
- Adding safety functions (functional safety: hazard analyses, reduce probability of failure)
- Quality management, maturity, processes and methods: SPICE, CMMI, ISO 9001, ...
- External / passive actions: emergency shutdown, user manuals, warning signs, trainings

Safety Functions

Additional functionality to avoid or control hazards, separated from the system to be protected.

The slide shows Safety Function 1 ... Safety Function n acting on the chain Hazard -> Hazardous Event 1 ... Hazardous Event n -> Accident, reducing Risk = f x C.

Safety Function Aspects

Diagnostic: what needs to be measured, and how to measure it.

Action: maximum time to react, and how to react.

The slide shows the timeline from the hazardous event through the diagnostic and the action to the point where the hazard would occur: diagnostic plus action must complete within that time.

Safety Integrity

IEC 61508 definition: the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.

Safety Integrity Level SIL

Specifies the safety integrity requirements of safety functions. Target failure measures are defined for each SIL, in two classes:
- continuous or high demand mode: probability of a dangerous failure per hour (PFH),
- low demand mode: average probability of a dangerous failure on demand (PFD).

IEC 61508 target failure measures:

SIL  PFH (per hour)         PFD (per demand)
4    10^-9 to < 10^-8       10^-5 to < 10^-4
3    10^-8 to < 10^-7       10^-4 to < 10^-3
2    10^-7 to < 10^-6       10^-3 to < 10^-2
1    10^-6 to < 10^-5       10^-2 to < 10^-1

Risk Graph

The slide repeats the risk graph (C1 to C4, F1/F2, P1/P2, columns W3/W2/W1) and maps the resulting requirement classes onto the necessary risk reduction expressed as a SIL:

Requirement class  SIL
(none)             No safety requirements
1                  No special safety requirements
2, 3               SIL 1
4                  SIL 2
5, 6               SIL 3
7                  SIL 4
8                  A single E/E/PE safety-related system is not sufficient

Qualitative Analysis: FMEA

FMEA (Failure Mode and Effect Analysis) is a systematic method to identify and prevent product and process issues before they occur.
- Used in design and manufacturing processes.
- Team-based approach; resource heavy (time and people): 4 to 6 experienced and non-experienced people.

Evaluating the risk of a failure:
- Severity: consequence of the failure.
- Occurrence: probability of the failure.
- Detection: probability that the failure is detected before it takes effect.

FMEDA

FMEDA = FMEA extension to identify online diagnostic techniques and the failure modes relevant to safety instrumented system design.

Generates failure rates for: safe detected, safe undetected, dangerous detected, dangerous undetected.

Functional Safety Hardware Architectures

1oo1 System Architecture

Minimal system. No fault redundancy. No internal diagnostics.

Single channel: Sensor -> Input Circuit -> Logic Solver -> Output Circuit -> Actuator (final element), with common circuitry.

1oo2 System Architecture

Two independent channels. Either channel alone can trigger the safety function; both channels must fail for an undesired output.

Example: airbag systems, where a 32-bit main MCU and an 8-bit secondary MCU are both required to energize the squib charges.

Two channels, each Sensor -> Input Circuit -> Logic Solver -> Output Circuit with its own common circuitry, driving one actuator (final element).

1oo1D System Architecture

1oo1 system with a diagnostic channel. The diagnostic channel can inhibit the system output. Additional failure rate potential due to failures in the diagnostic circuits (annunciation failure). TMS570LS processor implementations are a 1oo1D system.

Single channel Sensor -> Input Circuit -> Logic Solver -> Output Circuit -> Actuator, with a diagnostic circuit monitoring the channel and able to inhibit the output.

2oo3 Safety Architecture

Three independent channels with a voting circuit.

Channels A, B and C, each Sensor -> Input Circuit -> Logic Solver -> Output Circuits 1 and 2 with its own common circuitry; the voting circuit combines the pairs A/B, A/C and B/C so that any two agreeing channels drive the actuator (final element).

Processing Function Protection

Method 1: single 32-bit device with 8/16-bit checker device (CHK + CPU)
- Advantages: relatively low cost; safety through diverse hardware.
- Disadvantages: SIL may be limited by the processing capacity of the simple checker micro; processing power limited by frequent on-line diagnostics.

Method 2: dual devices with external compare of safety outputs and optional SW message passing (CPU + CPU + Compare)
- Advantages: SIL 3 generally possible; can double performance for non-safety-critical tasks; simplicity of sourcing; potential for redundancy.
- Disadvantages: increased complexity for safety SW synchronization; additional cost and board space.

Method 3: device with internal safety logic, CPU in lockstep (CPU + CHK CPU + Compare on one die)
- Advantages: SIL 3 generally possible; reduction in board space; reduced SW complexity; same performance as a single CPU.
- Disadvantages: customized implementation.

Method 4: single device with dual CPU and internal self test (CPU 1, CPU 2, shared memory)
- Advantages: SIL 3 generally possible; multi-core performance for non-safety-critical tasks.
- Disadvantages: customized implementation; increased complexity for safety SW synchronization.

Hardware Fault Tolerance HFT

Sensors, actuators and MCUs of a safety function must have a minimum HFT. The HFT describes the safety function design: an HFT of x means that x+1 faults may lead to loss of the safety function.

HFT = 0 (single channel): one fault may lead to loss of the safety function. Examples: 1oo1, 1oo1D, 2oo2.

HFT = 1 (redundant): at least two faults are needed to lose the safety function. Examples: 1oo2, 2oo3.

IEC 61508

What is IEC EN 61508?

- Consensus standard for general-market functional safety applications.
- Primarily designed for system-level application; also applied at product and component level.
- Distinguishes between systems with continuous or high demand and systems with low demand.
- Provides measures for the management and reduction of systematic failures and for the detection of random failures.
- Structured flow and guide for developing a functional safety system.

Standard Documentation

Part 0: Overview of functional safety
Part 1: General requirements
Part 2: Requirements for E/E/PE safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of SILs
Part 6: Guidelines on the application of parts 2 and 3
Part 7: Overview of techniques and measures

Safety Life Cycle

E/E/PES Safety Life Cycle

E/E/PES safety requirement specification -> E/E/PES safety validation planning -> E/E/PES design and development -> E/E/PES integration -> E/E/PES safety validation -> E/E/PES operation and maintenance procedures.

Assessment, documentation, management and verification run across all phases.

SW Safety Life Cycle

SW safety requirement specification -> SW safety validation planning -> SW design and development -> PE integration (HW/SW) -> SW safety validation -> SW operation and modification procedures.

Assessment, documentation, management and verification run across all phases.

Failure Rates and Diagnostics

λ_S: safe failure rate (no impact on the safety function)
- λ_SD: safe detected failure rate
- λ_SU: safe undetected failure rate

λ_D: dangerous failure rate (impact on the safety function)
- λ_DD: dangerous detected failure rate
- λ_DU: dangerous undetected failure rate

Safe Failure Fraction SFF

Relative measure for the implemented diagnostics: the fraction of the overall failure rate that is either safe or dangerous but detected.

Subsystem types:
- Type A: all failure mechanisms are known, e.g. a switch.
- Type B: not all failure mechanisms are known, e.g. an MCU.

Exercise SFF

Calculate the Safe Failure Fraction for:

Start system: λ_DU = 20 FIT and λ = 2000 FIT
Improved system: λ_DU = 10 FIT and λ = 200 FIT
Optimized system: λ_DU = 10 FIT and λ = 20 FIT

Solution SFF

With SFF = (λ_S + λ_DD) / (λ_S + λ_D) = 1 - λ_DU / λ, where λ is the total failure rate:

Start system: λ_DU = 20 FIT, λ = 2000 FIT: SFF = 1 - 20/2000 = 99 %
Improved system: λ_DU = 10 FIT, λ = 200 FIT: SFF = 1 - 10/200 = 95 %
Optimized system: λ_DU = 10 FIT, λ = 20 FIT: SFF = 1 - 10/20 = 50 %

Note that the SFF drops as the design improves: the optimized system has the lowest dangerous undetected rate and by far the lowest total failure rate, but because it contains few safe failures its SFF is the worst. The SFF measures diagnostic coverage relative to the total failure rate, not absolute safety.

SIL determination from SFF

Maximum SIL that can be claimed for a subsystem from its SFF and hardware fault tolerance:

Type A SFF      Type B SFF      HFT = 0   HFT = 1   HFT = 2
-               < 60 %          not allowed  SIL 1  SIL 2
< 60 %          60 % to < 90 %  SIL 1     SIL 2     SIL 3
60 % to < 90 %  90 % to < 99 %  SIL 2     SIL 3     SIL 4
>= 90 %         >= 99 %         SIL 3     SIL 4     SIL 4

Probability of Failure

The probability of failure due to random hardware failures must be quantified for each safety function.

PFD: Probability of Failure on Demand. Assumes low demand for the safety function. PFD depends on the repair time and the proof-test interval.

PFH: Probability of Failure per Hour. Assumes high or continuous demand for the safety function.

PFDavg Example 1oo1

Proof-test interval TI = 2 years = 17520 h. For each element PFDavg = λ_DU x TI / 2; for the 1oo1 loop (Sensor -> Input Circuit -> Logic Solver -> Output Circuit -> Actuator) the PFDavg values add up.

Element       λ_DU      PFDavg
Sensor        300 FIT   2.6 x 10^-3
Input         10 FIT    0.087 x 10^-3
CPU           5 FIT     0.044 x 10^-3
Output        1 FIT     0.0087 x 10^-3
Actuator      300 FIT   2.6 x 10^-3
System        616 FIT   5.34 x 10^-3 (5.40 x 10^-3 with unrounded terms)

Exercise PFDavg

Determine the safety integrity level for our example: PFDavg_System = 5.34 x 10^-3, SIL = ?

SIL  PFD
4    10^-5 to < 10^-4
3    10^-4 to < 10^-3
2    10^-3 to < 10^-2
1    10^-2 to < 10^-1

Solution PFDavg

PFDavg_System = 5.34 x 10^-3 lies in the band 10^-3 to < 10^-2, so the loop meets SIL 2 (with the sensor and actuator contributing almost all of the PFDavg).

SIL  PFD
4    10^-5 to < 10^-4
3    10^-4 to < 10^-3
2    10^-3 to < 10^-2
1    10^-2 to < 10^-1
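The following script is an added example, not part of the seminar material. It carries the calculations of the SFF exercise, the SFF/HFT table and the 1oo1 PFDavg example through in code: FIT conversion, SFF, the maximum SIL from the architectural constraints, PFDavg of the series 1oo1 loop and the low-demand SIL band. It assumes the second rate in the SFF exercise is the total failure rate λ. As an extension beyond the slides it also includes the simplified IEC 61508-6 PFDavg formulas for 1oo2 and 2oo3 channel groups with a common-cause factor β (repair time and dangerous-detected contributions neglected), which shows why the common-cause failures of the "Dependent Failures" slide dominate a redundant architecture.

```python
"""IEC 61508 hardware metrics worked through for the seminar's examples (added example)."""
from typing import Dict, Optional

FIT = 1e-9              # 1 FIT = one failure per 10^9 device hours
HOURS_PER_YEAR = 8760


def fit_to_per_hour(fit: float) -> float:
    return fit * FIT


def fit_to_per_year(fit: float) -> float:
    return fit * FIT * HOURS_PER_YEAR


def safe_failure_fraction(lambda_du_fit: float, lambda_total_fit: float) -> float:
    """SFF = (λ_S + λ_DD) / (λ_S + λ_D) = 1 - λ_DU / λ_total.
    Assumption: the exercise's second rate is the total failure rate λ."""
    if not 0 <= lambda_du_fit <= lambda_total_fit:
        raise ValueError("need 0 <= lambda_DU <= lambda_total")
    return 1.0 - lambda_du_fit / lambda_total_fit


# Architectural constraints as on the "SIL determination from SFF" slide:
# (SFF lower bound in %, maximum SIL for HFT 0, 1, 2); None = not allowed.
_SFF_TABLE = {
    "A": [(90, (3, 4, 4)), (60, (2, 3, 4)), (0, (1, 2, 3))],
    "B": [(99, (3, 4, 4)), (90, (2, 3, 4)), (60, (1, 2, 3)), (0, (None, 1, 2))],
}


def max_sil_from_sff(sff: float, hft: int, subsystem_type: str) -> Optional[int]:
    """Highest SIL the architectural constraints allow for this SFF and HFT."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    sff_pct = round(sff * 100, 9)      # absorb float noise at the 60/90/99 % edges
    for lower, sils in _SFF_TABLE[subsystem_type.upper()]:
        if sff_pct >= lower:
            return sils[hft]
    raise ValueError("SFF out of range")


def pfd_avg_1oo1(lambda_du_fit: float, t1_hours: float) -> float:
    """PFDavg ≈ λ_DU * T1 / 2, T1 = proof-test interval (repair time neglected)."""
    return fit_to_per_hour(lambda_du_fit) * t1_hours / 2


def pfd_avg_1oo2(lambda_du_fit: float, t1_hours: float, beta: float = 0.0) -> float:
    """Simplified IEC 61508-6 1oo2 formula: the independent part is
    ((1-β) λ_DU)^2 T1^2 / 3, the common-cause part β λ_DU behaves like 1oo1."""
    lam = fit_to_per_hour(lambda_du_fit)
    return ((1 - beta) * lam) ** 2 * t1_hours ** 2 / 3 + beta * lam * t1_hours / 2


def pfd_avg_2oo3(lambda_du_fit: float, t1_hours: float, beta: float = 0.0) -> float:
    """Simplified 2oo3 formula: ((1-β) λ_DU)^2 T1^2 plus the same common-cause term."""
    lam = fit_to_per_hour(lambda_du_fit)
    return ((1 - beta) * lam) ** 2 * t1_hours ** 2 + beta * lam * t1_hours / 2


def sil_from_pfd(pfd: float) -> Optional[int]:
    """Low-demand SIL band of the slides; None outside 10^-5 <= PFD < 10^-1."""
    for sil, lower in ((4, 1e-5), (3, 1e-4), (2, 1e-3), (1, 1e-2)):
        if lower <= pfd < lower * 10:
            return sil
    return None


def loop_pfd_avg(du_fit_by_element: Dict[str, float], t1_hours: float) -> float:
    """Series 1oo1 loop: PFDavg of the loop is the sum over its elements."""
    return sum(pfd_avg_1oo1(f, t1_hours) for f in du_fit_by_element.values())


# λ_DU budget of the 1oo1 example loop on the slides (FIT), T1 = 2 years.
LOOP_DU_FIT = {"sensor": 300, "input": 10, "cpu": 5, "output": 1, "actuator": 300}
T1_TWO_YEARS = 2 * HOURS_PER_YEAR   # 17520 h

if __name__ == "__main__":
    print(f"50 FIT = {fit_to_per_year(50):.6f} failures/year")
    for name, du, total in (("start", 20, 2000), ("improved", 10, 200), ("optimized", 10, 20)):
        sff = safe_failure_fraction(du, total)
        print(f"{name}: SFF = {sff:.1%}, max SIL (type B, HFT=0) = {max_sil_from_sff(sff, 0, 'B')}")
    pfd = loop_pfd_avg(LOOP_DU_FIT, T1_TWO_YEARS)
    print(f"1oo1 loop: PFDavg = {pfd:.3e} -> SIL {sil_from_pfd(pfd)}")
    for beta in (0.0, 0.05):
        print(f"1oo2 sensor pair, beta = {beta:.0%}: PFDavg = {pfd_avg_1oo2(300, T1_TWO_YEARS, beta):.3e}")
```

Running it reproduces the slides' numbers (99 % / 95 % / 50 %; 5.40 x 10^-3 and SIL 2 for the loop) and shows two things the slides only state: the "optimized" system with SFF = 50 % cannot claim any SIL as a type B subsystem with HFT = 0, and a redundant 1oo2 sensor pair with a 5 % common-cause factor lands at about 1.4 x 10^-4, almost entirely from the β term, so redundancy only pays off when common causes are actually removed.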

ISO 26262

What is different/new in ISO 26262?

- Adaptation of IEC 61508 for road vehicles.
- Safety functions are replaced with safety goals. The safety function concept was based on the idea of defining a system under control and then bolting on risk reduction measures; the safety goal concept requires that risk reduction be part of the initial control system design.
- Adapted to the common automotive lifecycle.
- Hazard and risk analysis, failure rates and metrics are adapted to automotive use cases.
- Work products are clearly defined.

SIL and ASIL Comparison

ISO 26262 categories of risk are Automotive Safety Integrity Levels (ASILs).

ISO 26262 ASIL  DIN EN 61508 SIL  Description
QM              -
ASIL A          SIL 1
ASIL B          SIL 2             SIL 2 is not fully equivalent to ASIL B: SIL 2 development requirements with SIL 3 verification requirements
ASIL C          SIL 3
ASIL D          SIL 3 / SIL 4     SIL 3 is not fully equivalent to ASIL D

Note: there is no direct correlation between SIL and ASIL.

Risk in ISO 26262

S = Severity, E = Exposure, C = Controllability

Risk = S x (E x C)

The slide shows Safety Goal 1 ... Safety Goal n acting on the chain Hazard -> Hazardous Event 1 ... Hazardous Event n -> Accident.

Severity Classification

Class  Description
S0     No injuries
S1     Light and moderate injuries
S2     Severe and life-threatening injuries (survival probable)
S3     Life-threatening injuries (survival uncertain), fatal injuries

Probability of Exposure Classification

Class  Description
E1     Incredible
E2     Very low probability
E3     Low probability
E4     Medium probability
E5     High probability

Controllability Classification

Class  Description
C0     Controllable in general
C1     Simply controllable
C2     Normally controllable
C3     Difficult to control or uncontrollable

ASIL Determination

Severity  Exposure  C1      C2      C3
S1        E1        QM      QM      QM
S1        E2        QM      QM      QM
S1        E3        QM      QM      ASIL A
S1        E4        QM      ASIL A  ASIL B
S2        E1        QM      QM      QM
S2        E2        QM      QM      ASIL A
S2        E3        QM      ASIL A  ASIL B
S2        E4        ASIL A  ASIL B  ASIL C
S3        E1        QM      QM      ASIL A
S3        E2        QM      ASIL A  ASIL B
S3        E3        ASIL A  ASIL B  ASIL C
S3        E4        ASIL B  ASIL C  ASIL D

HW Failure Modes

Failure modes of HW:
- Non safety related: safe fault
- Safety related:
  - Safe fault
  - Multiple point fault: detected, perceived, or latent
  - Residual / single point fault

Failure Rates Overview

λ_SPF: single point faults
λ_RF: residual faults
λ_MPF_DP: detected or perceived multiple point faults
λ_MPF_L: latent multiple point faults
λ_MPF = λ_MPF_DP + λ_MPF_L: multiple point faults
λ_S: safe faults
λ = λ_SPF + λ_RF + λ_MPF + λ_S: total faults

FIT = Failures In Time = 1 failure in 10^9 device hours.

Metrics

SPFM: Single Point Fault Metric, the fraction of the safety-related failure rate that is neither single-point nor residual: SPFM = 1 - (λ_SPF + λ_RF) / λ.

LFM: Latent Fault Metric, the fraction of the remaining failure rate that is not latent: LFM = 1 - λ_MPF_L / (λ - λ_SPF - λ_RF).

PVSG: Probability of Violation of a Safety Goal, the residual probability due to random hardware failures.

Hercules Overview

What is Hercules?

The Hercules platform comprises three families: TMS470M, TMS570 and RM4x.

TMS470M: value-line transportation and safety MCUs
- Transportation applications
- Automotive Q100 qualification, -40 to 125 C operation
- LIN, CAN connectivity
- Supports safety for IEC 61508 systems
- Cortex-M, up to 100 MIPS

TMS570: high-performance transportation and safety MCUs
- Transportation applications
- Automotive Q100 qualification, -40 to 125 C operation
- FlexRay, CAN connectivity
- Developed to safety standards ISO 26262 ASIL D, IEC 61508 SIL 3
- Cortex-R, over 280 MIPS

RM4x: high-performance industrial and medical safety MCUs
- Industrial and medical applications
- TMS qualification, -40 to 85/105 C operation
- Ethernet, USB connectivity
- Developed to safety standard IEC 61508 SIL 3
- Cortex-R, over 320 MIPS

Hercules Safety MCU Roadmap

The roadmap slide groups devices by family (high-performance RM4x, transportation TMS570, value TMS470M) and status (production, sampling, development). All three families use lockstep CPUs, are developed to IEC 61508 SIL 3, and offer ISO 26262 support.

RM4x (high performance; safe motor control, industrial automation, safe connectivity):
- 2 x R4F lockstep, 3 MB Flash / 256 kB RAM, 220 MHz, Ethernet
- 2 MB / 192 kB
- Further devices: more memory options, new peripherals

TMS570 (transportation; medical, stability control, power steering, vehicle electrification):
- 2 x R4F lockstep, 2 MB / 160 kB, 160 MHz
- 2 x R4F lockstep, 3 MB / 256 kB, 180 MHz, Ethernet
- 1 MB / 160 kB and 2 MB / 192 kB
- Further devices: more memory options, new peripherals

TMS470M (value; ABS, power steering, passive safety):
- ARM Cortex-M3, 80 MHz: 640 kB / 48 kB, 448 kB / 24 kB, 320 kB / 16 kB
- Further devices: smaller memory options, new peripherals, lower cost

TMS570LS20216 Block Diagram (diagram not reproduced)

TMS570LS31x (block diagram not reproduced)

RM48x (block diagram not reproduced)

TMS470M Block Diagram (diagram not reproduced)

Hercules Safety Concept

Rationale of the Hercules Safety Concept

Safe island approach: the device is partitioned into regions (core, memory, interrupts, clock & power, system, peripherals, other), each covered by its own hardware diagnostics. Diagnostics named on the slide: lockstep core (LS core), CPU self test, Flash ECC, RAM ECC, RAM parity, interrupt table parity, MPU, CRC, PBIST, fault injection, SW check, VMON (voltage monitor), CMON (clock monitor), DCC (dual clock comparator), DWWD (digital windowed watchdog), ECLK, IO loopback, peripheral self test, timing protection.

Once a known safe region can be guaranteed, logic in this region can be used to provide diagnostic coverage on other regions.

Rationale of the Hercules Safety Concept

- CPU self-test controller requires little SW overhead.
- Logical / physical design optimized to reduce the probability of common cause failures.
- Dual-core lockstep: cycle-by-cycle CPU fail-safe detection.
- Parity on all peripheral, DMA and interrupt controller RAMs.
- Parity or CRC in serial and network communication peripherals.
- ECC for Flash / RAM / interconnect, evaluated inside the Cortex-R4F.
- Memory BIST on all RAMs allows a fast memory test at startup.
- On-chip clock and voltage monitoring.
- Error Signaling Module with external error pin.
- IO loopback, ADC self test, dual ADC cores with shared channels.

The block diagram colours the blocks as safe-island hardware diagnostics (red: power, clock & safety, i.e. OSC, PLL, POR, CRC, PBIST/LBIST, ESM, RTI/DWWD; the ARM Cortex-R4F cores), blended HW diagnostics (blue: memory with ECC Flash, RAM and Flash EEPROM, memory protection, DMA, enhanced system bus and vectored interrupt module, memory interface / external memory, serial and network interfaces, dual ADC cores, dual high-end timers, GIO) and non-safety-critical functions (black: JTAG debug, embedded trace).

Cortex-R4F Safety Features

ARM Cortex-R4F CPU, up to 220 MHz:
- ARMv7-R Cortex ISA, fully backward compatible to ARM7/9/11.
- Fast MULT, DIV and SQRT enable model-based control and simplify algorithm implementation.
- 12-region memory protection.
- Broad ARM IDE/compiler support: CCS, Keil, IAR, etc.
- Lockstep CPUs: single-core programming model, the second core checks the first.
- Supports ARM, Thumb and Thumb-2 instructions.
- Single / double precision IEEE 754 floating point; floating point and integer instructions operate in parallel.
- Superscalar, SIMD, 8-stage pipeline delivering 1.6 DMIPS/MHz, i.e. over 350 DMIPS.
- Scalable ARM-based solutions from TI: Stellaris, TMS470M, TMS570 & Sitara; broad industry adoption.

1oo1D Dual Core Safety Concept

- 3rd generation HW lockstep design.
- Unique design to reduce common cause failures on the IC: spatial separation of the two Cortex-R4 cores, a dedicated power ring, and a cycle delay on the inputs of one core and the outputs of the other so that both cores never see the same disturbance in the same cycle.
- CPU Compare Module (CCM): compares output and control signals of the two cores cycle by cycle and raises a compare error; has its own self test.

Advantages over a SW solution: faster fault detection, better fault coverage, little to no performance impact, minimal memory impact, easy to integrate in the application, proven and easy-to-justify diagnostic coverage.

Self-test capability, self-test error injection / error forcing, output error injection.

CPU Self Test Controller

Advantages over a SW solution: easy integration, faster test execution, proven and easy-to-justify diagnostic coverage, better fault coverage, minimal memory impact.

The block diagram shows the self-test controller (STC) with its ROM and ROM interface, clock controller, FSM, test controller and STC bypass / ATE interface, a PCR and VBUSP register interface, and the DBIST control for CPU1 and CPU2 feeding the MISR inputs (misr_in1, misr_in2). The STC drives CPU_nRESET; the CCM's register and compare block reports errors to the ESM.

Errors

Error Handling

Processor core aborts:
- Bus errors for CPU-initiated transactions (addressing, timeout, ...).
- MPU errors (data violation, program violation, ...).
- ECC errors (double bit; single bit correctable if programmed, ...).
- Unimplemented opcode.

HW device errors are aggregated in the Error Signaling Module (ESM): peripheral parity, logic BIST, PBIST (SRAM), ...

Certain other critical failures directly generate a reset: VMON failure, oscillator failure.

ESM Block Diagram (diagram not reproduced)

Example CCM-R4 Error

The slide shows the path of a lockstep compare error: the CCM-R4 compares the master core and the diagnostic core; on mismatch it signals the ESM, which raises an NFIQ (non-maskable FIQ) through the VIM, while peripheral errors reach the VIM as an IRQ.

Key Safety Documentation

Deliverable                      Contents                                                                                                                       Confidentiality        Availability
Safety Product Preview           Overview of safety considerations in product development and product architecture; delivered ahead of public product announcement  NDA required           Removed from circulation after release to market, superseded by the Safety Manual
Safety Manual                    User guide for the safety features of the product, including system level assumptions of use                                      Public, no NDA         Available
Safety Analysis Report Summary   Summary of FIT rates and device safety metrics according to ISO 26262 and/or IEC 61508 at device level                              NDA required           Available
Detailed Safety Analysis Report  Full results of all available safety analyses (FMEA, FTA, FMEDA, ...) in a format that allows computation of custom metrics         NDA required           In development
Safety Case Report               Summary of the conformance of the product to the ISO 26262 and/or IEC 61508 standards                                             NDA required           In development
Safety Case Database             Clause-by-clause detail of compliance to the ISO 26262 and/or IEC 61508 standards                                                 NDA required           In development

Development Kits and SW Tools

Evaluation and development kit SW:
- CCS IDE 4.x: C/C++ compiler, linker, debugger
- HALCoGen: peripheral driver generation tool
- nowFlash(TM): flash programming tools
- HET assembler
- HET simulator
- Demo project, code examples
- Wiki

Development kit roadmap:

Early development: TMS570 MDK ($695); TMS470M HDK, TMS570 HDK, RM4x HDK ($199 each); control card ($99). A daughter-card example attaches to any HDK.

Evaluation: TMS570LS2x, TMS470M, TMS570LS3x ($79 each); RM4x ($99).

Order: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

3rd Party Tools Roadmap

External tools:
- IDEs: IAR, Keil/ARM, Lauterbach, iSystems
- Compilers: IAR, ARM, GCC
- Emulators: Spectrum Digital, Lauterbach, iSystems, IAR, Keil, Blackhawk, Segger, Signum Systems
- Operating systems: Express Logic, Wittenstein, Micrium, ETAS, Vector, Sciopta
- AUTOSAR: Vector, ElectroBit
- Trace / calibration: Lauterbach, iSystems, Vector, ETAS, Sophia Systems
- Production flash programming: BP Microsystems, Data-IO
- Rapid prototyping: Matlab/Simulink, dSpace

More: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

Trusted 3rd Party Safety Support

Safety training services, safety consulting, safety assessment, safety critical ECUs, safety critical software modules, safety critical RTOS.

Software Tool Overview

Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

HALCoGen

HALCoGen: Hardware Abstraction Layer Code Generator. User input at a high abstraction level; generates C source.

- Peripheral and safety driver set, FreeRTOS.
- Supported tool chains: TI tools, Keil/ARM tools, IAR.
- Interactive help system: describes tool features and functions, provides detailed dependency graphs and useful example code; tool-tip help available.

Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

NHET Simulator

- Graphical programming environment: algorithm library, drag & drop instructions, NHET ASM code, pin selection, NHET registers.
- Output simulation tool: graphical waveform viewer, input generation tool; upgradable to full SynaptiCAD.
- Seamless interface to the coding tool; generates CCS-ready SW modules.
- Includes functional examples from TI.

Download: http://focus.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1

Support and Trainings

Web page: www.ti.com/hercules
Data sheets, technical reference manual, application notes, software & tools downloads and updates, ordering of evaluation and development kits.

E2E forums: http://www.ti.com/hercules-support
News and announcements, useful links, ask technical questions, search for technical content.

Wiki: www.ti.com/hercules-wiki
How-to guides, intro videos and general information.

E2E Forum Overview

Forum flow: a question is posted on the TI E2E forum for Hercules devices; a confirmation is received within 24 hours. If the answer is known, it is posted; otherwise the question is forwarded to the worldwide applications team (United States, Europe, India), which posts the answer within 24 hours.

Forum guidelines: at least one person monitors the forum at all times (work days); all questions posted in the forum receive a response within 24 hours or less.

3-Day Training

Training home: http://focus.ti.com/general/docs/traininghome.tsp

Safety Critical Motor Control Example

Safety base: Hercules and TPS6538x

The slide shows the TPS65381 multi-rail supply and safety companion next to the Hercules safety MCU; voltage signals are drawn in green, communication and safety features in red.

TPS65381:
- 6 V asynchronous switch-mode pre-regulator with integrated current limit, 4.5 V to 36 V operating range.
- 5 V linear regulator (internal FET) with temperature protection and current limit, e.g. for the CAN transceiver.
- Multiple supply rails to power the MCU (3.3 V / 5 V I/O supply, 0.8 V to 3.3 V core supply), CAN/FlexRay, and an external sensor (3.3 V to 9.5 V sensor supply).
- Reset circuit for the MCU integrated in the power supply.
- Window or Q&A watchdog support.
- Voltage monitoring on all power supplies and internal supply voltages; clock monitoring on internal oscillators; BIST; CRC.

Interface to the Hercules safety MCU: reset/enable interface, ERROR signal monitor / Q&A watchdog, AMUX / DMUX.

EPS Chipset

DRV3201 / TPIC7312 (block diagram not reproduced)

Hercules, ideal for Safety Applications

- TI has been building products for automotive safety for over 20 years.
- TI participates in and contributes to the ISO 26262 standard development.
- Advantages of HW safety features over a SW solution: faster test execution, better fault coverage, minimal memory impact, easy integration, proven and easy-to-justify diagnostic coverage.
- SIL 3 capable today; ASIL D capability planned.

Thank you for your attention

Who to contact:
Frank Forster, f-forster@ti.com, +49 8161804270, TMS570 Marketing & SysApps
Josef Mieslinger, j-mieslinger@ti.com, +49 8161803077, TMS570 Marketing
Marcus Frech, m-frech2@ti.com, +49 8161803431, TMS570 SysApps