The SafeTI

TI/TÜV Rheinland Functional Safety Seminar
China
Texas Instruments Inc.
Nov/2014
Agenda
• Overview of HerculesTM MCU and SafeTITM Design
package
• HerculesTM MCU Functional Safety How-To Workshop
– Safety Functions, Safety Goals, Safe State, SIL, Failure rate
– Safety Critical Elements identification and Diagnostic
Requirements
– Safety Manual and Diagnostics Selection
– Mission Profile and Failure Rate Estimation
– SafeTITM Diagnostic Library
– SafeTITM Diagnostic Library Compliance Support Package
(CSP) certification support
– Fault Injection with HITEX kit
• Summary
2
Functional Safety: Important for Many Industries
Hercules™ Safety MCU target markets
Automotive and Transportation: HEV/EV cars; radar / collision avoidance (ADAS); active suspension, ABS, electric power steering, airbag and more; sensor & communications gateway; anti-skid control; railway systems
Industrial and Medical: manufacturing, robotics, industrial automation, motor control; wind power; anesthesia machines, respirators, ventilators, oxygen concentrators
Applicable standards:
– ISO 26262 (automotive)
– IEC 61508 (safety)
– EN 50155, EN 50128 (railway)
– DO-254, DO-178B (aerospace)
– IEC 60601 (medical equipment)
– IEC 50156 (furnaces)
– IEC 60880 (nuclear power stations)
– IEC 61511 (process industry)
– IEC 62061, ISO 13849 (machinery)
• Safety critical systems are everywhere
• Systems need to manage hazardous failures
• Many systems need to be safety-certified
4
Hercules™ MCU: End Equipment
Segments: Aerospace & Railway, Industrial, Automotive, Medical
• Flight Control, Avionics / Autopilot, Anti-Skid Control, Communications Gateway
• Industrial Motor Control, Manufacturing / Robotics, Industrial Automation / PLC, Motor Control, Elevator, Escalator, Wind Power, Solar Power
• Airbag, Braking / Stability Control, Active Suspension, Electric Power Steering, Chassis / Domain Control, Hybrid & Electric Vehicles, Radar / Collision Avoidance (ADAS), Sensor & Communications Gateway
• Infusion Pumps, Oxygen Concentrators, Anesthesia, Respirators
5
TI Hercules™ MCU Platform
ARM® Cortex® Based Microcontrollers
Hercules™ MCU Platform: Lockstep MCUs for functional Safety
RM – Industrial and Medical Safety MCUs
• 80MHz to 330MHz
• 128KB to 4MB Flash
• -40 to 105°C Operation
• ENET, USB, CAN & UART
• Developed to Safety Standards
• IEC 61508 SIL-3
• Cortex-R – up to 550 DMIPs
TMS570 – Transportation and Automotive Safety MCUs
• 80MHz to 300MHz
• 128KB to 4MB Flash
• Automotive Q100 Qualification
• -40 to 125°C Operation
• FlexRay, ENET, CAN, LIN/UART
• Developed to Safety Standards
• ISO 26262 ASIL-D
• IEC 61508 SIL-3
• Cortex-R – up to 500 DMIPs
6
Hercules™ RM MCUs
Supporting Industrial & Medical safety
RMx Benefits
• Lockstep ARM Cortex-R based MCU – with up to 550 peak DMIPS and 384KB to 4MB Flash Memory
• Safety Integrated in HW – provides a high level of diagnostic coverage to reduce safety software overhead
• SafeTI™ system design packages – makes it easier to achieve safety certification and get to market quickly
• Developed to safety standards – developed for use in IEC 61508 SIL-3 safety applications
• Flexible Communication and Control – Ethernet, USB, CAN. Up to 84 timer and 41 12-bit ADC channels.
Block diagram (summary):
– CPU: ARM Cortex™-R5F / Cortex-R, 80 to 330 MHz, FPU, MPU, Cache (w/ ECC), Lockstep Fault Detection
– Memory: up to 4MB Flash (w/ ECC), up to 512KB SRAM (w/ ECC), up to 128KB Data Flash (w/ ECC), External Memory (16-bit Parallel Interface)
– Power & Clocking: OSC, PLL, CLKMON, VMON
– Safety & System: CPU BIST, SRAM BIST, CRC, DMA, OS Timers, Windowed Watchdog, External INT / GPIO
– Control Peripherals: ePWM, eCAP, eQEP, N2HET Timer
– Communication: 10/100 Ethernet, USB, CAN, UART, Multi-Buffer SPI, I2C
– Analog: 12-bit 1 MSPS ADC, Temperature Sensor
– Debug: Real-time JTAG, 32-bit Trace (ETM), Calibration
– Temperature range: -40C to 105C
Software, Tools and Packages
• Drivers & Libraries – HALCoGen peripheral driver generation tool, SafeTI™ Diagnostic Library, CMSIS DSP Library
• RTOS: SAFERTOS, Codesys
• IDEs: Code Composer Studio, IAR
• SafeTI Compiler Qualification Kit
• SafeTI 3rd Party Ecosystem
• Tools: Launchpad, Development Kit, XDS560 Pro Trace, SafeTI Kit, Motor Control
• Packages: 100p QFP (14x14mm), 144p QFP (20x20mm), 337p BGA (16x16mm)
7
Hercules™ RM Cortex™-R Roadmap (2012 – 2014)
Status legend: Production, Sampling, Development
Features: Lock Step Architecture, Ethernet, QEP/PWM, CAN, USB, ISO 13849, IEC 61508, SafeTI
High
– RM48L9x – 220MHz R4F, 3MB Flash, 256kB RAM, SafeTI ISO & IEC
– RM48L5x – 200MHz R4F, 2MB Flash, 192kB RAM, SafeTI ISO & IEC
Mid
– RM46L8x – 220MHz R4F, 1.25MB Flash, 192kB RAM, SafeTI ISO & IEC
– RM46L4x – 200MHz R4F, 1MB Flash, 128kB RAM, SafeTI ISO & IEC
– RM57Lx – 330MHz R5F, 4MB Flash, 512kB RAM, SafeTI ISO & IEC (Next Gen Mid)
Low
– RM42x – 100MHz R4, 384kB Flash, 32kB RAM, SafeTI ISO & IEC
– Next Gen Low – SafeTI ISO & IEC
8
Hercules™ TMS570 MCUs
Supporting Automotive & Transportation safety
TMS570x Benefits
• Lockstep ARM Cortex-R based MCU – with up to 480 peak DMIPS and 256KB to 4MB Flash Memory
• Safety Integrated in HW – provides a high level of diagnostic coverage to reduce safety software overhead
• SafeTI™ system design packages – makes it easier to achieve safety certification and get to market quickly
• Developed to safety standards – developed for use in IEC 61508 SIL-3 and ISO 26262 ASIL-D safety applications
• Flexible Communication and Control – Ethernet, Flexray, CAN. Up to 84 timer and 41 12-bit ADC channels.
Block diagram (summary):
– CPU: ARM Cortex™-R5F / Cortex-R, 80 to 300 MHz, FPU, MPU, Cache (w/ ECC), Lockstep Fault Detection
– Memory: up to 4MB Flash (w/ ECC), up to 512KB SRAM (w/ ECC), 128KB Data Flash (w/ ECC), External Memory (16-bit Parallel Interface)
– Power & Clocking: OSC, PLL, CLKMON, VMON
– Safety & System: CPU BIST, SRAM BIST, CRC, DMA, OS Timers, Windowed Watchdog, External INT / GPIO
– Control Peripherals: ePWM, eCAP, eQEP, N2HET Timer
– Comms Peripherals: 10/100 Ethernet, CAN, Flexray, UART (LIN), Multi-Buffer SPI, I2C
– Analog: 12-bit ADC, Temperature Sensor
– Debug: Real-time JTAG, 32-bit Trace (ETM), Calibration
– Temperature range: -40C to 125C, Q100
Software, Tools and Packages
• Drivers & Libraries – HALCoGen peripheral driver generation tool, SafeTI™ Diagnostic Library, CMSIS DSP Library
• RTOS – SAFERTOS, AUTOSAR
• IDEs: Code Composer Studio, IAR
• SafeTI Compiler Qualification Kit
• Mathworks Simulink
• SafeTI 3rd Party Ecosystem
• Tools: Launchpad, Development Kit, XDS560 Pro Trace, SafeTI Kit, Motor Control
• Packages: 100p QFP (14x14mm), 144p QFP (20x20mm), 337p BGA (16x16mm)
9
Hercules™ TMS570 Cortex™-R Roadmap (2012 – 2014)
Status legend: Production, Sampling, Development
Features: Lock Step Architecture, Ethernet, QEP/ePWM, CAN, FlexRay, ISO 26262, IEC 61508, SafeTI
High
– TMS570LS31x – 180MHz R4F, 3MB Flash, 256kB RAM, SafeTI ISO & IEC
– TMS570LS21x – 180MHz R4F, 2MB Flash, 192kB RAM, SafeTI ISO & IEC
Mid
– TMS570LS12x – 180MHz R4F, 1.25MB Flash, 192kB RAM, SafeTI ISO & IEC
– TMS570LS11x – 180MHz R4F, 1MB Flash, 128kB RAM, SafeTI ISO & IEC
– TMS570LC – 300MHz R5F, 4MB Flash, 512kB RAM, SafeTI ISO & IEC (Next Gen Mid)
Low
– TMS570LS04x – 80MHz R4, 384kB Flash, 32kB RAM, SafeTI ISO & IEC
– TMS570LS03x – 80MHz R4, 256kB Flash, 24kB RAM, SafeTI ISO & IEC
– Next Gen Low – SafeTI ISO & IEC
10
Functional Safety Standards Hardware requirements
Standard | System | Safety Integrity | Architectural Metric | Architectural Requirement | Failure Rate | Specific MCU self-test requirements
IEC 61508 | Programmable E/E systems | SIL 1,2,3,4 | SFF | HFT>0 for SIL 4 | PFD, PFH | No
ISO 26262 | Automotive | ASIL A, B, C, D | SPFM / LFM | No | PMHF | No
EN 50129 | Railway | SIL 1,2,3,4 | N/A | Follow IEC 61508 | THR | CPU, Memory
ISO 22201 | Elevator | SIL 1,2,3 | N/A | Dual channels for SIL3 | N/A | CPU, Memory, Interrupt, Clock, I/O, Comm
IEC 61800 | Drive | SIL 1,2,3; SIL4 apply IEC 61508 | SFF | Dependent on function | PFH (no PFD) | No
IEC 62061 | Machinery | SIL 1,2,3; SIL4 apply IEC 61508 | SFF | Supports ISO 13849 categories | PFHD | No
IEC 61511 | Process Automation | SIL 1,2,3; SIL4 apply IEC 61508 | SFF | See IEC 61508 | PFDavg | No
ISO 13849 | Machinery | PL a,b,c,d,e | DCavg | CAT B,1,2,3,4 | MTTFD | No
IEC 60730 | Home Appliances | Class A, B, C | No | Yes (Class C) | No | CPU, Memory, Interrupt, Clock, I/O, Comms
11
Typical Usage of Hercules MCU per Functional Safety Standard*
Functional Safety Standard | Typical Hercules MCU Usage | Specific Diagnostic Requirements per Standard
IEC 61508 | Single MCU for SIL1 - SIL 3, Dual MCU for SIL 4 | No
ISO 26262 | Single Hercules MCU ASIL A to D | No
EN 50129 | Single MCU for SIL1 - SIL 3, Dual MCU for SIL 4 | Examples provided, not requirements
ISO 22201 | Single MCU for SIL1 - SIL 2, Dual MCU for SIL 3 | Yes
IEC 61511 | Single MCU for SIL1 - SIL 3, Dual MCU for SIL 4 | No
IEC 61800 | Single Hercules MCU for SIL1 - SIL 3 | No
IEC 62061 | Single Hercules MCU for SIL1 - SIL 3 | No
ISO 13849 | Single MCU for Cat B, 1, 2 from PL a to PL e; Dual MCU for Cat 3, 4 from PL a to PL e; Single MCU + TPS under evaluation for PL d CAT3 | No
IEC 60730 | Single MCU for Class A – C, Dual MCU for some Class C | Yes
* Items shown are typical examples. Achieved safety integrity level is the responsibility of the system developer.
12
Applying Functional Safety Standards
Functional Safety: SafeTI™ design packages help meet functional safety requirements while managing both systematic and random failures.
Risk reduction -> Safety Life Cycle -> SIL - 1/2/3/4
Systematic Failures: Development Process, Safety Plan, Software, Documentation, Tools, Config Management, Change Management, V&V, Personnel Competence -> Process Certification, Software CSP, Compiler Qual. Kit
Random Failures: Diagnostics, Architectural Metric, Failure Rate -> Hercules™ Architecture, Certification (FMEDA)
CSP = Compliance Support Package
13
Hercules™ MCU safety features
Random
Lockstep CPU: two ARM® Cortex® R cores w/ MPU, with a Compare Module for Fault Detection
• Lockstep CPU & Lockstep Interrupt Fault Detection
• Safe Island Hardware diagnostics: CPU Self Test Controller requires little S/W overhead
• Physical design optimized to reduce probability of common cause failure
• ECC for flash / RAM evaluated inside the Cortex R (Flash w/ ECC, RAM w/ ECC, Flash EEPROM w/ ECC)
• Memory BIST on all RAMs for fast memory test
• Error Signaling Module w/ External Error Pin
• On-Chip Clock and Voltage Monitoring
• Protected Bus and lockstep Interrupt Manager (Enhanced System Bus and lockstep Vectored Interrupt Module)
• IO Loop Back, ADC Self Test, …
• Dual ADC Cores with shared channels; Dual High-end Timers Available
• ECC or Parity on select Peripheral, DMA and Interrupt controller RAMs
• Parity or CRC in Serial and Network Communication Peripherals
• Blended HW diagnostics
Other blocks: Memory Protection Unit; Power, Clock & Safety (OSC, PLL, PBIST/LBIST, POR, ESM, CRC, RTI/DWWD); Calibration; JTAG Debug; Memory Interface; Embedded Trace; External Memory; DMA; Serial Interfaces; Network Interfaces; GIO; Non Safety Critical Functions
Bold items are introduced with the new Cortex®-R5 devices
14
HerculesTM TMS570LS and RM4x Architecture
Concept Assessment
Random
15
SafeTI™ Hitex Safety Kit (SafeTI™-HSK)
Random
• Cost effective entry into functional safety related to ISO26262 and IEC61508
• Evaluate the use and performance of the Hercules™ MCU safety features
• Easily apply the recommendations of the Hercules™ MCU & TPS65381 Safety Manual
• Inject System & CPU faults and Monitor and Measure the reaction via a GUI
• Includes:
  – Evaluation Board with integrated debug, USB cable and Power Supply
  – Windows-based GUI
  – Demo Application with full source code
  – Code Composer Studio™ IDE
  – HALCoGen and SafeTI Diagnostic Library
  – Evaluation version of SafeRTOS
  – User Manual
16
Hercules™ Safety Documents
Random
Documents provided by TI, some under NDA, to assist in the safety certification process:
– Hercules™ component Safety Manual (SM) [NDA]
  • Details product safety architecture and recommended usage
– Safety Analysis Report Summary (SAR1) [NDA]
  • Summary of FIT rate and FMEDA at component level for IEC 61508 and ISO 26262
– Detailed Safety Analysis Report (SAR2) [NDA]
  • Full details of all safety analysis executed down to MODULE level for IEC 61508 and ISO 26262
  • Software tool for customizing analysis results to customer use case
– Safety Report
  • Summary of compliance to IEC 61508 and/or ISO 26262
17
Hercules™ Safety Documents
Random
Safety Manual
• Summary of Development Flow
• Description of Safety Concept
• List of diagnostics
• List of assumptions
18
Detailed Safety Analysis Reports
Random
• Adapt failure rate estimation
model based on system usage
• Easily partition device into
safety related and non-safety
related functions
• Select applicable diagnostics
from safety manual or apply
your own diagnostics
• Automatic calculation of
summarized and detailed ISO
26262 & IEC 61508 safety
metrics
* FMEDA Developed with Yogitech
19
SafeTI™ Hardware Development Process
Certification
Systematic
TI’s hardware functional safety development process has been certified for:
• IEC 61508 SIL-3
• ISO 26262 ASIL-D
The certification demonstrates TI’s commitment to have a process suitable for developing hardware components that are compliant to ISO 26262 and IEC 61508
20
Hercules™ and SafeTI™
Software and Tool Packages
Systematic
Hercules Software and Tools
• Production quality software to easily use Hercules MCU
• Includes GUI configurator (where relevant)
• Includes User Guide and Release Notes
SafeTI Compliance Support Package
• Provide evidence to safety standards
• Includes Test Reports, Quality Metrics, Safety Manual, etc.
• Software developed to IEC 61508 & ISO 26262 requirements
SafeTI Tool Qualification Kit
• Assists in qualifying the TI ARM Compiler to functional safety standards
• Model-based tool qualification methodology
• Assessed to comply with both IEC 61508 and ISO 26262
21
SafeTI™ Compiler Qualification Kit
Systematic
• Assists in qualifying the TI ARM C/C++ Compiler to functional safety standards
• Qualification of customer specific use case can be less restrictive than certified compilers
• Application of kit assessed by TÜV Nord to comply with both IEC 61508 and ISO 26262
• Includes:
  • Qualification Support Tool (model-based)
  • Process specific documentation: Tool Classification Report, Tool Qualification Plan, Tool Qualification Report, Tool Safety Manual
  • ACE SuperTest™ qualification suite
  • TI compiler validation test cases
  • Test Automation Unit (TAU)
  • 24hrs of Validas consulting services
  • TÜV Nord assessment report
TI ARM Compiler – Approved by: IEC 61508, ISO 26262
22
Agenda
• Overview of HerculesTM MCU and SafeTITM Design package
• HerculesTM MCU Functional Safety How-To Workshop
– Safety Functions, Safety Goals, Safe State, SIL, Failure rate
– Safety Critical Elements identification and Diagnostic
Requirements
– Safety Manual and Diagnostics Selection
– Mission Profile and Failure Rate Estimation
– SafeTITM Diagnostic Library
– SafeTITM Diagnostic Library Compliance Support Package
(CSP) certification support
– Fault Injection with HITEX kit
• Summary
23
Applying Functional Safety Standards
Functional Safety: SafeTI™ design packages help meet functional safety requirements while managing both systematic and random failures.
Risk reduction -> Safety Life Cycle -> SIL - 1/2/3/4
Systematic Failures: Development Process, Safety Plan, Software, Documentation, Tools, Config Management, Change Management, V&V, Personnel Competence
Random Failures: Diagnostics, Architectural Metric, Failure Rate -> Hercules™ Architecture, Certification (FMEDA)
Workshop will address:
• How to manage MCU hardware random failures
• How to estimate failure rate vs SIL requirements
• Software support
CSP = Compliance Support Package
24
Functional Safety Certification
"Show me evidence"
• System Development Process – MCU Development Process
• Software – MCU Software: Drivers, Library, Tool
• Hardware – MCU Hardware: Architecture, Failure rate
25
IEC 61508
Hazard/Risk Analysis & SIL determination
Hazard & Risk Analysis -> Safety Function Definition -> SIL Determination (SIL - 1/2/3/4) -> Allocation of Safety Requirements:
– HW Safety Requirements (SFF, PFH)
– SW Safety Requirements
– Process Safety Requirements
26
Safety Function / Safe State
Hazard analysis -> Safety Function & Safe State
Safety Function: function to be implemented by an E/E/PE safety-related system or other risk reduction measures, that is intended to achieve or maintain a safe state for the ECU, in respect of a specific hazardous event
Safe State: State of the ECU when safety is achieved
(Signal chain: Sensor -> MCU -> Actuator)
27
Safety Function / Safe State
Hazard: High gas flow pressure
Safety Function: Monitor the
pressure of gas flow.
Sensor
MCU
Actuator
Safe State:
1. If gas flow pressure exceeds a
fixed limit, shut off the gas flow
valve.
2. If a dangerous fault is detected in
the system, shut off the gas flow
28
Risk Analysis / Safety Integrity Level
Risk Analysis determines the
performance requirement of the
safety function, i.e. SIL level and
how much risk reduction?
Sensor
MCU
Actuator
Safety Integrity Level (SIL 1/2/3/4)
is determined by the consequence
and the frequency of hazardous
event. The higher the SIL level, the
higher the risk reduction
requirements
29
Safety Integrity Level
• Safety Integrity Level is characterized by SFF and PFDavg or PFH
• Safe Failure Fraction (SFF)
• Probability of Fail on Demand Average (PFDavg)
• Probability of Fail per Hour (PFH)
• SFF = (λSAFE + λDANGEROUS-DETECTED) / (λSAFE + λDANGEROUS-DETECTED + λDANGEROUS-UNDETECTED)
• PFH ≈ 1 / λDANGEROUS-UNDETECTED
30
Safety Integrity Level
Low demand functions have less stringent requirements on PFDavg to achieve a specific SIL.
High demand and continuous demand functions have more stringent requirements on PFH to achieve a specific SIL.
SIL | SFF (HFT=0) | PFH (FIT)
SIL1 | 0% … <60% | <10000
SIL2 | 60% … <90% | <1000
SIL3 | 90% … <99% | <100
Type B products are complex products in which all failure modes are not known. Most semiconductors are considered Type B.
HFT = Hardware Fault Tolerance where 0 = No redundancy
1 FIT = 1 failure in 1E9 hours
31
MCU Failure Mode and Failure Rate
• Permanent random failures:
  • Tox integrity, Short, Open, Stuck At, Drift ….
  • Source of permanent component failure rate data:
    • MIL-HDBK-217F
    • SN29500
    • IEC/TR 62380
    • Supplier reliability data
    • …
  • TI uses IEC/TR 62380 where # of transistors, # of memory bits, temperature and package effect can be modeled.
  • Failure rate is commonly expressed in FIT (Failure In Time)
    • 1 FIT = 1 failure in 1E9 hours.
• Transient random failures:
  • Cosmic Rays, EMC
  • Failure rate data source is TI experiments in Los Alamos lab and TI lab
32
MCU Failure Rate Estimation
MCU failure rate (λMCU) is split into partition failure rates: SRAM failure rate (λSRAM), CPU failure rate (λCPU), Flash failure rate (λFlash).
For each partition, apply its diagnostics (SRAM Diagnostics, CPU Diagnostics, Flash Diagnostics) and run the failure rate analysis, which splits the partition rate into λSAFE, λDD and λDU:
– λSRAM -> λSAFE, λDD, λDU
– λCPU -> λSAFE, λDD, λDU
– λFlash -> λSAFE, λDD, λDU
Apply diagnostics to detect dangerous faults until appropriate SIL metrics (SFF, PFH) are met
λSAFE - Safe, λDD – Dangerous Detected, λDU – Dangerous Undetected
33
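The per-partition λ split and the SFF / PFH check from the last few slides, carried through in code. This is an added example, not TI's FMEDA tool or FMEDA data: the partition names follow the slide, but the FIT totals, safe fractions and diagnostic coverage values are constructed, and PFH is taken as λDU expressed in FIT so that it can be compared directly with the PFH (FIT) column of the SIL table on the page.

```python
"""Worked IEC 61508 HW metric calculation over MCU partitions. Constructed example."""
from dataclasses import dataclass


@dataclass
class Partition:
    """One MCU partition with its failure rate and the diagnostics applied to it."""
    name: str
    fit_total: float      # permanent failure rate of the partition in FIT (1 FIT = 1 failure in 1e9 h)
    safe_fraction: float  # share of failures that cannot violate the safety function
    dc: float             # diagnostic coverage of the enabled diagnostics, 0.0 .. 1.0

    def split(self):
        """Return (λSAFE, λDD, λDU) in FIT, the per-partition analysis of the slide."""
        l_safe = self.fit_total * self.safe_fraction
        dangerous = self.fit_total - l_safe
        l_dd = dangerous * self.dc
        return l_safe, l_dd, dangerous - l_dd


def sff(l_safe: float, l_dd: float, l_du: float) -> float:
    """Safe Failure Fraction: (λSAFE + λDD) / (λSAFE + λDD + λDU)."""
    total = l_safe + l_dd + l_du
    return (l_safe + l_dd) / total if total else 1.0


# SIL bands from the page's table (Type B, HFT = 0), highest SIL first:
# (SIL, minimum SFF, PFH limit in FIT). Assumption: PFH is λDU in FIT.
SIL_TABLE = [
    (3, 0.90, 100),
    (2, 0.60, 1000),
    (1, 0.00, 10000),
]


def achieved_sil(sff_value: float, pfh_fit: float) -> int:
    """Highest SIL whose SFF band and PFH limit are both met; 0 if not even SIL1."""
    for sil, sff_min, pfh_max in SIL_TABLE:
        if sff_value >= sff_min and pfh_fit < pfh_max:
            return sil
    return 0


def analyze(partitions):
    """Sum the λ split over all partitions and evaluate SFF, PFH and the achieved SIL."""
    l_safe = l_dd = l_du = 0.0
    for p in partitions:
        s, dd, du = p.split()
        l_safe, l_dd, l_du = l_safe + s, l_dd + dd, l_du + du
    metric = sff(l_safe, l_dd, l_du)
    return {"lambda_safe": l_safe, "lambda_dd": l_dd, "lambda_du": l_du,
            "sff": metric, "pfh_fit": l_du, "sil": achieved_sil(metric, l_du)}


def mcu_partitions(with_diagnostics: bool):
    """Constructed numbers for the slide's three partitions; not TI FMEDA values."""
    return [
        Partition("CPU",   200.0, 0.50, 0.99 if with_diagnostics else 0.0),  # lockstep compare
        Partition("SRAM",  400.0, 0.40, 0.99 if with_diagnostics else 0.0),  # ECC + PBIST
        Partition("Flash", 300.0, 0.60, 0.90 if with_diagnostics else 0.0),  # ECC + CRC
    ]


if __name__ == "__main__":
    # The slide's loop: evaluate, enable diagnostics, re-evaluate until the target SIL is met.
    for enabled in (False, True):
        r = analyze(mcu_partitions(enabled))
        print(f"diagnostics={'on' if enabled else 'off'}: SFF={r['sff']:.2%} "
              f"PFH={r['pfh_fit']:.1f} FIT -> SIL{r['sil']}")
```

With every diagnostic disabled the constructed MCU lands in the SIL1 band (SFF below 60% even though PFH would already satisfy SIL2); enabling the diagnostics moves nearly all dangerous failures into λDD, and both metrics then meet the SIL3 row of the table.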
Agenda
• Overview of HerculesTM MCU and SafeTITM Design
package
• HerculesTM MCU Functional Safety How-To Workshop
– Safety Functions, Safety Goals, Safe State, SIL, Failure rate
– Safety Critical Elements identification and Diagnostic
Requirements
– Safety Manual and Diagnostics Selection
– Mission Profile and Failure Rate Estimation
– SafeTITM Diagnostic Library
– SafeTITM Diagnostic Library Compliance Support Package
(CSP) certification support
– Fault Injection with HITEX kit
• Summary
34
Application Example
Safety Goal: The motor shall deliver torque as commanded by the external host.
Hercules MCU
Safety Function Input (MCU):
– Receive motor torque command from remote host (CAN, DCAN1)
– Read current motor position (feedback) via quadrature decoder (eQEP)
Safety Function Processing (MCU):
– Calculate necessary output commands to motor based on desired torque and current position
Safety Function Actuation (MCU):
– Drive three phase PWMs to actuate motor (ePWM1, ePWM2, ePWM3 -> Pre Drivers -> H Bridge Drivers -> BLDC Motor)
Safe State (MCU):
1. Disable motor driver relay (NHET1)
2. Indicate fault to system via warning lamp (GIO)
System elements around the MCU: Voltage Regulator (1.2v, 5v, 3.3v), 5-16MHz Clock Crystal (OSCIN / OSCOUT), System Reset (nPORRST), Quadrature Encoder (Motor Position Feedback), Pre Drivers, H Bridge Drivers, BLDC Motor, Warning Lamp, Remote Host (Motor Torque Command)
35
MCU Safety Critical Elements per Safety Function
• Safety Critical Elements are elements within the MCU that implement the safety function
• Diagnostics are necessary to detect safety related failures
• Sufficient diagnostics coverage (DC) is needed to meet required IEC 61508 HW metrics per SIL level
• In this example, safety critical elements are: CPU, Flash, SRAM, Interconnect, eQEP, eCAP, ePWM, System, ESM…
Device block diagram (summary): Dual Cortex-R4F CPUs in Lockstep; 1.25M Flash with ECC; 192K RAM with ECC (64K, 64K, 64K); 64 KB Flash for EEPROM Emulation with ECC; DMA, HTU1, HTU2, FTU, POM, EMAC (EMAC Slaves, MDIO, MII, OHCI, USB, Host), CRC; Switched Central Resource, High Freq. Central Resource, Main Cross Bar (Arbitration and Prioritization Control), Peripheral Central Resource Bridge; peripherals: eQEP 1,2; eCAP 1,2; ePWM 1..7; DCAN1, DCAN2, DCAN3; MibSPI1, MibSPI3, MibSPI5, SPI2, SPI4; MibADC1, MibADC2; N2HET1, N2HET2; GIO; FlexRay; I2C; SCI; LIN; RTI; VIM; ESM; IOMM; PMM; System; PBIST; LBIST; CCMR4; EMIF; Fuse Farm; DCC1, DCC2; Device
36
Safety Function Definition
Safety Function ID: SF_1 | Equivalent Safety Goal ID: SG_1
Safety Function Input (MCU): Receive motor torque command from remote host (CAN); Read current motor position (feedback) via quadrature decoder (eQEP)
Safety Function Processing (MCU): Calculate necessary output commands to motor based on desired torque and current position
Safety Function Actuation (MCU): Drive three phase PWMs to actuate motor (ePWM)
Safe State (MCU): 1. Disable motor driver relay (NHET); 2. Indicate fault to system via warning lamp (GIO)
Equivalent Safety Goal: The motor shall deliver torque as commanded by the external host.
SIL: 3
Equivalent FTTI: 10 ms
37
MCU Safety Diagnostic Requirements
per Safety Function
Safety Requirement ID | Satisfies | Assumed Safety Diagnostic Requirement | SIL
SFR_1 | SF_1 | MCU safety related functional input shall be considered safety critical | SIL 3
SFR_1.1 | SFR_1 | DCAN1 shall be considered safety critical | SIL 3
SFR_1.2 | SFR_1 | eQEP1 shall be considered safety critical | SIL 3
SFR_2 | SF_1 | MCU safety related functional output shall be considered safety critical | SIL 3
SFR_2.1 | SFR_2 | ePWM1 shall be considered safety critical | SIL 3
SFR_2.2 | SFR_2 | ePWM2 shall be considered safety critical | SIL 3
SFR_2.3 | SFR_2 | ePWM3 shall be considered safety critical | SIL 3
SFR_3 | SF_1 | MCU safety related processing shall be considered safety critical | SIL 3
SFR_3.1 | SFR_3 | Cortex R4F CPU shall be considered safety critical | SIL 3
SFR_3.2 | SFR_3 | TCM SRAM as needed to support the application shall be considered safety critical | SIL 3
SFR_3.3 | SFR_3 | TCM Flash as needed to support the application shall be considered safety critical | SIL 3
SFR_3.4 | SFR_3 | L2/L3 interconnect as needed to support the application shall be considered safety critical | SIL 3
SFR_3.5 | SFR_3 | VIM shall be considered safety critical | SIL 3
SFR_4 | SF_1 | MCU functions necessary to support safety related input, processing, and output shall be considered safety critical | SIL 3
SFR_4.1 | SFR_4 | Power supply shall be considered safety critical | SIL 3
SFR_4.2 | SFR_4 | PMM shall be considered safety critical | SIL 3
SFR_4.3 | SFR_4 | Clocking subsystem shall be considered safety critical | SIL 3
SFR_4.4 | SFR_4 | Reset logic shall be considered safety critical | SIL 3
SFR_4.5 | SFR_4 | I/O multiplexing (IOMM) shall be considered safety critical | SIL 3
SFR_4.6 | SFR_4 | RTI shall be considered safety critical | SIL 3
SFR_4.7 | SFR_4 | System control module shall be considered safety critical | SIL 3
SFR_4.8 | SFR_4 | ESM shall be considered safety critical | SIL 3
SFR_4.9 | SFR_4 | Fuse Farm shall be considered safety critical | SIL 3
SFR_4.10 | SFR_4 | OTP configuration shall be considered safety critical | SIL 3
SFR_5 | SF_1 | MCU functions necessary to support the safe state shall be considered safety critical | SIL 3
SFR_5.1 | SFR_5 | NHET1 shall be considered safety critical | SIL 3
SFR_5.2 | SFR_5 | GIO shall be considered safety critical | SIL 3
38
MCU Diagnostic Tests
Start up diagnostics examples
• SRAM self test
• CPU self test
• ADC self test
• I/O loop back
Real-time diagnostics examples
• SRAM/Flash ECC
• CPU compare
• Clock monitor
• Power monitor
• MPU
39
What is a Latent Diagnostic? Why is it important?
• Memory content OK -> No error detected by ECC -> Read to CPU OK
• Memory single bit error -> Error detected & corrected by ECC -> Read to CPU OK
• Memory single bit error -> Error NOT detected & corrected by ECC -> Read to CPU NOT OK
The bug in the ECC block will only violate the safety goal IN COMBINATION with a memory fault -> a latent fault
Need to test the diagnostic circuits such as ECC, Lock-Step Compare
40
Agenda
• Overview of HerculesTM MCU and SafeTITM Design package
• HerculesTM MCU Functional Safety How-To Workshop
– Safety Functions, Safety Goals, Safe State, SIL, Failure rate
– Safety Critical Elements identification and Diagnostic
Requirements
– Safety Manual and Diagnostics Selection
– Mission Profile and Failure Rate Estimation
– SafeTITM Diagnostic Library
– SafeTI™ Diagnostic Library Compliance Support Package
(CSP) certification support
– Fault Injection with HITEX kit
• Summary
41
How to implement Diagnostics?
HerculesTM Safety Manual
• An overview of the safety architecture for management
of random failures
• The details of architecture partitions, implemented
safety mechanisms, and recommended usage
• Failure modes and failure rates
42
IEC61508 HW Metrics Calculation
Select Safety Features - CPU
From Safety Manual (Device Partition: Cortex R4F Central Processing Unit (CPU))
Unique identifier | Safety Feature or Diagnostic | Feature Recommendation | Diagnostic Used in Application?
CPU1 | Lockstep compare | M | 1
CPU2A | Boot time execution of LBIST STC | ++ | 1
CPU2B | Periodic execution of LBIST STC | O | 0
CPU3 | MPU | ++ | 1
CPU4 | Online profiling using PMU | O | 0
CPU5A | Internal watchdog - DWD | O | 0
CPU5B | Internal watchdog - DWWD | O | 0
CPU5C | External watchdog | + | 1
CPU6 | Illegal operation and instruction trapping | ++ | 1
CPU7 | SW readback of written configuration | ++ | 1
CPU8 | Lockstep compare (CCM) self-test | ++ | 1
• Safety Mechanisms associated with CPU are selected.
– ‘1’ means the safety mechanism is assumed in the HW metrics calculation
– ‘0’ means not assumed
Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet
43
Cortex-R: Ideal for safety critical applications
Lockstep implementation (diagram summary): two ARM® Cortex®-R cores; Input + Control feeds one core directly and the other through a Cycle Delay; outputs pass through a Cycle Delay into the Compare (CCM, with Self Test) which drives Error and Output + Control
Safety features
• Supports Lockstep
• Memory Protection Unit (MPU)
• Error-Correcting Code (ECC)
Real-time / Determinism
• Tightly Coupled Memory (TCM)
• Fast interrupt response
• Deterministic interrupt response
Higher performance
• 8-stage processor pipeline
• Dual issue – two instructions can execute in parallel
• Load store unit reduces stalling
• Pre-fetch and Branch Prediction Units
• Cached*
*Cortex R5 based products
44
CPU Self Test Controller (STC/LBIST)
Block diagram (summary): STC with ROM and ROM interface, Clock cntrl FSM, STC BYPASS / ATE Interface, Test controller, PCR, Clock controller, VBUS Interface and DBIST CNTRL; two ARM® Cortex®-R cores; REG Block & Compare Block; ERR signalled to the ESM
• Provides High Diagnostic Coverage
• Significantly Lowers S/W and Runtime Overhead
• No SW BIST (Built In Self Test) Code overhead in Flash
• Simple to configure and start BIST via register
45
Memory Protection Unit (MPU)
• A Dedicated Memory Protection Unit (MPU) is implemented for select bus masters
• Bus masters include the CPU, DMA, HTU and the FTU
• A memory region is defined which allows read and write access for the bus master
• Access outside the defined region can be any of the modes:
  – Read Only: Read access allowed for the memory accesses outside the region. Write accesses are blocked
  – No Access: Read and write access is blocked.
• In the event of a detected memory protection violation an error is indicated
Note: This is a simplified view. The programmer’s model differs between IP. CPU IP will have significantly more options to control access via the MPU.
Block diagram (summary): Lockstep ARM® Cortex™-R4F CPUs (160MHz) with CPU Fault Detection; Memory: Flash w/ ECC, RAM w/ ECC, Memory Protection; Power, Clock & Safety: OSC, PLL, POR, PBIST, LBIST, CRC, RTI; Memory Interface: EMIF; Debug: JTAG Debug, Embedded Trace, Calibration; DMA; Enhanced System Bus and Vectored Interrupt Management; Serial I/F: MibSPI (128 Buffers; 4 CS) x2, MibSPIP (128 Buffers; 4 CS), UART1 (LIN1), UART2 (LIN2); Network I/F: 2 ch FlexRay with 8K Message RAM and FlexRay Transfer Unit (FTU), CAN1 (64mb), CAN2 (64mb), CAN3 (32mb); ADC: MibADC1, MibADC2 (64 Buffers, 12-bit, 16ch, 8ch shared); Timers / IO: two High End Timers (NHET) with HET Transfer Unit (HTU, 128 words, 32 ch), GIOA/INTA (8), GIOB (8)
46
Digital Windowed Watch Dog (DWWD)
• The DWWD module will reset the MCU or generate a non maskable interrupt to the CPU if the application fails to service the watchdog within the appropriate time window.
• Safety diagnostic that can detect a runaway CPU
• Includes a 25-bit down counter
• Alerts the Error Signaling Module when a CPU interrupt is generated
• Supports multiple service windows: 100%, 50%, 25%, 12.5%, 3.125%
• Servicing requires a specific two part key sequence
• Once enabled can only be disabled by a system or power on reset
Diagram (summary): the Down Counter is loaded from the DWWD Preload and counts toward 0; the service window is open only during the final 100%, 50%, 25%, 12.5%, 6.25% or 3.125% of the count-down. Input: PLLMUL (clock). Outputs: RESET, or INTERRUPT to the CPU and notification of the ESM.
47
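A behavioural model of the windowed watchdog described on this slide, added here as an example; it is not TI's RTI/DWWD driver code. The preload, the window percentage, the two key values KEY1/KEY2 and the violation log are constructed for illustration, and "reset" / "nmi" stand for the two reactions the slide names. The point it shows is why the window matters: a CPU stuck in a tight loop that keeps kicking the watchdog is caught just as a hung CPU is.

```python
"""Behavioural model of a digital windowed watchdog. Constructed example."""


class WindowedWatchdog:
    """Down counter loaded from preload; the service window is the final window_pct of
    the count-down. Violations are logged with the configured reaction:
    'timeout' (never serviced), 'early_service' (serviced while the window is closed,
    e.g. a runaway loop that keeps servicing) and 'bad_key' (wrong or out-of-order key)."""

    KEY1, KEY2 = 0xE5, 0xA3   # constructed two-part key; not the real register values

    def __init__(self, preload: int, window_pct: float, reaction: str = "reset"):
        if reaction not in ("reset", "nmi"):
            raise ValueError("reaction must be 'reset' or 'nmi'")
        self.preload = preload
        self.open_at = int(preload * window_pct / 100)   # window open while counter <= open_at
        self.reaction = reaction
        self.counter = preload
        self.key_state = 0
        self.events = []

    def window_open(self) -> bool:
        return self.counter <= self.open_at

    def tick(self, n: int = 1) -> None:
        """Advance the watchdog clock; expiry fires the reaction and reloads the counter."""
        for _ in range(n):
            self.counter -= 1
            if self.counter == 0:
                self.events.append(("timeout", self.reaction))
                self.counter = self.preload

    def service(self, key: int) -> bool:
        """KEY1 then KEY2 reloads the counter; a correct sequence outside the open
        window is itself a violation. Returns True when the write was accepted."""
        if self.key_state == 0 and key == self.KEY1:
            self.key_state = 1
            return True
        if self.key_state == 1 and key == self.KEY2:
            self.key_state = 0
            ok = self.window_open()
            if not ok:
                self.events.append(("early_service", self.reaction))
            self.counter = self.preload        # the reaction (reset) also reloads; keep it simple
            return ok
        self.key_state = 0
        self.events.append(("bad_key", self.reaction))
        return False


def run_task(wd: WindowedWatchdog, service_period: int, ticks: int):
    """Simulate a task that services the watchdog every service_period ticks; return the log."""
    for t in range(1, ticks + 1):
        wd.tick()
        if t % service_period == 0:
            wd.service(wd.KEY1)
            wd.service(wd.KEY2)
    return wd.events


if __name__ == "__main__":
    print("well-behaved task :", run_task(WindowedWatchdog(1000, 25), 900, 3000))
    print("runaway tight loop:", run_task(WindowedWatchdog(1000, 25), 10, 40))
    print("hung CPU, NMI     :", run_task(WindowedWatchdog(1000, 25, "nmi"), 10**9, 2500))
```

With a 25% window and a preload of 1000 ticks, a task that services every 900 ticks always hits the open window and produces an empty log; a loop that services every 10 ticks is flagged on every service, and a task that never services gets a timeout per preload period.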
IEC61508 HW Metrics Calculation
Select Safety Features - Flash
From Safety Manual (Device Partition: Primary Flash and Level 1 (L1) Interconnect)
Unique identifier | Safety Feature or Diagnostic | Feature Recommendation | Diagnostic Used in Application?
FLA1 | Flash Data ECC | ++ | 1
FLA2 | Hard error cache and livelock | M | 1
FLA3 | Flash wrapper address ECC | ++ | 1
FLA4 | Address parity | ++ | 1
FLA5A | Boot time hardware CRC check of flash memory contents | ++ | 1
FLA5B | Periodic hardware CRC check of flash memory contents | + | 1
FLA6 | Bit multiplexing in flash array | M | 1
FLA7 | Flash sector protection | ++ | 1
FLA8 | Periodic SW readback of static configuration registers | + | 1
FLA9 | SW readback of written configuration | ++ | 1
• Safety Mechanisms associated with Flash are selected.
– ‘1’ means the safety mechanism is assumed in the HW metrics calculation
– ‘0’ means not assumed
Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet
48
Flash / RAM ECC Protection
[Figure: Cortex-R CPU core with ECC logic; 64 data bits + 8 ECC bits on the instruction path from Flash and on the data path to/from RAM (B0TCM, B1TCM), each RAM bank organized as 32 data bits + 4 ECC bits; the ECC logic raises Error on detected faults.]
ECC evaluated in the Cortex-R CPU
– Single Bit Error Correction and Double Bit Error Detection (SECDED)
– ECC evaluated in parallel to processing data/instructions
– Minimized latency and typically no performance impact
– Protects busses from CPU to Flash and RAM
– Address / control parity from CPU -> memory
– Diagnostic in Flash / SRAM wrappers
49
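The slide states the SECDED property (correct one flipped bit, detect two) for 64 data bits protected by 8 check bits, which is the same bit budget as an extended Hamming(72,64) code. The model below is an added illustration for this text; it uses the textbook Hamming construction with an overall parity bit and is not the Cortex-R's actual ECC polynomial or bit ordering. It shows the four outcomes a decoder has to tell apart and, in particular, why the eighth (overall parity) bit is what prevents a double error from being "corrected" into a third wrong value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hamming(72,64) SECDED model: 64 data bits, 7 Hamming check bits, 1 overall parity bit.
 * Code positions 1..71: powers of two hold check bits, the other 64 hold data bits in
 * ascending order. Generic construction, not the Cortex-R's ECC scheme. */
#define CODE_BITS 71

typedef struct {
    uint64_t data;
    uint8_t  ecc;          /* bits 0..6: Hamming check bits, bit 7: overall parity */
} ecc_word_t;

typedef enum {
    ECC_NO_ERROR,
    ECC_CORRECTED,         /* single-bit error located and repaired */
    ECC_PARITY_BIT_ERROR,  /* the overall parity bit itself flipped; data intact */
    ECC_DOUBLE_ERROR       /* two flips detected, uncorrectable */
} ecc_result_t;

static bool is_pow2(unsigned x) { return x != 0 && (x & (x - 1)) == 0; }
static unsigned log2_pow2(unsigned x) { unsigned i = 0; while (x > 1) { x >>= 1; i++; } return i; }

/* Lay data and check bits out by code position (index 0 unused). */
static void expand(uint64_t data, uint8_t checks, uint8_t code[CODE_BITS + 1]) {
    unsigned d = 0;
    code[0] = 0;
    for (unsigned pos = 1; pos <= CODE_BITS; pos++) {
        if (is_pow2(pos)) code[pos] = (uint8_t)((checks >> log2_pow2(pos)) & 1u);
        else              code[pos] = (uint8_t)((data >> d++) & 1u);
    }
}

/* Gather the 64 data positions back into a word. */
static uint64_t collapse(const uint8_t code[CODE_BITS + 1]) {
    uint64_t data = 0;
    unsigned d = 0;
    for (unsigned pos = 1; pos <= CODE_BITS; pos++) {
        if (is_pow2(pos)) continue;
        if (code[pos]) data |= (uint64_t)1 << d;
        d++;
    }
    return data;
}

/* XOR of the positions of all set bits: 0 for a valid codeword, else the position of
 * a single flipped bit (for two flips it is the XOR of both positions, never 0). */
static uint8_t syndrome(const uint8_t code[CODE_BITS + 1]) {
    uint8_t s = 0;
    for (unsigned pos = 1; pos <= CODE_BITS; pos++) if (code[pos]) s ^= (uint8_t)pos;
    return s;
}

static uint8_t parity71(const uint8_t code[CODE_BITS + 1]) {
    uint8_t p = 0;
    for (unsigned pos = 1; pos <= CODE_BITS; pos++) p ^= code[pos];
    return p;
}

ecc_word_t ecc_encode(uint64_t data) {
    uint8_t code[CODE_BITS + 1];
    expand(data, 0, code);
    uint8_t checks = syndrome(code);   /* check bits that drive the syndrome to zero */
    expand(data, checks, code);
    ecc_word_t w = { data, (uint8_t)(checks | (uint8_t)(parity71(code) << 7)) };
    return w;
}

ecc_result_t ecc_decode(const ecc_word_t *w, uint64_t *out) {
    uint8_t code[CODE_BITS + 1];
    expand(w->data, w->ecc & 0x7Fu, code);
    uint8_t s = syndrome(code);
    uint8_t p = (uint8_t)(parity71(code) ^ ((w->ecc >> 7) & 1u));  /* 1 = odd number of flips */
    *out = w->data;
    if (s == 0 && p == 0) return ECC_NO_ERROR;
    if (s == 0)           return ECC_PARITY_BIT_ERROR;
    if (p == 0)           return ECC_DOUBLE_ERROR;   /* non-zero syndrome, even flip count */
    if (s > CODE_BITS)    return ECC_DOUBLE_ERROR;   /* not a real position: uncorrectable */
    code[s] ^= 1u;                                    /* single flip: repair in place */
    *out = collapse(code);
    return ECC_CORRECTED;
}

/* Encode, inject flips into the stored data/ECC, decode, compare with the expected
 * classification. For uncorrectable results only the classification is checked. */
bool ecc_check(uint64_t data, uint64_t data_flips, uint8_t ecc_flips, ecc_result_t expected) {
    ecc_word_t w = ecc_encode(data);
    w.data ^= data_flips;
    w.ecc  ^= ecc_flips;
    uint64_t out;
    ecc_result_t r = ecc_decode(&w, &out);
    if (r != expected) return false;
    return r == ECC_DOUBLE_ERROR || out == data;
}

int main(void) {
    uint64_t d = 0xDEADBEEFCAFEF00DULL;   /* constructed sample word */
    printf("single flip corrected: %s\n", ecc_check(d, 1ULL << 17, 0, ECC_CORRECTED) ? "yes" : "no");
    printf("double flip detected:  %s\n", ecc_check(d, (1ULL << 17) | (1ULL << 42), 0, ECC_DOUBLE_ERROR) ? "yes" : "no");
    return 0;
}
```

Note what the decoder does with a flipped check bit: the syndrome points at a check position, the data is returned unchanged, and the event is still reported as a corrected error. That is the case the slide's "correctable ECC profiling" diagnostic (RAM3 on the SRAM slide) counts, since a rising rate of corrected errors in one location is the early signal of a hard fault.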
IEC61508 HW Metrics Calculation
Select Safety Features - SRAM
From Safety Manual. Device Partition for all rows: SRAM and Level 1 (L1) Interconnect.

Unique identifier | Safety Feature or Diagnostic                            | Feature Recommendation | Diagnostic Used in Application?
RAM1              | Data ECC                                                | ++ | 1
RAM2              | Hard error cache and livelock                           | M  | 1
RAM3              | Correctable ECC profiling                               | +  | 1
RAM4              | Address and control parity                              | ++ | 1
RAM5              | Redundant address decode                                | ++ | 1
RAM6              | Data/ECC storage in multiple physical banks             | M  | 1
RAM7A             | Boot time PBIST check of RAM                            | ++ | 1
RAM7B             | Periodic PBIST check of RAM                             | O  | 0
RAM8              | Bit multiplexing in SRAM array                          | M  | 1
RAM9              | Periodic hardware CRC check of SRAM contents            | O  | 0
RAM10             | Periodic SW readback of static configuration registers  | +  | 1
RAM11             | SW readback of written configuration                    | ++ | 1
RAM12             | SW driven RAM redundant decoder and ECC test            | ++ | 1

• Safety Mechanisms associated with SRAM are selected.
– ‘1’ means the safety mechanism is assumed in the HW metrics calculation
– ‘0’ means not assumed
Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet
50
Programmable Memory BIST (PBIST)
• All on-chip RAMs can be tested
• Simple register setup and configuration
• Typically run at startup, but can be executed during the application
• Multiple memory test algorithms
• Detects multiple failure modes
• Provides a mechanism to determine if runtime faults were caused by hard or soft error. This capability can be used to improve availability through inline recovery from soft error.
[Figure: PBIST block diagram. The functional read/write datapath, the VBUS interface, the tester interface and the Ext block feed the Cfg block of the PBIST Controller; the Datapath/ROM interface with the algorithm ROM block drives the RAM collars to/from the memories (RAM groups), and a Data Logger records results.]
51
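The last two bullets describe a recovery decision, not just a test: after a runtime error report, a passing memory BIST tells you the cell still works, so the corruption was a soft upset that can be repaired by re-initializing the memory, whereas a failing BIST means a hard fault and the safe state is the only option. The simulation below is an added illustration for this text, not TI's PBIST controller or its algorithm ROM; the RAM model, the word-level March C- algorithm and the fault-injection hooks are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simulated RAM with fault injection. A "hard" fault is a stuck-at bit that survives
 * rewrites; a "soft" fault flips a stored bit once. Added illustration, not TI's PBIST. */
#define RAM_WORDS 64u
#define ALL_ONES  0xFFFFFFFFu

typedef struct {
    uint32_t cell[RAM_WORDS];
    uint32_t stuck_mask[RAM_WORDS];  /* bits that are forced */
    uint32_t stuck_val[RAM_WORDS];   /* value they are forced to */
} sim_ram_t;

typedef struct { bool pass; unsigned fail_addr; uint32_t fail_bits; } pbist_result_t;
typedef enum { FAULT_NONE, FAULT_SOFT, FAULT_HARD } fault_class_t;

void ram_init(sim_ram_t *r) {
    for (unsigned a = 0; a < RAM_WORDS; a++) r->cell[a] = r->stuck_mask[a] = r->stuck_val[a] = 0;
}

uint32_t ram_read(const sim_ram_t *r, unsigned a) { return r->cell[a]; }

void ram_write(sim_ram_t *r, unsigned a, uint32_t v) {
    r->cell[a] = (v & ~r->stuck_mask[a]) | (r->stuck_val[a] & r->stuck_mask[a]);
}

void ram_inject_stuck(sim_ram_t *r, unsigned a, unsigned bit, unsigned value) {
    r->stuck_mask[a] |= 1u << bit;
    if (value) r->stuck_val[a] |= 1u << bit; else r->stuck_val[a] &= ~(1u << bit);
    ram_write(r, a, r->cell[a]);                 /* the stuck bit takes effect immediately */
}

void ram_inject_soft(sim_ram_t *r, unsigned a, unsigned bit) { r->cell[a] ^= 1u << bit; }

static bool read_expect(const sim_ram_t *r, unsigned a, uint32_t expect, pbist_result_t *res) {
    uint32_t v = ram_read(r, a);
    if (v == expect) return true;
    res->pass = false; res->fail_addr = a; res->fail_bits = v ^ expect;
    return false;
}

/* Word-level March C-: up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0).
 * Destructive by design: every cell is overwritten, so a soft upset cannot survive it. */
pbist_result_t pbist_march_cminus(sim_ram_t *r) {
    pbist_result_t res = { true, 0, 0 };
    unsigned a;
    for (a = 0; a < RAM_WORDS; a++) ram_write(r, a, 0);
    for (a = 0; a < RAM_WORDS; a++) { if (!read_expect(r, a, 0, &res)) return res; ram_write(r, a, ALL_ONES); }
    for (a = 0; a < RAM_WORDS; a++) { if (!read_expect(r, a, ALL_ONES, &res)) return res; ram_write(r, a, 0); }
    for (a = RAM_WORDS; a-- > 0;)   { if (!read_expect(r, a, 0, &res)) return res; ram_write(r, a, ALL_ONES); }
    for (a = RAM_WORDS; a-- > 0;)   { if (!read_expect(r, a, ALL_ONES, &res)) return res; ram_write(r, a, 0); }
    for (a = 0; a < RAM_WORDS; a++) { if (!read_expect(r, a, 0, &res)) return res; }
    return res;
}

/* After a runtime error report (ECC/parity), classify it: PBIST passing means the cell
 * works and the fault was soft (re-initialize and continue); failing means hard. */
fault_class_t classify_runtime_fault(sim_ram_t *r) {
    return pbist_march_cminus(r).pass ? FAULT_SOFT : FAULT_HARD;
}

pbist_result_t pbist_on_fresh_ram(void) {
    sim_ram_t ram; ram_init(&ram);
    return pbist_march_cminus(&ram);
}

/* Scenario: fill RAM with application data, inject one fault in word 7 bit 3, let the
 * runtime notice the corruption, then classify it with PBIST. */
fault_class_t run_scenario(bool inject_hard) {
    sim_ram_t ram; ram_init(&ram);
    for (unsigned a = 0; a < RAM_WORDS; a++) ram_write(&ram, a, 0xA5A50000u | a);   /* constructed data */
    if (inject_hard) ram_inject_stuck(&ram, 7, 3, 1);
    else             ram_inject_soft(&ram, 7, 3);
    if (ram_read(&ram, 7) == (0xA5A50000u | 7u)) return FAULT_NONE;   /* nothing to report */
    return classify_runtime_fault(&ram);
}

int main(void) {
    printf("soft upset classified as:   %s\n", run_scenario(false) == FAULT_SOFT ? "soft" : "hard");
    printf("stuck-at bit classified as: %s\n", run_scenario(true)  == FAULT_HARD ? "hard" : "soft");
    return 0;
}
```

The scenario also shows the precondition the slide leaves implicit: running PBIST on a RAM destroys its contents, so the application state must be saved elsewhere or recomputed, and the decision to re-initialize and continue (availability) versus entering the safe state has to be made by the safety concept, not by the test result alone.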
IEC61508 HW Metrics Calculation
Select Safety Features - ESM
From Safety Manual. Device Partition for all rows: Error Signaling Module (ESM).

Unique identifier | Safety Feature or Diagnostic                            | Feature Recommendation | Diagnostic Used in Application?
ESM1              | Periodic SW readback of static configuration registers  | +  | 1
ESM2A             | Boot time SW test of error path reporting               | ++ | 1
ESM2B             | Periodic SW test of error path reporting                | +  | 1
ESM3              | Use of status shadow registers                          | ++ | 1
ESM4              | SW readback of written configuration                    | ++ | 1

• Safety Mechanisms associated with ESM are selected.
– ‘1’ means the safety mechanism is assumed in the HW metrics calculation
– ‘0’ means not assumed
Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet
52
Error Signaling Module (ESM)
[Figure: ESM block diagram. Errors for Group 1 go to low-level interrupt handling and errors for Group 2 to high-level interrupt handling, both routed to the Interrupt Manager under INTEN / INTLVL control. The ERROR SIGNAL CONTROL block, with LOW TIME COUNTER PRELOAD and LOW TIME COUNTER, drives the nERROR pin; errors for Group 3 feed this path.]
53
Clock Monitoring
• External clock prescaler (ECLK)
– Allows external monitoring of CPU clock frequency
– Configurable pin (GIO or ECLK)
• Oscillator monitor
– Detects failure if oscillator frequency exceeds defined min/max thresholds*
– Selectable hardware response on oscillator fail
• Reset device
• Switch to internal ‘low power oscillator’ (LPO) clock source
• FMPLL slip detector
– Indicates PLL slip if phase lock is lost
– Selectable hardware response on PLL slip
• Reset device
• Switch to internal ‘low power oscillator’ (LPO) clock source
• Switch to external oscillator clock source
* Refer to device data sheet
[Figure: clock path. The input from the oscillator feeds the FMPLL and its slip detector; BPOS (bypass on slip) switches the CLK signal to the CLK Control Module over to the LPO, and ROS (reset on slip) drives the device reset.]
54
Dual Clock Comparator (DCC)
• The DCC module is used to measure the frequency of a clock signal using a second clock signal as a reference.
• Allows application to ensure that a fixed frequency ratio is maintained between two clock signals
• Supports the definition of a programmable tolerance window in terms of number of reference clock cycles
• Supports continuous monitoring without requiring application intervention
• Alternatively can be used in a single-sequence mode for spot measurements
• Flexible clock source selection for Counter 0 and Counter 1 resulting in several specific use cases
[Figure: DCC block diagram. Clock 0 Select chooses among the Clock 0 Sources to drive Counter 0 (loaded from Preload 0) and Valid Counter 0 (loaded from Valid Preload 0); Clock 1 Select chooses among the Clock 1 Sources (including PLLMUL) to drive Counter 1 (loaded from Preload 1). Zero-detect comparators (=) feed the Clock Compare block, which raises ERROR.]
55
IEC61508 HW Metrics Calculation
Select Safety Features - CAN
From Safety Manual. Device Partition for all rows: Controller Area Network (DCAN).

Unique identifier | Safety Feature or Diagnostic                                  | Feature Recommendation | Diagnostic Used in Application?
CAN1A             | Boot time SW test of function using I/O loopback              | ++ | 1
CAN1B             | Periodic SW test of function using I/O loopback               | O  | 0
CAN2              | Information redundancy techniques including end to end safing | ++ | 1
CAN3              | DCAN SRAM Data Parity                                         | ++ | 1
CAN4A             | Boot time PBIST check of DCAN RAM                             | ++ | 1
CAN4B             | Periodic PBIST check of DCAN RAM                              | O  | 0
CAN5              | Bit multiplexing in DCAN RAM array                            | M  | 1
CAN6              | Periodic hardware CRC check of DCAN SRAM contents             | O  | 0
CAN7              | Periodic SW readback of static configuration registers        | +  | 1
CAN8              | Software readback of written configuration                    | ++ | 1

• Safety Mechanisms associated with CAN are selected.
– ‘1’ means the safety mechanism is assumed in the HW metrics calculation
– ‘0’ means not assumed
Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet
56
IEC61508 HW Metrics Calculation
Select Safety Features – Power Supply
Device Partition for all rows: Power Supply.

Unique identifier | Safety Feature or Diagnostic | Feature Recommendation | Diagnostic Used in Application?
PWR1              | Voltage monitor (VMON)       | M  | 1
PWR2              | External voltage supervisor  | ++ | 1

• Safety Mechanisms associated with Power Supply are selected.
– ‘1’ means the safety mechanism is assumed in the HW metrics calculation
– ‘0’ means not assumed
Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet
57
IEC61508 HW Metrics Calculation
Select Safety Features - Package
• High diagnostic coverage is assumed for the package via detection of failure with existing diagnostics supplemented by application level diagnostics.
– Examples:
• CAN - CAN2 Information Redundancy Technique and CAN1A Boot-time I/O loopback SW test
• MIBSPI - MSP2 Information Redundancy Technique and MSP1A Boot-time I/O loopback SW test
Extracted from Safety Manual of RM42x spnu553
58
IEC61508 HW Metrics Calculation
Select Safety Features – IO Loop Back
• Hercules MCU I/O supports loopback for self-test. Below are examples:
[Figure: I/O loopback examples, extracted from TMS570LS31x/21x Technical Reference Manual SPNU499a]
59
Estimate SFF / PFH per Safety Function
Now we have a safety function and SIL requirement,
→ How to estimate the SFF / PFH to determine if the SIL requirement can be met?
[Flow: Hazard & Risk Analysis → Safety Function Definition → SIL Determination (SIL 1/2/3/4) → Allocation of Safety Requirements → HW Safety Requirements (SFF, PFH), SW Safety Requirements, Process Safety Requirements]
62
Estimate MCU SFF / PFH per Safety Function
Use Hercules MCU Detailed Safety Analysis Report & FMEDA worksheet
[Flow: Set Up Mission Profile of System → Apply Diagnostics to Used Modules per Safety Function → What is the total failure rate per used conditions? → Evaluate IEC61508 Failure Rate Summary → SFF/PFH met? Y: Done. N: What Self-Test should be implemented? (then apply the revised diagnostics and evaluate again)]
63
Detailed Safety Analysis Report & FMEDA worksheet
Detailed Safety Analysis Report
• Assumptions of use applied in calculation of
safety metrics
• Summary of IEC 61508 or ISO 26262 standard
safety metrics at the MCU component level
• A fault model used to estimate device failure
rates and an example of customizing this model
for use with the example application.
• FMEDA with details to the sub-module level of
the MCU, that enables calculation of safety
metrics based on customized application of
diagnostics
Available under NDA
64
IEC61508 HW Metrics Calculation
Failure Rate
[Tree: Random Failure → Hardware Failure → Package: Permanent; Die (silicon): Permanent; Die (silicon): Transient]
Multiple Ways for Random failure rate estimation:
• MIL-HDBK-217F, "Military Handbook - Reliability Prediction of Electronic Equipment"
• Siemens Norm SN29500:2010, "Failure Rates of Components"
• Supplier reliability data from similar products already in production and deployed under similar operating conditions
• IEC/TR 62380:2004, "Reliability Data Handbook - Universal Model for Reliability Prediction of Electronics, PCBs, and Equipment"
• TI has selected to use IEC/TR 62380 because it is more aligned to semiconductor physics models
• Failure rate is measured in FIT, where 1 FIT is 1 fail in 10^9 operating hours
65
IEC61508 HW Metrics Calculation
Failure Rate / Mission Profiles
[Tree: Random Failure → Hardware Failure → Package: Permanent; Die (silicon): Permanent; Die (silicon): Transient]
66
IEC/TR 62380 Mission Profiles Examples
Source: IEC/TR 62380 Reliability Handbook
67
IEC61508 HW Metrics Calculation
Automotive Motor Control Mission Profiles
• Automotive Mission Profile in IEC/TR 62380 (FMEDA worksheet default):
– 10 years service with 3 phases per day – night, day, not used
• 2 night trips per day, 4 day trips per day, 30 days shut down
– 3 temperature phases
• Engine cold, Engine warm, Engine hot
– On/Off ratio: 0.058 / 0.942

Customer input for failure rate estimation (based on RM48x v1.0 FMEDA worksheet):
Package Used: TI PBGA
Customer input for transient fault estimation – Application specific Flux Factor coeff. based on JEDEC JESD89A: 1
Maximum power dissipation – Application specific power dissipation in Watts (1.04W is based on maximum datasheet value): 1.04
Assumed Lifetime in years: 10
Confidence Level – Desired confidence level of FIT rates: 70%
Automotive Mission Profile: Total raw die permanent FIT: 9.48

Operational Profile from IEC/TR 62380:2004:
Profile temperatures | Temp1 (tac)1 °C: 32, τ1: 0.02 | Temp2 (tac)2 °C: 60, τ2: 0.015 | Temp3 (tac)3 °C: 85, τ3: 0.023
Ratios on/off        | τon: 0.058 | τoff: 0.942
Thermal cycles       | n1: 670 (2 night starts), ΔT1 °C: ΔTj/3+55 | n2: 1340 (4 day light starts), ΔT2: ΔTj/3+45 | n3: 30 (Non used vehicle), ΔT3: 10
68
IEC61508 HW Metrics Calculation
Elevator Mission Profiles
• Assumed Elevator/Escalator mission profile:
– 10 years service, 365 days per year, 18 hours on and 6 hours off per day
– Tae outside ambient temp = 25c (indoor ambient temp)
– Tac PCB temp = 60c
– Ton = 0.75, Toff = 0.25
– N = 1 x 365 cycles
– ∆Tj (chip junction temp increased vs Tac) = 30c (assumed worst case)
– ∆T = ∆Tj/3 + (60-25)c = 55c

Customer input for failure rate estimation (based on RM48x v1.0 FMEDA worksheet):
Package Used: TI PBGA
Customer input for transient fault estimation – Application specific Flux Factor coeff. based on JEDEC JESD89A: 1
Maximum power dissipation – Application specific power dissipation in Watts (1.04W is based on maximum datasheet value): 1.04
Assumed Lifetime in years: 10
Confidence Level – Desired confidence level of FIT rates: 70%
Elevator Mission Profile: Total raw permanent FIT: 103.37

Operational Profile from IEC/TR 62380:2004:
Profile temperatures | Temp1 (tac)1 °C: 32, τ1: 0 | Temp2 (tac)2 °C: 60, τ2: 0.75 | Temp3 (tac)3 °C: 85, τ3: 0
Ratios on/off        | τon: 0.75 | τoff: 0.25
Thermal cycles       | n1: 365 (Daily on/off), ΔT1 °C: 0
69
IEC61508 HW Metrics Calculation
Industrial Mission Profiles
• Assumed Industrial mission profile:
– 10 years service, 365 days per year, 24 hours per day
– Tae outside ambient temp = 70c (ambient temp)
– Tac PCB temp = 90.5c (assumption)
– Ton = 1, Toff = 0
– n = 1 cycles
– ∆Tj (chip junction temp increased vs Tac) = 30c (assumed worst case)
– ∆T = ∆Tj/3 + (90.5-70)c = 30.5c

Customer input for failure rate estimation (based on RM48x v1.0 FMEDA worksheet):
Package Used: TI PBGA
Customer input for transient fault estimation – Application specific Flux Factor coeff. based on JEDEC JESD89A: 1
Maximum power dissipation – Application specific power dissipation in Watts (1.04W is based on maximum datasheet value): 1.04
Assumed Lifetime in years: 10
Confidence Level – Desired confidence level of FIT rates: 70%
Industrial Mission Profile: Total raw permanent FIT: 330.16

Operational Profile from IEC/TR 62380:2004 (Echo use conditions):
Profile temperatures | Temp1 (tac)1 °C: 92.5, τ1: 1 | Temp2 (tac)2 °C: 0, τ2: 0 | Temp3 (tac)3 °C: 0, τ3: 0
Ratios on/off        | τon: 1 | τoff: 0
Thermal cycles       | n1 (Number of on/off per year): 1, ΔT1 °C: 0
70
Failure Rate Definitions
• Failure rate is represented with the Greek character lambda, λ, and can be broken into many categories.
– λS: rate of safe failures which do not affect safety function
• λSD : safe, detected failure rate
• λSU : safe, undetected failure rate
– λD: rate of dangerous failures which compromise the safety function
• λDD : dangerous, detected failure rate
• λDU : dangerous, undetected failure rate
• Note: a failure which results in the system changing mode of operation to a safe state is by definition a safe failure.
• Failure rate is often expressed in FITs. One FIT (Failure In Time) = 1 failure per billion hours of operation (1 × 10^-9 failures/hour)
71
IEC61508 HW Metrics vs Mission Profiles
IEC61508 HW metrics with Automotive Mission Profile (70% confidence level):
Numbers are normalized to Die Permanent Total RAW FIT
IEC61508 HW metrics with Elevator Mission Profile (70% confidence level):
Numbers are normalized to Automotive Mission Profile Die Permanent Total RAW FIT
IEC61508 HW metrics with Industrial Mission Profile (70% confidence level):
Numbers are normalized to Automotive Mission Profile Die Permanent Total RAW FIT
• Higher raw permanent FIT rate because of much longer ‘on’ time
• No significant difference in Safe Failure Fraction (SFF)
• Probability of Hardware Failure (PFH) increases in proportion to the raw rate increase.
Based on RM48x v1.0 FMEDA worksheet
72
IEC61508 HW Metrics Calculation
Impact of Confidence Level
Elevator mission profile; based on RM48x v1.0 FMEDA worksheet.

Confidence level | Permanent FIT | Transient FIT | Package FIT | Overall FIT
70%              | 6.20E-10      | 6.80E-10      | 6.00E-11    | 1.36E-09
99%              | 2.39E-09      | 2.61E-09      | 2.20E-10    | 5.22E-09

Fleet assumptions for both cases: Number of units in field = 1000000; Number of device hours per day = 18.

70% confidence level:
Device operating year | Total number of device operating years | Total number of device operating hours | Estimated failures due to Permanent fault | Transient fault | Package fault | Overall fault
1  | 1.00E+06 | 6.57E+09 | 4.1  | 4.5  | 0.4 | 8.9
5  | 5.00E+06 | 3.29E+10 | 20.4 | 22.3 | 2.0 | 44.7
10 | 1.00E+07 | 6.57E+10 | 40.7 | 44.7 | 3.9 | 89.4
15 | 1.50E+07 | 9.86E+10 | 61.1 | 67.0 | 5.9 | 134.0
20 | 2.00E+07 | 1.31E+11 | 81.5 | 89.4 | 7.9 | 178.7

99% confidence level (pessimistic estimation; field data are orders of magnitude better):
Device operating year | Total number of device operating years | Total number of device operating hours | Estimated failures due to Permanent fault | Transient fault | Package fault | Overall fault
1  | 1.00E+06 | 6.57E+09 | 15.7  | 17.1  | 1.4  | 34.3
5  | 5.00E+06 | 3.29E+10 | 78.5  | 85.7  | 7.2  | 171.5
10 | 1.00E+07 | 6.57E+10 | 157.0 | 171.5 | 14.5 | 343.0
15 | 1.50E+07 | 9.86E+10 | 235.5 | 257.2 | 21.7 | 514.4
20 | 2.00E+07 | 1.31E+11 | 314.0 | 343.0 | 28.9 | 685.9
Based on RM48x v1.0 FMEDA worksheet
73
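The failure rate definitions (λSD, λSU, λDD, λDU and the FIT unit) and the fleet arithmetic in the confidence-level table above are enough to write down the two metrics the whole section is working towards. The code below is an added illustration for this text, not the FMEDA worksheet's own formulas; the λ values are a constructed sample, the PFH expression is the IEC 61508-6 single-channel (1oo1) simplification in which only dangerous undetected failures contribute, and the SIL bands are the IEC 61508-1 PFH table for high-demand/continuous mode and the IEC 61508-2 SFF table for a type B element with no hardware fault tolerance. The fleet function reproduces the table's numbers from its rates.

```c
#include <stdio.h>
#include <stdbool.h>

/* Failure-rate bookkeeping in the terms the slides define. Added illustration; the
 * sample rates are constructed, not taken from the FMEDA worksheet. */
typedef struct { double sd, su, dd, du; } lambda_fit_t;   /* all in FIT */

static double absd(double x) { return x < 0 ? -x : x; }
bool approx(double a, double b, double tol) { return absd(a - b) <= tol; }

double fit_to_per_hour(double fit) { return fit * 1e-9; }   /* 1 FIT = 1e-9 failures/hour */

double lambda_total(const lambda_fit_t *l) { return l->sd + l->su + l->dd + l->du; }

/* IEC 61508 safe failure fraction: everything except dangerous undetected failures. */
double sff(const lambda_fit_t *l) { return (l->sd + l->su + l->dd) / lambda_total(l); }

/* PFH of a single-channel (1oo1) element in high-demand / continuous mode, using the
 * IEC 61508-6 simplification PFH ~= lambda_DU (detected dangerous failures reach the safe state). */
double pfh_1oo1(const lambda_fit_t *l) { return fit_to_per_hour(l->du); }

/* IEC 61508-1 PFH bands per SIL (high-demand / continuous mode). 0 = below SIL 1. */
int sil_from_pfh(double pfh) {
    if (pfh < 1e-8) return 4;
    if (pfh < 1e-7) return 3;
    if (pfh < 1e-6) return 2;
    if (pfh < 1e-5) return 1;
    return 0;
}

/* IEC 61508-2 SFF limits for a type B element with no hardware fault tolerance. */
int sil_from_sff_type_b_hft0(double sff_value) {
    if (sff_value >= 0.99) return 3;
    if (sff_value >= 0.90) return 2;
    if (sff_value >= 0.60) return 1;
    return 0;
}

/* Both constraints must hold; the achievable SIL is the lower of the two. */
int achievable_sil(const lambda_fit_t *l) {
    int a = sil_from_pfh(pfh_1oo1(l)), b = sil_from_sff_type_b_hft0(sff(l));
    return a < b ? a : b;
}

/* Expected field failures from a per-hour rate, the "Impact of Confidence Level"
 * arithmetic: rate x units x hours/day x 365 x years. */
double expected_failures(double rate_per_hour, double units, double hours_per_day, double years) {
    return rate_per_hour * units * hours_per_day * 365.0 * years;
}

/* Constructed sample: mostly safe or detected, 0.5 FIT dangerous undetected. */
const lambda_fit_t sample_lambda = { 20.0, 30.0, 45.0, 0.5 };

int main(void) {
    printf("SFF = %.4f, PFH = %.2e /h, achievable SIL = %d\n",
           sff(&sample_lambda), pfh_1oo1(&sample_lambda), achievable_sil(&sample_lambda));
    printf("1e6 units, 18 h/day, 1 year at 1.36e-9 /h: %.1f failures\n",
           expected_failures(1.36e-9, 1e6, 18, 1));
    return 0;
}
```

For the sample the PFH alone would allow SIL 4, but the SFF of 99.48% caps a single-channel type B element at SIL 3, which is the usual shape of the result: on a complex MCU the limiting figure is the fraction of dangerous failures the diagnostics on the preceding slides actually detect, not the raw FIT. The fleet numbers also make the confidence-level point concrete: the same design yields 8.9 expected failures per million devices per year at 70% confidence and 34.3 at 99%, purely from the rate estimate used.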
FMEDA worksheet – Product Function Tailoring
• Allow customization of failure rate
estimation
• Include only MCU modules used by
application
• Include actual Flash and SRAM
memory size used
74
FMEDA worksheet – Safety Mechanisms Tailoring
• Allow customization of diagnostics
selection.
• For example, CPU lock-step compare
and boot time LBIST are used, while
periodic LBIST is not used.
75
FMEDA worksheet – Package/Pin Tailoring
• Allows the customer to adjust the number of pins used by each module in its application
– Example: 31 NHET1 pins are available; if only 20 pins are used, change to 20
• Allows the customer to input a pin-level application diagnostic with its own diagnostic coverage number
76
FMEDA worksheet – Metrics Summary / Details
Summary of IEC 61508 Metrics Examples – Permanent/Transient & Die/Package:
Numbers are normalized to Die Permanent Total RAW FIT
Details of IEC 61508 Metrics:
• For Permanent and
Transient faults
• By modules (CPU,
Flash, SRAM, DCAN,
ADC…)
Based on RM48x v1.0 FMEDA worksheet
77
Hercules™ SafeTI™ Diagnostic library
• SafeTI™ Diagnostic Library = Executable version of Safety Manual.
• Highlights
• Optimized API mapping to the MCU’s Safety features as documented in the device
Safety Manual.
• Software abstraction for MCU’s Safety features to an application developer.
• Uniform API across various members of the Hercules family.
• Developed compliant to an ISO26262 and IEC61508 development process.
79
Hercules™ SafeTI™ Diagnostic Library features
 Initialization functions for the device
 Common functionality (Core registers, stack)
 Safety measures (RAM init, enable ECC, ESM init)
 API to invoke PBIST on memories.
 API to invoke LBIST self tests.
 Boot time/Run time verification of integrated HW safety diagnostics to prevent latent faults.
 Create artificial faults (Fault injection) to allow testing of application fault handling.
 Provide an Error Signaling Module (ESM) handler which can capture and report faults to the
application through a callback routine.
 Profiling for measuring time spent in diagnostic tests/fault handling, for enabling optimization of Run time
safety measures by application developer.
 Comprehensive documentation which explains mapping from Safety manual to SafeTITM Diagnostic
Library API.
 Released in a SafeTITM Software Compliance Support Package (SCSP) which aids in ISO26262 or
IEC61508 certification of customer product.
 Current implementation is limited to “safe island” set of peripherals.
80
Safety Manual to API mapping
81
Hercules MCU safety features and SafeTITM Diagnostic Library
[Figure: Hercules MCU block diagram (ARM® Cortex™-R4F; Flash w/ ECC; RAM w/ ECC; Flash EEPROM w/ ECC; Power, Clock & Safety: OSC, PLL, PBIST/LBIST, POR, ESM, CRC, RTI/DWWD, CPU Fault Detection, Calibration; Memory Interface, JTAG Debug, Embedded Trace, External Memory, DMA; Enhanced System Bus and Vectored Interrupt Module; Serial Interfaces, Network Interfaces, Dual ADC Cores, Multiple Timers, GIO), annotated with the library API provided for each block.]
• Safe Island Hardware diagnostics (RED)
• Blended HW diagnostics (BLUE)
• Non Safety Critical Functions (BLACK)
Many API also provide a “fault injection” mode.
CPU (STC / CCM):
• API for running LBIST on the CPU by the STC.
• API also supports the self-check feature of the STC, which tests the signature compare logic.
• Logical / physical design optimized to reduce probability of common cause failure
• API to test the CCM diagnostic feature.
• API to test error forcing capabilities of the CCM
Flash and RAM w/ ECC:
• API to perform test on the ECC diagnostic feature.
• API to run the diagnostic modes on Flash memories.
• API to perform CRC calculation on memory ranges.
Peripheral memories:
• APIs to test the parity diagnostics for peripheral memories and perform SRAM data parity fault injections
• API to perform CRC calculation on memory ranges.
PBIST / ESM:
• API to run PBIST algorithms on all memories.
• Includes ESM handler and provides an example application with an abort handler.
• Allows application to register a callback for the fault handling
Power, Clock & Safety:
• On-chip clock and voltage monitoring
• API for testing the safety diagnostics on PSCON.
• API for testing the safety diagnostics on EFUSE.
Peripherals:
• IO loopback, ADC self test, …
• Dual ADC cores with shared channels
82
User examples
• SafeTITM Diagnostic Library is integrated into the Hitex Safety Kit.
83
Hitex Kit
84
HerculesTM and SafeTITM
Software and Tool Packages
Hercules Software and Tools
Hercules standard software and tools packages
 Assists in software development on Hercules Safety MCUs
 Provides the actual software/tool with source code, GUI, …
 User guides, datasheets, release notes, …
 Regular updates for enhancements, fixes, …
FREE!! – Free / click wrap license agreement
SafeTI Compliance Support Package
SafeTI software documentation and testing
 Assists customer to comply to functional safety standards
 Safety Requirements Document, Code Review and Coverage Reports, Unit Test Results, Software Safety Manual, ….
 Unit Test capability using LDRAunit (if applicable)
See Pricing / signed license agreement
SafeTI Tool Qualification Kit
SafeTI tool documentation and qualification
 Assists customer to qualify tool to functional safety standards
 Tool Classification Report, Tool Qualification Plan and Report, Tool Safety Manual, …
 TI Test Automation Unit or LDRAunit (if applicable)
See pricing / signed license agreement
86
Hercules Software and Tool Packages

Standard Package                            | Compliance Support Package              | Tool Qualification Kit
Code in source form (see note)              | Software Safety Requirements Document   | Tool Safety Requirements Document
GUI for user configuration (if applicable)  | Software Safety Architecture Document   | Tool Safety Architecture Document
Software/Tool user guide                    | Code Review Report (w/ MISRA-C)         | Code Review Report (w/ MISRA-C)
Data sheet                                  | Quality Review Report                   | Quality Review Report
Release notes                               | Dynamic Coverage Analysis Report        | Dynamic Coverage Analysis Report
                                            | Unit Test Regression Report             | Unit Test Regression Report
                                            | Traceability report                     | Traceability report
                                            | Test Results Report                     | Test Results Report
                                            | Software Safety Manual                  | Tool Safety Manual
                                            | Safety Assessment Report (Internal)     | Safety Assessment Report (Internal)
                                            | Compliance Level Tool                   | Templates for Compliance Documentation
                                            | Executable Test Cases*                  | Executable Test Cases*
Click Wrap License                          | Signed License Agreement                | Signed License Agreement
Free                                        | See Pricing Table                       | See Pricing Table

* - these are provided for software that is configurable by user (ie; HALCoGen and CCS Compiler)
87
SafeTITM Compliance Support Packages
Following artifacts are provided as part of a SafeTITM Compliance
Support Package:
1. Software/Tool Safety Requirements document
 Defines both functional and safety requirements of the software/tool
2. Software/Tool Safety Architecture Document
 Defines the architecture of the software/tool including safety provisions
3. Code Review Report
 Provides the MISRA-C:2004 violations for the file
4. Quality Review Report
 Provides the HIS Quality metrics for the file.
5. Dynamic Coverage Analysis Report
 Provides the Statement, Branch, and MC/DC Coverage information
6. Unit Test Regression Report
 Shows the unit tests performed and the result of each unit test.
7. Test Manager report
 Summary of the Code Review, Quality Review and Unit Test Reports.
88
SafeTITM Compliance Support Packages
8. Test Results Report
 unit tests
 safety functional tests
 performance tests/resource usage tests
 interface tests
 fault injection tests
9. Traceability report
 requirements to design
 requirements to source code
 requirements to test case
 backwards traceability
10. Software Safety Manual
 describes how to integrate safely into end user application software
11. ISO 26262 / IEC 61508 assessment report
 shows review of entire development process (internal assessment)
12. Executable test cases (HALCoGen only)
 setup for user defined configuration
13. Test Automation Unit (HALCoGen only)
 for executing unit tests with user defined configuration
89
Software Compliance Support Package Deliverables
Columns: TI SW Product Lifecycle | IEC 61508 Clause | ISO 26262 Clause | Generic Inputs (can modify during project tailoring) | TI Work Products | Customer Deliverable
TI SW Product Lifecycle checkpoints: CP1 - Project Commissioning; CP2 - Safety Requirements & Planning; CP3A - Design & Implementation; CP3B - Unit Testing & Integration Testing; CP4 - Safety Requirements Verification & Release; CP5 - Project Closure.
Clause columns follow the ISO 26262 and IEC61508 Standards (IEC61508 work products / ISO 26262 work products).

IEC 61508 7.2.2 Software safety requirements specification | ISO 26262 6 Specification of software safety requirements; 6.5.1 Software safety requirements specification | Generic input: Software safety requirements specification | TI work product: Software Requirements Document | Customer deliverable: X
Bi-Directional Traceability: Forward and backward traceability | Forward and Backward Traceability at all stages; Verification Reports | Generic input: Traceability matrix | Customer deliverable: X
IEC 61508 7.4.3 Requirements for SW Architecture Design development | ISO 26262 7 Software architectural design; 7.5.1 Software architectural design specification | Generic input: software architecture design | TI work product: SW Architecture Spec | Customer deliverable: X
IEC 61508 7.4.5 Detailed design and development (individual software module design) | ISO 26262 9 Software unit testing; 9.5.3 Software verification report (refined) | Generic input: SW Module Test Report | TI work products: Unit Test & Static Analysis Report, Dynamic Coverage Analysis Report, Test Manager Report | Customer deliverable: X
IEC 61508 7.4.8 Software integration testing | ISO 26262 10 Software integration and testing; 10.5.3 Embedded software verified and tested integrated programmable electronics | TI work products: SW User Guide, Software Safety Manual, Data sheet | Customer deliverable: X
IEC 61508 7.7.2 Software aspects of system safety validation | ISO 26262 11 Verification of software safety requirements; 11.5.3 Software verification report (refined) | Generic input: software safety validation results; validated software | TI work product: Safety Test Report | Customer deliverable: X
7.4.9 Safety Manual | Generic input: Safety Manual | TI work product: SW Manual | Customer deliverable: X
IEC 61508 8 Software functional safety assessment; 6.4.9 Safety Assessment | Generic inputs: software functional safety assessment plan; software functional safety assessment report | TI work products: Functional Safety Assessment Plan (in Safety Plan), Functional Safety Assessment Report | Customer deliverable: X
90
The SafeTI™- HSK Hardware
HSK hardware platform:
• Safety application unit on which the demo application is run. This includes the Safety MCU or Safety Device Under Test (SDUT) -- TMS570 or RM48, power supply/WD companion chip (TPS65381), accelerometer, temperature sensor, HMI (4x LED, potentiometer, pixel display, ...), CAN (transceiver & connector) and motor control interface (DIMM connector).
• Control and Monitoring Unit (CMU): This includes the control and monitor device (RM48x) to inject faults and monitor the fault reaction, fault injection logic, error indication and power supply to the control monitor unit.
• Host/Debug interface: This includes a USB HUB controller (to manage USB communication between the host workstation and the onboard MCUs) and serial communication port converters (FTDI) from the USB HUB to the Safety DUT (JTAG) and the CMU device (JTAG and UART, for the GUI).
• The board utilizes an industry-standard DIMM form factor. It uses the standard 100-pin connector footprint to plug into selected TI motor control kits.
• Standard 20-pin external JTAG header to facilitate expandability to non-CCS IDEs like IAR and Keil.
92
The SafeTI™- HSK GUI
– Communicates permanently with the kit to request status information
– Monitors different voltages of power supply ranges
– Possibility to inject faults (disturb power supply or simulate errors in the application). The system reaction is monitored with timestamps (fault injection, fault indication, enter safe-state).
– Measures runtime execution of safety tests. This gives the user a clear picture of how to configure or calibrate his application.
– Ability to configure settings for the Error Signalling Module and TPS6538x
– Application information is visualized, e.g. acceleration, temperature and some task state information
93
The SafeTI™- HSK GUI Overview
• GUI overview
94
The SafeTI™- HSK GUI Validation and
Calibration
95
The SafeTI™- HSK
CPU Lock-Step Compare Fault Injection
• CCM-R4F compares the outputs of two CPUs running in a 1oo1D lockstep configuration
• The ESM error flag “CCM-R4F compare” is asserted whenever the CPU compare error is detected.
• For diagnostic purposes, the CCM-R4F also incorporates a self-test capability and error forcing capability.
• FMEDA requires gate-level fault injection (simulation) work to prove effectiveness of on-chip diagnostics
96
The SafeTI™- HSK
SRAM DATA ECC Fault Injection
• ECC controllers are located
inside the CPU
– Interconnect between CPU
and the memory is covered
by the diagnostic
– ECC logic itself is checked
on a cycle by cycle basis
– Single Error Correction
Double Error Detection
(SECDED) logic
• 8 bits of ECC for every 64
bits of data access from the
CPU
97
The SafeTI™- HSK GUI
settings/application
98
Hercules MCUs: Accelerating Safety Products to Market
Hercules™ Safety MCU
Broad Eco-system
• Software
• Development Tools
• Consulting & Training
Unique Tools for Safety Development
• Ease development
• Aid certification
Production Quality Safety Software
• Usable by customer
• Certification Ready
• ISO 26262, IEC 61508 compliant
Certified Safety Hardware Architecture
• Pre-approved for ISO 26262, IEC 61508
• Proven in use
• Device FMEDA, FIT reports
Only Lockstep ARM supplier
• Non-proprietary
• Market accepted
• Respected heritage
Comprehensive Portfolio
• Pin & SW Compatible
Complementary Analog
• Safety Chipset
• SafeTI Program
100
Hercules™ Training
www.ti.com/herculestraining
1 Day Training Class: Hercules 1 Day Safety Seminar
• Introduction
• What is Functional Safety?
• Safety Standards Overview
• IEC 61508 Safety Standard
• ISO 26262 Safety Standard
• Random Fault Management
• Safety System Architectures
• Hercules Safety Concept
• Lab 1: Hercules MCU Demos
• Hercules Architecture
• Development Tools: HW kits, SW tools
• Embedded Flash Memory tools
• Real Time Interrupt (RTI)
• Vectored Interrupt Manager (VIM)
• Direct Memory Access (DMA)
• General-purpose I/O (GIO) & NHET
• Lab 2: Using NHET as GIO
• Communication Interfaces: UART, LIN, CAN, FlexRay, Multi-Buffered Serial Peripheral Interface (MibSPI)
• Lab 3: PC to SCI Communication
• External Memory Interface (EMIF) / Parameter Overlay
• Multi-buffered Analog-to-Digital Converter (MibADC)
• Support Structure: Web, Forum, WIKI
Who should attend:
• Hardware and Software Developers
• Project Managers
• Safety Specialists
• Anyone interested in Hercules MCUs and functional safety
3 Day Training Class: Safety Critical Design and Programming with ARM® Cortex®-R4F based Hercules MCUs
Day 1
• Welcome and Intro
• Hercules Product Overview / MCU Roadmap
• Safety Standards and Hercules Safety Features
• HALCoGen / Exercise
• Code Composer Studio / Demonstration / Exercise
• Compiler / Exercise
• Flash Overview
• Flash Tools: nowFlash™, nowECC™, nowProfile™
• Summary / Questions
Day 2
• ARM® Cortex®-R4F CPU Architecture Overview
• System Module Overview
• Device setup/startup, Real Time Interrupt Module, Vectored Interrupt Manager
• CRC Controller, CPU Compare Module, Error Signaling Module
• General Purpose I/Os / Supply
• Direct Memory Access Controller (DMA)
• Serial Communication Interface (SCI/UART/LIN)
• Summary / Questions
Day 3
• Multi-Buffer Serial Peripheral Interface (SPI / MIBSPI-P)
• DCAN
• FlexRay / Transfer Unit
• Multi-Buffer ADC (MIBADC)
• External Memory Interface (EMIF) / Parameter Overlay Module (POM)
• NHET (High End Timer) IDE
• NHET
• NHET Transfer Unit
• Summary & Questions
101
Thank You
Contact Information:
Hoiman Low: hm-low@ti.com
ZHCP003
102
Important Notice
Texas Instruments (TI) and its subsidiaries reserve the right to make corrections, modifications, enhancements, improvements and other changes to the products and services they provide in accordance with the latest issue of JESD46, and to discontinue any product or service in accordance with the latest issue of JESD48. Customers should obtain the latest relevant information before placing orders and should verify that such information is current and complete. All products are sold subject to TI's terms and conditions of sale supplied at the time of order acknowledgment.
TI warrants performance of the components it sells to the specifications applicable at the time of sale, in accordance with TI's terms and conditions of sale of semiconductor products. Testing and other quality control techniques are used only to the extent covered by TI's warranty and to the extent TI deems necessary. Except where mandated by applicable law, testing of all parameters of each component is not necessarily performed.
TI assumes no liability for applications assistance or the design of customers' products. Customers are responsible for their products and applications using TI components. To minimize the risks associated with customers' products and applications, customers should provide adequate design and operating safeguards.
TI does not warrant or represent that any license, either express or implied, is granted under any TI patent right, copyright, mask work right, or other TI intellectual property right relating to any combination, machine, or process in which TI components or services are used. Information published by TI regarding third-party products or services does not constitute a license, authorization or endorsement from TI to use such products or services. Use of such information may require a license from a third party under the patents or other intellectual property of the third party, or a license from TI under the patents or other intellectual property of TI.
Reproduction of significant portions of TI information in TI product handbooks or data sheets is permissible only if reproduction is without any alteration and is accompanied by all associated authorizations, conditions, limitations, and notices. TI is not responsible or liable for such altered documentation. Reproduction of third-party information may be subject to additional restrictions.
Resale of TI components or services with statements different from or beyond the parameters stated by TI for that component or service voids all express and implied warranties for the associated TI component or service and is an unfair and deceptive business practice. TI is not responsible or liable for any such misrepresentation.
Customers acknowledge and agree that, notwithstanding any application-related information or support that may be provided by TI, they are solely responsible for compliance with all legal, regulatory and safety-related requirements concerning their products and the use of TI products in their applications. Customers represent and agree that they have all the necessary expertise and knowledge to create and implement safeguards which anticipate dangerous consequences of failures, monitor failures and their consequences, lessen the likelihood of failures that might cause personal injury, and take appropriate remedial actions. Customers will fully indemnify TI and its representatives against any damages arising out of the use of any TI components in such safety-critical applications.
In some cases, TI components may be promoted specifically to facilitate safety-related applications. With such components, TI's goal is to help customers design and create their own end-product solutions that meet applicable functional safety standards and requirements. Nonetheless, such components remain subject to these terms.
No TI components are authorized for use in FDA Class III (or similar life-critical medical equipment) unless authorized officers of the parties have executed a special agreement specifically governing such use.
Only those TI components which TI has specifically designated as military grade or "enhanced plastic" are designed and intended for use in military/aerospace applications or environments. Buyers acknowledge and agree that any military or aerospace use of TI components which have not been so designated is solely at the customer's risk, and that the customer is solely responsible for compliance with all legal and regulatory requirements in connection with such use.
TI has specifically designated certain products as meeting ISO/TS16949 requirements, mainly for automotive use. In any case, TI assumes no liability for failure to meet ISO/TS16949 requirements arising from the use of non-designated products.
Products
• Digital Audio: www.ti.com.cn/audio
• Amplifiers and Linear: www.ti.com.cn/amplifiers
• Data Converters: www.ti.com.cn/dataconverters
• DLP® Products: www.dlp.com
• DSP - Digital Signal Processors: www.ti.com.cn/dsp
• Clocks and Timers: www.ti.com.cn/clockandtimers
• Interface: www.ti.com.cn/interface
• Logic: www.ti.com.cn/logic
• Power Management: www.ti.com.cn/power
• Microcontrollers (MCU): www.ti.com.cn/microcontrollers
• RFID Systems: www.ti.com.cn/rfidsys
• OMAP Application Processors: www.ti.com/omap
• Wireless Connectivity: www.ti.com.cn/wirelessconnectivity
Applications
• Communications and Telecom: www.ti.com.cn/telecom
• Computers and Peripherals: www.ti.com.cn/computer
• Consumer Electronics: www.ti.com/consumer-apps
• Energy: www.ti.com/energy
• Industrial: www.ti.com.cn/industrial
• Medical: www.ti.com.cn/medical
• Security: www.ti.com.cn/security
• Automotive: www.ti.com.cn/automotive
• Video and Imaging: www.ti.com.cn/video
Texas Instruments Online Technical Support Community: www.deyisupport.com
IMPORTANT NOTICE
Mailing address: 32nd Floor, Zhongjian Building, 1568 Century Avenue, Pudong New Area, Shanghai, Postal code: 200122
Copyright © 2014, Texas Instruments Semiconductor Technologies (Shanghai) Co., Ltd.