Hercules™ Functional Safety Seminar
TÜV Rheinland / Texas Instruments China / November 2013
Functional Safety Seminar Agenda
TÜV Rheinland:
– Functional safety and standards applicable in China
– Functional safety standard certification requirement
Texas Instruments:
– Hercules platform Overview
– IEC 61508 / ISO 26262 and other Functional Safety (FS) standards
– Hercules MCU FS features
– Hercules MCU FS features vs. FS standards hardware requirements
– Hercules MCU product overview training and hands-on exercise
– Summary
Hercules™ MCUs Make the World a Safer Place

Electronics are proliferating in safety-critical applications. Functional safety standards shown across these domains:
• IEC 61508 (general safety critical electronics)
• ISO 26262 (automotive)
• EN 50128 (railway)
• DO-254 / DO-178B (aerospace)
• IEC 50156 (furnaces)
• IEC 60880 (nuclear power stations)
• IEC 62061 / ISO 13849 (industrial machinery)
• IEC 61511 (process industry)
• IEC 60601 (medical equipment)

Hercules MCUs provide developers of safety-critical applications:
• Help to protect against random and systematic failures
• Headroom for application differentiation
• Simplified development and system certification
Hercules™ MCU: End Equipment

• Automotive: Electric Power Steering; Radar / Collision Avoidance (ADAS); Hybrid & Electric Vehicles; Airbag; Braking / Stability Control; Chassis / Domain Control; Active Suspension; Anti-Skid Control
• Industrial: Industrial Motor Control; Manufacturing / Robotics; Wind Power; Solar Power; Industrial Automation / PLC; Communications Gateway; Sensor & Communications Gateway; Elevator; Escalator
• Medical: Infusion Pumps; Oxygen Concentrators; Respirators; Anesthesia; Motor Control
• Aerospace & Railway: Avionics / Autopilot; Flight Control
TI Hercules™ MCU Platform: ARM® Cortex™ Based Microcontrollers

RM – Industrial and Medical Safety MCUs
• Industrial Applications
• Medical Applications
• -40 to 105°C Operation
• ENET, USB, CAN & UART
• Developed to Safety Standards: IEC 61508 SIL-3
• Cortex-R – over 350 DMIPS

TMS570 – Transportation and Safety MCUs
• Transportation Applications
• Automotive Q100 Qualification
• -40 to 125°C Operation
• FlexRay, ENET, CAN, LIN/UART
• Developed to Safety Standards: ISO 26262 ASIL-D, IEC 61508 SIL-3
• Cortex-R – over 280 DMIPS

TMS470M – Value Line Transportation & Safety MCUs
• Transportation Applications
• Automotive Q100 Qualification
• -40 to 125°C Operation
• CAN, LIN/UART Connectivity
• Developed as QM components for IEC 61508 & ISO 26262 systems
• Cortex-M – to 100 DMIPS
Hercules MCU Product Offerings

Devices scale in performance, memory and peripherals; all use dual lockstep CPUs. Certification targets on the slide: ISO 26262 ASIL-D and IEC 61508 SIL3; status legend: Sampling / Development / Production.

Automotive & Transportation (TMS570):
• TMS570LS31x – 2×R4F lockstep, 3MB Flash, 256kB RAM, 180MHz, Ethernet
• TMS570LS21x – 2MB Flash, 192kB RAM
• TMS570LS12x – 2×R4F lockstep, 1.25MB Flash, 192kB RAM, 180MHz, Ethernet, QEP / PWM
• TMS570LS11x – 1MB Flash, 128kB RAM
• TMS570LS04x – 2×R4 lockstep, 384KB Flash, 32KB RAM, 80MHz, QEP
• TMS570LS03x – 256KB Flash, 32kB RAM

Industrial, Medical, Energy (RM):
• RM48L9x – 2×R4F lockstep, 3MB Flash, 256kB RAM, 220MHz, Ethernet
• RM48L5x – 2MB Flash, 192kB RAM
• RM46x – 2×R4F lockstep, 1.25MB Flash, 192kB RAM, 220MHz, Ethernet, QEP / PWM
• RM42x – 2×R4 lockstep, 384KB Flash, 32KB RAM, 100 MHz, QEP

Target applications: Railway Signaling; Avionics Systems; Off-road Vehicle; Stability Control; Power Steering; Vehicle Electrification; Safety Relays; ABS; Fuel Pumps; Passive Safety; CAN Communication; Industrial Drives; Safety PLCs; Solar / Wind Energy; Elevators / Escalators; Remote I/O Modules; Infusion Pumps

* Safety MCU = Hercules™ MCU
TI Position: TI Supports Safety Electronics Key Careabouts

Key careabouts (Safety, Reliability, Quality, Production, Design): EMI; wide temp design; long supply life; large scale; ISO/TS16949 certified; AEC Q100; 0 DPPM initiatives; ISO 26262 ASIL-D; IEC 61508 SIL3

TI position:
• Auto experienced design, apps and test engineers
• Shipping MCUs for 20+ years
• Over 500M auto MCUs
• Certified since 2005
• Q100 support since mid-90s
• Deployed for over a decade
• Component assessment planned
• First component certificate 2010
• Functional Safety Hardware Development Process certified 1Q13
IEC 61508 – Functional Safety of Electrical, Electronic, and Programmable Electronic (E/E/PE) Systems
• Basic Safety Publication used as basis for many IEC and ISO functional safety standards
• 1st edition in 1998, updated to 2nd edition in 2010.
• Performance based targets for both systematic and random failure management
• Covers safety management, system/HW design, SW design, production, and operation of safety critical E/E/PE systems
ISO 26262 – Functional Safety of Road Vehicles
• Automotive specific interpretation of IEC 61508 but replaces it rather than extending it.
• Aligns automotive life cycle and supply hierarchy.
• Separates component design from system design. Most complex components must comply to standard.
• TI participates in US and international working group as well as leading Semiconductor subgroup:
– ISO/TC 022/SC 03/WG16
– ISO/NP PAS 19451
Functional Safety Standards

Standard | Targeted End Equipment Applications
IEC 61508 | Electrical, Electronic, Programmable Electronic Systems
ISO 26262 | Passenger Cars up to 3500 kg
EN 50129 | Railway Signaling
ISO 22201 | Elevator / Escalator
IEC 61511 | Process Industry (Chemical, Oil Refining etc.)
IEC 61800 | Adjustable speed AC motor drive
IEC 62061 | Industry Machinery (electronics)
ISO 13849 | Industry Machinery
IEC 60730 | Automatic Controls for Household use
Hercules™ TMS570LS / RM Safety Concept
Hercules TMS570LS / RM4 MCU safety features
• Safe Island hardware diagnostics (RED)
• Blended HW diagnostics (BLUE)
• Non functional-safety-critical functions (BLACK)

Diagnostic measures called out on the block diagram:
• Dual core lockstep – cycle by cycle CPU fault detection
• ECC for flash / RAM / interconnect evaluated inside the Cortex-R4F
• Parity on all peripheral, DMA and interrupt controller RAMs
• Memory BIST on all RAMs allows fast memory test at startup
• CPU Self Test Controller requires little S/W overhead
• IO loop back, ADC self test, …
• Error Signaling Module w/ external error pin
• On-chip clock and voltage monitoring
• Logical / physical design optimized to reduce probability of common cause failure
• Parity or CRC in serial and network communication peripherals
• Dual ADC cores with shared channels
• Flash EEPROM w/ ECC
• CPU fault detection

[Block diagram: ARM® Cortex™-R4F lockstep CPUs; power, clock & safety block with PBIST/LBIST, OSC, PLL, POR, CRC, RTI/DWWD and ESM; enhanced system bus and vectored interrupt module; DMA; Flash w/ ECC and RAM w/ ECC; external memory interface; embedded trace, JTAG debug and calibration; serial interfaces; network interfaces; dual ADC cores (available); dual high-end timers (available); GIO]
Rationale of the Hercules™ Safety Concept
• “Safe Island” approach
• Region of component common to most safety functions is heavily protected by hardware diagnostic measures
– CPU
– CPU interrupts
– System control of power, reset, clock
– OS critical IP: DMA, OS timer
• Once the correct operation of a safe region is established, logic in this region can be used to provide diagnostic coverage on other regions
• This partition provides a basis for effective functional safety metrics while providing benefits to minimize overall system BOM overhead cost
1oo1D Dual Core Safety Concept
• Unique design helps to reduce common cause failures
– Second CPU mirrored and rotated
– Cycle delayed lockstep
– Guard ring per CPU
– Duplicated clock tree per CPU
• CPU Compare Module (CCM)
– Self-test capability
– Self-test error injection/error forcing
– Output error injection

[Diagram: input + control feed two ARM® Cortex™-R4F cores, the second through a cycle delay; the CCM compares the output + control of both cores, has a self-test path, and raises an error on mismatch]
High Performance Cortex-R4F floating-point CPU
• Over 365 DMIPS of performance
• High performance floating point
• ARM-based: broad industry adoption

Feature callouts:
• Up to 220 MHz CPU clock speed with TCM in 65nm
• Single / double precision IEEE 754 floating-point
• Superscalar, SIMD, 8 stage pipeline delivers 1.66 DMIPS/MHz
• Fast MULT, DIV, and SQRT enables model-based control; simplifies algorithm implementation
• 12 region memory protection
• Floating point and integer instructions operate in parallel
• ARM® v7R Cortex™ ISA fully backward compatible to ARM7/9/11
• Supports ARM, Thumb and Thumb-2 instructions
• Lockstep CPUs: single core programming model – second core checks the first.
• Broad IDE/compiler support: CCS, ARM, IAR, GHS, etc.
• Scalable ARM based solutions from TI: Stellaris®, Concerto™, Hercules™ & Sitara™
CPU Self Test Controller (STC/LBIST)
• Provides high diagnostic coverage
• Significantly lowers S/W and runtime overhead
• No SW BIST (Built In Self Test) code overhead in Flash
• Simple to configure and start BIST via register

[Block diagram: STC containing ROM and ROM interface, FSM, clock controller, test controller, REG block & compare block, STC bypass / ATE interface and VBUS interface, with an ERR output to the ESM and PCR; the STC drives the DBIST controllers of the ARM® Cortex™-R4F cores]
Programmable Memory BIST (PBIST)
• All on-chip RAMs can be tested
• Simple register setup and configuration
• Typically run at startup, but can be executed during the application
• Multiple memory test algorithms
• Detects multiple failure modes
• Provides a mechanism to determine if runtime faults were caused by hard or soft error. This capability can be used to improve availability through inline recovery from soft error.

[Block diagram: PBIST controller with data logger, external block, config block, VBUS interface and tester interface; ROM block with ROM interface; RAM data path / collars to and from the memories (RAM groups), alongside the functional read/write datapath]
Flash / RAM ECC Protection
• ECC evaluated in the Cortex-R4 CPU
– Single bit error correction and double bit error detection (SECDED)
– ECC evaluated in parallel to processing data/instructions
– No latency or performance impact
– Protects busses from CPU to Flash and RAM
– Address / control parity from CPU -> memory
– Diagnostic in Flash / SRAM wrappers

[Diagram: 64-bit instruction and data paths from Flash and RAM each carry 8 ECC bits into the ECC logic of the Cortex-R4 ahead of its 8 stage pipeline, with an error output; the 32-bit paths each carry 4 ECC bits]
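The SECDED behaviour described above, as an added software model (not TI's logic; the device's real check-bit equations are not on the page): 64 data bits protected by 8 check bits in an assumed extended-Hamming layout, so a single flipped bit is corrected and two flipped bits are flagged as uncorrectable. The `secded_flip` helper stands in for error injection.

```c
#include <stdint.h>
#include <stdbool.h>

/* Codeword of 72 bits = 64 data + 8 check, stored one bit per byte for clarity.
 * Positions 1..71: data bits plus 7 Hamming check bits at the power-of-two
 * positions; position 0: overall parity, which turns SEC into SECDED.
 * (Assumed layout for this model only.) */
#define CW_BITS 72

typedef struct { uint8_t bit[CW_BITS]; } secded72_t;

typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status_t;

static bool is_pow2(unsigned p) { return p != 0 && (p & (p - 1)) == 0; }

/* Encode 64 data bits into a 72-bit SECDED codeword. */
secded72_t secded_encode(uint64_t data)
{
    secded72_t cw = {{0}};
    unsigned d = 0;
    /* Data bits fill every non-power-of-two position 1..71: exactly 64 slots. */
    for (unsigned p = 1; p < CW_BITS; p++) {
        if (is_pow2(p)) continue;
        cw.bit[p] = (uint8_t)((data >> d) & 1u);
        d++;
    }
    /* Check bit at position p covers every position whose index has bit p set. */
    for (unsigned p = 1; p < CW_BITS; p <<= 1) {
        uint8_t par = 0;
        for (unsigned i = 1; i < CW_BITS; i++)
            if ((i & p) && !is_pow2(i)) par ^= cw.bit[i];
        cw.bit[p] = par;
    }
    /* Overall parity over positions 1..71 gives double-error detection. */
    uint8_t all = 0;
    for (unsigned i = 1; i < CW_BITS; i++) all ^= cw.bit[i];
    cw.bit[0] = all;
    return cw;
}

/* Model helper: inject a bit flip into a stored codeword. */
void secded_flip(secded72_t *cw, unsigned pos) { cw->bit[pos] ^= 1u; }

/* Decode in place: correct one flipped bit, flag two flipped bits. */
ecc_status_t secded_decode(secded72_t *cw, uint64_t *data)
{
    unsigned syndrome = 0;   /* XOR of the indices of all set bits */
    uint8_t parity = 0;      /* parity over all 72 bits */
    for (unsigned i = 0; i < CW_BITS; i++) {
        if (cw->bit[i]) {
            parity ^= 1u;
            syndrome ^= i;
        }
    }
    ecc_status_t status = ECC_OK;
    if (parity) {
        /* Odd number of flips: treated as a single error at 'syndrome'
         * (syndrome 0 means the overall parity bit itself flipped). */
        if (syndrome >= CW_BITS) return ECC_UNCORRECTABLE;
        cw->bit[syndrome] ^= 1u;
        status = ECC_CORRECTED;
    } else if (syndrome != 0) {
        /* Even number of flips with a non-zero syndrome: double error. */
        return ECC_UNCORRECTABLE;
    }
    /* Extract the 64 data bits from the (now clean) codeword. */
    uint64_t out = 0;
    unsigned d = 0;
    for (unsigned p = 1; p < CW_BITS; p++) {
        if (is_pow2(p)) continue;
        if (cw->bit[p]) out |= (uint64_t)1 << d;
        d++;
    }
    *data = out;
    return status;
}
```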
Safety Aspects of Network Interfaces
• Networked peripherals (Ethernet, FlexRay, DCAN, and SCI/LIN) are typically implemented as black-channel communications at system level
• Information redundancy techniques (end-to-end safing) are typically applied via software as the “black channel” diagnostics. This can provide coverage of the external network as well as the network peripherals inside the MCU
• Examples of common techniques include redundant transmissions, additional CRCs in data payload etc.
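An added example of the end-to-end ("black channel") protection described above; it is not TI code, and the frame layout, CRC choice and field sizes are assumptions of this model. The receiver trusts nothing on the path (MCU peripheral, wiring, remote node) and accepts a payload only after checking a CRC, a data ID and a sequence counter, so corruption, misrouted frames, replayed frames and lost frames are each reported.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define E2E_PAYLOAD_LEN 8
#define E2E_FRAME_LEN   (2 + E2E_PAYLOAD_LEN + 2)   /* id, seq, payload, crc16 */

typedef enum { E2E_OK, E2E_BAD_CRC, E2E_WRONG_ID, E2E_REPEATED, E2E_LOST } e2e_status_t;

typedef struct { uint8_t data_id; uint8_t seq; } e2e_tx_t;
typedef struct { uint8_t data_id; uint8_t expected_seq; bool synced; } e2e_rx_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bitwise for clarity. */
uint16_t crc16_ccitt(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u)
                                  : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: prepend data ID and running sequence counter, append CRC over both. */
void e2e_protect(e2e_tx_t *tx, const uint8_t *payload, uint8_t *frame)
{
    frame[0] = tx->data_id;
    frame[1] = tx->seq++;                      /* wraps at 255 by uint8_t arithmetic */
    memcpy(&frame[2], payload, E2E_PAYLOAD_LEN);
    uint16_t crc = crc16_ccitt(frame, 2 + E2E_PAYLOAD_LEN);
    frame[2 + E2E_PAYLOAD_LEN]     = (uint8_t)(crc >> 8);
    frame[2 + E2E_PAYLOAD_LEN + 1] = (uint8_t)(crc & 0xFFu);
}

/* Receiver side: the payload is delivered only when every check passes. */
e2e_status_t e2e_check(e2e_rx_t *rx, const uint8_t *frame, uint8_t *payload_out)
{
    uint16_t got = (uint16_t)(((uint16_t)frame[2 + E2E_PAYLOAD_LEN] << 8)
                              | frame[2 + E2E_PAYLOAD_LEN + 1]);
    if (got != crc16_ccitt(frame, 2 + E2E_PAYLOAD_LEN))
        return E2E_BAD_CRC;                     /* corruption anywhere on the path */
    if (frame[0] != rx->data_id)
        return E2E_WRONG_ID;                    /* misrouted or masquerading frame */
    uint8_t seq = frame[1];
    if (!rx->synced) {
        rx->synced = true;                      /* first frame sets the baseline */
    } else if (seq == (uint8_t)(rx->expected_seq - 1u)) {
        return E2E_REPEATED;                    /* stale or replayed frame */
    } else if (seq != rx->expected_seq) {
        rx->expected_seq = (uint8_t)(seq + 1u); /* resync, but report the gap */
        return E2E_LOST;
    }
    rx->expected_seq = (uint8_t)(seq + 1u);
    memcpy(payload_out, &frame[2], E2E_PAYLOAD_LEN);
    return E2E_OK;
}
```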
Error Signaling Module (ESM)

[Diagram: error inputs for group 1, group 2 and group 3 are collected by the ESM; INTEN / INTLVL route them to the interrupt manager as low level or high level interrupt handling; error signal control with a low time counter and low time counter preload drives the nERROR pin]
Clock Monitoring
• External clock prescaler (ECLK)
– Allows external monitoring of CPU clock frequency
– Configurable pin (GIO or ECLK)
• Oscillator monitor
– Detects failure if oscillator frequency exceeds defined min/max thresholds*
– Selectable hardware response on oscillator fail: reset device, or switch to internal ‘low power oscillator’ (LPO) clock source
• FMPLL slip detector
– Indicates PLL slip if phase lock is lost
– Selectable hardware response on PLL slip: reset device, switch to internal ‘low power oscillator’ (LPO) clock source, or switch to external oscillator clock source

[Diagram: the oscillator input feeds the FMPLL; the slip detector can bypass on slip (BPOS), reset on slip (ROS) or select the LPO before the clock signal reaches the clock control module; the reset path goes to device reset]

* Refer to device data sheet
Dual Clock Comparator (DCC)
• The DCC module is used to measure the frequency of a clock signal using a second clock signal as a reference.
• Allows application to ensure that a fixed frequency ratio is maintained between two clock signals
• Supports the definition of a programmable tolerance window in terms of number of reference clock cycles
• Supports continuous monitoring without requiring application intervention
• Alternatively can be used in a single-sequence mode for spot measurements
• Flexible clock source selection for Counter 0 and Counter 1 resulting in several specific use cases

[Diagram: Clock 0 select and Clock 1 select choose the clock sources (including PLLMUL); Counter 0 loads Preload 0 and then Valid Preload 0 into Valid Counter 0; Counter 1 loads Preload 1; the clock compare logic raises ERROR if the counters do not both reach zero inside the valid window]
Digital Windowed Watch Dog (DWWD)
• The DWWD module will reset the MCU or generate a non maskable interrupt to the CPU if the application fails to service the watchdog within the appropriate time window.
• Safety diagnostic that can detect a runaway CPU
• Includes a 25-bit down counter
• Alerts the Error Signaling Module when a CPU interrupt is generated
• Supports multiple service windows: 100%, 50%, 25%, 12.5%, 3.125%
• Servicing requires a specific two part key sequence
• Once enabled can only be disabled by a system or power on reset

[Diagram: the DWWD preload loads the down counter; when it reaches 0 the DWWD issues RESET or INTERRUPT (reported to the ESM). Window sizes shown: 100%, 50%, 25%, 12.5%, 6.25%, 3.125% – the smaller the window, the later in the count-down the service window opens]
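An added behavioural model of the windowed watchdog described above (not TI's register interface; the key values and the enum encodings are assumptions of this model): a 25-bit down counter, a service window that opens only in the last fraction of the period, a two-part key sequence, and no way to disable once enabled other than a reset. Servicing too early is a violation, exactly like servicing too late, which is what lets it catch a CPU stuck in a tight loop that kicks the watchdog continuously.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed key values for this model; the device's real sequence is in its TRM. */
#define DWWD_KEY1 0x1234u
#define DWWD_KEY2 0x5678u
#define DWWD_COUNTER_MAX ((1u << 25) - 1u)   /* 25-bit down counter */

/* Window as a divisor of the preload: open when counter <= preload / window. */
typedef enum {
    DWWD_WIN_100 = 1, DWWD_WIN_50 = 2, DWWD_WIN_25 = 4,
    DWWD_WIN_12_5 = 8, DWWD_WIN_6_25 = 16, DWWD_WIN_3_125 = 32
} dwwd_window_t;

typedef enum {
    DWWD_OK, DWWD_KEY_ERROR, DWWD_WINDOW_VIOLATION, DWWD_EXPIRED, DWWD_DISABLED
} dwwd_event_t;

typedef struct {
    uint32_t preload;
    uint32_t counter;
    dwwd_window_t window;
    bool first_key_seen;
    bool enabled;
} dwwd_t;

/* Power-on / system reset is the only thing that returns the DWWD to disabled. */
void dwwd_power_on_reset(dwwd_t *w)
{
    w->enabled = false;
    w->first_key_seen = false;
    w->counter = 0;
}

bool dwwd_enable(dwwd_t *w, uint32_t preload, dwwd_window_t window)
{
    if (preload == 0 || preload > DWWD_COUNTER_MAX) return false;
    w->preload = preload;
    w->counter = preload;
    w->window = window;
    w->first_key_seen = false;
    w->enabled = true;
    return true;
}

bool dwwd_window_open(const dwwd_t *w)
{
    return w->counter <= w->preload / (uint32_t)w->window;
}

/* Advance the counter by 'cycles' of the watchdog clock. */
dwwd_event_t dwwd_tick(dwwd_t *w, uint32_t cycles)
{
    if (!w->enabled) return DWWD_DISABLED;
    if (cycles >= w->counter) {
        w->counter = 0;
        return DWWD_EXPIRED;       /* reset or NMI, and the ESM is alerted */
    }
    w->counter -= cycles;
    return DWWD_OK;
}

/* Two-part key sequence; the second key is checked against the window. */
dwwd_event_t dwwd_service(dwwd_t *w, uint16_t key)
{
    if (!w->enabled) return DWWD_DISABLED;
    if (key == DWWD_KEY1) {
        w->first_key_seen = true;
        return DWWD_OK;
    }
    if (key != DWWD_KEY2 || !w->first_key_seen) {
        w->first_key_seen = false;
        return DWWD_KEY_ERROR;     /* wrong key or wrong order */
    }
    w->first_key_seen = false;
    if (!dwwd_window_open(w)) return DWWD_WINDOW_VIOLATION;  /* serviced too early */
    w->counter = w->preload;       /* good service: restart the period */
    return DWWD_OK;
}
```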
Memory Protection Unit (MPU)
• A dedicated Memory Protection Unit (MPU) is implemented for select bus masters
• Bus masters include the CPU, DMA, HTU and the FTU
• A memory region is defined which allows read and write access for the bus master
• Access outside the defined region can be any of the modes:
– Read Only: read access allowed for the memory accesses outside the region. Write accesses are blocked
– No Access: read and write access is blocked.
• In the event of a detected memory protection violation an error is indicated
[Block diagram of a TMS570 device: ARM® Cortex™-R4F 160MHz lockstep CPUs with CPU fault detection; power, clock & safety block (POR, OSC, PLL, PBIST, LBIST, RTI, CRC); enhanced system bus and vectored interrupt management; DMA with High End Timer Transfer Unit (HTU) and FlexRay Transfer Unit (FTU); Flash w/ ECC and RAM w/ ECC with memory protection and EMIF; embedded trace, JTAG debug, calibration; serial I/F: MibSPI (128 buffers; 4 CS), MibSPIP (128 buffers; 4 CS), UART1 (LIN1), UART2 (LIN2); network I/F: CAN1 (64mb), CAN2 (64mb), CAN3 (32mb), 2 ch FlexRay with 8K message RAM; ADC: MibADC1 and MibADC2, 64 buffers each, 12-bit, 16ch (8ch shared); timers / IO: High End Timer (NHET) 128 words, 32 ch, GIOA/INTA (8), GIOB (8)]
Dual Analog to Digital Converters
• Dual 12-bit ADC cores:
– MibADC1 supports dedicated analog inputs & shared inputs with MibADC2
– Up to 16 analog channels can be shared between the 2 cores for safety critical conversions/comparison
– Internal ADC reference voltages can be used to check converter functionality.
– Self test mode helps to detect opens/shorts on ADC inputs
– ADC calibration logic can improve accuracy or be used to detect drift between multiple test results.

[Diagram: MibADC1 (AD1IN[7..0] dedicated, AD1IN[23..8] shared as AD2IN[15..0]) and MibADC2, each with self-test & calibration, event inputs AD1EVT / AD2EVT, supplies VccAD / VssAD and references VrefHi / VrefLo, both connected to the peripheral bus]

Note: Not all Hercules MCUs are available with dual ADCs
Voltage Monitor
• Supply Voltage Monitor (VMON)
– Holds reset until core and I/O rails are in expected range (relaxes power sequencing requirements)
– Asserts reset if core or I/O supply exceeds defined min/max thresholds
– Asserts reset when core supply is below specified min voltage and asynchronously sets all I/O pins to high impedance mode
Managing Safety Failures with Hercules™

Failures are either systematic (“deterministic failure in design or manufacturing”) or random (“random defects inherent to usage condition”).

Systematic failures: quality processes throughout TI product delivery (Safety, Reliability, Quality, Production, Design):
• ISO/TS16949
• AEC Q100
• 0 DPPM initiatives
• ISO 26262 ASIL-D
• IEC 61508 SIL3
• 20+ years automotive supply experience
• Independent process & component assessment

Random failures: Safe Island-based Hercules safety concept [block diagram: ARM® Cortex™-R4F with dual core compare; power, clock & safety block with PBIST/LBIST, OSC, PLL, POR, CRC, RTI/DWWD and ESM; enhanced system bus and vectored interrupt module; DMA; Flash w/ ECC, RAM w/ ECC, Flash EEPROM w/ ECC; external memory interface; embedded trace, JTAG debug, calibration; serial interfaces; network interfaces; dual ADC cores; dual high-end timers; GIO]
SafeTI™ Hardware Development Process Certification by TÜV SÜD
TÜV SÜD is an internationally recognized and accredited independent assessor of compliance to quality, safety, and security standards.
TÜV SÜD has certified TI’s hardware functional safety development process for:
• SafeTI-61508
• SafeTI-26262
The certification demonstrates TI’s commitment to have a process suitable for developing hardware components that are compliant to ISO 26262 and IEC 61508.
Assessment to other standards is under consideration.

EN 50129 – Railway
• Covers railway safety systems
• Harmonizes safety integrity level to IEC 61508
• Provides diagnostic test examples of fault detection for large-scale integrated circuits (MCU)
EN 50129 – Functional Safety HW requirements

Standard | System | Safety Integrity | Architectural Metric | Architectural Requirement | Failure Rate | Specific MCU self-test requirements
IEC 61508 | Programmable E/E systems | SIL 1,2,3,4 | SFF | HFT>0 for SIL 4 | PFD, PFH | No
EN 50129 | Railway | SIL 1,2,3,4 | N/A | Follow IEC 61508 | THR | CPU, Memory

• EN 50129 SIL and architectural requirements are mostly harmonized to IEC 61508
• Specific CPU and memory self tests are required. These can be satisfied by Hercules MCU LBIST and PBIST diagnostics
• Hercules MCU IEC 61508 hardware metrics can be re-used to facilitate EN 50129 compliance

[Diagram: 1oo1D – one TMS570 MCU (SIL3) with a TPS 65381 exchanging health status over SPI and an nError line, for SIL 2, 3 with HFT=0; 1oo2D – two TMS570 MCUs (SIL3), each with its own TPS 65381, cross-coupled over SPI and error signals, for SIL 4 with HFT=1]
ISO 22201 – Elevators
• IEC 61508 is used as normative reference
• Covers Elevator and Escalator
• SIL level is established for specific elevator function
• Certification must be done by notified body
ISO 22201 Functional Safety HW requirements

Standard | System | Safety Integrity | Architectural Metric | Architectural Requirement | Failure Rate | Specific MCU self-test requirements
IEC 61508 | Programmable E/E systems | SIL 1,2,3,4 | SFF | HFT>0 for SIL 4 | PFD, PFH | No
ISO 22201 | Elevator | SIL 1,2,3 | N/A | Dual channels for SIL3 | N/A | CPU, Memory, Interrupt, Clock, I/O, Comm

• Specific SIL targets are defined per elevator safety function
• Specific system architecture structure requirements per SIL
• Specific MCU self-tests are required for CPU/Memory/Clock/IO & Comm/Program Sequence. These can be satisfied by Hercules MCU safety diagnostic features.
• A single Hercules MCU is designed to support ISO 22201 up to SIL 2 compliance
• Dual Hercules MCU can support ISO 22201 SIL 3 (dual channels with comparison)

[Diagram: ISO 22201 SIL 1, 2 – a single TMS570 MCU; ISO 22201 SIL 3 – two TMS570 MCUs exchanging health status over SPI]
Table 9: Specific measures for SIL1

Component and function | Requirement (Note) | Measures | Table 12 clause | GB/T 20438.7-2006 clause | Hercules MCU TMS570LS04/03x Safety Manual
Structure | The structure shall be such that as soon as any single random failure is detected, the system enters a safe state. | Single-channel structure with self-test, or two-channel or multi-channel structure with comparison | M 1.1, M 1.3 | A.3.1, A.2.5 | CPU2A/B
Processing unit | Failures in the processing unit that can lead to incorrect results shall be detected. If such a failure can lead to a dangerous state, the system shall enter a safe state. | Failure-correcting hardware, or software self-test, or comparator in a two-channel structure, or reciprocal software comparison in a two-channel structure | M 2.1, M 2.2, M 2.4, M 2.5 | A.3.4, A.3.1, A.1.3, A.3.5 | CPU1
Invariant memory ranges | Incorrect information modification, e.g. all 1-bit or 2-bit failures and some 3-bit and multi-bit failures, shall be detected at the latest before the next travel of the lift. | The following measures apply only to a single-channel structure: one-bit redundancy (parity bit), or block safety with one-word redundancy | M 3.5, M 3.1 | A.5.5, A.4.3 | FLA1, FLA5A/B
Variant memory ranges | Global failures during addressing, writing, storing and reading, as well as all 1-bit and 2-bit failures and some 3-bit and multi-bit failures, shall be detected at the latest before the next travel of the lift. | The following measures apply only to a single-channel structure: word saving with multi-bit redundancy, or detection of static or dynamic faults by test pattern | M 3.2, M 4.1 | A.5.6, A.5.2 | RAM1, RAM7A/B
I/O units and interfaces including communication links | Static failures and cross-talk on I/O lines, as well as random and systematic failures in the data flow, shall be detected at the latest before the next travel of the lift. | Code safety, or test pattern | M 5.4, M 5.5 | A.6.2, A.6.1 | SPI3/SCI2, GIO2 etc. (information redundancy technique)
Clock | Failures of the clock generator for the processing unit, such as frequency change or stoppage, shall be detected at the latest before the next travel of the lift. | Watchdog with independent time base, or reciprocal monitoring | M 6.1, M 6.2 | A.9.4 | CLK5A/B/C, CLK1
Program sequence | Wrong program sequence and inappropriate execution timing of safety-related functions shall be detected at the latest before the next travel of the lift. | Combination of timing and logical monitoring of the program sequence | M 7.1 | A.9.4 | CLK5A/B/C
Table 10: Specific measures for SIL2

Component and function | Requirement (Note) | Measures | Table 12 clause | GB/T 20438.7-2006 clause | Hercules MCU TMS570LS04/03x Safety Manual
Structure | The structure shall be such that, taking the system reaction time into account, as soon as any single random failure is detected the system enters a safe state. | Single-channel structure with self-test and monitoring, or two-channel or multi-channel structure with comparison | M 1.2, M 1.3 | A.3.3, A.2.5 | CPU2A/B
Processing unit | Failures in the processing unit that can lead to incorrect results shall be detected, taking the system reaction time into account. If such a failure can lead to a dangerous state, the system shall enter a safe state. | Failure-correcting hardware, and hardware-supported software self-test for a single-channel structure, or comparator in a two-channel structure, or reciprocal software comparison in a two-channel structure | M 2.1, M 2.3, M 2.4, M 2.5 | A.3.4, A.3.3, A.1.3, A.3.5 | CPU1
Invariant memory ranges | Incorrect information modification, e.g. all 1-bit or 2-bit failures and some 3-bit and multi-bit failures, shall be detected taking the system reaction time into account. | The following measures apply only to a single-channel structure: block safety with one-word redundancy, or word saving with multi-bit redundancy | M 3.1, M 3.2 | A.4.3, A.5.6 | FLA5A/B, FLA1
Variant memory ranges | Global failures during addressing, writing, storing and reading, as well as all 1-bit and 2-bit failures and some 3-bit and multi-bit failures, shall be detected taking the system reaction time into account. | The following measures apply only to a single-channel structure: word saving with multi-bit redundancy, or detection of static or dynamic faults by test pattern | M 3.2, M 4.1 | A.5.6, A.5.2 | RAM1, RAM7A/B
I/O units and interfaces including communication links | Static failures and cross-talk on I/O lines, as well as random and systematic failures in the data flow, shall be detected taking the system reaction time into account. (Note 2) | Code safety, or test pattern | M 5.4, M 5.5 | A.6.2, A.6.1 | SPI3/SCI2, GIO2 etc. (information redundancy techniques)
Clock | Failures of the clock generator for the processing unit, such as frequency change or stoppage, shall be detected taking the system reaction time into account. | Watchdog with independent time base, or reciprocal monitoring | M 6.1, M 6.2 | A.9.4 | CLK1, CLK5A/B, CLK3
Program sequence | Wrong program sequence and inappropriate execution timing of safety-related functions shall be detected taking the system reaction time into account. | Combination of timing and logical monitoring of the program sequence | M 7.1 | A.9.4 | CLK5B
Table A.4: specific measures for SIL1 – ISO 22201

Components and functions | Requirements | Measures | Table 7 reference | IEC 61508-7:2000 reference | Hercules MCU TMS570LS04/03x Safety Manual
Structure | The structure shall be such that any single random failure is detected and the system shall go into a safe state. | One channel structure with self-test, or two channels or more with comparison | M 1.1, M 1.3 | A.3.1, A.2.5 | CPU2A/B
Processing units | Failures in processing units that can lead to incorrect results, shall be detected. If such a failure can lead to a dangerous situation, the system shall go into a safe state. | Failure-correcting hardware, or self-test by software, or comparator for two-channel structure, or reciprocal comparison by software for two-channel structure | M 2.1, M 2.2, M 2.4, M 2.5 | A.3.4, A.3.1, A.1.3, A.3.5 | CPU1
Invariant memory ranges | Incorrect information modification, i.e. all odd-bit or 2-bit failures and some 3-bit and multi-bit failures shall be detected, at the latest, before the next travel of the lift. | The following measures refer only to a one-channel structure: one-bit redundancy (parity bit), or block safety with one-word redundancy | M 3.5, M 3.1 | A.5.5, A.4.3 | FLA1, FLA5A/B
Variant memory ranges | Global failures during addressing, writing, storing and reading as well as all odd-bit and 2-bit failures and some 3-bit failures and multi-bit failures shall be detected, at the latest, before the next travel of the lift. | The following measures refer only to a one-channel structure: word-saving with multi-bit redundancy, or check via test pattern against static or dynamic faults | M 3.2, M 4.1 | A.5.6, A.5.2 | RAM1, RAM7A/B
I/O units and interfaces incl. communication links | Static failures and cross talk on I/O lines, as well as random and systematic failures in the data flow shall be detected, at the latest, before the next travel of the lift. | Code safety, or test pattern | M 5.4, M 5.5 | A.6.2, A.6.1 | SPI3/SCI2, GIO2 etc. (information redundancy technique)
Clock | Failures in clock generation for processing units like frequency modification or breakdown shall be detected, at the latest, before the next travel of the lift. | Watchdog with separate time base, or reciprocal monitoring | M 6.1, M 6.2 | A.9.4 | CLK5A/B/C, CLK1
Program sequence | Wrong program sequence and inappropriate execution time of the safety-related functions shall be detected, at the latest, before the next travel of the lift. | Combination of timing and logical monitoring of program sequence | M 7.1 | A.9.4 | CLK5A/B/C
Table A.5: specific measures for SIL2 – ISO 22201

Components and functions | Requirements | Measures | Table 7 reference | IEC 61508-7:2000 reference | Hercules MCU TMS570LS04/03x Safety Manual
Structure | The structure shall be such that any single random failure is detected and the system shall go into a safe state. | One channel with self-test and monitoring, or two channels or more with comparison | M 1.2, M 1.3 | A.3.3, A.2.5 | CPU2A/B
Processing units | Failures in processing units that can lead to incorrect results, shall be detected. If such a failure can lead to a dangerous situation, the system shall go into a safe state. | Failure correcting hardware, and software self-test supported by hardware for one-channel structure, or comparator for 2-channel structure, or reciprocal comparison by software for 2-channel structure | M 2.1, M 2.3, M 2.4, M 2.5 | A.3.4, A.3.3, A.1.3, A.3.5 | CPU1
Invariant memory ranges | Incorrect information modification, i.e. all odd-bit or 2-bit failures and some 3-bit and multi-bit failures shall be detected, at the latest, before the next travel of the lift. | The following measures refer only to a one-channel structure: block safety with one-word redundancy, or word saving with multi-bit redundancy | M 3.1, M 3.2 | A.4.3, A.5.6 | FLA5A/B, FLA1
Variant memory ranges | Global failures during addressing, writing, storing and reading as well as all odd-bit and 2-bit failures and some 3-bit failures and multi-bit failures shall be detected, at the latest, before the next travel of the lift. | The following measures refer only to a one-channel structure: word-saving with multi-bit redundancy, or check via test pattern against static or dynamic faults | M 3.2, M 4.1 | A.5.6, A.5.2 | RAM1, RAM7A/B
I/O units and interfaces incl. communication links | Static failures and cross talk on I/O lines, as well as random and systematic failures in the data flow shall be detected, at the latest, before the next travel of the lift. | Code safety or test pattern | M 5.4, M 5.5 | A.6.2, A.6.1 | SPI3/SCI2, GIO2 etc. (information redundancy techniques)
Clock | Failures in clock generation for processing units like frequency modification or breakdown shall be detected, at the latest, before the next travel of the lift. | Watchdog with separate time base or reciprocal monitoring | M 6.1, M 6.2 | A.9.4 | CLK1, CLK5A/B, CLK3
Program sequence | Wrong program sequence and inappropriate execution time of the safety-related functions shall be detected, at the latest, before the next travel of the lift. | Combination of timing and logical monitoring of program sequence | M 7.1 | A.9.4 | CLK5B
IEC 61511 – Process Industry Safety
• Based on industry standard ISA 84
• First edition published in 2003
• Focuses on systems and relies on IEC 61508 for hardware and software component requirements

IEC 61511 – Process Industry Connection to Related Standards
Relies on IEC 61508 for hardware component requirements
IEC 62061 – Functional Safety of E/E/PE Machinery
• Addresses industrial machinery safety standard building on IEC 61508 basis
• Incorporates designated architectures from earlier EN954 standard
• First published in 2005.
• IEC 62061 relies on IEC 61508 for hardware and software component requirements
• Cannot be applied to hydraulic, pneumatic or mechanical control systems – instead apply ISO 13849
IEC 61800* / 62061 / 61511 Functional Safety HW requirements

Standard | System | Safety Integrity | Architectural Metric | Architectural Requirement | Failure Rate | Specific MCU self-test requirements
IEC 61508 | Programmable E/E systems | SIL 1,2,3,4 | SFF | HFT>0 for SIL 4 | PFD, PFH | No
IEC 61800 | Drive | SIL 1,2,3 (SIL4: apply IEC 61508) | SFF | Dependent on function | PFH (no PFD) | No
IEC 62061 | Machinery | SIL 1,2,3 (SIL4: apply IEC 61508) | SFF | Supports ISO 13849 categories | PFHD | No
IEC 61511 | Process Automation | SIL 1,2,3 (SIL4: apply IEC 61508) | SFF | See IEC 61508 | PFDavg | No

• IEC 61800, IEC 62061 and IEC 61511 hardware component requirements are harmonized with IEC 61508 with no other specific requirements.
• Hercules MCU is developed for up to IEC 61508 SIL-3. IEC 61508 hardware metrics can be re-used for IEC 61800, IEC 62061 and IEC 61511 directly.
• IEC 61800, IEC 62061, and IEC 61511 focus on system level and refer hardware component requirements to IEC 61508.

* 61800 = 61800-5-2
ISO 13849 – Safety of Industrial Machinery
• Addresses industrial machinery safety standard building on IEC 61508 basis
• Incorporates some probabilistic metrics, though not aligned to IEC 61508
• First published in 2006
• ISO 13849 focuses on machinery safety at system level. Hardware and software component are indirectly addressed
• Can be used for all types of control systems
• But not recommended for complex E/E/PE controls
Harmonizing IEC 62061 and ISO 13849
ISO 13849 – Industrial Machinery Designated Architectures
• Category B – “basic” 1oo1 with no diagnostics
• Category 1 – 1oo1 using high reliability (low fail rate) components
• Category 2 – 1oo1 with diagnostics (1oo1D)
• Category 3 – 1oo2 with low effectiveness diagnostics per channel
• Category 4 – 1oo2 with high effectiveness diagnostics per channel
ISO 13849 Functional Safety HW requirements

Standard | System | Safety Integrity | Architectural Metric | Architectural Requirement | Failure Rate | Specific MCU self-test requirements
IEC 61508 | Programmable E/E systems | SIL 1,2,3,4 | SFF | HFT>0 for SIL 4 | PFD, PFH | No
ISO 13849 | Machinery | PL a,b,c,d,e | DCavg | CAT B,1,2,3,4 | MTTFD | No

• ISO 13849 safety integrity is defined by Performance Level (PL), where PL b,c are equivalent to SIL1, PL d -> SIL2 and PL e -> SIL3.
• ISO 13849 specifies architectural requirements in terms of designated architecture categories (Cat) B, 1, 2, 3, 4.
• For Cat 3 and Cat 4, physical or logical redundancy is required (two channels)
• Single channel Hercules MCU can satisfy Categories B, 1, 2 for most designs.
• Dual channel Hercules MCU can satisfy Categories 3, 4 for most designs.
• Additional options may be possible dependent on safety function and system design.
• Evaluation underway for Hercules + TPS for Cat 3, PL d in an STO safety function
IEC 60730 – System Safety of Household Electronics
• 4th edition released in 2010
• Applies diagnostic recommendation from IEC 61508 as requirements on hardware
• Prescriptive – no performance based metrics to illustrate effectiveness of architecture or diagnostics
IEC 60730 – System Classification
• IEC 60730 classification:
– Class A: Control functions not intended to be relied upon for the safety of the equipment
– Class B: Control functions intended to prevent unsafe operation of the controlled equipment (e.g., thermal cut-outs and door locks for laundry equipment)
– Class C: Control functions intended to prevent special hazards, such as explosion of the controlled equipment
IEC 60730 Faults/Errors Detection Requirements

Component | Fault/Error – Class B (IEC 60730-B) | Fault/Error – Class C (IEC 60730-C)
1. CPU | |
1.1 Registers | Stuck-at | DC fault
1.2 Instruction decoding and execution | – | Wrong decoding and execution
1.3 Program counter | Stuck-at | DC fault
1.4 Addressing | – | DC fault
1.5 Data paths | – | DC fault
2. Interrupt handling and execution | No interrupt or too frequent interrupt | No interrupt or too frequent interrupt and interrupt related to different sources
3. Clock | Wrong frequency | Wrong frequency
4. Memory | |
4.1 Non-volatile memory | All single-bit faults | All single and double bit errors
4.2 Volatile memory | DC fault | DC fault and dynamic cross links
4.3 Addressing | Stuck-at | DC fault
5. Internal data path | |
5.1 Data | Stuck-at | DC fault
5.2 Addressing | Wrong address | Wrong and multiple addressing
6. External communication | |
6.1 Data | All single-bit faults | All single and double bit errors
6.2 Addressing | Wrong address | Wrong and multiple addressing
6.3 Timing | Wrong point in time; wrong sequence | Wrong point in time; wrong sequence
7. Input/output periphery | |
7.1 Digital I/O | Required | Required
7.2 Analog I/O | |
7.2.1 AD and DA converter | Open and short circuit | Open and short circuit
IEC 60730: Hercules MCU Measures to Control Faults/Errors

Component / Function (from Table A2.1)                                                         | Examples of acceptable measures with a Hercules MCU                                 | HW or SW
1. CPU (registers, instruction decoding and execution, program counter, addressing, data paths) | Lock-step CPU with HW compare; internal and external watchdog; CPU LBIST            | HW
2. Interrupt handling and execution                                                            | VIM SRAM data parity; internal and external watchdog; VIM SRAM PBIST                | HW
3. Clock                                                                                       | LPO clock detect, DCC; PLL slip detector                                            | HW
4. Memory                                                                                      | ECC with address for SRAM/Flash; CRC; PBIST for SRAM                                | HW
5. Internal data paths                                                                         | Memory with ECC; lock-step CPU with HW compare                                      | HW
6. External communication                                                                      | Information redundancy technique; periodic CRC check of memory; memory with parity  | HW / SW
7. Input/Output                                                                                | ADC calibration, ADC self-test; information redundancy technique                    | HW / SW

The fault-detection mechanisms in TI's Hercules MCUs are hardware based, whereas several competing solutions rely on software approaches.
Details can be found in the SafeTI™ Hercules MCU product safety manual.
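The "information redundancy technique" listed for external communication (table items 6.1 to 6.3) is normally implemented in software as a safety layer on top of the physical bus. The following is an added example, not TI code and not part of the seminar material, of such a layer: a CRC-16 (polynomial 0x1021, initial value 0xFFFF) for data errors, source and destination IDs for wrong addressing, a sequence counter for wrong sequence, and an age window on a sender timestamp for wrong point in time. The frame layout, node IDs, payload size and 50 ms window are assumptions chosen for the example.

```c
/* Added example: minimal safety-layer framing for IEC 60730 items 6.1-6.3.
   Frame layout (assumed for this example, not a TI or bus-standard format):
   [src][dst][seq hi][seq lo][ts_ms 4 bytes BE][len][payload...][crc hi][crc lo] */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_LEN     9                           /* src, dst, seq(2), ts_ms(4), len */
#define MAX_PAYLOAD 8
#define CRC_LEN     2
#define FRAME_MAX   (HDR_LEN + MAX_PAYLOAD + CRC_LEN)

enum { RX_OK = 0, RX_BAD_LEN, RX_BAD_CRC, RX_WRONG_ADDR, RX_WRONG_TIME, RX_WRONG_SEQ };

typedef struct {
    uint8_t  my_addr, peer_addr;   /* 6.2: the only (src, dst) pair this receiver accepts */
    uint16_t expect_seq;           /* 6.3 wrong sequence: next counter value accepted   */
    uint32_t max_age_ms;           /* 6.3 wrong point in time: oldest timestamp accepted */
} safe_rx_t;

/* 6.1: CRC-16, poly 0x1021, init 0xFFFF, no reflection (CRC-16/CCITT-FALSE). */
uint16_t crc16_ccitt(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: header, payload, then CRC over both. Returns frame length, 0 on bad input. */
size_t safe_build(uint8_t *out, uint8_t src, uint8_t dst, uint16_t seq,
                  uint32_t ts_ms, const uint8_t *payload, uint8_t len)
{
    if (len > MAX_PAYLOAD) return 0;
    out[0] = src;                    out[1] = dst;
    out[2] = (uint8_t)(seq >> 8);    out[3] = (uint8_t)seq;
    out[4] = (uint8_t)(ts_ms >> 24); out[5] = (uint8_t)(ts_ms >> 16);
    out[6] = (uint8_t)(ts_ms >> 8);  out[7] = (uint8_t)ts_ms;
    out[8] = len;
    memcpy(out + HDR_LEN, payload, len);
    uint16_t crc = crc16_ccitt(out, HDR_LEN + len);
    out[HDR_LEN + len]     = (uint8_t)(crc >> 8);
    out[HDR_LEN + len + 1] = (uint8_t)crc;
    return HDR_LEN + len + CRC_LEN;
}

/* Receiver side: every check runs before the payload is trusted. The expected
   sequence number advances only on success; a rejected frame leaves state untouched. */
int safe_check(safe_rx_t *rx, const uint8_t *buf, size_t n, uint32_t now_ms)
{
    if (n < HDR_LEN + CRC_LEN || n > FRAME_MAX) return RX_BAD_LEN;
    if (n != (size_t)HDR_LEN + buf[8] + CRC_LEN) return RX_BAD_LEN;
    uint16_t crc_rx = (uint16_t)((buf[n - 2] << 8) | buf[n - 1]);
    if (crc16_ccitt(buf, n - CRC_LEN) != crc_rx) return RX_BAD_CRC;
    if (buf[0] != rx->peer_addr || buf[1] != rx->my_addr) return RX_WRONG_ADDR;
    uint32_t ts = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                  ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    if (now_ms - ts > rx->max_age_ms) return RX_WRONG_TIME;  /* unsigned: a future timestamp fails too */
    uint16_t seq = (uint16_t)((buf[2] << 8) | buf[3]);
    if (seq != rx->expect_seq) return RX_WRONG_SEQ;
    rx->expect_seq = (uint16_t)(seq + 1);
    return RX_OK;
}

/* --- demonstrations on a constructed 4-byte command payload --- */
static const uint8_t k_cmd[4] = { 0x01, 0x02, 0x03, 0x04 };
static safe_rx_t fresh_rx(void) { safe_rx_t r = { 0x10, 0x20, 0, 50 }; return r; }

int demo_in_order(void)            /* three consecutive frames: all accepted */
{
    safe_rx_t rx = fresh_rx(); uint8_t f[FRAME_MAX];
    for (uint16_t s = 0; s < 3; s++) {
        size_t n = safe_build(f, 0x20, 0x10, s, 1000u + 10u * s, k_cmd, 4);
        if (safe_check(&rx, f, n, 1005u + 10u * s) != RX_OK) return 0;
    }
    return 1;
}
int demo_bit_flip(void)            /* one payload bit corrupted in transit */
{
    safe_rx_t rx = fresh_rx(); uint8_t f[FRAME_MAX];
    size_t n = safe_build(f, 0x20, 0x10, 0, 1000, k_cmd, 4);
    f[HDR_LEN + 1] ^= 0x40;
    return safe_check(&rx, f, n, 1005);
}
int demo_replay(void)              /* a valid frame delivered twice */
{
    safe_rx_t rx = fresh_rx(); uint8_t f[FRAME_MAX];
    size_t n = safe_build(f, 0x20, 0x10, 0, 1000, k_cmd, 4);
    if (safe_check(&rx, f, n, 1005) != RX_OK) return -1;
    return safe_check(&rx, f, n, 1010);
}
int demo_stale(void)               /* delivered one second after it was sent */
{
    safe_rx_t rx = fresh_rx(); uint8_t f[FRAME_MAX];
    size_t n = safe_build(f, 0x20, 0x10, 0, 1000, k_cmd, 4);
    return safe_check(&rx, f, n, 2000);
}
int demo_misaddressed(void)        /* correct CRC, but addressed to node 0x11 */
{
    safe_rx_t rx = fresh_rx(); uint8_t f[FRAME_MAX];
    size_t n = safe_build(f, 0x20, 0x11, 0, 1000, k_cmd, 4);
    return safe_check(&rx, f, n, 1005);
}
```

The order of the checks matters: length and CRC first, so that the address, timestamp and counter fields are only interpreted once they are known to be intact. The timestamp check uses unsigned wrap-around subtraction, so a clock that rolls over does not produce a false rejection, and a frame stamped in the future is rejected rather than accepted indefinitely.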
IEC 60730 Functional Safety HW Requirements

Standard  | System                   | Safety Integrity | Architectural Metric | Architectural Requirement | Failure Rate | Specific MCU self-test requirements
IEC 61508 | Programmable E/E systems | SIL 1, 2, 3, 4   | SFF                  | HFT > 0 for SIL 4         | PFD, PFH     | No
IEC 60730 | Home appliances          | Class A, B, C    | No                   | Yes (Class C)             | No           | CPU, memory, interrupt, clock, I/O, comms

• IEC 60730 Class B compliance is typically achieved with software self-tests that detect MCU failures and errors.
• Advantages of hardware-based diagnostics:
  – Higher coverage and faster fault detection time
  – Free up code space and processor bandwidth for the application
  – Simplify the certification process, since there is less software to assess
• The Hercules MCU, with its hardware-based diagnostic features, is designed to meet IEC 61508 requirements and can facilitate IEC 60730 compliance.
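For readers weighing the software self-test route against the hardware diagnostics described above, here is an added example (not TI code and not the SafeTI diagnostic library) of the two Class B tests that are most often written by hand: a destructive March C- pass over variable memory, which detects stuck-at, transition and coupling faults (table item 4.2), and a CRC-32 over a non-volatile memory image against a stored reference, which detects all single-bit faults (item 4.1). The RAM is a hypothetical model with an injectable stuck bit so that the detection can be exercised on a PC; on a target the March pass runs at start-up or over a saved-and-restored window, and the reference CRC is computed at build time.

```c
/* Added example: Class B style software self-tests for IEC 60730 items 4.1/4.2.
   sim_mem_t is a hypothetical RAM model (not real hardware) with one stuck bit. */
#include <stdint.h>
#include <stddef.h>

typedef struct {
    uint8_t *cells;
    size_t   n;
    size_t   stuck_index;   /* cell holding the stuck bit; >= n means no fault */
    uint8_t  stuck_mask;    /* which bits are stuck */
    uint8_t  stuck_value;   /* the value those bits are stuck at */
} sim_mem_t;

static uint8_t cell_read(const sim_mem_t *m, size_t i)
{
    uint8_t v = m->cells[i];
    if (i == m->stuck_index)
        v = (uint8_t)((v & ~m->stuck_mask) | (m->stuck_value & m->stuck_mask));
    return v;
}
static void cell_write(sim_mem_t *m, size_t i, uint8_t v) { m->cells[i] = v; }

/* March C-: up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0).
   Destructive: the region's contents are not preserved.
   Returns 1 if the region passes, 0 on the first miscompare. */
int march_c_minus(sim_mem_t *m)
{
    size_t i, n = m->n;
    for (i = 0; i < n; i++) cell_write(m, i, 0x00);
    for (i = 0; i < n; i++) { if (cell_read(m, i) != 0x00) return 0; cell_write(m, i, 0xFF); }
    for (i = 0; i < n; i++) { if (cell_read(m, i) != 0xFF) return 0; cell_write(m, i, 0x00); }
    for (i = n; i-- > 0; )  { if (cell_read(m, i) != 0x00) return 0; cell_write(m, i, 0xFF); }
    for (i = n; i-- > 0; )  { if (cell_read(m, i) != 0xFF) return 0; cell_write(m, i, 0x00); }
    for (i = 0; i < n; i++) { if (cell_read(m, i) != 0x00) return 0; }
    return 1;
}

/* CRC-32, reflected form, polynomial 0xEDB88320, init and xor-out 0xFFFFFFFF. */
uint32_t crc32_region(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1u) ? (crc >> 1) ^ 0xEDB88320u : crc >> 1;
    }
    return ~crc;
}

/* Periodic non-volatile memory check: 1 = image matches the stored reference. */
int crc32_check(const uint8_t *image, size_t n, uint32_t reference)
{
    return crc32_region(image, n) == reference;
}

/* --- demonstrations on constructed data --- */
static uint8_t g_ram[64];                      /* stands in for a SRAM region */

int demo_ram_good(void)                        /* no fault injected: expect pass */
{
    sim_mem_t m = { g_ram, sizeof g_ram, sizeof g_ram, 0, 0 };
    return march_c_minus(&m);
}
int demo_ram_stuck_at_detected(void)           /* bit 3 of cell 17 stuck at 1 */
{
    sim_mem_t m = { g_ram, sizeof g_ram, 17, 0x08, 0x08 };
    return march_c_minus(&m) == 0;
}
int demo_flash_single_bit_detected(void)
{
    uint8_t image[32];                         /* stands in for a flash block */
    for (size_t i = 0; i < sizeof image; i++) image[i] = (uint8_t)(i * 7 + 3);
    uint32_t ref = crc32_region(image, sizeof image);   /* "build-time" reference */
    image[11] ^= 0x10;                         /* one flipped bit */
    return crc32_check(image, sizeof image, ref) == 0;
}
```

Both routines consume CPU time and code space in proportion to the memory size, which is the cost the slide's second bullet refers to; the hardware PBIST and ECC listed in the measures table do the equivalent checks without the application core executing them.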
Functional Safety Standards: Hardware Requirements

Standard  | System                   | Safety Integrity                      | Architectural Metric | Architectural Requirement     | Failure Rate | Specific MCU self-test requirements
IEC 61508 | Programmable E/E systems | SIL 1, 2, 3, 4                        | SFF                  | HFT > 0 for SIL 4             | PFD, PFH     | No
ISO 26262 | Automotive               | ASIL A, B, C, D                       | SPFM / LFM           | No                            | PMHF         | No
EN 50129  | Railway                  | SIL 1, 2, 3, 4                        | N/A                  | Follow IEC 61508              | THR          | CPU, memory
ISO 22201 | Elevator                 | SIL 1, 2, 3                           | N/A                  | Dual channels for SIL 3       | N/A          | CPU, memory, interrupt, clock, I/O, comms
IEC 61800 | Drives                   | SIL 1, 2, 3 (SIL 4: apply IEC 61508)  | SFF                  | Dependent on function         | PFH (no PFD) | No
IEC 62061 | Machinery                | SIL 1, 2, 3 (SIL 4: apply IEC 61508)  | SFF                  | Supports ISO 13849 categories | PFHD         | No
IEC 61511 | Process automation       | SIL 1, 2, 3 (SIL 4: apply IEC 61508)  | SFF                  | See IEC 61508                 | PFDavg       | No
ISO 13849 | Machinery                | PL a, b, c, d, e                      | DCavg                | Cat B, 1, 2, 3, 4             | MTTFD        | No
IEC 60730 | Home appliances          | Class A, B, C                         | No                   | Yes (Class C)                 | No           | CPU, memory, interrupt, clock, I/O, comms
Typical Usage of Hercules MCUs per Functional Safety Standard*

Functional Safety Standard | Typical Hercules MCU usage                                                                                                             | Specific diagnostic requirements per standard
IEC 61508                  | Single MCU for SIL 1 to SIL 3, dual MCU for SIL 4                                                                                      | No
ISO 26262                  | Single Hercules MCU for ASIL A to D                                                                                                    | No
EN 50129                   | Single MCU for SIL 1 to SIL 3, dual MCU for SIL 4                                                                                      | Examples provided, not requirements
ISO 22201                  | Single MCU for SIL 1 to SIL 2, dual MCU for SIL 3                                                                                      | Yes
IEC 61511                  | Single MCU for SIL 1 to SIL 3, dual MCU for SIL 4                                                                                      | No
IEC 61800                  | Single Hercules MCU for SIL 1 to SIL 3                                                                                                 | No
IEC 62061                  | Single Hercules MCU for SIL 1 to SIL 3                                                                                                 | No
ISO 13849                  | Single MCU for Cat B, 1, 2 from PL a to PL e; dual MCU for Cat 3, 4 from PL a to PL e; single MCU + TPS under evaluation for PL d Cat 3 | No
IEC 60730                  | Single MCU for Class A to C, dual MCU for some Class C                                                                                 | Yes

* Items shown are typical examples. The achieved safety integrity level is the responsibility of the system developer.
TMS570 Roadmap & Block Diagrams
Hercules™ TMS570 Roadmap (2012, 2013, 2014+; devices grouped into low, mid and high tiers; roadmap legend: sampling, development, production)

Low tier:
– TMS570LS03x: 80 MHz Cortex-R4, 256 kB Flash, 24 kB RAM (SafeTI ISO & IEC)
– TMS570LS04x: 80 MHz Cortex-R4, 384 kB Flash, 32 kB RAM (SafeTI ISO & IEC)
– Next Gen Low (SafeTI ISO & IEC)
Mid tier:
– TMS570LS11x: 180 MHz Cortex-R4F, 1 MB Flash, 128 kB RAM (SafeTI ISO & IEC)
– TMS570LS12x: 180 MHz Cortex-R4F, 1.25 MB Flash, 192 kB RAM (SafeTI ISO & IEC)
– Next Gen Mid (SafeTI ISO & IEC)
High tier:
– TMS570LS21x: 180 MHz Cortex-R4F, 2 MB Flash, 192 kB RAM (SafeTI ISO & IEC)
– TMS570LS31x: 180 MHz Cortex-R4F, 3 MB Flash, 256 kB RAM (SafeTI ISO & IEC)
– Next Gen High (SafeTI ISO & IEC)

Roadmap compatibility: software, package, safety concept.
Key differentiation: lock-step architecture; ISO 26262 and IEC 61508; Ethernet, FlexRay, QEP/ePWM and CAN (icons on the roadmap mark which devices carry each peripheral).
TMS570LS31x/21x Block Diagram: Dual-Core Lock-step ARM Cortex-R4F with Floating Point

Features (maximum configuration of each module; some functions are multiplexed):
– CPU: ARM Cortex™-R4F up to 180 MHz, Memory Protection Unit, lock-step CPU fault detection
– Control peripherals: High End Timer 1 (N2HET1, 32 ch), High End Timer 2 (N2HET2, 14 ch)
– Communications: 10/100 EMAC, 2-channel FlexRay, 3x CAN (64 mailboxes), 3x Multi-Buffer SPI, 2x SPI, 2x UART (1 LIN capable), I2C
– Analog: 12-bit MibADC1 (24 ch, 16 shared), 12-bit MibADC2 (16 ch, 16 shared)
– Power & clocking: OSC/PLL, CLKMON, DCC, VMON
– Safety & system: CPU BIST, SRAM BIST, CRC, OS timers, windowed watchdog; Enhanced System Bus and Vectored Interrupt Manager; DMA with Memory Protection Unit
– Memory: up to 3 MB Flash (with ECC), up to 256 KB SRAM (with ECC), 64 KB EEPROM (emulated); SDRAM/ASYNC EMIF memory interface
– Input/output: GIO/INT (16)
– Debug: JTAG, ETM, RTP, DMM, POM
– Temperature: -40°C to 125°C, AEC-Q100
– Packages: 144-pin QFP (20x20 mm), 337-pin BGA (16x16 mm)

Performance / memory:
• Up to 180 MHz ARM Cortex-R4F with SP/DP floating point
• Up to 3 MB Flash and 256 KB data SRAM
• Dedicated 64 KB data Flash (EEPROM emulation)
• 16-channel DMA
Safety:
• Dual CPUs in lock-step
• CPU logic built-in self-test (LBIST)
• Up to 12 CPU MPU regions
• Flash and RAM with ECC (with bus diagnostics)
• Memory built-in self-test (PBIST)
• Cyclic redundancy checker module (CRC)
• Select peripheral RAMs with parity
Communication networks:
• 10/100 MAC
• FlexRay with dedicated DMA
• 3 CAN interfaces
• 5 SPI (3 multi-buffered)
• 2 UART (1 LIN capable), 1 I2C
Enhanced I/O control:
• Up to 44 pins plus 6 monitor channels; pins can be used as hi-res PWM or input capture
• 2x 12-bit multi-buffered ADC, 24 total input channels (16 shared), calibration and self-test
• Up to 120 GPIO pins (16 dedicated)
Targeted applications: IEC 61508 and ISO 26262 safety applications in automotive, rail, aerospace (COTS) and off-road.
TMS570LS12x/11x Block Diagram: Dual-Core Lock-step ARM Cortex-R4F with Floating Point

Features (maximum configuration of each module; some functions are multiplexed):
– CPU: ARM Cortex™-R4F up to 180 MHz, Memory Protection Unit, lock-step CPU fault detection
– Control peripherals: 2x High End Timer (N2HET), ePWM (14 ch), eCAP (6x), eQEP (2x)
– Communications: 10/100 EMAC, 2-channel FlexRay, 3x CAN (64 mailboxes), 3x Multi-Buffer SPI, 2x SPI, 2x UART (1 LIN capable), I2C
– Analog: 12-bit MibADC1 (24 ch, 16 shared), 12-bit MibADC2 (16 ch, 16 shared)
– Power & clocking: OSC/PLL, CLKMON, DCC, VMON
– Safety & system: CPU BIST, SRAM BIST, CRC, OS timers, windowed watchdog; Enhanced System Bus and Vectored Interrupt Manager; DMA with Memory Protection Unit
– Memory: up to 1.25 MB Flash (with ECC), up to 192 KB SRAM (with ECC), 64 KB EEPROM (emulated); SDRAM EMIF memory interface
– Input/output: GIO/INT (16)
– Debug: JTAG, RTP, DMM
– Temperature: -40°C to 125°C, AEC-Q100
– Packages: 144-pin QFP (20x20 mm), 337-pin BGA (16x16 mm)

Performance / memory:
• Up to 180 MHz ARM Cortex-R4F with SP/DP floating point
• Up to 1.25 MB Flash and 192 KB data SRAM with ECC
• Dedicated 64 KB data Flash (EEPROM emulation)
• 16-channel DMA
Safety:
• Dual CPUs in lock-step
• CPU logic built-in self-test (LBIST)
• Up to 12 CPU MPU regions
• Flash and RAM with ECC (with bus diagnostics)
• Memory built-in self-test (PBIST)
• Cyclic redundancy checker module (CRC)
• Select peripheral RAMs with parity
Communication networks:
• 10/100 MAC
• FlexRay with dedicated DMA
• 3 CAN interfaces
• 5 SPI (3 multi-buffered)
• 2 UART (1 LIN capable), 1 I2C
Enhanced I/O control:
• 2x High End Timer coprocessor (N2HET) with dedicated DMA; up to 40 pins plus 6 monitor channels; pins can be used as hi-res PWM or input capture
• Motor control timers: 7x ePWM (14 ch), 6x eCAP, 2x eQEP
• 2x 12-bit multi-buffered ADC, 24 total input channels (16 shared), calibration and self-test
• Up to 101 GPIO pins (16 dedicated)
Targeted applications: IEC 61508 and ISO 26262 safety applications in automotive, rail, aerospace (COTS) and off-road.
TMS570LS04x/03x Block Diagram: Dual-Core Lock-step ARM Cortex-R4 Microcontroller

Features (maximum configuration of each module; some functions are multiplexed):
– CPU: ARM Cortex™-R4 up to 80 MHz, Memory Protection Unit, lock-step CPU fault detection
– Control peripherals: High End Timer (N2HET), eQEP (2x)
– Communications: CAN1 (32 mailboxes), CAN2 (16 mailboxes), Multi-Buffer SPI (4 CS), 2x SPI (1 CS), UART (LIN capable)
– Analog: 12-bit MibADC, 16 channels (64 buffers)
– Power & clocking: OSC/PLL, CLKMON, DCC, VMON
– Safety & system: CPU BIST, SRAM BIST, CRC, OS timers, windowed watchdog; Enhanced System Bus and Vectored Interrupt Manager
– Memory: up to 384 KB Flash (with ECC), up to 32 KB SRAM (with ECC), 16 KB EEPROM (emulated)
– Input/output: GIO/INT (8)
– Debug: JTAG
– Temperature: -40°C to 125°C, AEC-Q100
– Package: 100-pin QFP (14x14 mm)

Performance / memory:
• Up to 80 MHz ARM Cortex-R4 CPU
• Up to 384 KB Flash and 32 KB data SRAM with ECC
• Dedicated 16 KB data Flash (EEPROM emulation)
Safety:
• Dual CPUs in lock-step
• CPU logic built-in self-test (LBIST)
• Up to 12 CPU MPU regions
• Flash and RAM with ECC (with bus diagnostics)
• Memory built-in self-test (PBIST)
• Cyclic redundancy checker module (CRC)
• Select peripheral RAMs with parity
Communication networks:
• 2 CAN interfaces
• 3 SPI (1 multi-buffered)
• 1 UART (LIN capable)
Enhanced I/O control:
• High End Timer coprocessor (NHET), up to 19 channels; pins can be used as PWM or input capture
• Motor control timers: 2x QEP
• 12-bit multi-buffered ADC, 16 total input channels, calibration and self-test
• Up to 45 GPIO pins (8 dedicated)
Targeted applications: IEC 61508 and ISO 26262 safety applications in automotive, rail, aerospace (COTS) and off-road.
RM Roadmap & Block Diagrams
Hercules™ RM Roadmap (2012, 2013, 2014; devices grouped into low, mid and high tiers; roadmap legend: sampling, development, production)

Low tier:
– RM42x: 100 MHz Cortex-R4, 384 kB Flash, 32 kB RAM (SafeTI IEC)
– Next Gen Low (SafeTI IEC)
Mid tier:
– RM46L4x: 200 MHz Cortex-R4F, 1 MB Flash, 128 kB RAM (SafeTI IEC)
– RM46L8x: 220 MHz Cortex-R4F, 1.25 MB Flash, 192 kB RAM (SafeTI IEC)
– Next Gen Mid (SafeTI IEC)
High tier:
– RM48L5x: 200 MHz Cortex-R4F, 2 MB Flash, 192 kB RAM (SafeTI IEC)
– RM48L9x: 220 MHz Cortex-R4F, 3 MB Flash, 256 kB RAM (SafeTI IEC)
– Next Gen High (SafeTI IEC)

Roadmap compatibility: software, package/pinout, safety concept.
Key differentiation: lock-step architecture; IEC 61508; Ethernet, USB, QEP/PWM and CAN (icons on the roadmap mark which devices carry each peripheral).
RM48x Block Diagram: Dual-Core Lock-step ARM Cortex-R4F with Floating Point

Features (maximum configuration of each module; some functions are multiplexed):
– CPU: ARM Cortex™-R4F up to 220 MHz, Memory Protection Unit, lock-step CPU fault detection
– Control peripherals: High End Timer 1 (N2HET1, 32 ch), High End Timer 2 (N2HET2, 14 ch)
– Communications: 10/100 EMAC, USB host and device, 3x CAN (64 mailboxes), 3x Multi-Buffer SPI, 2x SPI, 2x UART, I2C
– Analog: 12-bit MibADC1 (24 ch, 16 shared), 12-bit MibADC2 (16 ch, 16 shared)
– Power & clocking: OSC/PLL, CLKMON, DCC, VMON
– Safety & system: CPU BIST, SRAM BIST, CRC, OS timers, windowed watchdog; Enhanced System Bus and Vectored Interrupt Manager; DMA with Memory Protection Unit
– Memory: up to 3 MB Flash (with ECC), up to 256 KB SRAM (with ECC), 64 KB EEPROM (emulated); SDRAM/ASYNC EMIF memory interface
– Input/output: GIO/INT (16)
– Debug: JTAG, ETM, RTP, DMM, POM
– Temperature range: -40°C to 105°C
– Packages: 144-pin QFP (20x20 mm), 337-pin BGA (16x16 mm)

Performance / memory:
• Up to 220 MHz ARM Cortex-R4F with SP/DP floating point
• Up to 3 MB Flash and 256 KB data SRAM with ECC
• Dedicated 64 KB data Flash (EEPROM emulation)
• 16-channel DMA
Safety:
• Dual CPUs in lock-step
• CPU logic built-in self-test (LBIST)
• Up to 12 CPU MPU regions
• Flash and RAM with ECC (with bus diagnostics)
• Memory built-in self-test (PBIST)
• Cyclic redundancy checker module (CRC)
• Select peripheral RAMs with parity
Communication networks:
• 10/100 MAC
• USB: host and device
• 3 CAN interfaces
• 5 SPI (3 multi-buffered)
• 2 UART, 1 I2C
Enhanced I/O control:
• 2x High End Timer coprocessor (N2HET) with dedicated DMA; up to 44 pins plus 6 monitor channels; pins can be used as hi-res PWM or input capture
• 2x 12-bit multi-buffered ADC, 24 total input channels (16 shared), calibration and self-test
• Up to 120 GPIO pins (16 dedicated)
Targeted applications: general IEC 61508 safety applications in industrial, medical and energy.
RM46x Block Diagram: Dual-Core Lock-step ARM Cortex-R4F with Floating Point

Features (maximum configuration of each module; some functions are multiplexed):
– CPU: ARM Cortex™-R4F up to 220 MHz, Memory Protection Unit, lock-step CPU fault detection
– Control peripherals: 2x High End Timer (N2HET), ePWM (14 ch), eCAP (6x), eQEP (2x)
– Communications: 10/100 EMAC, USB host and device, 3x CAN (64 mailboxes), 3x Multi-Buffer SPI, 2x SPI, 2x UART, I2C
– Analog: 12-bit MibADC1 (24 ch, 16 shared), 12-bit MibADC2 (16 ch, 16 shared)
– Power & clocking: OSC/PLL, CLKMON, DCC, VMON
– Safety & system: CPU BIST, SRAM BIST, CRC, OS timers, windowed watchdog; Enhanced System Bus and Vectored Interrupt Manager; DMA with Memory Protection Unit
– Memory: up to 1.25 MB Flash (with ECC), up to 192 KB SRAM (with ECC), 64 KB EEPROM (emulated); SDRAM EMIF memory interface
– Input/output: GIO/INT (16)
– Debug: JTAG, RTP, DMM
– Temperature range: -40°C to 105°C
– Packages: 144-pin QFP (20x20 mm), 337-pin BGA (16x16 mm)

Performance / memory:
• Up to 220 MHz ARM Cortex-R4F with SP/DP floating point
• Up to 1.25 MB Flash and 192 KB data SRAM with ECC
• Dedicated 64 KB data Flash (EEPROM emulation)
• 16-channel DMA
Safety:
• Dual CPUs in lock-step
• CPU logic built-in self-test (LBIST)
• Up to 12 CPU MPU regions
• Flash and RAM with ECC (with bus diagnostics)
• Memory built-in self-test (PBIST)
• Cyclic redundancy checker module (CRC)
• Select peripheral RAMs with parity
Communication networks:
• 10/100 MAC
• USB: host and device
• 3 CAN interfaces
• 5 SPI (3 multi-buffered)
• 2 UART, 1 I2C
Enhanced I/O control:
• 2x High End Timer coprocessor (N2HET) with dedicated DMA; up to 44 pins plus 6 monitor channels; pins can be used as hi-res PWM or input capture
• Motor control timers: 7x ePWM (14 ch), 6x eCAP, 2x eQEP
• 2x 12-bit multi-buffered ADC, 24 total input channels (16 shared), calibration and self-test
• Up to 101 GPIO pins (16 dedicated)
Targeted applications: general IEC 61508 safety applications in industrial, medical and energy.
RM42x Block Diagram: Dual-Core Lock-step ARM Cortex-R4 Microcontroller

Features (maximum configuration of each module; some functions are multiplexed):
– CPU: ARM Cortex™-R4 at 100 MHz, Memory Protection Unit, lock-step CPU fault detection
– Control peripherals: High End Timer (N2HET), eQEP (2x)
– Communications: CAN1 (32 mailboxes), CAN2 (16 mailboxes), Multi-Buffer SPI (4 CS), 2x SPI (1 CS), UART
– Analog: 12-bit MibADC, 16 channels (64 buffers)
– Power & clocking: OSC/PLL, CLKMON, DCC, VMON
– Safety & system: CPU BIST, SRAM BIST, CRC, OS timers, windowed watchdog; Enhanced System Bus and Vectored Interrupt Manager
– Memory: 384 KB Flash (with ECC), 32 KB SRAM (with ECC), 16 KB EEPROM (emulated)
– Input/output: GIO/INT (8)
– Debug: JTAG
– Temperature range: -40°C to 105°C
– Package: 100-pin QFP (14x14 mm)

Performance / memory:
• 100 MHz ARM Cortex-R4 CPU
• 384 KB Flash and 32 KB data SRAM with ECC
• Dedicated 16 KB data Flash (EEPROM emulation)
Safety:
• Dual CPUs in lock-step
• CPU logic built-in self-test (LBIST)
• Up to 12 CPU MPU regions
• Flash and RAM with ECC (with bus diagnostics)
• Memory built-in self-test (PBIST)
• Cyclic redundancy checker module (CRC)
• Select peripheral RAMs with parity
Communication networks:
• 2 CAN interfaces
• 3 SPI (1 multi-buffered)
• 1 UART
Enhanced I/O control:
• High End Timer coprocessor (NHET), up to 19 channels; pins can be used as PWM or input capture
• Motor control timers: 2x QEP
• 12-bit multi-buffered ADC, 16 total input channels, calibration and self-test
• Up to 45 GPIO pins (8 dedicated)
Targeted applications: general IEC 61508 safety applications in industrial, medical and energy.
SafeTI™ Design Packages

SafeTI™ Design Packages for Functional Safety Help Speed Certification
Standards-specific SafeTI solution bundles: www.ti.com/safeti
Functional Safety System Example

System block diagram (components developed to target IEC 61508 and ISO 26262):
– Hercules Safety MCU with on-chip safety diagnostics, connected to connectivity and a sensor interface
– TPS65381 multi-rail power supply: supplies the MCU; exchanges error signaling, reset and SPI with it
– DRV3201 bridge driver (driver and control, monitor, safety diagnostics) driving the motor; connected to the MCU over SPI, ADC and GIO
– Legend: voltage signals and voltage rail monitor/protection shown in green; communications/safety features shown in red
SafeTI-61508 Design Package for Motor Control

Hercules MCU (ARM® Cortex™-R CPU; Enhanced System Bus and Vectored Interrupt Module; Flash with ECC, RAM with ECC, Flash EEPROM with ECC; dual ADC; high-end timers; ePWM, eQEP, eCAP; PBIST/LBIST, OSC, PLL, POR, CRC, RTI/DWWD, ESM)

Hardware techniques:
– Dual-core lock-step: cycle-by-cycle CPU fault detection
– ECC for Flash / RAM / interconnect, evaluated inside the Cortex-R
– CPU and memory self-test to check for latent faults
– On-chip clock and voltage monitoring
Software techniques (motor control software loop):
– eQEP "virtual encoder" for sensor feedback check
– Self-capture PWMs for request check
– Dual ADC for feedback check

TPS65381-Q1 power supply: voltage monitor, MCU error monitor, Q&A watchdog, MCU reset/enable (PORRST), overtemperature shutdown
DRV3201 gate driver: VDS monitor, phase compare, on-chip self-test, overtemperature shutdown, bridge enable
Hercules Safety Documents

Documents provided by TI (some under NDA) to assist in the safety certification process:
– Safety Report: summary of compliance to IEC 61508 and/or ISO 26262
– Detailed Safety Analysis Report (SAR2): full details of all safety analysis executed down to module level for IEC 61508 and ISO 26262; includes a software tool for customizing analysis results to the customer use case
– Safety Analysis Report Summary (SAR1): summary of FIT rate and FMEDA at component level for IEC 61508 and ISO 26262
– Hercules component Safety Manual (SM): details product safety architecture and recommended usage
Hercules™ and SafeTI™ Software and Tool Packages

Hercules Software and Tools (free, click-wrap license agreement):
– Hercules standard software and tools packages
– Assist in software development on Hercules MCUs
– Provide the actual software/tool with source code, GUI, ...
– User guides, datasheets, release notes, ...
– Regular updates for enhancements, fixes, ...

SafeTI Compliance Support Package (see pricing; signed license agreement):
– SafeTI software documentation and testing
– Assists the customer in complying with functional safety standards
– Safety Requirements Document, code review and coverage reports, unit test results, Software Safety Manual, ...
– Unit test capability using LDRAunit (if applicable)

SafeTI Tool Qualification Kit (see pricing; signed license agreement):
– SafeTI tool documentation and qualification
– Assists the customer in qualifying a tool to functional safety standards
– Tool Classification Report, Tool Qualification Plan and Report, Tool Safety Manual, ...
– TI Test Automation Unit
Hercules Software Offering: RTOS Support

Real-time operating systems:
• FreeRTOS (FreeRTOS.org): portable, open-source, royalty-free mini real-time kernel
• SafeRTOS (High Integrity Systems): design assurance package for IEC 61508 and others
• µC/OS (Micrium): certifiable design package for IEC 61508 and others
• SCIOPTA (SCIOPTA RTOS): kernel certified by TÜV for IEC 61508 and EN 50128 on Hercules up to SIL 3
• CoDeSys (Smart Software Solutions): control and safety runtime system for industrial PLCs
• SMX RTOS (Micro Digital): modular RTOS that meets the needs of small to medium-size embedded systems
• AUTOSAR OS/RTE: Vector MICROSAR Safe; ElektroBit tresos; ETAS RTA-OS and RTA-RTE

TI Peripheral Drivers and Libraries
Peripheral drivers:
• HALCoGen: hardware abstraction layer with GUI-based code generation
• TI MCAL for AUTOSAR v4.0.3
Libraries:
• SafeTI Diagnostic Library: executable form of the safety manual
• MotorWare™: InstaSPIN BLDC
• CMSIS library: DSP and math functions
Middleware:
• MISRA-compliant embedded TCP/IP stack that supports both IPv4 and IPv6
• USB host and device, file systems, etc.
• MISRA-compliant CANopen real-time protocol and device driver used in medical, automation and automotive equipment
• Ethernet driver and lightweight IP stack (lwIP)
• USB device driver and CDC class
• Many middleware options available from RTOS providers
SafeTI™ Software Framework

Layers, top to bottom: customer application; application libraries (math, DSP, Flash); safety RTOS or AUTOSAR RTE; communication stacks (CAN, FlexRay, Ethernet, USB).
• SafeTI software is developed according to ISO 26262 and IEC 61508
• Intended for integration into the customer's end-application software
• SafeTI Software Compliance Support Packages provide support documentation according to the ISO 26262 and IEC 61508 standards
• Software development process assessment by an independent 3rd party is planned
SafeTI Compliance Support Packages: coming soon
The SafeTI™ Diagnostic Library: Hercules MCUs

Provides simple interfaces and a framework for:
– Initializing and enabling the safety diagnostics/features prescribed by the Hercules Safety Manual
– Fault injection to allow testing of application fault handling
– Error Signaling Module (ESM) handler callback routine
– Profiling for measuring time spent in diagnostic tests/fault handling

Software stack, top to bottom: application layer (with exception and error handler); RTOS; SafeTI Diagnostic Library (initialization and startup diagnostics, periodic diagnostics, I/O diagnostics, internal/external watchdog); Hardware Abstraction Layer (HALCoGen/MCAL).
SafeTI Compliance Support Package

Functions map directly to the Hercules Safety Manual:

Device Partition | Unique Identifier | Saf
ety Feature or Diagnostic                                 | API Name
Cortex-R4F CPU   | CPU1              | Lockstep compare                                             | SL_SelfTest_CCMR4F
Cortex-R4F CPU   | CPU2A             | Boot-time execution of LBIST STC                             | SL_SelfTest_STC
Cortex-R4F CPU   | CPU2B             | Periodic execution of LBIST STC                              | SL_SelfTest_STC
Cortex-R4F CPU   | CPU7              | Software readback of written configuration                   | SL_Read_Compare
Error Signaling  | ESM1              | Periodic software readback of static configuration registers | SL_Read_Compare
Error Signaling  | ESM3              | Use of status shadow registers                               | SL_Init_ResetReason_XInfo
Error Signaling  | ESM4              | Software readback of written configuration                   | SL_Read_Compare
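CPU7, ESM1 and ESM4 in the table above describe two related software techniques: confirming a configuration write by reading it back, and periodically comparing static configuration registers against a reference. The following added example (not the SafeTI Diagnostic Library; SL_Read_Compare's real interface is documented in TI's library) shows both on a hypothetical memory-mapped register block. The golden copy is stored together with its bitwise complement so that corruption of the reference itself is detected as well as corruption of the registers, and hardware-driven status bits are excluded from the compare through a caller-supplied mask. The register block, its latch model and the status-bit layout are assumptions for the example.

```c
/* Added example: write-readback (CPU7/ESM4) and periodic static-configuration
   compare (ESM1). periph_t is a hypothetical register block, not TI hardware:
   latch_mask marks the bits that actually latch a write, which lets the demo
   inject a stuck bit. */
#include <stdint.h>
#include <stddef.h>

#define NREG 4
typedef struct { uint32_t regs[NREG]; uint32_t latch_mask[NREG]; } periph_t;
typedef struct { uint32_t value[NREG]; uint32_t inverse[NREG]; } golden_t;

enum { CFG_OK = 0, CFG_WRITE_FAIL, CFG_REF_CORRUPT, CFG_REG_MISMATCH };

static void periph_write(periph_t *p, size_t i, uint32_t v)
{   /* model of the hardware: only latching bits take the written value */
    p->regs[i] = (p->regs[i] & ~p->latch_mask[i]) | (v & p->latch_mask[i]);
}

/* (1) Write, read back, compare every bit except documented status bits. A bit
   that cannot be written is caught here, at configuration time. */
int cfg_write_verified(periph_t *p, size_t i, uint32_t v, uint32_t status_mask)
{
    periph_write(p, i, v);
    return ((p->regs[i] ^ v) & ~status_mask) == 0 ? CFG_OK : CFG_WRITE_FAIL;
}

/* Capture the reference (value and complement) once configuration is complete. */
void cfg_capture(const periph_t *p, golden_t *g)
{
    for (size_t i = 0; i < NREG; i++) { g->value[i] = p->regs[i]; g->inverse[i] = ~p->regs[i]; }
}

/* (2) Periodic readback of static configuration. The complement check catches
   a corrupted reference; the register check catches a corrupted register. */
int cfg_periodic_check(const periph_t *p, const golden_t *g, const uint32_t *status_mask)
{
    for (size_t i = 0; i < NREG; i++) {
        if ((g->value[i] ^ g->inverse[i]) != 0xFFFFFFFFu) return CFG_REF_CORRUPT;
        if (((p->regs[i] ^ g->value[i]) & ~status_mask[i]) != 0) return CFG_REG_MISMATCH;
    }
    return CFG_OK;
}

/* --- demonstrations on a constructed block: register 3 bits 31:28 are status --- */
static const uint32_t k_status_mask[NREG] = { 0, 0, 0, 0xF0000000u };
static const uint32_t k_init[NREG] = { 0x0000000Au, 0x00FF0001u, 0x12345678u, 0x0000000Fu };

static int setup(periph_t *p, golden_t *g, uint32_t stuck_bits_reg1)
{
    for (size_t i = 0; i < NREG; i++) { p->regs[i] = 0; p->latch_mask[i] = 0xFFFFFFFFu; }
    p->latch_mask[3] = 0x0FFFFFFFu;          /* status bits are hardware-driven */
    p->latch_mask[1] &= ~stuck_bits_reg1;     /* injected fault: these bits never latch */
    for (size_t i = 0; i < NREG; i++)
        if (cfg_write_verified(p, i, k_init[i], k_status_mask[i]) != CFG_OK) return CFG_WRITE_FAIL;
    cfg_capture(p, g);
    return CFG_OK;
}
int demo_clean(void)                   /* a status bit changing is not a fault */
{
    periph_t p; golden_t g;
    if (setup(&p, &g, 0) != CFG_OK) return -1;
    p.regs[3] |= 0x10000000u;
    return cfg_periodic_check(&p, &g, k_status_mask);
}
int demo_stuck_bit_at_config(void)     /* bit 16 of register 1 does not latch */
{
    periph_t p; golden_t g;
    return setup(&p, &g, 0x00010000u);
}
int demo_register_flip(void)           /* a configuration bit flips in the field */
{
    periph_t p; golden_t g;
    if (setup(&p, &g, 0) != CFG_OK) return -1;
    p.regs[2] ^= 0x00000004u;
    return cfg_periodic_check(&p, &g, k_status_mask);
}
int demo_reference_flip(void)          /* the golden copy itself is corrupted */
{
    periph_t p; golden_t g;
    if (setup(&p, &g, 0) != CFG_OK) return -1;
    g.value[0] ^= 0x00000001u;
    return cfg_periodic_check(&p, &g, k_status_mask);
}
```

On a real device the golden copy would be placed in ECC-protected memory and the periodic check scheduled from the same timer that services the watchdog, so that a missed check also surfaces as a watchdog fault rather than silently stopping.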
HALCoGen: Hardware Abstraction Layer Code Generator

Features
• User input at a high abstraction level
• Graphical code generation
• Easy configuration
• Quick start for new projects
• Generates C source code: ANSI conforming; clear, structured coding style; customizable code for user maintenance
• Supported drivers
  • System modules: safety init, MPU, PMU, PMM, PCR; LBIST, PBIST, VIM, ESM, CRC; EMIF, POM, DMA, PINMUX
  • Peripheral modules: RTI, GIO, ADC; SCI/LIN, CAN, MIBSPI/SPI, I2C; USB, Ethernet; timer co-processor (nHET); eCAP, eQEP, ePWM
• Interactive help system: describes tool features and functions; provides detailed dependency graphs; provides useful example code; tool-tip help available
• Native support for CCS, ARM, IAR and GHS IDEs
SafeTI Compliance Support Package

Hercules Development Tools

IDEs & compilers:
• TI Code Composer Studio, with compiler qualification kit
• IAR Embedded Workbench for ARM, certified by TÜV SÜD as suitable for use to IEC 61508 and ISO 26262
• ARM Development Studio (DS-5) and C/C++ compilation tools
• Green Hills MULTI IDE and compiler, certified to ISO 26262 and IEC 61508
• Tantino-Cortex-R4 with professional HiTOP debugger/IDE
• CoDeSys programming system and runtime system for IEC 61131-3 programmable logic controllers
• TargetLink code generation from MathWorks Simulink/Stateflow, certified for IEC 61508
• Embedded Coder: Cortex-M/R optimized code from MATLAB, Simulink and Stateflow; processor-in-the-loop (PIL) testing; certified to IEC 61508 and ISO 26262
• HET IDE with SynaptiCAD WaveViewer or WaveFormer Pro
JTAG emulators & trace:
• Spectrum Digital XDS510 and XDS560
• Blackhawk XDS510 and XDS560
• Segger J-Link
• TI XDS100v2
• Lauterbach TRACE32 PowerView for program and data trace
• iSYSTEM winIDEA IDE, iC5000 emulator and trace hardware
Flash programming:
• Automated offline programmers: Data I/O; BP Micro Systems
• In-circuit JTAG programmers: SMH Technologies; Checksum; XJTAG; CCS UniFlash + JTAG emulator
SafeTI™ Compiler Qualification Kit – Available Now!

• Assists in qualifying the TI ARM C/C++ compiler to functional safety standards
• Qualification for the customer's specific use case can be less restrictive than using certified compilers
• Application of the kit assessed by TÜV Nord to comply with both IEC 61508 and ISO 26262
• Includes:
  • Qualification Support Tool (model-based)
  • Process-specific documentation: Tool Classification Report, Tool Qualification Plan, Tool Qualification Report, Tool Safety Manual
  • ACE SuperTest™ qualification suite
  • TI compiler validation test cases
  • Test Automation Unit (TAU)
  • 24 hours of Validas consulting services
  • TÜV Nord assessment report
http://www.ti.com/tool/safeti_cqkit
(TI ARM Compiler; IEC 61508 and ISO 26262, approved by TÜV Nord)
Hercules™ Kits (www.ti.com/hercules)

– Motor Control Kit: spin 3-phase brushless DC and brushless AC motors. Devices: RM48, RM46, TMS570LS31, LS12. Starting at $499.
– SafeTI™-HSK: evaluate the Hercules MCU and TPS65381 combination for safety-critical applications. Devices: RM48, TMS570LS31. $599.
– HDK: initial software development and short-run builds for system prototypes. Devices: TMS570LS31, LS12, LS04, RM48, RM46, RM42, TMS470M. $199.
– controlCARD: get started on development with the Hercules MCU platform. Devices: RM48, TMS570LS31, TMS470M. Starting at $99.
– USB Stick: low-cost option to evaluate the Hercules MCU platform. Starting at $79.
– LaunchPad (new): lowest-cost option to evaluate the Hercules MCU platform. Devices: RM42, TMS570LS04. $19.99.
Hercules™ LaunchPad

Kit overview:
• USB powered
• On-board USB XDS100v2 JTAG debug
• On-board SCI to PC serial communication
• GIO and NHET LEDs
• Ambient light sensor
• 40-pin BoosterPack XL header
• Footprint for an expansion header (not populated) to bring out all MCU pins
• USB cable
• Quick start guide
Part numbers: LAUNCHXL-RM42, LAUNCHXL-TMS57004. Price: $19.99.
Board callouts: Hercules™ MCU, on-board JTAG (XDS100v2), BoosterPack XL interface, GIO push button, ambient light sensor.
LaunchPad demos are shown on the slide.
SafeTI™ Hitex Safety Kit

Kit overview:
• Cost-effective entry into functional safety related to ISO 26262 and IEC 61508
• Evaluation board supporting key safety features according to the safety manual
• Error injection and reaction monitoring by a second µC connected to a GUI
• Full source code available for modifying the application or including the library in your own application
• Evaluation version of compiler and debugger included
• Evaluation version of SafeRTOS included
• User-friendly documentation
Board callouts: on-board display, Hercules™ MCU, TPS65381 power supply and safety monitor, controlCARD interface.
Part numbers: SAFETI-HSK-RM48, SAFETI-HSK-570LS31. Price: $599. http://www.hitex.com/safeti
The Hitex Safety Kit software is shown on the slide.
Hercules™ Safety Support & Certification

Safety documentation. Documents provided by TI to assist in the safety certification process:
– Component Safety Manual (SM): details product safety architecture and recommended usage
– Safety Analysis Report (SAR): FIT rate and component FMEDA
– Safety Report: summary of compliance to the target functional safety standard(s)

Safety certification. Hardware development process and device certification:
– TÜV-SÜD certification for the functional safety hardware development process (SafeTI-61508, SafeTI-26262)
– Architecture and component safety assessment and certificates: Exida; TÜV-SÜD ongoing

Hercules SafeTI tools and software (TI ARM Compiler):
– SafeTI Compiler Qualification Kit
– SafeTI Diagnostic Library
– SafeTI Compliance Support Packages (coming soon)

SafeTI™ and companion ICs. SafeTI design packages for functional safety provide standards-specific solution bundles (http://www.ti.com/safeti): SafeTI-61508, SafeTI-26262, SafeTI-60730, SafeTI-QM. Power management: TPS65381 alongside the Hercules MCU.

TI's SafeTI™ Packages for Functional Safety Applications Save Customers Development Time, Effort, and Cost
Effort chart (figures as shown; MM = man months): 18 MM per component; 12 MM; ~6 MM per component; ~9 MM; 6-12 MM per SW component; 6-12 MM.
Highly differentiated: silicon, software, documentation and certification.
China safety system cooperation: TÜV Rheinland, Y&Y, Hitex, Tsinghua University.
www.ti.com/hercules
Hercules MCUs:
– are the only lock-step safety automotive MCUs based on the open ARM architecture
– have shipped for over 20 years into long-life safety-critical products
– are capable of meeting high safety integrity levels
– provide a scalable portfolio that is compatible in safety features, package/pinout and code
– have broad third-party support for development tools, RTOS and emulators
– are supported in every geography as well as through the online community
– are part of the SafeTI™ initiative and SafeTI™ design solutions
– can save you up to 5 years of development effort per safety development
Exercise: Hercules Safety MCU Demos
Hercules™ Software Install Instructions

Software to install:
The lab portion of this training uses three development tools: Hercules Safety MCU Demos, Code Composer Studio v5.x and HALCoGen.

Download and installation:
• Hercules Safety MCU Demos
  • The demo software can be downloaded from the link below: Hercules Safety MCU Demos LINK
  • During installation, choose the "Standard install" mode.
• Code Composer Studio
  • CCS can be downloaded from the link below: CCSv5 Download LINK
  • During installation you may choose the full install (Complete Feature Set); if you choose a minimal install, "Cortex-R4F MCUs" must be included.
• HALCoGen
  • HALCoGen can be downloaded from the link below: HALCoGen Download LINK
  • Install it following the standard procedure.
• When running CCS for the first time, choose the free license version as shown in the figure.

Lab 1: Hercules™ Safety MCU Demos
• To start the Hercules Safety Demo:
  • Start → Programs → Texas Instruments → Hercules → Hercules Safety MCU Demos
Exercise 2: PWM Generation Using N2HET

Overview: in this exercise we will:
– Create a new HALCoGen project
– Configure the HALCoGen project to generate a PWM with a 1-second period and a 75% duty cycle
– Use only the PWM output to toggle the LED connected to NHET[08] on the board
– Generate the code and import it into a CCS project
– Build the project and download the executable to the MCU
• Hardware needed:
  – PC running Windows (WinXP, Vista, 7)
  – TMS570 LaunchPad or RM4 LaunchPad
• Software needed:
  – HALCoGen
  – Code Composer Studio
HALCoGen GUI Overview
Window areas: output/status; menus and icons; device block diagram; module selection/configuration; help.

HALCoGen Help
• The help window built into HALCoGen documents each peripheral module's driver and application functions in full, with standalone documentation and example programs.

HALCoGen Files and Function List
Window areas: file information control; file diagram; function list; file browser.
Creating a new HALCoGen project:
• Start HALCoGen: Start → Programs → Texas Instruments → Hercules → HALCoGen
• Create a new project: File → New → Project
• TMS570 kit:
  – Family: select TMS570LS04x
  – Device: select TMS570LS0432PZ
• RM4x kit:
  – Family: select RM42x
  – Device: select RM42L432PZ
• Then set the project name: 'PWM'
• Project path: "C:\myWorkspace"
Driver Enable
• In the 'Driver Enable' tab, enable the HET driver.

NHET PWM Configuration
• In the 'HET' tab, 'PWM 0-7' sub-tab: configure a PWM on pin 8 with a 75% duty cycle and a period of 1000000.00 µs.

N2HET Output Configuration
• In the 'HET' tab, 'Pin 8-15' sub-tab: enable the output on pin 8.
• Generate the code: File → Generate Code
Setting Up CCS
• Start Code Composer Studio (CCS):
  – Start → Programs → Texas Instruments → Code Composer Studio v5 → Code Composer Studio v5
• When CCS starts for the first time it asks you to choose a workspace; choose "C:\myWorkspace".
• Once CCS has loaded, click File → New → CCS Project.
Creating Our Project
• The CCS project name must match the HALCoGen project we just created: 'PWM'
• Make sure the project 'Family' is set to ARM
• In the 'Variant' box select "Cortex R"
  – For the TMS570 kit: select TMS570LS0432
  – For the RM4 kit: select RM42L432
• In the 'Connection' option select Texas Instruments XDS100v2
• Then select 'Empty Project'
• Finally click 'Finish'
• Next we add the 'include' path to our CCS project in the Project Explorer:
  – Right-click the project name 'PWM' in the Project Explorer and select 'Properties'
  – In the 'Properties' window expand 'Build -> ARM Compiler' and select 'Include Options'
  – Click the '+' button to add the header file path we need
  – In the add-directory dialog click the 'Workspace...' button
  – Finally select the project's 'include' directory, which contains all the header files generated by HALCoGen
• Expand the project in the Project Explorer and open "sys_main.c" in the source directory

Entering Code in the CCS Project
Code Composer Studio
• Enter the following code in sys_main.c in CCS:
  – Insert the following between the USER CODE 1 markers.
  – Then enter the following between the USER CODE 3 markers.

/* USER CODE BEGIN (1) */
#include "het.h"
/* USER CODE END */

/* USER CODE BEGIN (3) */
hetInit();
while(1);
/* USER CODE END */

Building the Project
• With the code entered, the next step is to build the project:
  – Right-click the project name and select Build Project
• After a successful build CCS generates a .out file; we then download this file into the MCU's Flash memory.
Flash programming
• Next we program the flash.
– In the Run menu, select Debug
– While the flash is being programmed, a new window shows the progress.
• This takes a while.

Testing our program
• Click the green arrow in the debug toolbar to run our program.
– If you press the PORRST button on the LaunchPad, the program also runs without the debugger connected.
• Click the red square in the debug toolbar to terminate the connection between the debugger and the board.
• Press the reset button on the board and watch the LED on the NHET pin.
• Congratulations! You have completed the exercise.
Possible errors

• RM42x kit:
When building the project with certain versions of CCS, a build error may appear.
This error occurs because some versions of CCS do not, by default, include the RTS (Run Time Support) library for a little-endian Cortex-R4 without floating point.
How to fix it:
1) Right-click the project and select "Properties"
2) On the "General" settings page:
• "Device endianness:" select "little"
• Set "Runtime support library:" to "<automatic>"
3) Rebuild the CCS project
NOTE: because the RTS library has changed, this build may take 3 to 5 minutes.

• TMS570 kit:
When building the project with certain versions of CCS, a build error may appear.
This error occurs because some versions of CCS do not, by default, include the RTS (Run Time Support) library for a big-endian (be32) Cortex-R4 without floating point.
How to fix it:
1) Right-click the project and select "Properties"
2) On the "General" settings page:
• "Device endianness:" select "be32"
• Set "Runtime support library:" to "<rtsv7R4_T_be_eabi.lib>"
3) Rebuild the CCS project
NOTE: because the RTS library has changed, this build may take 3 to 5 minutes.
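The two fixes above differ only in the target byte order: the RM42L432 kit builds little-endian and the TMS570LS0432 kit builds big-endian ("be32"), each with the matching Cortex-R4 (no FPU) RTS library. Any code that moves multi-byte values between the two kits, or between a kit and a PC, therefore has to fix the byte order explicitly rather than rely on how the CPU lays out a struct in memory. The C example below is added here and is not part of the seminar material or of TI's libraries; the message format (pin, period, duty, XOR checksum), its field names and the error codes are assumptions made for illustration. It shows a run-time endianness check, an encoder whose bytes are identical on both kits, a decoder that validates length, checksum and value ranges before using anything, and the naive memcpy encoder whose bytes depend on which kit compiled it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Run-time check of the CPU's byte order. The RM42L432 target in this lab is
 * little-endian ("little"); the TMS570LS0432 target is big-endian ("be32"). */
int cpu_is_little_endian(void)
{
    const uint32_t probe = 0x01020304u;
    uint8_t first_byte;
    memcpy(&first_byte, &probe, 1);   /* the byte stored at the lowest address */
    return first_byte == 0x04;        /* least significant byte first => little-endian */
}

/* Byte-order-independent big-endian (network order) 32-bit encode/decode.
 * Shifts define the layout, so the result is the same on both kits. */
void put_u32_be(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)(v >> 24);
    out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);
    out[3] = (uint8_t)(v);
}

uint32_t get_u32_be(const uint8_t *in)
{
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

/* Constructed message carrying the lab's PWM settings (hypothetical format,
 * not a TI or Hercules protocol): pin number, period in microseconds, duty in
 * percent, then an XOR checksum over the six preceding bytes. */
typedef struct {
    uint8_t  pin;
    uint32_t period_us;
    uint8_t  duty_percent;
} pwm_msg_t;

#define PWM_MSG_WIRE_LEN 7u

enum { PWM_MSG_OK = 0, PWM_MSG_ERR_LEN = -1, PWM_MSG_ERR_CSUM = -2, PWM_MSG_ERR_RANGE = -3 };

static uint8_t xor_checksum(const uint8_t *p, size_t n)
{
    uint8_t c = 0;
    size_t i;
    for (i = 0; i < n; i++) c ^= p[i];
    return c;
}

/* Portable encoding: identical bytes whether compiled for "little" or "be32". */
size_t pwm_msg_encode(const pwm_msg_t *m, uint8_t *out)
{
    out[0] = m->pin;
    put_u32_be(&out[1], m->period_us);
    out[5] = m->duty_percent;
    out[6] = xor_checksum(out, 6);
    return PWM_MSG_WIRE_LEN;
}

/* Decoder: length, checksum and ranges are checked before any field is used,
 * and the 32-bit period is assembled byte by byte, never read through a cast. */
int pwm_msg_decode(const uint8_t *in, size_t len, pwm_msg_t *m)
{
    if (len != PWM_MSG_WIRE_LEN) return PWM_MSG_ERR_LEN;
    if (xor_checksum(in, 6) != in[6]) return PWM_MSG_ERR_CSUM;
    if (in[5] > 100u) return PWM_MSG_ERR_RANGE;   /* duty is a percentage */
    m->pin = in[0];
    m->period_us = get_u32_be(&in[1]);
    m->duty_percent = in[5];
    if (m->period_us == 0u) return PWM_MSG_ERR_RANGE;   /* a zero period is meaningless */
    return PWM_MSG_OK;
}

/* Non-portable encoding for comparison: copies the period as the CPU stores it.
 * On the little-endian RM42 the four period bytes come out reversed relative
 * to pwm_msg_encode(); on the be32 TMS570 they happen to match. A receiver
 * built for the other kit would decode 1000000 us (0x000F4240) as 0x40420F00. */
size_t pwm_msg_encode_naive(const pwm_msg_t *m, uint8_t *out)
{
    out[0] = m->pin;
    memcpy(&out[1], &m->period_us, sizeof m->period_us);
    out[5] = m->duty_percent;
    out[6] = xor_checksum(out, 6);
    return PWM_MSG_WIRE_LEN;
}

/* Returns 1 when the naive encoding differs from the portable one for the
 * lab's settings, which is the case exactly on a little-endian CPU. */
int naive_encoding_differs(void)
{
    pwm_msg_t m = { 8u, 1000000u, 75u };   /* NHET[08], 1 s period, 75% duty */
    uint8_t portable[PWM_MSG_WIRE_LEN], naive[PWM_MSG_WIRE_LEN];
    pwm_msg_encode(&m, portable);
    pwm_msg_encode_naive(&m, naive);
    return memcmp(portable, naive, PWM_MSG_WIRE_LEN) != 0;
}
```

The point of the last two functions is that a build setting (the endianness chosen in the CCS project properties) silently changes what the naive encoder puts on the wire; only the shift-based encoder and the validating decoder give the same result on the RM4 and TMS570 kits and on a PC host.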
Hercules™ MCU software and support
Hercules web page:
www.ti.com/hercules
– Data sheets
– Technical reference manual
– Application notes
– Evaluation and development kits
Engineer discussion forum:
www.ti.com/hercules-support
– Ask Technical Questions
– Search for Technical Content
– News and Announcements
– Useful Links
WIKI:
www.ti.com/hercules-wiki
– How to guides
– Intro Videos
– General Information
Hercules software resources:
Software Product Page
• RTOS partners
• Flash API
MotorWare Software
• InstaSPIN™-BLDC
• FOC Encoder with SMO
DSP Library Page
• 60+ fixed and float functions
• CMSIS compliant
Example Code Repository
• Initialization
• Bootloader
• CAN, Ethernet, FlexRay & more
HALCoGen Peripheral Drivers
• GUI-based HAL create/config
Hercules™ Training: www.ti.com/herculestraining

1 Day Training Class: Hercules 1 Day Safety Seminar
• Introduction
• What is Functional Safety?
• Safety Standards Overview
• IEC 61508 Safety Standard
• ISO 26262 Safety Standard
• Random Fault Management
• Safety System Architectures
• Hercules Safety Concept
• Lab 1: Hercules MCU Demos
• Hercules Architecture
• Development Tools: HW kits, SW tools
• Embedded Flash Memory tools
• Real Time Interrupt (RTI)
• Vectored Interrupt Manager (VIM)
• Direct Memory Access (DMA)
• General-purpose I/O (GIO) & NHET
• Lab 2: Using NHET as GIO
• Communication Interfaces: UART, LIN, CAN, FlexRay, Multi-Buffered Serial Peripheral Interface (MibSPI)
• Lab 3: PC to SCI Communication
• External Memory Interface (EMIF) / Parameter Overlay
• Multi-buffered Analog-to-Digital Converter (MibADC)
• Support Structure: Web, Forum, WIKI

3 Day Training Class: Safety Critical Design and Programming with ARM® Cortex™-R4F based Hercules MCUs
Day 1:
• Welcome and Intro
• Hercules Product Overview / MCU Roadmap
• Safety Standards and Hercules Safety Features
• HALCoGen / Exercise
• Code Composer Studio / Demonstration / Exercise
• Compiler / Exercise
• Flash Overview
• Flash Tools: nowFlash™, nowECC™, nowProfile™
• Summary / Questions
Day 2:
• ARM® Cortex™-R4F CPU Architecture Overview
• System Module Overview
• Device setup/startup, Real Time Interrupt Module, Vectored Interrupt Manager
• CRC Controller, CPU Compare Module, Error Signaling Module
• General Purpose I/Os / Supply
• Direct Memory Access Controller (DMA)
• Serial Communication Interface (SCI/UART/LIN)
• Summary / Questions
Day 3:
• Multi-Buffer Serial Peripheral Interface (SPI / MIBSPI-P)
• DCAN
• FlexRay / Transfer Unit
• Multi-Buffer ADC (MIBADC)
• External Memory Interface (EMIF) / Parameter Overlay Module (POM)
• NHET (High End Timer) IDE
• NHET
• NHET Transfer Unit
• Summary & Questions

Who should attend:
• Hardware and Software Developers
• Project Managers
• Safety Specialists
• Anyone interested in Hercules MCUs and functional safety

Thank you!