Hercules™ Safety Microcontrollers
Introduction to Hercules™ ARM® Cortex™-R4F MCUs
Make the world a safer place with Hercules™ MCUs

Electronics are proliferating in safety-critical applications
Safety standards shown around the Hercules™ MCU:
• DO-254, DO-178B (aerospace)
• EN 50128 (railway)
• IEC 60601 (medical equipment)
• IEC 50156 (furnaces)
• IEC 60880 (nuclear power stations)
• IEC 61511 (process industry)
• IEC 62061, ISO 13849 (machinery)
• ISO 26262 (automotive)
• IEC 61508 (safety)
Hercules MCUs provide developers of safety-critical applications:
• Protection against random and systematic failures
• Headroom for application differentiation
• Simplified development and system certification

TI Hercules™ MCU Platform – ARM® Cortex Based Microcontrollers
Hercules Platform:
RM4x – High Performance Industrial and Medical Safety MCUs
• Industrial Applications
• Medical Applications
• -40 to 105°C Operation
• Ethernet, USB Connectivity
• Developed to Safety Standards
  – IEC 61508 SIL-3
• Cortex-R – over 350 DMIPs
TMS570 – High Performance Transportation and Safety MCUs
• Transportation Applications
• Automotive Q100 Qualification
• -40 to 125°C Operation
• FlexRay, CAN Connectivity
• Developed to Safety Standards
  – ISO 26262 ASIL-D
  – IEC 61508 SIL-3
• Cortex-R – over 280 DMIPs
TMS470M – Value Line Transportation and Safety MCUs
• Transportation Applications
• Automotive Q100 Qualification
• -40 to 125°C Operation
• LIN, CAN Connectivity
• Supports Safety for IEC 61508 Systems
• Cortex-M – to 100 DMIPS

Hercules™ RM48 Safety MCUs – Highest performance ARM® Microcontrollers
Features
• ARM® Cortex™-R4F floating-point CPU up to 220MHz (>350 DMIPS)
• Developed specifically for safety critical industrial and medical systems
• Scalable embedded Flash memory up to 3MB
• CAN, Ethernet, USB Host/Device Communication Interfaces
• -40°C to 105°C Operation
Ideal for applications requiring
• High performance real time control
• Protection against random and systematic failures
• Safety certification and high reliability
• And…
  – Scalability
  – System cost constraints
  – Software re-use and portability
RM48 – A safe fit for Industrial and Medical

Hercules™ Cortex-R4F MCU safety features
• Logical / physical design optimized to reduce probability of common cause failure
• Dual Core Lockstep – Cycle by Cycle CPU Fail Safe Detection
• Diagram legend: Safe Island Hardware diagnostics (RED), Blended HW diagnostics (BLUE), Non Safety Critical Functions (BLACK)
• ECC for flash / RAM / interconnect evaluated inside the Cortex-R4F CPU
• Self Test Controller requires little S/W overhead
• Parity or CRC in Serial and Network Communication Peripherals
• On-Chip Clock and Voltage Monitoring
• Parity on all Peripheral, DMA and Interrupt controller RAMs
• Memory BIST on all RAMs allows fast memory test at startup
• Error Signaling Module w/ External Error Pin
• IO Loop Back, ADC Self Test, …
• Dual ADC Cores with shared channels
[Block diagram: Lockstep ARM® Cortex™-R4F CPUs; Memory (Flash w/ ECC, RAM w/ ECC, Flash EEPROM w/ ECC); Power, Clock & Safety (OSC, PLL, POR, ESM, CRC, RTI/DWWD, PBIST/LBIST, Calibration, Fail Safe Detection); Memory Interface (JTAG Debug, Embedded Trace, External Memory); DMA; Enhanced System Bus and Vectored Interrupt Module; Serial Interfaces; Network Interfaces; Dual ADC Cores; Dual High-end Timers; GIO]

1oo1D Dual Core Safety Concept
• Unique design to reduce common cause failures (βIC)
  – Second CPU mirrored and rotated
  – Minimum distance 100µm between CPUs
  – Cycle delayed lockstep
  – Guard ring per CPU
  – Duplicated clock tree per CPU
• CPU Compare Module (CCM)
  – Self-test capability
  – Self-test error injection/error forcing
  – Output error injection
[Diagram: input and control signals pass through a cycle delay to the second ARM® Cortex™-R4F, placed >100µm from the first; the outputs of both CPUs (one via a cycle delay) feed the CCM, which includes self test and raises a compare error output]

1oo1D Dual Core Lockstep Advantages
• Advantages of lockstep CPUs vs. software and multi-core based solutions
  – Faster fault detection. Enables safety in systems with tight control loop timing.
  – Better fault coverage. Hard, transient, and AC fault types can be detected.
  – Little to no performance impact. Full CPU performance available for application tasks rather than CPU diagnostics.
  – Minimal memory impact. Flash and SRAM used for application rather than CPU diagnostics.
  – Easy integration. Improve time to market without need to integrate complex software.
  – Proven, easy to justify diagnostic coverage. Spend less time proving your CPU safety solution to auditors, leaving more time to develop your application.

CPU Self Test Controller (STC/LBIST)
[Block diagram: the STC (test controller FSM, ROM and ROM interface, clock controller, VBUSP interface, STC PCR, BYPASS/ATE interface, DBIST control registers) drives CPU_nRESET and test patterns into CPU1 and CPU2; a block & compare block receives misr_in1/misr_in2 and signals ERR; the CCM and ESM are also connected]
• Provides High Diagnostic Coverage
• Significantly Lowers S/W and Runtime Overhead
• No SW BIST (Built In Self Test) Code overhead in Flash
• Simple to configure and start BIST via register

Programmable Memory BIST (PBIST)
• All on-chip RAMs can be tested
• Simple register setup and configuration
• Typically run at startup, but can be executed during the application
• Multiple Memory Test Algorithms
• Detects multiple failure modes
• Provides a mechanism to determine if runtime faults were caused by hard or soft error. This capability can be used to improve availability through inline recovery from soft error.
[Block diagram: PBIST Controller with VBUS interface, tester interface, configuration block, extension block, ROM interface and RAM/ROM block; data path/collars to and from the memories (RAM groups); functional read/write datapath; Data Logger]

Hardware BIST Advantages
• Advantages of Hardware BIST over software test
  – Faster test execution. SW tests require 10x-100x runtime for equivalent test coverage.
  – Better fault coverage. Addresses multiple fault models and achieves higher coverage than is possible with SW only solutions.
  – Minimal memory impact. Leaves your flash and SRAM for application usage rather than memory and CPU tests.
  – Easy integration. Improve time to market without need to integrate complex software.
  – Proven, easy to justify diagnostic coverage. Spend more time on your application and less time proving your CPU safety solution to auditors.

Flash / RAM ECC Protection
[Diagram: the Cortex-R4F 8 stage pipeline fetches 64-bit instructions and 64-bit data from Flash, each with 8 ECC bits; RAM supplies 2 x 32 data bits with 4 ECC bits each through the RAM ECC logic; the CPU's ECC evaluation raises an Error output]
• ECC evaluated in the Cortex-R4F CPU
  – Single Bit Error Correction and Double Bit Error Detection (SECDED)
  – ECC evaluated in parallel to processing data/instructions
  – No latency or performance impact
  – Protects Busses from CPU to Flash and RAM

Safety Aspects of Network Interfaces
• Networked peripherals (Ethernet, FlexRay, DCAN, and SCI/LIN) are considered grey-channel / black-channel communications
• In such communications, application level protocols (time redundancy, CRC in data packet, etc.) are necessary
• When such an assumption is made, the Dangerous Undetected Failure from the network is effectively not measurable (<0.001 Failure In Time (FIT))

Error Signaling Module (ESM)
[Block diagram: errors for Group 1 go to low level interrupt handling (INTEN, INTLVL) and errors for Group 2 to high level interrupt handling, both routed to the Interrupt Manager; errors for Group 3 go to the error signal control, whose low time counter (with preload) drives the nERROR pin]

ESM Features
• ESM functions
  – Up to 96 error channels, divided into 3 different groups
    • 32 channels with configurable output for interrupt and error behavior
    • 32 channels with predefined output for interrupt and error behavior
    • 32 channels with predefined output for error behavior
  – Error pin to signal severe device failure
  – Configurable timebase for error signal
  – Error forcing capability for self test
• ESM hardware
  – Indicates severe device failure at an external pin (nERROR)
  – Hardware assistance for prioritizing error sources

Clock Monitoring
• External clock prescaler (ECLK)
  – Allows external monitoring of CPU clock frequency
  – Configurable pin (GIO or ECLK)
• Oscillator monitor
  – Detects failure if oscillator frequency exceeds defined min/max thresholds
  – Selectable hardware response on oscillator fail
    – Reset device
    – Switch to internal ‘low power oscillator’ (LPO) clock source
• FMPLL slip detector
  – Indicates PLL slip if phase lock is lost
  – Selectable hardware response on PLL slip
    – Reset device
    – Switch to internal ‘low power oscillator’ (LPO) clock source
    – Switch to external oscillator clock source
[Diagram: the oscillator input and the LPO feed the FMPLL (PLLMUL) and the clock control module; the slip detector can bypass the PLL on slip (BPOS) or reset the device on slip (ROS)]

Dual Clock Comparator (DCC)
• The DCC module is used to measure the frequency of a clock signal using a second clock signal as a reference.
• Allows application to ensure that a fixed frequency ratio is maintained between two clock signals
• Supports the definition of a programmable tolerance window in terms of number of reference clock cycles
• Supports continuous monitoring without requiring application intervention
• Alternatively can be used in a single-sequence mode for spot measurements
• Flexible clock source selection for Counter 0 and Counter 1 resulting in several specific use cases
[Diagram: Clock 0 select and Clock 1 select (sources include PLLMUL) feed Counter 0 (Preload 0, Valid 0) and Counter 1 (Preload 1); when Counter 0 reaches zero the clock compare checks Counter 1 and flags ERROR]

Digital Windowed Watch Dog (DWWD)
• The DWWD module will reset the MCU or generate a non maskable interrupt to the CPU if the application fails to service the watchdog within the appropriate time window.
• Optional safety diagnostic that can detect a runaway CPU
• Includes a 25-bit down counter
• Alerts the Error Signaling Module when a CPU interrupt is generated
• Supports multiple service windows: 100%, 50%, 25%, 12.5%, 3.125%
• Servicing requires a specific two part key sequence
• Once enabled can only be disabled by a system or power on reset
[Diagram: the down counter is loaded from the DWWD preload and counts toward 0; the window is open only during the final 100%, 50%, 25%, 12.5%, 6.25% or 3.125% of the count; on violation the DWWD drives RESET or INTERRUPT and the ESM]

Memory Protection Unit (MPU)
• A dedicated Memory Protection Unit (MPU) is implemented for each bus master
• A memory region is defined which allows read and write access for the bus master
• Bus masters include the CPU, DMA, HTU and the FTU
• Access outside the defined region can be any of the modes
  – Read Only: Read access allowed for the memory accesses outside the region. Write accesses are blocked
  – No Access: Read and write access is blocked.
• In the event of a memory protection violation the Error Signaling Module (ESM) is notified
[Block diagram (TMS570): lockstep ARM® Cortex™-R4F CPUs at 160MHz; Memory (Flash w/ ECC, RAM w/ ECC, Memory Protection); Power, Clock & Safety (OSC, PLL, POR, PBIST, CRC, LBIST, RTI, Calibration); Memory Interface (EMIF, Embedded Trace, JTAG Debug); DMA; Enhanced System Bus and Vectored Interrupt Management; Serial I/F (MibSPI x2 and MibSPIP, 128 buffers and 4 CS each; UART1 (LIN1), UART2 (LIN2)); Network I/F (FlexRay 2 ch with FlexRay Transfer Unit (FTU) and 8K Message RAM; CAN1 (64mb), CAN2 (64mb), CAN3 (32mb)); ADC (MibADC1, MibADC2: 64 buffers, 12-bit, 16ch (8ch shared)); Timers / IO (High End Timer (NHET) 128 words, 32 ch, with High End Timer Transfer Unit (HTU); GIOA/INTA (8), GIOB (8))]

Voltage Monitor
• Supply Voltage Monitor (VMON)
  – Holds reset until core and I/O rails are in expected range (removes power sequencing requirements)
  – Asserts reset if core or I/O supply exceeds defined min/max thresholds
  – Asserts reset when core supply is below specified min voltage and asynchronously sets all I/O pins to high impedance mode

Dual Analog to Digital Converters
• Dual 12-bit ADC Cores: Self-Test & Calibration
  – Up to 16 analog channels can be shared between the 2 cores for safety critical conversions/comparison (1oo2 safety redundancy)
  – Self Test Mode enables in-application detection of opens/shorts on ADC inputs
  – Internal ADC reference voltages can be used to check converter functionality.
  – Core 1 supports 24 analog inputs & Core 2 supports 16 analog inputs
  – ADC calibration logic can improve accuracy or be used to detect drift between multiple test results.
[Diagram: MibADC1 (AD1EVT, AD1IN[7..0], and the shared AD1IN[23..8] / AD2IN[15..0]) and MibADC2 (AD2EVT), each with Self-Test & Calibration and connected to the peripheral bus; supplies VccAD, VssAD, VrefHi, VrefLo]

TMS570LS20216S Safety Documents
• Documents provided by TI under NDA to assist in the safety certification process:
  – IEC 61508 SIL3 Certificate from Exida
  – IEC 61508 Functional Safety Assessment Report from Exida
  – FMEDA: Failure Modes, Effects and Diagnostic Analysis
  – TMS570LS20216 Safety Manual

High Performance Cortex-R4F floating-point CPU
• ARM® v7R Cortex™ ISA fully backward compatible to ARM7/9/11
• Lockstep CPUs: Single core programming model – second core checks the first.
• Supports ARM, Thumb and Thumb-2 instructions
• Up to 220 MHz CPU Clock Speed
• Fast MULT, DIV, and SQRT enables model-based control; simplifies algorithm implementation
• Single / double precision IEEE 754 floating-point
• ARM® Cortex™-R4F 220 MHz
• Superscalar, SIMD, 8 stage pipeline delivers 1.6 DMIPS/MHz
• 12 region memory protection
• Broad ARM IDE/Compiler Support: CCS, KEIL, IAR, etc…
• Floating point and integer instructions operate in parallel
• Over 350 DMIPS of performance
• High performance floating point
• ARM-based: broad industry adoption
Scalable ARM Based Solutions from TI: Stellaris, Concerto, Hercules & Sitara

RM48x Block Diagram – Dual Core Lockstep ARM Cortex-R4F w/ Floating Point
Performance / Memory
• Up to 220 MHz ARM Cortex-R4 w/ Floating Point
• Up to 3MB Flash and 256KB Data SRAM
• 16 Channel DMA
Features
• Safety
  – Dual CPUs in Lockstep
  – CPU Logic Built in Self Test (LBIST)
  – Flash & RAM w/ ECC
  – Memory Built-in Self Test (PBIST)
  – Cyclic redundancy checker module (CRC)
  – Peripheral RAMs protected by Parity
• Communication Networks
  – 10/100 EMAC
  – USB: Host and Device
  – 3 CAN Interfaces
  – 3 Multi-Buffered SPIs + 2 Std. SPIs
  – 2 UARTs
  – 1 I2C
• Enhanced I/O Control
  – 2x High End Timer Coprocessor (NHET)
    • Up to 40 pins plus 6 monitor channels
    • All pins can be used as Hi-Res PWM or Input Capture
    • Dedicated DMA for HET
  – 2x 12-bit Multi-Buffered ADC
    • 24 total input channels
    • Continuous Conversion Mode
    • Calibration and Self Test
  – 16 Dedicated GIO pins
    • All pins are External Interrupt Capable
Targeted Applications
• Industrial Safety and Control
• Critical Care Medical
[Block diagram (RM48x): lockstep ARM® Cortex™-R4F CPUs up to 220 MHz; Memory (3MB Flash w/ ECC, 256 KB RAM w/ ECC, 64KB Data Flash EEPROM w/ ECC); Power, Clock & Safety (OSC, PLL, POR, PBIST, CRC, LBIST, RTI/DWWD, Memory Protection); Memory Interface (JTAG Debug, SDR / ASYNC EMIF, Calibration & Trace); DMA; Enhanced System Bus and Vectored Interrupt Module; Serial I/F (MibSPI1, MibSPI3, MibSPIP5 with 128 buffers and 6 CS each; SPI2 (2CS), SPI4 (1CS); 2x UART (LIN1); I2C); Network I/F (10/100 EMAC; USB 1.1 Host & Device; 3x CAN (64mbx)); ADC (MibADC1 64 buffers, 12-bit, 24ch (16ch shared); MibADC2 64 buffers, 12-bit, 16ch (16ch shared)); Timers / IO (2x High End Timer (NHET) 160 words, NHET1 32 ch, NHET2 14 ch; GIOA/INTA (8), GIOB/INTB (8))]
Packages: LQFP: 144pin, 20x20; nfBGA: 337 pin, 16x16, 0.8mm; -40 to 105°C Temperature Range
Note: Above reflects max configuration of each module – some functions are multiplexed.
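The SECDED protection described on the Flash / RAM ECC Protection slide above, worked as an added example that is not TI's ECC scheme or code: a 64-data-bit Hamming code with 7 check bits plus an overall parity bit (72-bit codeword), which corrects any single flipped bit and flags any double flip as uncorrectable. The codeword layout, the names and the test word are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed codeword layout, for illustration only (not TI's ECC polynomial):
 * positions 1..71 hold the 64 data bits plus 7 Hamming check bits (at the
 * power-of-two positions); position 0 holds the overall parity bit. */
#define CW_BITS 72

typedef struct { uint8_t bit[CW_BITS]; } codeword_t;
typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status_t;

/* Codeword position of data bit i (0..63): skip 0 and the powers of two. */
static int data_pos(int i)
{
    int seen = 0;
    for (int pos = 3; pos < CW_BITS; pos++)
        if (pos & (pos - 1)) { if (seen == i) return pos; seen++; }
    return -1;
}

/* XOR of all codeword bits whose position has `mask` set. */
static int group_parity(const codeword_t *cw, int mask)
{
    int p = 0;
    for (int pos = 1; pos < CW_BITS; pos++)
        if (pos & mask) p ^= cw->bit[pos];
    return p;
}

void secded_encode(uint64_t data, codeword_t *cw)
{
    memset(cw, 0, sizeof *cw);
    for (int i = 0; i < 64; i++) cw->bit[data_pos(i)] = (uint8_t)((data >> i) & 1);
    for (int m = 1; m < CW_BITS; m <<= 1) cw->bit[m] = (uint8_t)group_parity(cw, m);
    for (int pos = 1; pos < CW_BITS; pos++) cw->bit[0] ^= cw->bit[pos]; /* overall parity */
}

/* Decode in place: one flipped bit is corrected, two are reported as uncorrectable. */
ecc_status_t secded_decode(codeword_t *cw, uint64_t *data)
{
    int syndrome = 0, overall = 0;
    for (int m = 1; m < CW_BITS; m <<= 1)
        if (group_parity(cw, m)) syndrome |= m;     /* syndrome = position of a single error */
    for (int pos = 0; pos < CW_BITS; pos++) overall ^= cw->bit[pos];

    ecc_status_t st;
    if (syndrome == 0 && overall == 0) {
        st = ECC_OK;                       /* clean word */
    } else if (overall == 1 && syndrome < CW_BITS) {
        cw->bit[syndrome] ^= 1;            /* odd error count: fix it (0 = the parity bit itself) */
        st = ECC_CORRECTED;
    } else {
        st = ECC_UNCORRECTABLE;            /* even error count (double-bit): detect only */
    }
    *data = 0;
    for (int i = 0; i < 64; i++) *data |= (uint64_t)cw->bit[data_pos(i)] << i;
    return st;
}
```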
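The service-window behavior described on the Digital Windowed Watch Dog slide above, as an added model that is not TI's code or register interface: a 25-bit down counter, a window that is only the final 100%/50%/25%/12.5%/6.25%/3.125% of the count, and a two-part key sequence; completing the service while the window is still closed (too early), writing the keys out of order, or letting the count reach zero is a violation that the hardware would answer with reset or NMI and an ESM alert. The key values, the names and the C interface are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed placeholder key words for the two-part service sequence;
 * not the values the Hercules DWWD actually expects. */
#define DWWD_KEY_PART1    0x0000E51AU
#define DWWD_KEY_PART2    0x0000A35CU
#define DWWD_COUNTER_MASK 0x01FFFFFFU   /* 25-bit down counter */

typedef struct {
    uint32_t preload;       /* value reloaded into the counter on a good service */
    uint32_t counter;       /* current down-count */
    unsigned window_shift;  /* 0..5: window = preload >> shift (100% .. 3.125%) */
    bool     part1_seen;    /* first key word accepted, waiting for the second */
    bool     violation;     /* sticky: hardware would assert reset/NMI and flag the ESM */
} dwwd_t;

void dwwd_init(dwwd_t *w, uint32_t preload, unsigned window_shift)
{
    w->preload = preload & DWWD_COUNTER_MASK;
    w->counter = w->preload;
    w->window_shift = window_shift > 5 ? 5 : window_shift;
    w->part1_seen = false;
    w->violation = false;
}

/* The window is open only for the final fraction of the count-down. */
bool dwwd_window_open(const dwwd_t *w)
{
    return w->counter <= (w->preload >> w->window_shift);
}

/* Let `ticks` watchdog clocks elapse; reaching zero is a timeout violation. */
bool dwwd_tick(dwwd_t *w, uint32_t ticks)
{
    if (w->violation) return false;
    if (ticks >= w->counter) { w->counter = 0; w->violation = true; return false; }
    w->counter -= ticks;
    return true;
}

/* Application writes one key word. The service completes on the second word;
 * completing it with the window closed, or writing the keys out of order,
 * is a violation. Returns true if the write was accepted. */
bool dwwd_service(dwwd_t *w, uint32_t key)
{
    if (w->violation) return false;
    if (key == DWWD_KEY_PART1 && !w->part1_seen) { w->part1_seen = true; return true; }
    if (key == DWWD_KEY_PART2 && w->part1_seen) {
        w->part1_seen = false;
        if (!dwwd_window_open(w)) { w->violation = true; return false; }  /* too early */
        w->counter = w->preload;                                           /* good service */
        return true;
    }
    w->part1_seen = false;
    w->violation = true;                                                   /* wrong key or order */
    return false;
}
```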
Development Evaluation – Hercules™ Development Kits
USB Stick Kits – $79
• TMDXRM48USB – RM48 USB Stick Kit
• TMDX570LS31USB – TMS570 USB Stick Kit
• TMDX470MF066USB – TMS470M USB Stick Kit
  – USB Powered
  – On Board USB XDS100v2 JTAG Debug
  – On Board SCI to PC Serial Communication
  – Access to Select Signal Pin Test Points
  – LEDs, Temp Sensor & Light Sensor
  – Accelerometer (TMS570 & RM)
  – CAN transceiver
Development Kits – $199
• TMDXRM48HDK – RM48 Development Kit
• TMDX570LS31HDK – TMS570 Development Kit
• TMDX470MF066HDK – TMS470M Development Kit
  – On Board USB XDS100v2 JTAG Debug
  – External high speed emulation via JTAG
  – TRACE pads for ETM/RTP/DMM
  – LEDs, Temp Sensor & Light Sensor
  – CAN Transceivers
  – RJ45 10/100 Ethernet Interface (TMS570 & RM)
  – USB-A Host Interface (RM)
  – USB-B Device Interface (RM)
Software Included in Each Kit:
• CCStudio v4.x IDE: C/C++ Compiler/Linker/Debugger
• HALCoGen Peripheral Driver Generation Tool
• CCS and nowFlash Flash Programming Tools
• HET GUI/Simulator/Assembler
• GUI Demo with Project/Code Examples

Hercules™ Software Tools
IDEs (compilers & debuggers) – Program/debug code using these IDEs:
• Code Composer Studio
• IAR Workbench
• KEIL µVision
RTOS Support – Real Time Operating System Support:
• SAFERTOS: High Integrity Systems
• µC/OS: Micrium
• ThreadX: Express Logic
• AUTOSAR: Vector Microsar and EB tresos
GUI-based Code Generation Tools and Other SW Tools
Safety MCU Demos
• Safety Feature Highlight
• Ambient Light & Temperature Demo
• LED Light Show
• Maze Game
• Source Code Viewable via CCS
PLL Calculators – Easily configure the FMzPLL and FPLLs in the Hercules platform Phase Lock Loop modules.
HET IDE
• Graphical Programming Environment
• Output Simulation Tool
• Generates CCS-ready software modules
• Includes functional examples from TI
HALCoGen
• User Input on High Abstraction Level
• Graphical-based code generation
• Easy configuration
• Quick start for new projects
• Supports CCS, IAR & KEIL IDEs
nowECC – ECC Generation Tool: Command line program for generating Error Correction Code for Hercules devices. Can be used in conjunction with CCSv4.
nowFlash – Flash Programming Tool: GUI and command line programmer for loading code into Hercules devices without an IDE.

Hercules™ Support Structure
Hercules Web Page: www.ti.com/hercules
• RM4 Web Page: www.ti.com/rm4
• TMS570 Web Page: www.ti.com/tms570
• TMS470M Web Page: www.ti.com/tms470m
  – Data Sheets
  – Technical Reference Manual
  – Application Notes
  – Software & Tools Downloads and Updates
  – Order Evaluation and Development Kits
Engineer 2 Engineer Support Forum: www.ti.com/hercules-support
  – News and Announcements
  – Useful Links
  – Ask Technical Questions
  – Search for Technical Content
Hercules WIKIs:
• RM4 WIKI: www.ti.com/hercules-rm4-wiki
• TMS570 WIKI: www.ti.com/hercules-tms570-wiki
• TMS470M WIKI: www.ti.com/hercules-tms470m-wiki
  – How to guides
  – Intro Videos
  – General Information

More Hercules™ Training
1 Day Training Class: Hercules 1 Day Safety Seminar
• Introduction
• What is Functional Safety?
• Safety Standards Overview
• IEC 61508 Safety Standard
• ISO 26262 Safety Standard
• Random Fault Management
• Safety System Architectures
• Hercules Safety Concept
• Lab 1: Hercules Safety MCU Demos
• Hercules Architecture
• Development Tools: HW kits, SW tools
• Embedded Flash Memory tools
• Real Time Interrupt (RTI)
• Vectored Interrupt Manager (VIM)
• Direct Memory Access (DMA)
• General-purpose I/O (GIO) & NHET
• Lab 2: Using NHET as GIO
• Communication Interfaces: UART, LIN, CAN, FlexRay, Multi-Buffered Serial Peripheral Interface (MibSPI)
• Lab 3: PC to SCI Communication
• External Memory Interface (EMIF) / Parameter Overlay
• Multi-buffered Analog-to-Digital Converter (MibADC)
• Support Structure: Web, Forum, WIKI
3 Day Training Class: Safety Critical Design and Programming with ARM® Cortex™-R4F based Hercules MCUs
Who should attend:
• Hardware and Software Developers
• Project Managers
• Safety Specialists
• Anyone interested in Hercules MCUs and functional safety
Day 1
• Welcome and Intro
• Hercules Product Overview / MCU Roadmap
• Safety Standards and Hercules Safety Features
• HALCoGen / Exercise
• Code Composer Studio / Demonstration / Exercise
• Compiler / Exercise
• Flash Overview
• Flash Tools: nowFlash™, nowECC™, nowProfile™
• Summary / Questions
Day 2
• ARM® Cortex™-R4F CPU Architecture Overview
• System Module Overview
• Device setup/startup, Real Time Interrupt Module, Vectored Interrupt Manager
• CRC Controller, CPU Compare Module, Error Signaling Module
• General Purpose I/Os / Supply
• Direct Memory Access Controller (DMA)
• Serial Communication Interface (SCI/UART/LIN)
• Summary / Questions
Day 3
• Multi-Buffer Serial Peripheral Interface (SPI / MIBSPI-P)
• DCAN
• FlexRay / Transfer Unit
• Multi-Buffer ADC (MIBADC)
• External Memory Interface (EMIF) / Parameter Overlay Module (POM)
• NHET (High End Timer) IDE
• NHET
• NHET Transfer Unit
• Summary & Questions