
The SafeTI


Contents

1. Architecture; Failure Rate (FMEDA); CSP (Compliance Support Package). Functional Safety Certification: development process, hardware, user manual, test plan: "show me evidence". (Texas Instruments workshop slides 24 to 28.)

   IEC 61508 Hazard & Risk Analysis and SIL determination: Hazard & Risk Analysis -> Safety Function Definition -> SIL Determination (SIL 1, 2, 3, 4) -> Allocation of Safety Requirements -> HW Safety Requirements (SFF, PFH), SW Safety Requirements, Process Safety Requirements.

   Safety Function and Safe State. The hazard analysis yields the safety function and the safe state. Safety Function: a function to be implemented by an E/E/PE safety-related system or other risk reduction measures that is intended to achieve or maintain a safe state for the ECU in respect of a specific hazardous event (signal chain: Sensor -> MCU -> Actuator). Safe State: the state of the ECU when safety is achieved.

   Example. Hazard: high gas flow pressure. Safety Function: monitor the pressure of the gas flow. Safe State: (1) if the gas flow pressure exceeds a fixed limit, shut off the gas flow valve; (2) if a dangerous fault is detected, the system shuts off the gas flow.

   Risk Analysis and Safety Integrity Level: risk analysis determines the performance requirement of the safety function
2. Safety-critical systems are everywhere; systems need to manage hazardous failures, and many systems need to be safety certified. Standards by domain: IEC 60880 (nuclear), IEC 61511 (process industry), IEC 62061 (machinery), ISO 26262 (automotive), ISO 13849 (machinery), IEC 61508 (E/E/PE safety). Example applications: sensor & communications gateway, HEV/EV cars, radar collision avoidance, ADAS, manufacturing robotics, industrial automation, motor control, railway systems, active suspension, ABS, electric power steering, airbag, anesthesia machines, anti-skid control.

   Hercules MCU end equipment. Aerospace & Railway: flight control, avionics autopilot, anti-skid control. Industrial: communications gateway, industrial motor control, manufacturing robotics, escalator, motor control, industrial automation, PLC. Automotive: sensor & communications gateway, radar collision avoidance, hybrid & electric vehicles, ADAS, chassis domain control, electric power steering, active suspension. Medical: anesthesia, oxygen concentrators, respirators.

   TI Hercules MCU Platform: ARM Cortex based microcontrollers. Industrial and Medical Safety MCUs: 128KB to 4MB Flash, -40 to 105 C operation.
4. IEC 61508 HW Metrics Calculation, Industrial Mission Profiles. Assumed industrial mission profile: 10 years service, 365 days per year, 24 hours per day; outside ambient temp 70 C; ambient temp T4 / PCB temp 90.5 C (assumption); Ton = 1.0, n = 1 cycles; ΔT (chip junction temp increase) 30 C assumed worst case (slide figures: 90.5, 70, 30.5 C). Customer input for failure rate estimation: package used. Customer input for transient fault estimation: application-specific flux factor coefficient based on JEDEC JESD89A. Maximum power dissipation: application-specific power dissipation in Watts; 1.04 W is based on the maximum datasheet value. Industrial mission profile: total raw permanent FIT 330.16. Assumed lifetime in years; confidence level: desired confidence level of FIT rates. Based on RM48x v1.0 FMEDA worksheet. Operational profile from IEC TR 62380:2004 (use conditions: T1, T2, ratios on/off, number of on/off cycles per year).

   Failure Rate Definitions. The failure rate is represented by the Greek character lambda (λ) and can be broken into categories: λ_S, the rate of safe failures, which do not affect the safety function (λ_SD safe detected failure rate, λ_SU safe undetected failure rate); λ_D, the rate of dangerous failures, which compromise the safety function (λ_DD dangerous detected failure rate, ...
5. SafeTI HSK GUI (Stand By; User Commands; User's Manual; About; connected on COM1; safety cycles 10125; safety IC TMS57Ux / TPS65...).

   CCM-R4F: compares the outputs of two CPUs running in a 1oo1D lockstep configuration. The ESM error flag (compare) is asserted whenever a CPU compare error is detected. For diagnostic purposes the CCM-R4F also incorporates a self-test capability and an error-forcing capability. FMEDA requires gate-level fault injection simulation work to prove the effectiveness of on-chip diagnostics.

   ECC: the ECC controllers are located inside the CPU, so the interconnect between CPU and memory is covered by the diagnostic, and the ECC logic itself is checked on a cycle-by-cycle basis. Single Error Correction, Double Error Detection (SECDED) logic: 8 bits of ECC for every 64 bits of data accessed by the CPU.

   SafeTI HSK GUI settings: application safety interval (ms), IRQ load; Safety Library settings; ESM settings (parameter fields); Safety Features; TPS6538x settings (parameter fields).
6. Project tailoring: CP1 Project Commissioning; CP3A Design & Implementation; CP3B Unit Testing & Integration Testing; CP4 Safety Requirements Verification & Release; CP5 Project Closure.

   Agenda: Overview of Hercules MCU and SafeTI design package; Hercules MCU Functional Safety How-To Workshop (safety functions, safety goals, safe state, SIL, failure rate; safety-critical element identification and diagnostic requirements; safety manual and diagnostics selection; mission profile and failure rate estimation; SafeTI Diagnostic Library; SafeTI Diagnostic Library Compliance Support Package (CSP) certification support; fault injection with HITEX kit); Summary.

   The SafeTI HSK hardware. HSK hardware platform: the safety application unit on which the demo application runs. This includes the safety MCU or Safety Device Under Test (SDUT, TMS570 or RM48), power supply / WD companion chip TPS65381, accelerometer, temperature sensor, HMI (4x LED, potentiometer, pixel display), CAN transceiver & connector and motor control interface, DIMM connector. Control and Monitoring Unit (CMU): the control and monitor device (RM48x) to inject faults and monitor the fault reaction, fault injection logic, error indication and power supply to the control/monitor unit. Host debug interface: this includes a U
7. Hardware failure categories: package; die/silicon permanent; die/silicon transient. IEC TR 62380 Mission Profile Examples (source: IEC TR 62380 Reliability Handbook). Table 11, mission profiles for automotive (rows: motor control, passenger compartment; columns: Temp 1/2/3, ratios, day light / non-used phases, on/off cycles per year, starts per year, vehicle cycles; table values omitted). Table 9, mission profiles for Telecom: environment types (ground benign, ground fixed, transmitting/access) and equipment types, cycles per year.

   IEC 61508 HW Metrics Calculation, Automotive Motor Control Mission Profiles. Automotive mission profile in IEC TR 62380 (FMEDA worksheet default): 10 years service with phases per day (night, day, not used); 2 night trips per day, 4 day trips per day, 30 days shut down; temperature phases: engine cold, engine warm, engine hot; on/off ratio 0.058 / 0.942. Customer input for failure rate estimation: package used. Customer input for transient fault estimation: application-specific flux factor coefficient based on JEDEC
8. Loop-back SW test (extracted from the Safety Manual of RM42x, SPNU553). IEC 61508 HW Metrics Calculation, Select Safety Features: I/O loop back. Hercules MCU I/O supports loop back for self test; examples: Figure 24-17, CAN core in external loop-back mode (CAN TX pin / CAN RX pin); Figure 24-16, CAN core in loop-back mode (CAN TX / CAN RX); Figure 25-22, I/O paths during I/O loopback modes (LPBK: checks the analog loopback path through the transmit buffer; note 1: the diagram is intended to illustrate loopback paths and therefore may omit some normal-mode paths). Examples are extracted from the TMS570LS31x/21x Technical Reference Manual, SPNU499A.

   Agenda: Overview of Hercules MCU and SafeTI design package; Hercules MCU Functional Safety How-To Workshop (safety functions, safety goals, safe state, SIL, failure rate; safety-critical element identification and diagnostic requirements; safety manual and diagnostics selection; mission profile and failure rate estimation; SafeTI Diagnostic Library; SafeTI Diagnostic Library Compliance Support Package (CSP) certification support; fault injection
9. ENET, USB, CAN & UART. Developed to safety standards: IEC 61508 SIL 3; Cortex-R up to 550 DMIPS. Hercules MCU Platform: 80 MHz to 300 MHz, 128KB to 4MB Flash. Transportation and Automotive Safety: Q100, -40 to 125 C operation; FlexRay, ENET, CAN, LIN, UART; lockstep MCUs for functional safety, developed to ISO 26262 ASIL D and IEC 61508 SIL 3; Cortex-R up to 500 DMIPS.

   Supporting Industrial & Medical safety: lockstep ARM Cortex-R based MCU with up to 550 peak DMIPS and 384KB to 4MB Flash memory; safety integrated in HW provides a high level of diagnostic coverage to reduce safety software overhead; SafeTI system design packages make it easier to achieve safety certification and get to market quickly; developed to safety standards, for use in IEC 61508 SIL 3 safety applications; flexible communication and control: Ethernet, USB, CAN, up to 84 timer and 41 12-bit ADC channels. Development kit: LaunchPad, Motor Control, XDS350U Pro Trace, SafeTI Kit. SafeTI Design Packages for Functional Safety. Features: ECC, lockstep, fault detection control; ePWM, eCAP, eQEP, N2HET timer; 10/100 Ethernet, UART; analog
10. ISO & IEC Functional Safety Standards, hardware requirements (table rows listed in column order as extracted).
   Standard: IEC 61508; ISO 26262; EN 50129; ISO 22201; IEC 61800; IEC 62061; IEC 61511; ISO 13849; IEC 60730.
   Domain: programmable E/E systems; automotive; railway; elevator; drive; machinery; process automation; machinery; home appliances.
   Safety integrity: SIL 1, 2, 3, 4; ASIL A, B, C, D; SIL 1, 2, 3, 4; SIL 1, 2, 3; SIL 1, 2, 3 (SIL 4: apply IEC 61508); SIL 1, 2, 3 (SIL 4: apply IEC 61508); SIL 1, 2, 3 (SIL 4: apply IEC 61508); PL a, b, c, d, e; Class A, B, C.
   Architectural metric: SFF; SPFM, LFM; SFF; SFF; SFF.
   Architectural requirement: HFT > 0 for SIL 4; no; follow IEC 61508; dual channels for SIL 3; dependent on function; supports ISO 13849 categories; see IEC 61508; CAT B, 1, 2, 3, 4; yes (Class C).
   Failure rate: PFD, PFH; PMHF; THR; N/A; PFH; no; PFD, PFDavg; MTTF; no.
   Specific MCU self-test requirements: no; no; no; CPU, memory; CPU, memory, interrupt, clock, I/O, comms; no; no; no; no; CPU, memory, interrupt, clock, I/O, comms.

   Typical usage of Hercules MCU per functional safety standard: ISO 26262: single Hercules MCU for ASIL A to D; ... single MCU
11. IEC 61508 HW Metrics Calculation, Select Safety Features: Flash (from Safety Manual; columns: Device Partition, Unique identifier, Safety Feature or Diagnostic, Recommendation, Used in Application). Primary Flash and Level 1 (L1) Interconnect: Flash data ECC; hard error cache and livelock; Flash wrapper address ECC; address parity; boot-time hardware CRC check of flash memory contents; periodic hardware CRC check of flash memory contents; bit multiplexing in flash array; flash sector protection; periodic SW readback of static configuration registers; SW readback of written configuration. Safety mechanisms associated with Flash are selected: 1 means the safety mechanism is assumed in the HW metrics calculation, 0 means not assumed. Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet.

   Flash/RAM ECC protection: ECC is evaluated in the Cortex-R CPU; 64 data bits from Flash with ECC bits on the CPU (ATCM) side; 32 data bits plus 4 ECC bits on each RAM port (B0TCM, B1TCM).
12. L1 Interconnect. Safety mechanisms associated with SRAM are selected: 1 means the safety mechanism is assumed in the HW metrics calculation, 0 means not assumed. Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet.

   Programmable Memory BIST (PBIST): all on-chip RAMs can be tested (read/write datapath, VBUS interface, tester interface, controller, ROM, RAM groups); simple register setup and lock configuration; typically run at startup but can be executed during the application; multiple memory test algorithms; detects multiple failure modes; provides a mechanism to determine whether runtime faults were caused by a hard or a soft error; this capability can be used to improve availability through inline recovery from soft errors.

   IEC 61508 HW Metrics Calculation, Select Safety Features: ESM (from Safety Manual; columns: Device Partition, Unique identifier, Safety Feature or Diagnostic, Recommendation, Used in Application). Error Signaling Module (ESM): ESM1 ... of static configuration registers; ESM2A boot-time SW test of error path reporting; ESM2B periodic SW test of error path reporting; ESM3 use of status shadow registers; ESM4 SW readback of written configuration. Safety mechanisms associated with ESM are selected: 1 means th
13. Single-bit error correction and double-bit error detection (SECDED), evaluated in parallel to processing data/instructions: minimized latency and typically no performance impact; protects busses from CPU to Flash and RAM; address/control parity from CPU to memory; diagnostic in Flash/SRAM wrappers.

   IEC 61508 HW Metrics Calculation, Select Safety Features: SRAM (from Safety Manual; columns: Device Partition, Unique identifier, Safety Feature or Diagnostic, Recommendation, Used in Application). SRAM and Level 1 (L1) Interconnect: RAM1 data ECC; RAM2 hard error cache and livelock; RAM3 correctable ECC profiling; RAM4 address and control parity; RAM5 redundant address decode; RAM6 data ECC storage in multiple physical banks; RAM7A boot-time PBIST check of RAM; RAM7B periodic PBIST check of RAM; RAM8 bit multiplexing in SRAM array; RAM9 periodic hardware CRC check of SRAM contents; RAM10 ...; RAM11 SW readback of written configuration; SRAM and Level 1
14. External Memory Interface; exercise: Error Signaling Module; Parameter Overlay Module (POM); compiler; exercise: general purpose I/Os; supply; N2HET High End Timer; IDE; Flash overview; Direct Memory Access Controller (DMA); NHET; Flash tools: nowFlash, nowECC; Serial Communication Interface; HET Transfer Unit; nowProfile; SCI/UART/LIN; Summary & Questions. Thank you. Contact information: Hoiman Low, TI (hm low ti com). ZHCP003, slide 102.
15. Elevator mission profile FIT table (rows for 5, 10, 15 and 20 years of service; pessimistic estimation, field data are orders of magnitude better; based on RM48x v1.0 FMEDA worksheet; table values omitted).

   FMEDA worksheet, product function tailoring: inputs for application-specific tailoring of failure rates per module: Cortex-R4F Central Processing Unit (CPU); Vectored Interrupt Module (VIM); Primary Flash and Level 1 Interconnect; System Control; Static Configuration; Direct Memory Access (DMA); Controller Area Network (DCAN); General Input/Output (GIO); Multi-Buffered Analog to Digital Converter (MibADC1); Multi-Buffered Serial Peripheral Interface; Next Generation High End Timer (N2HET1) including HET Transfer Unit (HTU1); Next Generation High End Timer (N2HET2) inc
16. IEC 61508 software lifecycle references: 7.4.8 Software integration testing; 7.7.2 Software aspects of system safety validation; 7.4.9 Safety Manual; 8 Software functional safety assessment.

   ISO 26262 work products: 6.5.1 Software safety requirements specification; 7.5.1 Software architectural design specification; 9.5.3 Software verification report (refined); 10.5.3 Embedded software; 11.5.3 Software verification report (refined); verification reports; Functional Safety Assessment Plan; Functional Safety Assessment Report.

   IEC 61508 work products: software safety requirements specification; forward and backward traceability; software architecture design; SW module test report; verified and tested integrated programmable electronics; software safety validation results, validated software; Safety Manual; software functional safety assessment plan; software functional safety assessment report.

   Work products / customer deliverables: Software Requirements Document; traceability matrix; SW Architecture Spec; Unit Test & Static Analysis Report; Dynamic Coverage Analysis Report; Test Manager Report; SW User Guide; Software Safety Manual; data sheet; Safety Test Report; SW Manual; Functional Safety Assessment Plan (in Safety Plan); Functional Safety Assessment Report. Generic inputs, which can be modified during the TI SW product lifecycle.
17. FMEDA worksheet summary. Application-specific power dissipation in Watts: 0.934 W is based on the maximum datasheet value. Safety mechanisms considered in the FMEDA. Assumed lifetime in years. Confidence level: desired confidence level of FIT rates. Operational profile from IEC TR 62380:2004. Memory size: type, user size (FLASH, FEE). Modules used for the safety function: CPU subsystem, Cortex-R4F Central Processing Unit (total FIT raw 71.82); CPU subsystem, Vectored Interrupt Module (VIM); safety-related FIT 71.82; probabilistic metrics for random hardware failures in FIT; Single Point Fault Metric 99.36 / 99.81; DEBUG: Joint Test Action Group (JTAG); ISO 26262 categorization as in ISO 26262:2011; SYSTEM: System Control; multi-point; clock; transient / permanent 11.82 / 11.82.

   FMEDA tool: adapt the failure rate estimation model based on system usage; easily partition the device into safety-related and non-safety-related functions; select applicable diagnostics from the safety manual or apply your own diagnostics; automatic calculation of summarized and detailed ISO 26262 & IEC 61508 safety metrics. FMEDA developed with
18. SafeTI Diagnostic Library: an executable version of the Safety Manual. Highlights: optimized API mapping to the MCU's safety features as documented in the device Safety Manual; software abstraction of the MCU's safety features for the application developer; uniform API across the members of the Hercules family; developed compliant to an ISO 26262 and IEC 61508 development process.

   Hercules SafeTI Diagnostic Library features: initialization functions for the device (common functionality: core registers, stack; safety measures: RAM init, enable ECC, ESM init); API to invoke PBIST on memories; API to invoke LBIST self tests; boot-time / run-time verification of integrated HW safety diagnostics to prevent latent faults; creation of artificial faults (fault injection) to allow testing of application fault handling; an Error Signaling Module (ESM) handler which can capture and report faults to the application through a callback routine; profiling for measuring time spent in diagnostic tests and fault handling, enabling optimization of run-time safety measures by the application developer; comprehensive documentation explaining the mapping from the Safety Manual to the SafeTI Diagnostic Library API. Released SafeTI Software Compliance Support Package (SCSP), which aids ISO 26262 or IEC 61508 certificat
19. Low-demand functions have requirements on PFDavg to achieve a specific SIL; continuous / high-demand functions have more stringent requirements on PFH to achieve a specific SIL. Maximum allowable SIL for Type B high-demand systems (IEC 61508-2 Table 3), by Safe Failure Fraction and Hardware Fault Tolerance: SFF 60% to < 90%: SIL 2, SIL 3; SFF 90% to < 99%: SIL 2, SIL 3 (cells as shown on the slide). Type B products are complex products in which not all failure modes are known; most semiconductors are considered Type B. HFT (Hardware Fault Tolerance): 0 means no redundancy. 1 FIT = 1 failure in 1E9 hours.

   MCU Failure Mode and Failure Rate. Sources of permanent component failure rate data: MIL-HDBK-217F; SN29500; IEC TR 62380; supplier reliability data. TI uses IEC TR 62380, where the number of transistors, number of memory bits, temperature and package effect can be modeled. The failure rate is commonly expressed in FIT (Failure In Time): 1 FIT = 1 failure in 1E9 hours. Transient random failures: cosmic rays, EMC; the failure rate data source is experiments in the Los Alamos lab and the TI lab.

   MCU Failure Rate Estimation: MCU failure rate λ_MCU = SRAM failure rate + CPU failure rate + Flash failure rate
20. Typical usage of Hercules MCU per functional safety standard (continued): single Hercules MCU for SIL 1 to SIL 3, dual MCU for SIL 4 (provided no specific diagnostic requirements); IEC 61800: single Hercules MCU for SIL 1 to SIL 3; ISO 13849: single MCU for Cat B, 1, 2 from PL a to PL e, dual MCU for Cat 3, 4 from PL a to PL e, single MCU + TPS (under evaluation) for PL d, CAT 3; IEC 60730: single MCU for Class A to C, dual MCU for some Class items. Items shown are typical examples; the achieved safety integrity level is the responsibility of the system developer.

   Applying Functional Safety Standards: SafeTI Design Packages for Functional Safety. SafeTI design packages help meet functional safety requirements while managing both systematic and random failures: Functional Safety -> risk reduction -> Safety Life Cycle (SIL 1, 2, 3, 4) -> systematic failures and random failures (diagnostics, safety features, Hercules architecture, failure rate / FMEDA, architectural metric, CSP Compliance Support Package).

   Hercules MCU safety features: Memory Protection Unit; CPU Self Test Controller (requires little S/W overhead); memory (Flash, RAM) with ECC; lockstep; physical design optimized t
21. Failure rate analysis per element: λ_SRAM, λ_CPU, λ_Flash. For each element, apply SRAM / CPU / Flash diagnostics and split the failure rate into λ_SAFE, λ_DD and λ_DU. Apply diagnostics to detect dangerous faults until the appropriate SIL metrics (SFF, PFH) are met. λ_SAFE: safe failures; λ_DD: dangerous detected; λ_DU: dangerous undetected.

   Agenda: Hercules MCU Functional Safety How-To Workshop: safety-critical element identification and diagnostic requirements.

   Application example. Safety goal: the motor shall deliver torque as commanded by the external host. (Block diagram: voltage regulator 1.2 V / 5 V / 3.3 V, 16 MHz clock crystal OSCIN/OSCOUT, nPORRST, Hercules MCU, motor, torque command.) Safe state: (1) disable the motor driver relay (NHET/GIO); (2) indicate the fault to the system via a warning lamp (GIO). Safety function input (MCU): receive the motor torque command from the remote host (CAN). Safety function processing (MCU): calculate the necessary output commands to the motor based on the desired torque and the current position. Safety function actuation (MCU): drive PWMs to actuate the motor (ePWM1, ePWM2); read the current motor position feedback via the quadrature decoder (eQEP); NHET1 motor position feedback. MCU Safety Critical Elements per Safety Function
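The failure-rate decomposition above, together with the Type B SFF/HFT table and PFH bands from item 19, worked through as an added example (not TI's FMEDA worksheet or the SafeTI tooling): the element FIT rates, safe fractions and diagnostic-coverage values are constructed, and the example applies diagnostics to the same three elements to show how SFF and PFH move and which SIL each configuration permits.

```python
# FMEDA-style hardware metric calculation for one safety function.
# Added example, not TI's FMEDA worksheet: the FIT rates, safe fractions and
# diagnostic-coverage values are constructed. Formulas follow IEC 61508-2:
#   lambda_MCU = lambda_SRAM + lambda_CPU + lambda_Flash
#   lambda = lambda_S + lambda_DD + lambda_DU,  SFF = (lambda_S + lambda_DD) / lambda
#   PFH ~ lambda_DU per hour (1 FIT = 1 failure in 1E9 hours)
from dataclasses import dataclass

FIT_TO_PER_HOUR = 1e-9


@dataclass(frozen=True)
class Element:
    """One safety-critical element of the MCU (CPU, Flash, SRAM, ...)."""
    name: str
    fit_total: float      # raw permanent failure rate in FIT (constructed)
    safe_fraction: float  # share of failures that do not affect the safety function
    dc: float             # diagnostic coverage of the dangerous failures, 0..1

    @property
    def fit_safe(self) -> float:
        return self.fit_total * self.safe_fraction

    @property
    def fit_dd(self) -> float:  # dangerous detected
        return (self.fit_total - self.fit_safe) * self.dc

    @property
    def fit_du(self) -> float:  # dangerous undetected
        return (self.fit_total - self.fit_safe) - self.fit_dd


def metrics(elements) -> dict:
    """Sum the element rates and derive SFF and single-channel PFH."""
    lam_s = sum(e.fit_safe for e in elements)
    lam_dd = sum(e.fit_dd for e in elements)
    lam_du = sum(e.fit_du for e in elements)
    total = lam_s + lam_dd + lam_du
    return {"lambda_S": lam_s, "lambda_DD": lam_dd, "lambda_DU": lam_du,
            "SFF": (lam_s + lam_dd) / total, "PFH": lam_du * FIT_TO_PER_HOUR}


# IEC 61508-2 Table 3, type B subsystems: (lower SFF bound, max SIL at HFT 0/1/2);
# 0 means the architecture is not allowed at that SFF.
TYPE_B_TABLE = [(0.99, (3, 4, 4)), (0.90, (2, 3, 4)), (0.60, (1, 2, 3)), (0.00, (0, 1, 2))]


def max_sil_type_b(sff: float, hft: int) -> int:
    """Architectural constraint: highest SIL the SFF/HFT combination permits."""
    for bound, sils in TYPE_B_TABLE:
        if sff >= bound:
            return sils[min(hft, 2)]
    raise ValueError("SFF must be in 0..1")


def max_sil_pfh(pfh: float) -> int:
    """High-demand / continuous mode PFH bands (dangerous failures per hour)."""
    for limit, sil in ((1e-8, 4), (1e-7, 3), (1e-6, 2), (1e-5, 1)):
        if pfh < limit:
            return sil
    return 0  # worse than SIL 1


def achievable_sil(elements, hft: int = 0) -> int:
    """Lowest of the architectural (SFF/HFT) and failure-rate (PFH) limits.
    The single-channel lambda_DU is kept as PFH even for hft > 0: a
    conservative bound, a real 1oo2 analysis would use the block model."""
    m = metrics(elements)
    return min(max_sil_type_b(m["SFF"], hft), max_sil_pfh(m["PFH"]))


# Constructed sample: the same elements without and with diagnostics applied
# (lockstep CPU compare, Flash/SRAM ECC plus periodic CRC/PBIST).
NO_DIAG = [Element("CPU", 20.0, 0.5, 0.0), Element("Flash", 40.0, 0.5, 0.0),
           Element("SRAM", 40.0, 0.5, 0.0)]
WITH_DIAG = [Element("CPU", 20.0, 0.5, 0.99), Element("Flash", 40.0, 0.5, 0.90),
             Element("SRAM", 40.0, 0.5, 0.99)]

if __name__ == "__main__":
    for label, elems in (("no diagnostics", NO_DIAG), ("with diagnostics", WITH_DIAG)):
        m = metrics(elems)
        print(f"{label}: SFF={m['SFF']:.3f} PFH={m['PFH']:.2e}/h "
              f"max SIL (HFT=0)={achievable_sil(elems)} (HFT=1)={achievable_sil(elems, 1)}")
```

Without diagnostics the SFF of 50% makes a single channel inadmissible even though the PFH alone would allow SIL 3; with diagnostics the SFF rises to 97.7% and the single-channel limit becomes SIL 2, SIL 3 with one channel of redundancy.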
22. Hercules RM block diagram: 12-bit 1 MSPS ADC; temperature sensor; multi-buffer SPI; temperatures -40 C to 105 C; power & clocking: OSC, PLL, CLKMON, VMON; up to 4MB Flash w/ ECC, up to 512KB SRAM w/ ECC, up to 128KB data Flash; external memory: 16-bit parallel interface; communication; debug: real-time JTAG, 32-bit trace (ETM), calibration; safety & system: CPU BIST, SRAM BIST, DMA, windowed watchdog, external INT, GPIO. Software drivers & libraries: HALCoGen peripheral driver generation tool, SafeTI Diagnostic Library, CMSIS DSP Library; RTOS: SAFERTOS, Codesys; IDEs: Code Composer Studio, IAR; SafeTI Compiler Qualification Kit; SafeTI 3rd party ecosystem. Packages: 144p QFP 20x20mm, 100p QFP, 337p BGA 14x14mm, 16x16.

   Hercules RM Cortex-R roadmap 2012 to 2014: RM48L9x 220MHz R4F; RM57Lx 330MHz R5F, 4MB Flash, 512kB RAM; RM48L5x 200MHz, 2MB Flash, 192kB RAM; CAN, USB; SafeTI ISO & IEC (ISO 13849, IEC 61508); RM46L8x 220MHz R4F, 1.25MB Flash, 192kB RAM, SafeTI ISO & IEC; RM46L4x 200MHz R4F, 1MB
23. SafeTI HSK GUI screenshots (register dump omitted): diagnostic settings showing the companion-chip registers RD SAFETY STAT, RD SAFETY CHECK CTRL, RD SAFETY ERR STAT and RD DIAG; connected on COM1; safety cycles 2079; safety MCU TMS57Ux / TPS65; validation and calibration view (validating, global settings, diagnostic settings, privileged mode access and program sequence control registers, application).
25. HALCoGen and SafeTI Diagnostic Library; evaluation version of SafeRTOS; User Manual.

   Hercules Safety Documents, provided to assist in the safety certification process. Hercules component Safety Manual (SM): details the product safety architecture and recommended usage. Safety Analysis Report Summary (SAR1): summary of FIT rate and FMEDA at component level for IEC 61508 and ISO 26262. Detailed Safety Analysis Report (SAR2): full details of all safety analysis executed down to module level for IEC 61508 and ISO 26262; software tool for customizing analysis results to the customer use case. Safety Report: summary of compliance to IEC 61508 and/or ISO 26262.

   Safety Manual contents: summary of the development flow; description of the safety concept; list of diagnostics; list of assumptions (user's guide; Table 2: Summary of Safety Features and Diagnostics, with recommendation and possible latent diagnostics).

   Detailed Safety Analysis Reports: customer input for failure rate estimation: package used; customer input for transient fault estimation: application-specific flux factor coefficient based on JEDEC JESD89A; maximum power dissipation
26. Flash, 128kB RAM; Next Gen Mid, SafeTI ISO & IEC; RM42x 100MHz R4, 384kB Flash, 32kB RAM, SafeTI ISO & IEC, CAN.

   Supporting Automotive & Transportation safety: lockstep ARM Cortex-R based MCU with up to 480 peak DMIPS and 256KB to 4MB Flash memory; safety integrated in HW provides a high level of diagnostic coverage to reduce safety software overhead; SafeTI system design packages make it easier to achieve safety certification and get to market quickly; developed to safety standards, for use in IEC 61508 SIL 3 and ISO 26262 ASIL D safety applications; flexible communication and control: Ethernet, FlexRay, CAN, up to 84 timer and 41 12-bit ADC channels. Development kit: LaunchPad, XDS350U Pro Trace, SafeTI Kit, Motor Control. SafeTI Design Packages for Functional Safety.

   TMS570x: temperatures -40 C to 125 C (Q100); up to 4MB Flash w/ ECC, up to 512KB SRAM w/ ECC, 128KB data Flash w/ ECC, cache w/ ECC; lockstep, fault detection control; external memory: 16-bit parallel interface; communication: N2HET timer, 10/100 Ethernet, CAN, FlexRay, UART/LIN, multi-buffer SPI, 12-bit ADC, temperature sensor; power & clocking: OSC, P
27. Certificate report excerpt. Texas Instruments Incorporated, 12201 Southwest Freeway, Stafford TX 77477, USA. Report 84873, Revision 1.0 of 2014-03-28. Test laboratory: TÜV SÜD Rail GmbH, Generic Safety Systems, Barthstrasse 16, D-80339 Munich.

   2 Basis of Evaluation. The regulations and guidelines which form the basis of the type testing are listed below. 4.1 Functional Safety: IEC 61508-2:2010, SIL 3, Functional safety of electrical/electronic/programmable electronic safety-related systems, Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems; ISO 26262-5:2011, ASIL D, Road vehicles, Functional safety, Part 5: Product development at the hardware level (Table 2, Functional Safety).

   5 Result of the concept review. 5.1 Concept review based on IP FMEAs: to evaluate the platform architecture according to the required failure modes defined in N1 and M2 for SIL 3 and ASIL D, the analysis method Failure Mode and Effects Analysis (FMEA) was used. For each IP an own FMEA was crea
28. JESD89A. Maximum power dissipation: application-specific power dissipation in Watts; 1.04 W is based on the maximum datasheet value. Automotive mission profile: total raw die permanent FIT 9.48; assumed lifetime in years; confidence level: desired confidence level of FIT rates. Based on RM48x v1.0 FMEDA worksheet. Operational profile from IEC TR 62380:2004: Temp1, Temp2, Temp3, ratios on/off, night starts, day light, non-used, vehicle starts, profile.

   IEC 61508 HW Metrics Calculation, Elevator Mission Profiles. Assumed elevator/escalator mission profile: 10 years service, 365 days per year, 18 hours on and 6 hours off per day; outside ambient temp 25 C; indoor ambient temp T4 / PCB temp 60 C; Ton = 0.75, Toff = 0.25, n = 1 x 365 cycles; ΔT (chip junction temp increase vs. T) 30 C assumed worst case (slide figures: 60, 25 C, 55 C). Customer input for failure rate estimation: package used: TI PBGA. Customer input for transient fault estimation: application-specific flux factor coefficient based on JEDEC JESD89A. Maximum power dissipation: application-specific power dissipation in Watts; 1.04 W is based on the maximum datasheet value. Elevator mission profile: total raw permanent FIT 103.37; assumed lifetime 10 years; confidence level (desired confidence level of FIT rates) 70. Based on RM48x v1.0 FMEDA worksheet; operational profile from IEC TR 62380:2004.
29. (Block diagram residue.) CLKMON, VMON. Debug: real-time JTAG, 32-bit trace (ETM), calibration. Safety and system: CPU BIST, SRAM BIST, windowed watchdog, external INT, GPIO.

Software drivers and libraries: HALCoGen peripheral driver generation tool; SafeTI Diagnostic Library; CMSIS DSP Library. RTOS: SAFERTOS, AUTOSAR. IDEs: Code Composer Studio, IAR. SafeTI Compiler Qualification Kit. Mathworks Simulink. 3rd-party ecosystem. Packages: 144-pin QFP 20x20 mm, 100-pin QFP, 337-pin BGA 14x14 mm.

Hercules TMS570 Cortex-R Roadmap (2012, 2013, 2014). Features: lockstep architecture, QEP, ePWM, Ethernet, CAN, FlexRay, ISO 26262, IEC 61508. TMS570LS21x: 180 MHz R4F, 2 MB Flash, 192 kB RAM, SafeTI ISO & IEC; also 3 MB Flash, 256 kB RAM variant. TMS570LS12x: 180 MHz R4F, 1.25 MB Flash, 192 kB RAM, SafeTI ISO & IEC. TMS570LS11x: 180 MHz R4F, 1 MB Flash, 128 kB RAM, SafeTI ISO & IEC. TMS570LS04x: 80 MHz R4, 384 kB Flash, 32 kB RAM, SafeTI ISO & IEC. TMS570LS03x: 80 MHz R4, 256 kB Flash, 24 kB RAM, SafeTI ISO & IEC. TMS570LC (2014, engineering samples): 300 MHz, 4 MB Flash, 512 kB RAM, next-generation mid-range, SafeTI ISO &
30. (Block diagram residue.) 192K Flash with 64K ECC; central resources; Main Cross Bar Arbitration and Prioritization Control; 64 KB Flash for EEPROM Emulation with ECC; Switched Central Resource; Peripheral Central Resource Bridge; High Frequency Central Resource; MDIO; EMAC. Slaves: MibADC1, MibADC2, N2HET2, GIO, FlexRay, DCAN1, DCAN2, DCAN3, MibSPI1, MibSPI3, MibSPI5, LIN, SCI.

Safety Critical Elements are elements within the MCU that implement the safety function. Diagnostics are necessary to detect safety-related failures. Sufficient diagnostic coverage (DC) is needed to meet the required IEC 61508 HW metrics per SIL level. In this example the safety critical elements are: CPU, Flash, SRAM, Interconnect, eQEP, eCAP, ePWM, system, ESM, I2C.

Safety Function Definition. Columns: Safety Function ID; Equivalent Safety Goal ID; Safety Function Input (MCU); Safety Function Processing (MCU); Safety Function Actuation (MCU). Input: receive motor torque command from remote host (CAN). Processing: calculate necessary output commands to motor based on desired torque and current. Actuation: drive three-phase PWMs to actuate motor (ePWM). Input: read current motor position feedback via qu
31. Quality Review and Unit Test Reports.

SafeTI Compliance Support Packages (continued). 8. Test Results Report: unit tests; safety functional tests; performance tests; resource usage tests; interface tests; fault injection tests. 9. Traceability report: requirements to design; requirements to source code; requirements to test case; backwards traceability. 10. Software Safety Manual: describes how to integrate safely into end-user application software. 11. ISO 26262 / IEC 61508 assessment report: shows review of the entire development process (internal assessment). 12. Executable test cases (HALCoGen only): setup for user-defined configuration. 13. Test Automation Unit (HALCoGen only): for executing unit tests with user-defined configuration.

Software Compliance Support Package Deliverables. ISO 26262: Clause 6 Specification of software safety requirements; bi-directional traceability; 7 Software architectural design; 9 Software unit testing; 10 Software integration and testing; 11 Verification of software safety requirements; 6.4.9 Safety Assessment. Standards: ISO 26262, IEC 61508. IEC 61508: Clause 7.2.2 Software safety requirements specification; forward and backward traceability at all stages; 7.4.3 Requirements for SW architecture design development; 7.4.5 Detailed design and development (individual software module design); 7
32. USB hub controller to manage USB communication between the host workstation and onboard MCUs, and serial communication port converters (FTDI) from the USB hub to the Safety DUT JTAG, the CMU device JTAG, and the UART for the GUI. The board utilizes an industry-standard DIMM form factor: it uses the standard 100-pin connector footprint to plug into selected TI motor control kits, and a standard 20-pin external JTAG header to facilitate expandability to non-CCS IDEs like IAR and Keil.

The SafeTI V HSK GUI: communicates permanently with the kit to request status information; monitors the different voltages of the power supply ranges; possibility to inject faults (disturb the power supply) or simulate errors in the application; the system reaction is monitored with timestamps (fault injection, fault indication, enter safe state); measures runtime execution of safety tests, which gives the user a clear picture of how to configure or calibrate the application; ability to configure settings for the Error Signalling Module and the TPS65381; application information is visualized, e.g. acceleration, temperature and some task state information.

The SafeTI V HSK GUI Overview. (GUI screenshot residue: Connect; Validating & Calibration; TPS65381 communication; counter values.)
33. TI / TÜV Rheinland Functional Safety Seminar, China. Texas Instruments Inc., Nov 2014.

Agenda: Overview of Hercules MCU and SafeTI Design package. Hercules MCU Functional Safety How-To Workshop: Safety Functions, Safety Goals, Safe State, SIL, Failure rate; Safety Critical Elements identification and Diagnostic Requirements; Safety Manual and Diagnostics Selection; Mission Profile and Failure Rate Estimation; SafeTI Diagnostic Library; Compliance Support Package (CSP) certification support; Fault Injection with HITEX kit. Summary.

Functional Safety Important for Many Industries: industrial, automotive and transportation. Standards residue from the figure: 50155, DO-254, 50128, DO-178B (railway, aerospace); IEC 60601; 50156; IEC 61508; Hercules Safety
34. adrature decoder (eQEP). Process safety time (PST): time between occurrence of a potential dangerous failure and the hazardous event. Equivalent Safety Goal: the motor shall deliver torque as commanded by the external host. Safe State (MCU): 1. disable motor driver relay (NHET); 2. indicate fault to system via warning lamp (GIO). (Figure residue: process safety time versus hazardous event.)

MCU Safety Diagnostic Requirements per Safety Function. SFR1: DCAN shall be considered safety critical (SIL 3). SFR2: ePWM shall be considered safety critical (SIL 3). SFR3: MCU safety-related processing shall be considered safety critical (SIL 3). [illegible] shall be considered safety critical. VIM shall be considered safety critical. [illegible] functions necessary to input processing and output shall be considered safety critical (SIL 3). Reset logic shall be considered safety critical (SIL 3). [illegible] shall be considered safety critical.

MCU Diagnostic Tests. Start-up diagnostics examples: SRAM self test; CPU self test; ADC self test; I/O loop back. [Heading illegible] diagnostics examples: CPU compare; clock monitor; power monitor; MPU.

What is Latent Diagnostics? Why it is important. Single E
35. afety related FIT: 347.09, 734.71, 2.69, 1084.48. Probability of Hardware Failures (PFH) in FIT: 220 / 08 / 2 316 (digits as scanned, illegible). Higher raw permanent FIT rate because of much longer on-time. No significant difference of Safe Failure Fraction (SFF). Probability of Hardware Failure (PFH) increases in proportion to the raw rate increase. Based on RM48x v1.0 FMEDA worksheet.

IEC 61508 HW Metrics Calculation: Impact of Confidence Level. Rows (repeated for each confidence level column): Confidence level; Permanent FIT; Transient FIT; Package FIT; Overall FIT; Number of units in field; Number of device hours per day; Device operating years; Total number of device operating years; Total number of device operating hours; Estimated number of failures due to permanent fault; Estimated number of failures due to transient fault; Estimated number of failures due to package fault; Estimated number of failures due to overall fault. Values as scanned: 6.20E-10, 6.80E-10, 6.00E-11, 1.36E-09, 1000000, 18, 1, 1.00E+06, 6.57E+09, 4.1, 4.5, 0.4, 8.9, 2.39E-09, 2.61E-09, 2
36. ailure rate; dangerous undetected failure rate. Note: a failure which results in the system changing mode of operation to a safe state is by definition a safe failure. Failure rate is often expressed in FITs: one FIT (Failure In Time) is 1 failure per billion hours of operation, i.e. 1 x 10^-9 failures/hour.

IEC 61508 HW Metrics vs Mission Profiles. IEC 61508 HW metrics with Automotive Mission Profile (70% confidence level); numbers are normalized to Die Permanent Total RAW FIT. Columns: Die Permanent, Transient, Package Permanent, Sum (Overall). Total FIT / Raw FIT: [illegible], 764.40, 69.89, 844.30. Probability of Hardware Failures (PFH) in FIT: 0.06 [remaining values illegible].

IEC 61508 HW metrics with Elevator Mission Profile (70% confidence level); numbers are normalized to Automotive Mission Profile Die Permanent Total RAW FIT. Columns: Die Permanent, Transient, Package Permanent, Sum (Overall). Total FIT / Raw FIT: 108.99, 764.44, 13.12, 886.55. Safety related FIT: 108.67, 734.61, 12.95, 856.24. Probability of Hardware Failures (PFH) in FIT: 0.69, 0.82, 0.0, 1.5. Safe Failure Fraction (SFF): 99.36, 99.89, 99.54, 99.82.

IEC 61508 HW metrics with Industrial Mission Profile (70% confidence level); numbers are normalized to Automotive Mission Profile Die Permanent Total RAW FIT. Columns: Die Permanent, Transient, Package Permanent, Sum. Total FIT / Raw FIT: 764.53, 2.9, 115.33 (as scanned) S
37. allback: ESM Application Callback. Not applicable; Not applicable; Not applicable; Not applicable. SL_SW_Reset: Not applicable; no software control, always enabled in hardware. SL_Init_ResetReason.

Hercules MCU safety features and SafeTI Diagnostic Library. API for running LBIST on the CPU by the STC; also supports the self-check feature of the STC, which tests the signature compare logic. Many APIs also provide a fault injection mode. API to perform tests on the ECC diagnostic feature; API to run the diagnostic modes on Flash memories; API to perform CRC calculation on memory ranges; API to run PBIST algorithms on all memories. Includes an ESM handler; provides an example application with abort handler; allows the application to register a callback for fault handling. API to test the CCM and to test the error forcing capabilities of the CCM. APIs for testing the safety diagnostics on PSCON; APIs to test the parity diagnostics for peripheral ... (cut). (Block diagram residue: Memory: Flash w/ ECC, RAM w/ ECC, EEPROM w/ ECC, Memory Interface, External Memory; Power, Clock & Safety: OSC, PLL, POR, ESM, CRC, RTI/DWWD, CPU Fault Detection, On-Chip Clock and Voltage Monitoring; Enhanced System Bus; Interrupt Module; CC for testin
38. ary of Safety Features and Diagnostics (columns: Unique identifier, Feature). Voltage monitor (VMON); External voltage supervisor. PSCON: Privileged mode access and multi-bit keys for control registers; software test of register configuration and error response; periodic software readback of static configuration registers; software readback of written configuration.

The Safety Manual provides: an overview of the safety architecture for management of random failures; the details of architecture partitions, implemented safety mechanisms and recommended usage; failure modes and failure rates.

IEC 61508 HW Metrics Calculation: Select Safety Features, CPU (from Safety Manual). Columns: Unique identifier; Device Partition; Safety Feature or Diagnostic; Diagnostic Used in Application. Cortex-R4F Central Processing Unit: CPU2A Boot-time execution of LBIST (STC); CPU2B Periodic execution of LBIST (STC); CPUA (as scanned) Online profiling using PMU; CPUSA (as scanned) Inter... Safety mechanisms associated with the CPU are selected: 1 means the safety mechanism is assumed in the HW metrics calculation, 0 means not assumed.
39. ay. Controller Area Network (DCAN): CAN6 Periodic hardware CRC check of DCAN contents; CAN7 Periodic SW readback of static configuration registers; Software readback of written configuration. Safety mechanisms associated with CAN are selected: 1 means the safety mechanism is assumed in the HW metrics calculation, 0 means not assumed. Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet.

IEC 61508 HW Metrics Calculation: Select Safety Features, Power Supply. Columns: Unique identifier; Device Partition; Safety Feature or Diagnostic; Diagnostic Recommendation; Used in Application. Power Supply: PWR1 Voltage monitor (VMON); PWR2 External voltage supervisor. Safety mechanisms associated with the Power Supply are selected: 1 means the safety mechanism is assumed in the HW metrics calculation, 0 means not assumed. Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet.

IEC 61508 HW Metrics Calculation: Select Safety Features, Package. High diagnostic coverage is assumed for the package via detection of failures with existing diagnostics, supplemented by application-level diagnostics. Examples: CAN: Information Redundancy Technique and boot-time I/O loop-back SW test; MibSPI: MSP2 Information Redundancy Technique and MSP1A boot-time
40. d which allows read and write access for the Cortex-R, the bus master. Access outside the defined region can be any of the modes: Read Only (read access allowed for memory accesses outside the region; write accesses are blocked); No Access (read and write access is blocked). In the event of a detected memory protection violation an error is indicated. Note: this is a simplified view. The programmer's model differs between IPs; the CPU IP will have significantly more options to control access via the MPU.

Digital Windowed Watchdog (DWWD). The DWWD module will reset the MCU or generate a non-maskable interrupt to the CPU if the application fails to service the watchdog within the appropriate time window. It is a safety diagnostic that can detect a runaway CPU. Includes a 25-bit down counter. Alerts the Error Signaling Module when a CPU interrupt is generated. Supports multiple service windows: 100%, 50%, 25%, 12.5%, 6.25%, 3.125%. Servicing requires a specific two-part key sequence. Once enabled, it can only be disabled by a system or power-on reset. (Figure residue: down counter from DWWD preload to 0; for each window size the open portion of the window during which servicing is accepted; interrupt on expiry.)
41. e. (Training agenda, two-column layout flattened.) Communication Interfaces: UART, LIN, CAN, FlexRay; Safety Standards Overview; Development Tools: HW kits, SW tools; Multi-Buffered Serial Peripheral Interface (MibSPI); IEC 61508 Safety Standard; Embedded Flash Memory tools; Lab 3: PC to SCI Communication; ISO 26262 Safety Standard; Real Time Interrupt (RTI); External Memory Interface (EMIF); Parameter Overlay; Random Fault Management; Vectored Interrupt Manager (VIM); Multi-buffered Analog to Digital Converter (MibADC); Safety System Architectures; Direct Memory Access; Support Structure: Web, Forum, WIKI; Hercules Safety Concept; General purpose GIO & NHET; Summary, Questions.

Who should attend: hardware and software developers; project managers; safety specialists; anyone interested in Hercules MCUs and functional safety.

3-Day Training Class: Safety Critical Design and Programming with Cortex-R4F based Hercules MCUs. Welcome and Intro; Hercules Product Overview; MCU ARM Cortex-R4F CPU Architecture; Multi-Buffer Serial Peripheral Interface (SPI, MibSPI); Roadmap Overview; Safety Standards and Hercules Safety; System Module Overview; DCAN Features; Device setup and startup; Real Time Interrupt; FlexRay Transfer Unit; HALCoGen Exercise; Vectored Interrupt Manager; Multi-Buffer ADC (MibADC); Code Composer Studio Demonstration; CRC Controller; CPU Compare Module; Summary, Questions.
42. e safety mechanism is assumed in the HW metrics calculation, 0 means not assumed. Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet.

Error Signaling Module (ESM). Errors for Group 1: low-level interrupt handling. Errors for Group 2: high-level interrupt handling. Errors for Group 3. Error counter, preload, signal control and low-time counter drive the outputs: to the Interrupt Manager and to the nERROR pin.

Clock Monitoring. External clock prescaler: allows external monitoring of the CPU clock frequency; configurable pin (GIO). Oscillator monitor: detects a failure if the oscillator frequency exceeds the defined min/max thresholds; selectable hardware response on oscillator fail: reset device, or switch to the internal low power oscillator (LPO) clock source. FMPLL slip detector: indicates PLL slip if phase lock is lost; selectable hardware response on PLL slip: reset device, switch to the internal low power oscillator (LPO) clock source, or switch to the external oscillator clock source; refer to the device data sheet. (Figure residue: input from CLK signal to oscillator; CLK control module; bypass on slip; slip detector; reset on slip (ROS) to device reset.)

Dual Clock Comparator (DCC). The DCC module is used to measure the frequency of a clock signal using a second clock signal as a reference. All
43. ease notes. Regular updates for enhancements and fixes. Free click-wrap license agreement.

SafeTI Compliance Support Package: SafeTI software documentation and testing. Assists the customer to comply with functional safety standards: Safety Requirements Document, Code Review and Coverage Reports, Unit Test Results, Software Safety Manual. Unit test capability using LDRAunit, if applicable. See pricing; signed license agreement.

SafeTI Tool Qualification Kit: SafeTI tool documentation and qualification. Assists the customer to qualify the tool to functional safety standards: Tool Classification Report, Tool Qualification Plan and Report, Tool Safety Manual. Test Automation Unit or LDRAunit, if applicable. See pricing; signed license agreement.

Hercules Software and Tool Packages. Standard Package: code in source form (see note); GUI for user configuration, if applicable; software/tool user guide; data sheet; release notes. Compliance Support Package: Software Safety Requirements Document; Software Safety Architecture Document; Code Review Report w/ MISRA-C; Quality Review Report; Dynamic Coverage Analysis Report; Unit Test Regression Repor
Tool Qualification Kit: Tool Safety Requirements Document; Tool Safety Architecture Document; Code Review Report w/ MISRA-C; Quality Review Report; Dynamic Coverage Analysis Report.
44. estrictive than certified compilers. Application of the kit assessed by TÜV Nord to comply with both IEC 61508 and ISO 26262. Includes: Qualification Support Tool (model based); process-specific documentation: Tool Classification Report, Tool Qualification Plan, Tool Qualification Report, Tool Safety Manual; SuperTest qualification suite; TI compiler validation test cases; Test Automation Unit (TAU); 24 hrs of Validas consulting services; TÜV Nord assessment report. (Figure residue: Code Composer Studio, TI ARM Compiler, approved for IEC 61508 / ISO 26262.)

Agenda: Hercules MCU Functional Safety How-To Workshop: Safety Functions, Safety Goals, Safe State, SIL, Failure rate.

SafeTI Design Packages for Functional Safety. SafeTI design packages help meet functional safety requirements while managing both systematic and random failures. Functional Safety: risk reduction; applying functional safety standards (SIL 1, 2, 3, 4). The workshop will address how to manage MCU hardware random failures and how to estimate the failure rate vs SIL. Systematic failures: software requirements, software support. Random failures: diagnostics, architectural metrics.
45. g the safety memories and perform SRAM diagnostics; EFUSE data parity; fault injections; CRC calculation on multiple memory ranges. (Block diagram residue: Dual Timers; Network Interfaces; Loop Back; ADC Self Test; ADC Interfaces.) Legend: Safe Island hardware diagnostics (red); Blended HW diagnostics (blue); Non-safety-critical functions (black).

User examples: the SafeTI Diagnostic Library is integrated into the Hitex Safety Kit: a Safety Device Under Test (Hercules) running the application, and a Monitor & Control Hercules running the monitor and control software. Example User Application: SAFERTOS and TI Safety Library on the Hercules Safety MCU, TPS65381 Safety Companion as power supply, and a Control MCU.

Agenda: Hercules MCU Functional Safety How-To Workshop: SafeTI Diagnostic Library; Compliance Support Package (CSP) certification support.

Hercules and SafeTI Software and Tool Packages. Hercules Software Tools: Hercules standard software and tools packages. Assists in software development on Hercules Safety MCUs; provides the actual software/tool with source code and GUI; user guides, datasheets, rel
46. (Block diagram residue: FlexRay Transfer Unit; Peripheral; Serial Peripheral Interface; SPI4; Real Time Interrupt (RTI) / Operating System Timer; System RAM; System Interconnect; Ethernet; External Memory Interface (EMIF); Universal Serial Bus (USB); Inter-Integrated Circuit; Power; Flash; N2HET; FTU; Peripheral Central Resource Bridge.) Allow customization of the failure rate estimation: include only the MCU modules used by the application; include the actual Flash and SRAM memory size used.

FMEDA worksheet: Safety Mechanisms Tailoring. Safety mechanisms considered in the FMEDA: CPU: [illegible] of LBIST (STC); Power Management Module: [illegible]; Power Management Module registers; Power Management Module: SW readback of written configura
47. ion of diagnostics. 4.2 Summary of IEC 61508 Safety Metrics at Device Level (BGA Package). Table 3 provides estimates of FIT rates and calculated safety metrics per IEC 61508-2:2010, using the previously noted assumptions, for the device in BGA package. Available under NDA (User's Guide). Rows: Total FIT; Raw FIT; Safety Related FIT; Total non-safety-related faults; Total dangerous faults; Total dangerous detected faults; Total dangerous undetected faults; Probability of Hardware Failures in FIT; Safe Failure Fraction.

IEC 61508 HW Metrics Calculation: Failure Rate. Random hardware failure: package; die (silicon) permanent; die (silicon) transient. Multiple ways for random failure rate estimation: MIL-HDBK-217F Military Handbook, Reliability Prediction of Electronic Equipment; Siemens Norm SN29500-2010, Failure Rates of Components; IEC TR 62380:2004 Reliability Data Handbook, Universal Model for Reliability Prediction of Electronics, PCBs and Equipment; supplier reliability data from similar products already in production and deployed under similar operating conditions. TI has selected to use IEC TR 62380 because it is more aligned to semiconductor physics models. Failure rate is measured in FIT, where 1 FIT is 1 fail in 10^9 operating hours.

IEC 61508 HW Metrics Calculation: Failure Rate, Mission Profiles. Failure
48. ion of customer product. The current implementation is limited to the safe island set of peripherals.

Safety Manual to API mapping, SafeTI Diagnostic Library. (Doxygen page residue: SafeTI Diagnostic Library for the Hercules processors; Main Page, Related Pages, Modules, Data Structures, Files.) Safety manual to API mapping: columns Unique Identifier; Device Partition; Safety Feature or Diagnostic; Remarks.

Power Supply: Voltage monitor (VMON); External voltage supervisor. Power Management Module (PMM): PMM1 Lockstep PSCON; PMM2 Privileged mode access and multi-bit keys for control registers; PMM3 Periodic software readback of static configuration registers; PMM4 Software readback of written configuration. Clock: LPOCLKDET; PLL slip detector; Dual Clock Comparator (DCC); CLK1, CLK2, CLK3; CLK4 External monitoring via ECLK; CLK5A Internal watchdog (DWD); CLK5B Internal watchdog (DWWD); External watchdog; Periodic software readback of static clock configuration registers; CLK6 Software readback of written configuration. Reset: External monitoring of warm reset; Software check of last reset; Software warm reset generation; Glitch filtering on reset pins; Use of status shadow registers.

Remarks column (in slide order): Not applicable; No software control, always enabled in hardware; Not applicable; External monitoring; SL_SelfTest_PSCON; SL_SelfTest_PSCON; SL_Read_Compare; SL_Read_Compare; Not applicable; ESM Application C
49. ion with HITEX kit; Summary.

Estimate SFF/PFH per Safety Function. Now we have a safety function and a SIL requirement. How to estimate the SFF/PFH to determine if the SIL requirement can be met? (Flow: Hazard & Risk Analysis; Safety Function Definition; SIL Determination (SIL 1, 2, 3, 4); Allocation of Safety Requirements; HW Safety Requirements (SFF, PFH), SW Safety Requirements, Process Safety Requirements.)

Estimate MCU SFF/PFH per Safety Function: use the Hercules MCU Detailed Safety Analysis Report & FMEDA worksheet; apply diagnostics to the used modules per safety function; evaluate the IEC 61508 failure rate summary; set up the mission profile of the system. What is the total failure rate per used conditions? What self test should be implemented? Done.

Detailed Safety Analysis Report & FMEDA worksheet. Detailed Safety Analysis Report for safety metrics at the MCU component level. Detailed Safety Analysis Report: assumptions of use applied in the calculation of safety metrics; summary of the IEC 61508 or ISO 26262 standard; a fault model used to estimate device failure rates and an example of customizing this model for use with the example application. FMEDA with details to the sub-module level of the MCU that enables calculation of safety metrics based on customized applicat
50. n, i.e. the SIL level and how much risk reduction. The Safety Integrity Level (SIL 1, 2, 3, 4) is determined by the consequence and the frequency of the hazardous event. The higher the SIL level, the higher the risk reduction requirements.

Safety Integrity Level. The Safety Integrity Level is characterized by SFF and PFD_avg / PFH: Safe Failure Fraction (SFF); Probability of Failure on Demand, average (PFD_avg); Probability of Failure per Hour (PFH).

$\mathrm{SFF} = \frac{\lambda_{\mathrm{SAFE}} + \lambda_{\mathrm{DANGEROUS\ DETECTED}}}{\lambda_{\mathrm{SAFE}} + \lambda_{\mathrm{DANGEROUS\ DETECTED}} + \lambda_{\mathrm{DANGEROUS\ UNDETECTED}}} = 1 - \frac{\lambda_{\mathrm{DANGEROUS\ UNDETECTED}}}{\lambda_{\mathrm{SAFE}} + \lambda_{\mathrm{DANGEROUS\ DETECTED}} + \lambda_{\mathrm{DANGEROUS\ UNDETECTED}}}$

Failure rates (λ) are needed to calculate all these.

Safety Integrity Level. Table 2: Safety integrity levels, target failure measures for a safety function operating in low demand mode of operation (average probability of a dangerous failure on demand of the safety function, PFD_avg):
SIL 4: >= 10^-5 to < 10^-4
SIL 3: >= 10^-4 to < 10^-3
SIL 2: >= 10^-3 to < 10^-2
SIL 1: >= 10^-2 to < 10^-1
Table 3: Safety integrity levels, target failure measures for a safety function operating in high demand mode of operation or continuous mode of operation (average frequency of a dangerous failure of the safety function, PFH, per hour):
SIL 4: >= 10^-9 to < 10^-8
SIL 3: >= 10^-8 to < 10^-7
SIL 2: >= 10^-7 to < 10^-6
SIL 1: >= 10^-6 to < 10^-5
Low demand functions have less stringent requirements. High
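The SFF and PFH relationships above, carried through in code as an added illustration (this is not TI's or the SafeTI worksheet's code). It takes a constructed safe / dangerous-detected / dangerous-undetected split in FIT, computes SFF as the slide defines it, and maps PFH to the Table 3 bands. Two things it assumes that the slide does not state: a single-channel (1oo1) function in continuous mode, for which IEC 61508-6 gives PFH = λ_DU, and the IEC 61508-2 architectural constraint for a type B element with hardware fault tolerance 0 (SFF below 60% not allowed, 60% to 90% SIL 1, 90% to 99% SIL 2, 99% and above SIL 3), so that the claimable SIL is the lower of the two criteria. The sample failure rates are constructed, not device data.

```python
"""IEC 61508 hardware metrics for one safety function: SFF, PFH and the SIL they support.

Added illustration, not TI code. Failure rates are in FIT (1 FIT = 1e-9 failures/hour),
the unit the SafeTI FMEDA worksheets use; the sample numbers below are constructed.
"""
from dataclasses import dataclass

FIT_TO_PER_HOUR = 1e-9  # one FIT is one failure per 10^9 operating hours

# IEC 61508 Table 3: PFH bands (per hour) for high-demand / continuous mode, highest SIL first.
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]

# Assumption: the MCU is a type B element used with hardware fault tolerance 0 (single channel).
# IEC 61508-2 architectural constraint for that case: SFF < 60% not allowed,
# 60%..<90% SIL 1, 90%..<99% SIL 2, >= 99% SIL 3.
SFF_BANDS_TYPE_B_HFT0 = [(3, 0.99), (2, 0.90), (1, 0.60)]


@dataclass(frozen=True)
class FailureRates:
    """Failure-rate split of one safety function's hardware, in FIT."""
    safe: float                   # lambda_S: failures that end in the safe state
    dangerous_detected: float     # lambda_DD: dangerous failures a diagnostic catches
    dangerous_undetected: float   # lambda_DU: dangerous failures no diagnostic catches

    @property
    def total(self) -> float:
        return self.safe + self.dangerous_detected + self.dangerous_undetected


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU) = 1 - lambda_DU / lambda_total."""
    if r.total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.safe + r.dangerous_detected) / r.total


def pfh_per_hour(r: FailureRates) -> float:
    """PFH of a single-channel (1oo1) function in continuous mode.

    Assumption: IEC 61508-6 simplified 1oo1 result, PFH = lambda_DU, converted from FIT to 1/h.
    """
    return r.dangerous_undetected * FIT_TO_PER_HOUR


def sil_from_pfh(pfh: float) -> int:
    """Highest SIL whose Table 3 band the PFH satisfies; 0 if PFH >= 1e-5 per hour."""
    for sil, _low, high in PFH_BANDS:
        if pfh < high:
            return sil
    return 0


def sil_from_sff(sff: float) -> int:
    """SIL permitted by the architectural constraint for type B, HFT 0; 0 below 60%."""
    for sil, threshold in SFF_BANDS_TYPE_B_HFT0:
        if sff >= threshold:
            return sil
    return 0


def achievable_sil(r: FailureRates) -> int:
    """Both criteria must hold, so the claimable SIL is the lower of the two."""
    return min(sil_from_pfh(pfh_per_hour(r)), sil_from_sff(safe_failure_fraction(r)))


# Constructed sample splits (not measured TI figures).
WELL_DIAGNOSED = FailureRates(safe=800.0, dangerous_detected=30.0, dangerous_undetected=0.5)
WEAKLY_DIAGNOSED = FailureRates(safe=100.0, dangerous_detected=0.0, dangerous_undetected=20.0)

if __name__ == "__main__":
    for name, rates in (("well diagnosed", WELL_DIAGNOSED), ("weakly diagnosed", WEAKLY_DIAGNOSED)):
        print(f"{name}: SFF={safe_failure_fraction(rates):.4%} "
              f"PFH={pfh_per_hour(rates):.2e}/h -> SIL {achievable_sil(rates)}")
```

The second sample shows the point the slides make about diagnostics: with no dangerous-detected share, 20 FIT of undetected dangerous failures still sits inside the SIL 3 PFH band, but the SFF of 83% caps the claim at SIL 1, so adding diagnostic coverage (moving rate from λ_DU into λ_DD) is what raises the achievable SIL.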
51. nal watchdog (DWD). Based on RM42x/LS04x/LS03x v0.8 FMEDA worksheet.

Cortex-R: ideal for safety-critical applications. Lockstep implementation (figure residue: two Cortex-R cores, cycle delay on input and output, control, compare). Safety features: supports lockstep; Memory Protection Unit (MPU); Error Correcting Code (ECC). Higher performance: 8-stage processor pipeline; dual issue (two instructions can execute in parallel); load/store unit reduces stalling; pre-fetch and branch prediction units; cache. Real-time determinism: Tightly Coupled Memory (TCM); fast interrupt response; deterministic interrupt response. Cortex-R5 based products.

CPU Self Test Controller (STC), LBIST. (Figure residue: clock controller, clock control, Cortex-R interface FSM, STC bypass, ATE interface, test controller, register block and compare interface block.) Provides high diagnostic coverage; significantly lowers SW and runtime overhead; no SW BIST (Built-In Self Test) code overhead in Flash; simple to configure and start BIST via register.

Memory Protection Unit (MPU). A dedicated Memory Protection Unit (MPU) is implemented for select bus masters. Bus masters include the CPU, DMA, lockstep HTU and the FTU. CPUs: a memory region is define
52. o reduce the probability of common cause failure. ARM Cortex-R lockstep CPU & lockstep interrupt; compare module for fault detection; ECC or parity on select peripheral, DMA and interrupt controller RAMs; parity or CRC in serial and network communication peripherals. Bold items are introduced with the new Cortex-R5 devices. (Block diagram residue: Calibration, JTAG Debug, Embedded Trace; Power, Clock & Safety: OSC, PLL, POR, CRC, RTI/DWWD; ECC for flash/RAM evaluated inside the Cortex-R; Flash/EEPROM w/ ECC; Dual ADC Cores; Memory Interface; External Memory; Enhanced System Bus; Vectored Interrupt Module; Dual High-end Timers; GIO; Serial and Network Interfaces; On-Chip Clock and Voltage Monitoring.) Legend: Safe Island hardware diagnostics; Blended HW diagnostics; Non-safety-critical functions. Memory BIST on all RAMs for fast memory test; Error Signaling Module w/ external error pin; protected bus and lockstep interrupt manager; I/O loop back; ADC self test; dual ADC cores with shared channels.

Hercules TMS570LS and RM4x Architecture Concept Assessment. Technical Report 3 on the Concept of the Hercules TMS570LSx and RM4x Platform Architecture. Manufacturer: Texas
53. ogitech.

SafeTI Hardware Development Process Certification. (Certificate figure residue: ZERTIFIKAT / CERTIFICATE.) TI's hardware functional safety development process has been certified for IEC 61508 SIL 3 and ISO 26262 ASIL D. The certification demonstrates TI's commitment to have a process suitable for developing hardware components that are compliant to ISO 26262 and IEC 61508.

Hercules and SafeTI Software and Tool Packages. Hercules Software and Tools: production-quality software to easily use Hercules MCUs; includes a GUI configurator where relevant; includes User Guide and Release Notes. Compliance Support Package: provides evidence to safety standards; includes Test Reports, Quality Metrics, Safety Manual, etc.; software developed to IEC 61508 & ISO 26262 requirements. SafeTI Tool Qualification Kit: assists in qualifying the TI ARM Compiler to functional safety standards; model-based tool qualification methodology; assessed to comply with both IEC 61508 and ISO 26262.

SafeTI Compiler Qualification Kit: assists in qualifying the TI ARM Compiler to functional safety standards. Qualification of a customer-specific use case can be less r
54. ows the application to ensure that a fixed frequency ratio is maintained between two clock signals. Supports the definition of a programmable tolerance window in terms of the number of reference clock cycles. Supports continuous monitoring without requiring application intervention; alternatively it can be used in a single-sequence mode for spot measurements. Flexible clock source selection for Counter 0 and Counter 1, resulting in several specific use cases. (Figure residue: Clock 0 sources, Clock 0 select, Counter 0 with Preload 0 and Valid Preload 0 / Valid Counter 0; Clock 1 sources, Clock 1 select, Counter 1 with Preload 1; clock compare.)

IEC 61508 HW Metrics Calculation: Select Safety Features, CAN (from Safety Manual). Columns: Unique identifier; Device Partition; Safety Feature or Diagnostic; Diagnostic Recommendation; Used in Application. Controller Area Network (DCAN): CAN1A Boot-time SW test of function using I/O loopback; CAN1B Periodic SW test of function using loopback; CAN2 Information redundancy techniques including end-to-end safing; CAN3 SRAM data parity; Boot-time PBIST check of DCAN RAM; Periodic PBIST check of RAM; Bit multiplexing in DCAN RAM arr
55. r D 123 45 Acceleration 210s > Current value X 0 45 > Current value Y 0 21
TEXAS INSTRUMENTS 98

Agenda
- Overview of Hercules MCU and SafeTI Design package
- Hercules MCU Functional Safety How-To Workshop
  Safety Functions, Safety Goals, Safe State, SIL, Failure rate
  Safety Critical Elements identification and Diagnostic Requirements
  Safety Manual and Diagnostics Selection
  Mission Profile and Failure Rate Estimation
  SafeTI Diagnostic Library
  Compliance Support Package (CSP) certification support
  Fault Injection with HITEX kit
- Summary
TEXAS INSTRUMENTS 99

Hercules MCUs: Accelerating Safety Products to Market
- Pre-approved for ISO 26262 / IEC 61508: Software, Development Tools, Proven in use, Consulting & Training
- Device FMEDA / FIT reports
- Hercules Safety MCU: Non-proprietary, Market accepted, Respected heritage
- Ease development, Aid certification, Usable by customer
- Pin & SW Compatible
- Certification Ready: Safety Chipset, ISO 26262 / IEC 61508, SafeTI Program compliant
TEXAS INSTRUMENTS 100

Hercules Training: www.ti.com/herculestraining
1 Day Training Class (Hercules) and 1 Day Safety Seminar: Introduction; Lab 1: Hercules MCU Demos; Lab 2: Using NHET as GIO; What is Functional Safety; Hercules Architectur
56. rmanent | Sum Total
Raw FIT | 1000 | 764.40 | 69.89 | 844.30
Safety related FIT | 734.58 | 68.95 | 813.49
Probability of Hardware Failures (PFH) in FIT | 000 08 013
Safe Failure Fraction (SFF) | 99.36 | 99.89 | 99.82 | 99.88
IEC 61508 categorization | Package | Overall | Transient | Permanent | Sum
Total faults | 1000 | 76440 | 844.30
Total non-safety related faults | 003 094 300
Total Safe faults | 524 328 47250
Total dangerous faults
Total dangerous Detected faults | 34 35 03
Total dangerous UnDetected faults
Details of IEC 61508 Metrics for Permanent and Transient faults
- By modules: CPU, Flash, SRAM, DCAN, ADC ...
TEXAS INSTRUMENTS 77

Agenda
- Overview of Hercules MCU and SafeTI Design package
- Hercules MCU Functional Safety How-To Workshop
  Safety Functions, Safety Goals, Safe State, SIL, Failure rate
  Safety Critical Elements identification and Diagnostic Requirements
  Safety Manual and Diagnostics Selection
  Mission Profile and Failure Rate Estimation
  SafeTI Diagnostic Library
  Compliance Support Package (CSP) certification support
  Fault Injection with HITEX kit
- Summary
TEXAS INSTRUMENTS 78

Hercules SafeTI Diagnostic library
57. rror Correct Double Error Detect (SECDED) ECC, shown for three cases:
- Case 1: Memory content OK; no error detected by ECC; Read to CPU OK
- Case 2: Memory single bit error; error detected & corrected by ECC; Read to CPU OK
- Case 3: Memory single bit error; error NOT detected & corrected by ECC; Read to CPU NOT OK
The bug in the ECC block will only violate the safety goal IN COMBINATION with a memory fault -> a latent fault. Need to test the diagnostic circuits such as ECC, Lock Step Compare.
TEXAS INSTRUMENTS 40

Agenda
- Overview of Hercules MCU and SafeTI Design package
- Hercules MCU Functional Safety How-To Workshop
  Safety Functions, Safety Goals, Safe State, SIL, Failure rate
  Safety Critical Elements identification and Diagnostic Requirements
  Safety Manual and Diagnostics Selection
  Mission Profile and Failure Rate Estimation
  SafeTI Diagnostic Library
  Compliance Support Package (CSP) certification support
  Fault Injection with HITEX kit
- Summary
TEXAS INSTRUMENTS 41

How to implement Diagnostics: Safety Manual
Microcontrollers User's Guide: Safety Manual for TMS570LS31x and TMS570LS21x Hercules ARM Safety Critical ... SAFETY MANUAL ... Table 2 Summ
58. t Unit Test Regression Report | Traceability report | Traceability report | Test Results Report | Safety Assessment Report (Internal) | Safety Assessment Report (Internal) | Compliance Level Tool | Templates for Compliance Documentation | Executable Test Cases | Executable Test Cases | Click Wrap License | Signed License Agreement | Signed License Agreement | Test Results Report | Free software | Safety Manual | Tool Safety Manual | See Pricing Table | See Pricing Table
* These are provided for software that is configurable by user, i.e. HALCoGen and CCS Compiler.
TEXAS INSTRUMENTS 87

SafeTI Compliance Support Packages
The following artifacts are provided as part of a SafeTI Compliance Support Package:
1. Software Tool Safety Requirements document: defines both functional and safety requirements of the software tool
2. Software Tool Safety Architecture Document: defines the architecture of the software tool including safety provisions
3. Code Review Report: provides the MISRA-C:2004 violations for the file
4. Quality Review Report: provides the HIS Quality metrics for the file
5. Dynamic Coverage Analysis Report: provides the Statement, Branch and MC/DC Coverage information
6. Unit Test Regression Report: shows the unit tests performed and the result of each unit test
7. Test Manager report: summary of the Code Review
59. ted. Within these FMEAs, diagnostic measures and timing aspects have been analysed. These FMEAs should be used in further development as input for the Safety requirement specification of several safety microcontroller devices.
Result: The FMEAs provided in the documents D1 to D38 were made by Texas Instruments Incorporated and reviewed by SÜD. The results of the FMEAs meet the requirements according to N1 and N2. These review results are recorded in R1 to R38. The effectiveness of the selected diagnostic measures has to be verified on the final device.
Summary: For the analyzed failure modes according to N1 and N2, appropriate diagnostic measures to reach SIL 3 or ASIL D have been specified. A concluding re-evaluation of the IP FMEAs has to be done in context of the final device.
TEXAS INSTRUMENTS 15

SafeTI Hitex Safety Kit (SafeTI-HSK)
- Cost effective entry into functional safety related to ISO 26262 and IEC 61508
- Evaluate the use and performance of the Hercules MCU safety features
- Easily apply the recommendations of the Hercules MCU & TPS65381 Safety Manual
- Inject System & CPU faults and monitor and measure the reaction via a GUI
- Includes Evaluation Board with integrated debug, USB cable and Power Supply
- Windows based GUI Demo Application with full source code
- Code Composer Studio ID
60. tion
[FMEDA worksheet screenshot: Power Management; PSCON lockstep compare self test (0 0 0 OK); PLL slip detector; CLK4 External monitoring via ...; CLK58 Internal watchdog (DWWD); Reset]
Allow customization of diagnostics selection. For example, CPU lock step compare and boot time LBIST are used while periodic LBIST is not used.
TEXAS INSTRUMENTS 75

FMEDA worksheet: Package Pin Tailoring (RESULTING DIAGNOSTIC COVERAGE, # of pins)
- High End Timer Modules (NHET): allow customer to adjust the number of pins used by module in its application. Example: 31 NHET1 pins are available; if only 20 pins are used, change to 20.
- Allow customer to input pin level application diagnostic with its own diagnostic coverage number.
TEXAS INSTRUMENTS 76

FMEDA worksheet: Metrics Summary / Details
Summary of IEC 61508 Metrics Examples: Permanent, Transient & Die / Package / Overall. Numbers are normalized to Die Permanent Total RAW FIT.
Permanent | Transient | Pe
