

# Hercules™ MCU: Battery Management Systems, EPS, Braking Systems, VCU in EV/HEV Applications

# Why Functional Safety?



BP's Deepwater Horizon oil well explosion last year killed 11 workers and caused the biggest offshore spill in US history. Photograph: Reuters

#### Why was there an explosion and fire on Deepwater Horizon oil rig?

According to BP's September 2010 report, the accident started with a "well integrity failure". This was followed by a loss of control of the pressure of the fluid in the well. The "blowout preventer", a device which should automatically seal the well in the event of such a loss of control, failed to engage. Hydrocarbons shot up the well at an uncontrollable rate and ignited, causing a series of explosions on the rig.

#### How many people were killed?

Eleven, from Texas, Louisiana and Mississippi.

Source: Guardian Newspaper

#### Toyota to Pay \$1.2B for Hiding Deadly 'Unintended Acceleration'

Source: ABC News, 2014

### Functional safety goals:

- Perform the intended functions
- When a failure occurs, fail predictably



### **ISO 26262 – Functional Safety of Road Vehicles**

ISO 26262-1, first edition 2011-11-15: Road vehicles — Functional safety — Part 1: Vocabulary (reference number ISO 26262-1:2011(E), © ISO 2011)

- Automotive-specific interpretation of IEC 61508, but it replaces IEC 61508 rather than extending it.
- Aligns with the automotive life cycle and supply hierarchy.
- Separates component design from system design. Most complex components must comply with the standard.
- TI participates in the US and international working groups and leads the semiconductor subgroup:
  - ISO/TC 022/SC 03/WG16
  - ISO/NP PAS 19451



# Hercules<sup>™</sup> TMS570 safety MCUs for automotive and transportation motor control



### Extending Hercules TMS570 safety MCU platform

- From 120 MIPS to 500 DMIPS lockstep ARM Cortex-R core
- From 128 KB to 4 MB flash
- Cortex-R4 and Cortex-R5 options
- Fixed- and floating-point options

#### Proven safety architecture

- ISO 26262, IEC 61508
- Lockstep CPUs
- CPU and RAM built-in self test
- Flash & RAM ECC
- Clock, Voltage monitoring

### Expanded motor control support

- Enhanced PWMs, capture and Quadrature Encoder Interface
- New MotorWare<sup>™</sup>-enabled Kits
- New DSP Library

#### SafeTI™ Design Packages

Docs, Tools, Software

- Complementary, safety-enabled components
- Safety Development Processes





### TMS570LC4x Block Diagram

Lockstep ARM Cortex-R5F Cached Floating Point MCU

#### Features

Performance / Memory

- Up to 300 MHz ARM Cortex-R5F w/ Floating Point
- Up to 4MB Flash and 512KB Data SRAM w/ECC
- 32KB Instruction & 32KB Data Cache w/ECC
- Dedicated 128KB Data Flash (EEPROM Emulation)
- 16 Channel DMA

#### Safety

- Dual CPUs in Lockstep, CPU Logic Built-in Self Test (LBIST)
- Up to 16 CPU MPU regions, Flash & RAM w/ ECC (w/ bus protection)
- Memory Built-in Self Test (PBIST), Cyclic redundancy checker module (CRC)
- Select peripheral RAMs protected by Parity/ECC

#### **Communication Networks**

- 10/100 MAC, 4 CAN Interfaces
- 5 Multi-Buffered SPI, 4 UART (2 LIN capable), 2 I2C

#### **Enhanced I/O Control**

- 2x Timer Coprocessor (N2HET) w/DMA
  - Up to 64 total channels (2x32)
  - Pins can be used as Hi-Res PWM or Input Capture
- Motor Control Timers
  - ePWM, eCAP, eQEP
- 2 x12-bit Multi-Buffered ADC
  - Up to 48 total input channels
  - Calibration and Self Test

- Up to 145 GPIO pins (16 dedicated)

Block diagram (TMS570LC4x, -40°C to 125°C, AEC-Q100):

- CPU: ARM Cortex-R5F up to 300 MHz, Memory Protection Unit, lockstep CPU fault detection
- Memory: up to 4 MB Flash (w/ ECC), up to 512 KB SRAM (w/ ECC), 128 KB EEPROM (emulated)
- Debug: JTAG, ETM, RTP, DMM
- Power & Clocking: OSC/PLL, CLKMON, VMON
- Safety & System: CPU BIST, SRAM BIST, CRC, OS Timers, Windowed Watchdog, DMA w/ Memory Protection, System Bus and Vectored Interrupt Module
- Analog: 12-bit MibADC1 (24 ch), 12-bit MibADC2 (24 ch), Temperature Sensor
- Memory Interface: SDRAM/ASYNC EMIF
- Communication: 10/100 EMAC, 4x CAN, 5x Multi-Buffer SPI, 4x UART (2 LIN capable), 2x I2C
- Control Peripherals: High End Timer (N2HET), ePWM (14 ch), eCAP (6x), eQEP (2x)
- Input/Output: GIO/INT (16)
- Package: BGA (16x16 mm)
- Targeted applications: high-end IEC 61508 and ISO 26262 safety applications; automotive, rail, aerospace (COTS)

### TMS570LS31x/21x Block Diagram


#### Lockstep ARM Cortex-R4F w/ Floating Point

#### Features

#### Performance / Memory

- Up to 180 MHz ARM Cortex-R4F w/ Floating Point
- Up to 3MB Flash and 256KB Data SRAM
- Dedicated 64KB Data Flash (EEPROM Emulation)
- 16 Channel DMA

#### Safety

- Dual CPUs in Lockstep
- CPU Logic Built in Self Test (LBIST)
- Up to 12 CPU MPU regions
- Flash & RAM w/ ECC (w/ bus protection)
- Memory Built-in Self Test (PBIST)
- Cyclic redundancy checker module (CRC)
- Select peripheral RAMs protected by Parity

#### **Communication Networks**

- 10/100 MAC, FlexRay w/ DMA, 3 CAN Interfaces
- 5 SPI (3 Multi-Buffered), 2 UART (1 LIN capable), 1 I2C

#### Enhanced I/O Control

- 2x Timer Coprocessor (N2HET) w/DMA
  - Up to 44 pins plus 6 monitor channels
  - Pins can be used as Hi-Res PWM or Input Capture
- 2 x12-bit Multi-Buffered ADC
  - 24 total input channels (16 shared)
  - Calibration and Self Test
- Up to 120 GPIO pins (16 dedicated)

Block diagram (TMS570LS31x, -40°C to 125°C, AEC-Q100):

- CPU: ARM Cortex-R4F up to 180 MHz, Memory Protection Unit, lockstep CPU fault detection
- Memory: up to 3 MB Flash (w/ ECC), up to 256 KB SRAM (w/ ECC), 64 KB EEPROM (emulated)
- Debug: JTAG, ETM, RTP, DMM
- Power & Clocking: OSC/PLL, CLKMON, VMON
- Safety & System: CPU BIST, SRAM BIST, CRC, OS Timers, Windowed Watchdog
- Analog: 12-bit MibADC1 (24 ch, 16 shared), 12-bit MibADC2 (16 ch, 16 shared)
- Communication: 10/100 EMAC, 2 ch FlexRay, 3x CAN (64 mailboxes)
- Timers: High End Timer 1 (N2HET1, 32 ch), High End Timer 2 (N2HET2, 14 ch)

Texas Instruments



### **Electric Vehicle – Architecture Overview**





# **Battery Management System (BMS)**

#### What is the Battery Management System?

- In an electric vehicle (EV) or hybrid electric vehicle (HEV), the battery management system monitors and controls the high-voltage battery stack. This includes:
  - Measuring the cells' charge, voltage, and health
  - Measuring the temperature of the cells
  - Controlling the current among cells to avoid over- or under-charging (cell balancing)



#### What does this E/E system consist of?

- Passive cell balancing
  - The technique places a bleed resistor across a cell when its state of charge exceeds that of its neighbors. This extends the useful lifetime (number of cycles) of the battery.
  - Simple but has resistive losses
- Active cell balancing
  - Shuttles energy among individual cells using a FET matrix to direct energy from higher-charged cells to lower-charged cells
  - High efficiency, but requires more circuitry

#### Thermal management

- Monitors temperature and controls heat/cooling for battery pack
- Maintains battery pack within temperature range for best operation of cell chemistry

#### Disconnect unit

- Disconnects high voltage from the rest of the car
- Disconnects during servicing or in case of a crash

#### Fuel cell management

- Monitors and controls the operation of the fuel cell unit in a fuel cell vehicle
- Controls the high voltage generated by the chemical reaction within the fuel cell



# **BMS: Functional Safety is Required**



- The primary concern with lithium-ion batteries is the potential for thermal runaway, caused by an internal short in a cell, a manufacturing flaw, or an accident.
- BMS systems monitor the cell voltages and temperatures and alert the vehicle control unit of any abnormalities.
- Car manufacturers require that BMS development be done according to the ISO 26262 functional safety standard, up to ASIL C/D.
- Battery Management Systems are expected to continue to grow!
- ISO 26262 is the automotive functional safety standard. Hercules MCUs are certified to ISO 26262 ASIL-D.





Source: http://energy.gov/eere/vehicles/fact-918-march-28-2016-global-plug-light-vehicle-sales-increased-about-80-2015



### TMS570 Active Cell-Balancing Battery Management: TIDM-TMS570BMS TI Design

#### Features

- The diagnostic features of the TMS570LS0432 microcontroller (MCU) are enabled to monitor and report the TMS570LS0432 status at run time.
- The TMS570LS0432 MCU configures the BQ76PL455A-Q1 for monitoring cell voltages and checks the BQ76PL455A-Q1 status at run time.
- The TMS570LS0432 MCU analyzes the data from all battery cells and generates the active cell balancing command.
- The TMS570LS0432 MCU commands the EMB1428Q for cell balancing and monitors the EMB1428Q and EMB1499Q status at run time.

#### **Benefits**

- Demonstrates the TMS570LS0432 (an ISO 26262 capable MCU) supporting active cell balancing between one cell in a 16-cell battery module and a 12 V supply, for emulation of an HEV/EV application.
- Demonstrates building the system example from off-the-shelf TI evaluation kits: the TMS570LS0432 LaunchPad and the EM1402 BMS EVM.

#### **Target Applications**

- Electric and Hybrid Electric Vehicles (EVs, HEVs, PHEVs, and mild hybrids)
- Energy Storage (ESS)
- Uninterruptible Power Supplies (UPSs)
- E-Bikes and E-Scooters

#### Tools & Resources



- <u>TIDM-TMS570BMS TI Design Folder</u>
  - User Guide
  - Relevant Design Files
- Device Datasheets:
  - TMS570LS0432
  - BQ76PL455A-Q1
  - <u>EMB1428Q</u>
  - <u>EMB1499Q</u>





# Safety Motor Control Block Diagram




# **Anti-Lock Braking Block Diagram**




## **Electronic Stability Control Block Diagram**




# **Hercules** Product & Process Certification



- First devices certified by Exida for IEC 61508 SIL-3 use in 2011
- TÜV-SÜD certified the SafeTI Hardware functional safety development process in 2013 for:
  - IEC 61508 SIL-3
  - ISO 26262 ASIL-D
- Hercules MCUs certified for IEC 61508 SIL-3, ISO 26262 ASIL-D:
  - Hercules MCU Safety Architecture
  - Device (RM42, RM46x, RM48x)
  - Device (TMS570LS03x/04x/11x/12x/21x/31x)
- TÜV-Nord certified the SafeTI Software functional safety development process in 2015 for
  - IEC 61508 SIL-3
  - ISO 26262 ASIL-D
- TÜV-SÜD concept assessment in 2014 for ISO 13849:
  - Lockstep MCU + Safety Companion Power Supply



### **Applying Functional Safety Standards**



# **SafeTI** Software Framework

SafeTI<sup>™</sup> software development process certified by TÜV NORD as meeting ISO 26262 and IEC 61508 requirements





### HALCoGen - Hardware Abstraction Layer Code Generator

### **HALCoGen Features**

- User Input on High Abstraction Level
- Generates C Source Code for Hercules™ MCU
  - Peripheral Drivers
  - Device Initialization
- Native support for CCS, ARM, IAR and GHS IDEs
- Interactive Help System with example code



SafeTI™ HALCoGen Compliance Support Package: <u>www.ti.com/tool/safeti-halcogen-csp</u>





# **Hercules** SafeTI<sup>™</sup> Diagnostic Library

Provides simple interfaces and a framework for:

- Initializing and enabling the safety diagnostics/features prescribed by the Hercules Safety Manual
- Fault injection to allow testing of application fault handling

- Error Signaling Module (ESM) handler callback routine
- Profiling for measuring time spent in diagnostic tests/fault handling

Excerpt of the Safety Manual diagnostics table covered by the library (Device Partition / Unique Identifier / Safety Feature or Diagnostic):

- Cortex-R4F CPU (CPU1, CPU2A, CPU2B, CPU7): lockstep compare, boot-time execution of LBIST STC, periodic execution of LBIST STC, software readback of written configuration
- Error Signaling (ESM1, ESM3, ESM4): use of status shadow registers, software readback of written configuration, periodic software readback of static configuration
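The two readback diagnostics named above, software readback of written configuration and periodic software readback of static configuration, as an added example written for this page; it is not code from TI's SafeTI Diagnostic Library or HALCoGen. The register block, the `esm_cfg_error()` hook and the software CRC-32 are hypothetical stand-ins: on a real Hercules device the readback would target the peripheral's actual registers, the CRC would normally be computed by the CRC module, and the hook would raise an ESM error.

```c
/* Added example (not TI SafeTI Diagnostic Library code): software readback of
 * written configuration plus periodic readback of static configuration, with an
 * ESM-style error hook. The register block is a RAM struct standing in for a
 * memory-mapped peripheral so this runs on a host; the software CRC-32 stands in
 * for the Hercules CRC module; esm_cfg_error() stands in for raising an ESM
 * error. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {                 /* constructed peripheral register block */
    volatile uint32_t ctrl;      /* all 32 bits implemented */
    volatile uint32_t prescale;  /* only bits [7:0] implemented */
} sim_periph_t;

static sim_periph_t g_periph;
static unsigned g_cfg_errors;    /* faults reported via the error hook */

static void esm_cfg_error(const char *what, uint32_t expected, uint32_t actual)
{
    g_cfg_errors++;
    fprintf(stderr, "CFG ERROR: %s: expected 0x%08lx, read back 0x%08lx\n",
            what, (unsigned long)expected, (unsigned long)actual);
}

/* Write, read back immediately, compare. rw_mask selects the implemented,
 * readable bits so reserved/read-only bits do not produce a false fault. */
static bool cfg_write_verified(volatile uint32_t *reg, uint32_t value,
                               uint32_t rw_mask, const char *name)
{
    *reg = value;
    uint32_t rb = *reg;
    if ((rb & rw_mask) != (value & rw_mask)) {
        esm_cfg_error(name, value & rw_mask, rb & rw_mask);
        return false;
    }
    return true;
}

/* Static configuration set protected by a golden CRC taken after setup. */
typedef struct {
    const volatile uint32_t *regs[4];
    uint32_t masks[4];
    size_t count;
    uint32_t golden_crc;
} static_cfg_t;

/* Bitwise CRC-32 (reflected, poly 0xEDB88320) over the masked register values. */
static uint32_t static_cfg_crc(const static_cfg_t *c)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < c->count; i++) {
        uint32_t w = *c->regs[i] & c->masks[i];
        for (int b = 0; b < 32; b++) {
            uint32_t bit = (crc ^ (w >> b)) & 1u;
            crc = (crc >> 1) ^ (bit ? 0xEDB88320u : 0u);
        }
    }
    return ~crc;
}

static void static_cfg_seal(static_cfg_t *c) { c->golden_crc = static_cfg_crc(c); }

/* Periodic check, to be called from a cyclic task: recompute and compare. */
static bool static_cfg_periodic_check(const static_cfg_t *c)
{
    uint32_t now = static_cfg_crc(c);
    if (now != c->golden_crc) {
        esm_cfg_error("static configuration CRC", c->golden_crc, now);
        return false;
    }
    return true;
}

/* Scenario: verified writes, seal, one good periodic check, inject a bit flip,
 * check again. Returns the number of faults reported (expected 1). */
static unsigned demo_scenario(void)
{
    g_cfg_errors = 0;
    bool ok = cfg_write_verified(&g_periph.ctrl, 0x0000A5C3u, 0xFFFFFFFFu, "CTRL");
    /* bit 8 is unimplemented in PRESCALE: the mask keeps it out of the compare */
    ok = cfg_write_verified(&g_periph.prescale, 0x0000017Fu, 0x000000FFu, "PRESCALE") && ok;
    if (!ok) return g_cfg_errors;

    static_cfg_t cfg = { { &g_periph.ctrl, &g_periph.prescale },
                         { 0xFFFFFFFFu, 0x000000FFu }, 2, 0u };
    static_cfg_seal(&cfg);
    if (!static_cfg_periodic_check(&cfg)) return g_cfg_errors;

    g_periph.ctrl ^= 0x00000100u;            /* simulated transient bit flip */
    (void)static_cfg_periodic_check(&cfg);   /* must now report the corruption */
    return g_cfg_errors;
}

int main(void)
{
    printf("faults reported: %u\n", demo_scenario());
    return 0;
}
```

The read/write mask is the part that gets skipped in practice: reserved, write-only and write-1-to-clear bits have to be excluded from the compare, otherwise a correct write is reported as a fault and the diagnostic ends up disabled. The golden CRC is captured only after every verified write has succeeded, so a bad configuration cannot be sealed in as the reference.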






### **SafeTI™** Compliance Support Package (CSP)



- Assists customers using Hercules software components to comply with functional safety standards
- SafeTI software development process certified by TÜV NORD to IEC 61508 and ISO 26262
- CSPs Include:
  - Documentation:
    - Safety Requirements
    - Safety Manual
    - Static and Dynamic test results
    - Code coverage reports
    - MISRA-C results
    - Traceability report
  - Unit Test Capability:
    - TI unit level test cases




- Test Automation Unit (TAU) based on LDRAunit<sup>®</sup>
- Available NOW! for HALCoGen and SafeTI Hercules Diagnostic Library
  - www.ti.com/tool/safeti-halcogen-csp
  - www.ti.com/tool/safeti-hercules-diag-lib-csp
  - Customers can download the demo or submit request for production version



SafeTI Compliance Support Packages available now!

### SafeTI<sup>™</sup> Compiler Qualification Kit



Assists in qualifying TI C/C++ compilers to functional safety standards

- Flexible integration into development processes due to the model-based qualification method
- Assessed by TÜV Nord to comply with both IEC 61508 and ISO 26262
- Includes:
  - Qualification Support Tool (model-based)
  - Process specific documentation:
    - Tool Classification Report
    - Tool Qualification Plan
    - Tool Qualification Report
    - Tool Safety Manual
  - Solid Sands <u>SuperTest™</u> qualification suite
  - TI compiler validation test cases
  - Test Automation Unit (TAU)
  - 24hrs of <u>Validas</u> consulting services
  - TÜV Nord assessment report





### Hercules TMS570 AUTOSAR v4.0 rev3 Support



\*From partner



### **Applying Functional Safety Standards**



CSP = Compliance Support Package




### **ISO 26262 - Management of Random Failures**







### **Determining ISO 26262 ASIL Level**

- To determine the ASIL level of a system, a risk assessment must be performed for all identified hazards.
- Risk is composed of three components: Severity, Exposure and Controllability.





### **ASIL Determination Table**

### Risk = Severity × Exposure × Controllability

| Severity | Exposure | C1 Simply controllable | C2 Normally controllable | C3 Difficult to control |
|---|---|---|---|---|
| S1 Light and moderate injuries | E1 Very low | QM | QM | QM |
| | E2 Low | QM | QM | QM |
| | E3 Medium | QM | QM | ASIL A |
| | E4 High | QM | ASIL A | ASIL B |
| S2 Severe and life-threatening injuries (survival probable) | E1 Very low | QM | QM | QM |
| | E2 Low | QM | QM | ASIL A |
| | E3 Medium | QM | ASIL A | ASIL B |
| | E4 High | ASIL A | ASIL B | ASIL C |
| S3 Life-threatening injuries (survival uncertain), fatal injuries | E1 Very low | QM | QM | ASIL A |
| | E2 Low | QM | ASIL A | ASIL B |
| | E3 Medium | ASIL A | ASIL B | ASIL C |
| | E4 High | ASIL B | ASIL C | ASIL D |

Callout on the slide (worked example): overcharge. Severity: life-threatening injury (S2). Exposure: city road or highway, high probability (E4). Controllability: difficult for driver to …

# **Application Example**

BMS Function: Manage battery cell charging status and thermal management of battery pack



Simplified diagram for illustration purpose only



# **Application Example**

Hazard: cell over-temperature -> Risk: fire -> ASIL C

Safety Goal: Prevent cell over-temperature with thermal management



Simplified diagram for illustration purpose only



# MCU Safety Critical Elements per Safety Function



- Safety critical elements are the elements within the MCU that implement the safety function
- Diagnostics are necessary to detect safety-related failures
- Sufficient diagnostic coverage (DC) is needed to meet the required ISO 26262 HW metrics for the ASIL level
- In this example, the safety critical elements are: Safe Island, ADC, PWM, GIO



# **Managing Hardware Random Failures**




- Millions of transistors, metal lines, resistors, capacitors..
- Each component could fail (permanent and/or transient)
- A component failure could lead to a system failure

- Failure rate is measured in Failure In Time (FIT)
- 1 FIT is 1 fail in 10<sup>9</sup> operating hours
- Assuming 1 million cars on the road with 4 driving hours per day per car on average:
  - 100 FIT => ~150 failures per year

| ASIL   | SPFM | PMHF (FIT) |
|--------|------|------------|
| ASIL B | >90% | <100       |
| ASIL C | >97% | <100       |
| ASIL D | >99% | <10        |

What is the total system failure rate? If it represents an unacceptable risk, apply diagnostics until the total system failure rate is below the functional safety requirement.





# **MCU Failure Mode and Failure Rate**





#### Permanent random failures:

- Tox (oxide) integrity, short, open, stuck-at, drift, ...
- Sources of permanent component failure rate data:
  - MIL-HDBK-217F
  - SN29500
  - IEC/TR 62380
  - Supplier reliability data
  - ...
- TI uses IEC/TR 62380, where the number of transistors, number of memory bits, temperature and package effects can be modeled.
- Failure rate is commonly expressed in FIT (Failures In Time)
  - 1 FIT = 1 failure in 1E9 hours.



#### Transient random failures:

- Cosmic rays
- Failure rate data source: TI experiments in the Los Alamos lab and the TI lab



### Hercules<sup>™</sup> MCU safety diagnostic features




# How to implement Applicable Diagnostics?

### Hercules<sup>™</sup> Safety Manual

Safety Manual for TMS570LS12x and 11x Hercules™ ARM®-Based Safety Critical Microcontrollers (Literature Number SPNU360A, October 2012, revised December 2014)

| Device Partition | Unique Identifier | Safety Feature or Diagnostic | Feature Recommendation | Possible ISO 26262:2011 Latent Diagnostics |
|---|---|---|---|---|
| Power Supply | PWR1 | Voltage monitor (VMON) | M | External voltage supervisor |
| Power Supply | PWR2 | External voltage supervisor | ++ | Voltage monitor (VMON) |
| Power Management Module (PMM) | PMM1 | Lockstep PSCON | M | PSCON lockstep self test |
| Power Management Module (PMM) | PMM2 | Privileged mode access and multi-bit keys for control registers | M | Software test of register configuration and error response |
| Power Management Module (PMM) | PMM3 | Periodic software readback of static configuration registers | + | CPU lockstep |
| Power Management Module (PMM) | PMM4 | Software readback of written configuration | ++ | CPU lockstep |
| Power Management Module (PMM) | PMM5 | PSCON lockstep comparator self-test | ++ | Self-test autocoverage |

#### Table 2. Summary of Safety Features and Diagnostics

- An overview of the safety architecture for management of random failures
- The details of architecture partitions, implemented safety mechanisms, and recommended usage
- Failure modes and failure rates
- Use Chapter 6 to determine applicable safety mechanisms by MCU module such as Safe Island, SPI, ADC ...



### **Detailed Safety Analysis Report & FMEDA worksheet**



- Failure mode distribution calculated with TI MCU database using YOGITECH Safety Designer tool
- Failure mode coverage verified by fault injection in the TI MCU database using YOGITECH Safety Verifier tool

#### Available under NDA

TMS570LS12x Detailed Analysis Report spnu531a

#### **Detailed Safety Analysis Report**

- Assumptions of use applied in the calculation of safety metrics
- Summary of IEC 61508 or ISO 26262 standard safety metrics at the MCU component level
- A fault model used to estimate device failure rates and an example of customizing this model for use with the example application
- FMEDA with details to the sub-module level of the MCU, which enables calculation of safety metrics based on the customized application of diagnostics
- Use of the FMEDA worksheet:
  - FIT Estimation sheet to tailor use conditions
  - Product Function Tailoring sheet to select the MCU modules used in the safety function
  - Pin Level Tailoring sheet to select the MCU pins used in the safety function
  - Safety Mechanism Tailoring sheet to select the applied safety mechanisms
  - Summary and Details-ISO26262 or IEC61508 sheets to determine whether the MCU and module safety metrics are met
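The hardware-metric arithmetic behind the "apply diagnostics until the total system failure rate is acceptable" slide and behind the FMEDA worksheet tailoring sheets listed above, as an added example written for this page; it is not TI's FMEDA worksheet or YOGITECH Safety Designer output. The FIT values and diagnostic coverages are constructed for illustration, the element names follow the safety-critical elements named earlier (Safe Island, ADC, PWM, GIO), and the ASIL targets are the SPFM/PMHF values from the table in the "Managing Hardware Random Failures" section. PMHF is approximated by the single-point/residual failure rate, neglecting dual-point faults.

```c
/* Added example: ISO 26262 hardware metrics (SPFM, PMHF) from a per-element
 * FMEDA row set. NOT TI's FMEDA worksheet or Safety Designer output; FIT values
 * and diagnostic coverages are constructed for illustration. The ASIL targets
 * are the SPFM/PMHF figures from the slide table. Simplification: PMHF is the
 * single-point/residual rate only, dual-point (latent) contributions neglected. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *element;   /* MCU sub-module, as on the Product Function Tailoring sheet */
    double lambda_fit;     /* element failure rate in FIT (1 FIT = 1 failure per 1e9 h) */
    bool safety_related;   /* does it take part in the safety function? */
    double dc;             /* diagnostic coverage of the applied safety mechanism, 0..1 */
} fmeda_row_t;

typedef struct {
    double lambda_sr;        /* total safety-related FIT */
    double lambda_residual;  /* FIT not covered by any diagnostic */
    double spfm;             /* single-point fault metric, 0..1 */
    double pmhf_fit;         /* probabilistic metric for random HW failures, FIT */
} fmeda_result_t;

static fmeda_result_t fmeda_metrics(const fmeda_row_t *rows, size_t n)
{
    fmeda_result_t r = { 0.0, 0.0, 0.0, 0.0 };
    for (size_t i = 0; i < n; i++) {
        if (!rows[i].safety_related) continue;   /* deselected on the tailoring sheet */
        r.lambda_sr       += rows[i].lambda_fit;
        r.lambda_residual += rows[i].lambda_fit * (1.0 - rows[i].dc);
    }
    r.spfm     = (r.lambda_sr > 0.0) ? 1.0 - r.lambda_residual / r.lambda_sr : 0.0;
    r.pmhf_fit = r.lambda_residual;   /* single-point + residual faults only */
    return r;
}

/* Highest ASIL whose SPFM and PMHF targets are both met:
 * 'D', 'C', 'B', or '-' when even the ASIL B targets are missed. */
static char fmeda_asil_met(const fmeda_result_t *r)
{
    if (r->spfm >= 0.99 && r->pmhf_fit < 10.0)  return 'D';
    if (r->spfm >= 0.97 && r->pmhf_fit < 100.0) return 'C';
    if (r->spfm >= 0.90 && r->pmhf_fit < 100.0) return 'B';
    return '-';
}

/* Fleet-level reading of a FIT figure (the 100 FIT -> ~150 failures/year slide). */
static double fleet_failures_per_year(double fit, double cars, double hours_per_day)
{
    return fit * 1e-9 * cars * hours_per_day * 365.0;
}

/* "Apply a diagnostic": set the coverage of one element (Safety Mechanism Tailoring). */
static void apply_diagnostic(fmeda_row_t *rows, size_t n, const char *element, double dc)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rows[i].element, element) == 0) rows[i].dc = dc;
    }
}

/* Constructed case from the safety-critical elements named on the slide.
 * level 0: no diagnostics; 1: lockstep + ECC + basic I/O checks; 2: I/O coverage raised. */
static fmeda_result_t example_case(int level)
{
    fmeda_row_t rows[] = {
        { "CPU (Safe Island)", 20.0, true,  0.0 },
        { "SRAM",              15.0, true,  0.0 },
        { "Flash",             10.0, true,  0.0 },
        { "ADC",                8.0, true,  0.0 },
        { "N2HET/PWM",          6.0, true,  0.0 },
        { "GIO",                2.0, true,  0.0 },
        { "JTAG debug",         3.0, false, 0.0 },   /* not in the safety function */
    };
    size_t n = sizeof rows / sizeof rows[0];
    if (level >= 1) {
        apply_diagnostic(rows, n, "CPU (Safe Island)", 0.99);  /* lockstep compare */
        apply_diagnostic(rows, n, "SRAM",              0.99);  /* ECC */
        apply_diagnostic(rows, n, "Flash",             0.99);  /* ECC */
        apply_diagnostic(rows, n, "ADC",               0.90);  /* calibration / self test */
        apply_diagnostic(rows, n, "N2HET/PWM",         0.90);  /* output monitoring */
        apply_diagnostic(rows, n, "GIO",               0.60);  /* readback */
    }
    if (level >= 2) {
        apply_diagnostic(rows, n, "ADC",       0.99);
        apply_diagnostic(rows, n, "N2HET/PWM", 0.99);
        apply_diagnostic(rows, n, "GIO",       0.90);
    }
    return fmeda_metrics(rows, n);
}

int main(void)
{
    for (int level = 0; level <= 2; level++) {
        fmeda_result_t r = example_case(level);
        printf("level %d: SPFM %.2f%%  PMHF %.2f FIT  -> ASIL %c\n",
               level, 100.0 * r.spfm, r.pmhf_fit, fmeda_asil_met(&r));
    }
    printf("100 FIT over 1e6 cars at 4 h/day: %.0f failures/year\n",
           fleet_failures_per_year(100.0, 1e6, 4.0));
    return 0;
}
```

With these constructed numbers, level 1 lands at about 95.7% SPFM (ASIL B) even though the CPU and memories are at 99% coverage, because the low-coverage I/O elements dominate the residual rate; raising ADC/PWM/GIO coverage in level 2 moves the design to the ASIL C targets. That is the loop the worksheet supports: deselect modules that are not in the safety function, then add or strengthen mechanisms until the metric sheets report the targets as met.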







### ISO 26262/IEC61508 HW Metrics Calculation Mission Profiles

#### Customer input for failure rate estimation



- Automotive mission profile in IEC/TR 62380 (FMEDA worksheet default):
  - 10 years of service with 3 phases per day: night, day, not used
    - 2 night trips per day, 4 day trips per day, 30 days shut down
  - 3 temperature phases
    - Engine cold, engine warm, engine hot
  - On/Off ratio: 0.058 / 0.942

Based on the TMS570LS12x v1.0 FMEDA worksheet



### **FMEDA worksheet – Product Function Tailoring**

| Type         | Total Size | User Size | Unit   |
|--------------|------------|-----------|--------|
| SRAM         | 192        | 192       | Kbytes |
| FLASH        | 1.25       | 1.25      | Mbytes |
| FLASH-FEE    | 64         | 64        | Kbytes |

| Group | ID | Module | Used in safety function |
|---|---|---|---|
| CPU SubSystem | CPU | Cortex R4F Central Processing Unit (CPU) | YES |
| CPU SubSystem | VIM | Vectored Interrupt Module (VIM) | YES |
| CPU SubSystem | NA | LBIST | NO |
| CPU SubSystem | NA | PBIST | NO |
| DEBUG | JTG | Joint Test Action Group (JTAG) Debug/Trace/Calibration Access | NO |
| DEBUG | DBG | Cortex R4F Central Processing Unit (CPU) debug and trace | NO |
| DEBUG | POM | Parameter Overlay Module | NO |
| RAM System | RAM | SRAM and Level 1 (L1) Interconnect | YES |
| Flash System | OTP | One Time Programmable (OTP) Flash Static | YES |
| Flash System | FLA | Primary Flash and Level 1 (L1) Interconnect | YES |
| Flash System | FEE | Flash emulated EEPROM (FEE) | YES |
| INTERCONNECT | INC | Level 2/Level 3 (L2/L3) Interconnect | YES |
| SYSTEM | ESM | Error Signaling Module (ESM) | YES |
| SYSTEM | PMM | Power Management Module (PMM) | YES |
| SYSTEM | RST | Reset | YES |
| SYSTEM | SYS | System Control | YES |
| SYSTEM | CLK | Clock | YES |
| SYSTEM | EFU | EFuse Static Configuration | YES |
| SYSTEM | DMA | Direct Memory Access (DMA) | YES |
| SYSTEM | IOM | Input/Output (I/O) Multiplexing (IOMM) | YES |
| Peripheral                 | FRY      | FlexRey Including FlexRay Transfer Unit (FTU)                                      | NO  |
| Peripheral                 | CAN      | Controller Area Network (DCAN1)                                                    | YES |
| Peripheral                 | CAN      | Controller Area Network (DCAN2)                                                    | NO  |
| Peripheral                 | CAN      | Controller Area Network (DCAN3)                                                    | NO  |
| Peripheral                 | GIO      | General Purpose Input/Output (GIO)                                                 | YES |
| Peripheral                 | LIN      | Local Interconnect Network (LIN)                                                   | NÖ  |
| Peripheral                 | SCI      | Serial Communications                                                              | NO  |
| Peripheral                 | ADC      | Multi-Buffered Analog to Digital Converter (MIbADC1)                               | NÖ  |
| Peripheral                 | ADC      | Multi-Buffered Analog to Digital Converter (MIbADC2)                               | NO  |
| Peripheral                 | MSP      | Multi-Buffered Serial Peripheral Interface (MbSP(1))                               | NO  |
| Peripheral                 | MSP      | Multi-Buffered Serial Peripheral Interface (MbSP(3)                                | NO  |
| Peripheral                 | MSP      | Multi-Buffered Serial Peripheral Interface (MbSP(5)                                | NO  |
| Peripheral                 | HET      | Next Generation High End Timer (N2HET1) Including HET Transfer Unit (HTU1)         | NO  |
| Peripheral                 | HET      | Next Generation High End Timer (N2HET2) Including HET Transfer Unit (HTU2)         | NO  |
| Peripheral                 | SIPI     | Seriel Peripheral Interface (SPI2)                                                 | NO  |
| Peripheral                 | SPV      | Seriel Peripheral Interface (SPI4)                                                 | NO  |
| Peripheral                 | 811      | Real Time Interrupt (RTI) Operating System Timer                                   | YES |
| Peripheral                 | ETH      | Ethomet                                                                            | NO  |
| Peripheral                 | EMF      | External Memory Interface (EMIF)                                                   | NO  |
| Peripheral                 | USB      | Universal Serial Bus (USB)                                                         | NO  |
| Peripheral                 | NC       | Inter-Integrated Circuit (I2C)                                                     | NO  |
| Peripheral                 | CAP      | Enhanced Capture (eCAP1)                                                           | NO  |
| Peripheral                 | CAP      | Enhanced Capture (eCAP2)                                                           | NO  |
| Peripheral                 | CAP      | Enhanced Capture (eCAP2)                                                           | NO  |
| Peripheral                 | CAP      | Enhanced Capture (eCAP4)                                                           | NO  |
| Peripheral                 | CAP      | Enhanced Capture (eCAP5)                                                           | NO  |
| Peripheral                 | CAP      | Enhanced Capture (eCAPE)                                                           | NO  |
| Peripheral                 | QEP      | Enhance Quadrature Encoder Pulse (eQEP1)                                           | YES |
| Peripheral                 | GEP      | Enhance Quadrature Encoder Pulse (eQEP1)                                           | YES |
| Peripheral                 | PWM      | Enhanced Pulse Width Modulators (ePWM1)                                            | YES |
| Peripheral                 | PWM      | Enhanced Pulse Width Modulators (ePWM2)                                            | YES |
| Peripheral                 | PWM      | Enhanced Pulse Width Modulators (ePWM3)                                            | YES |
| Peripheral                 | PWM      | Enhanced Pulse Width Modulators (ePWM4)                                            | YES |
| Peripheral                 | PWM      | Enhanced Pulse Width Modulators (ePWM4)<br>Enhanced Pulse Width Modulators (ePWM5) | YES |
| Peripheral                 | PWM      | Enhanced Pulse Width Modulators (ePWM6)<br>Enhanced Pulse Width Modulators (ePWM6) | YES |
| Peripheral                 | PWM      | Enhanced Pulse Width Modulators (ePWM7)                                            |     |
| Peripheral<br>Power Supply | PWR      | Power Supply                                                                       | YES |
| rower aupply               | 1 PRINCE | Power outpry                                                                       | TES |



- Allow customization of failure rate estimation
- Include only MCU modules used by application
- Include actual Flash and SRAM memory size used

Based on TMS570LS12x v1.0 FMEDA worksheet



### FMEDA worksheet – Safety Mechanisms Tailoring

Safety mechanisms considered in the FMEDA

From Safety Manual:

| Device Partition              | Unique identifier | Safety Feature or Diagnostic                                  | Diagnostic Used in Application? |
|-------------------------------|-------------------|---------------------------------------------------------------|---------------------------------|
| Power Supply                  | PWR1              | Voltage monitor (VMON)                                        | 1                               |
| Power Supply                  | PWR2              | External voltage supervisor                                   | 1                               |
| Power Management Module (PMM) | PMM1              | Lockstep PSCON                                                | 1                               |
| Power Management Module (PMM) | PMM2              | Privileged Mode Access and Program Sequence Control Registers | 1                               |
| Power Management Module (PMM) | PMM3              | Periodic SW readback of static configuration registers        | 1                               |
| Power Management Module (PMM) | PMM4              | SW readback of written configuration                          | 1                               |
| Power Management Module (PMM) | PMM5              | PSCON lockstep compare self-test                              | 1                               |
| Clock                         | CLK1              | LPOCLKDET                                                     | 1                               |
| Clock                         | CLK2              | PLL slip detector                                             | 1                               |
| Clock                         | CLK3              | Dual Clock Comparator (DCC)                                   | 1                               |
| Clock                         | CLK4              | External monitoring via ECLK                                  | 0                               |
| Clock                         | CLK5A             | Internal watchdog (DWD)                                       | 1                               |
| Clock                         | CLK5B             | Internal watchdog (DWWD)                                      | 1                               |
| Clock                         | CLK5C             | External watchdog                                             | 1                               |
| Clock                         | CLK6              | Periodic SW readback of static clock configuration registers  | 1                               |
| Clock                         | CLK7              | SW readback of written configuration                          | 1                               |
| Clock                         | CLK8              | Software test of DCC operation                                | 1                               |
| Clock                         | CLK9              | Software test of DWD operation                                | 1                               |
| Clock                         | CLK10             | Software test of DWWD operation                               | 1                               |
| Reset                         | RST1              | External monitoring of warm reset                             | 1                               |
| Reset                         | RST2              | SW check of last reset                                        | 1                               |
| Reset                         | RST3              | SW warm reset generation                                      | 1                               |
| Reset                         | RST4              | Glitch filtering on reset pins                                | 1                               |
| Reset                         | RST5              | Use of status shadow registers                                | 1                               |
| Reset                         | RST6              | External watchdog                                             | 1                               |
| Reset                         | RST7              | Periodic SW readback of static configuration registers        | 1                               |
| Reset                         | RST8              | SW readback of written configuration                          | 1                               |
| Reset                         | RST9              | Software test of basic reset functionality                    | 1                               |

- Allow customization of diagnostics selection: '1' = diagnostic used, '0' = diagnostic not used
- Consult Safety Manual Chapter 6

Based on TMS570LS12x v1.0 FMEDA worksheet



### **FMEDA worksheet – Metrics Summary / Details**

Summary of ISO 26262 Metrics Examples – Permanent/Transient & Die/Package:

|                                                                    | Die Permanent | Die Transient | Package Permanent | Overall Sum |
|--------------------------------------------------------------------|---------------|---------------|-------------------|-------------|
| Total FIT (Raw FIT)                                                |               |               |                   |             |
| Safety related FIT                                                 |               |               |                   |             |
| Probabilistic Metric for random Hardware Failures - PMHF (in FIT)  |               |               |                   |             |
| Single Point Fault Metric - SPFM                                   | 99.58%        | 99.93%        | 99.93%            | 99.93%      |
| Latent Fault Metric - LFM                                          | 99.98%        | NA            | 100.00%           | 100.00%     |

ISO 26262 categorization as in ISO 26262:2011-10, 8.1.8

|                                                    |                            | Die Permanent | Die Transient | Package Permanent | Overall Sum |
|----------------------------------------------------|----------------------------|---------------|---------------|-------------------|-------------|
| Total faults                                       | $\lambda$                  |               |               |                   |             |
| Total Safety Related faults                        | $\lambda_{SR}$             |               |               |                   |             |
| Total Not Safety Related faults                    | $\lambda_{nSR}$            |               |               |                   |             |
| Total Safe faults                                  | $\lambda_{S}$              |               |               |                   |             |
| Total not Safe faults                              | $\lambda_{nS}$             |               |               |                   |             |
| Total faults with probability of violating the SG  | $\lambda_{PVSG}$           |               |               |                   |             |
| Total single point faults                          | $\lambda_{SPF}$            |               |               |                   |             |
| Total residual faults                              | $\lambda_{RF}$             |               |               |                   |             |
| Total Multi Point faults (ad)                      | $\lambda_{MPF}^{(ad)}$     |               |               |                   |             |
| Total Multi Point faults (t)                       | $\lambda_{MPF}^{(t)}$      |               |               |                   |             |
| Total Multi Point detected faults                  | $\lambda_{MPF,det}$        |               |               |                   |             |
| Total Multi Point latent faults                    | $\lambda_{MPF,l}$          |               |               |                   |             |

FMEDA worksheet is available under NDA

Based on TMS570LS12x v1.0 FMEDA worksheet
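The worked example below, added here and not TI's worksheet or its data, shows how the Product Function Tailoring (YES/NO per module) and Safety Mechanism Tailoring ('1'/'0' per diagnostic) sheets feed the λ classes of the summary table and the SPFM/LFM metrics, using the ISO 26262-5 Annex C formulas. Identifiers PWR1, CLK3 and CLK5C are taken from the sheet above; CPU1, RAM1 and CAN1 are hypothetical, and every FIT value, safe-fault fraction and diagnostic coverage is constructed.

```python
"""Added example, not TI's FMEDA worksheet or its data: a minimal calculator that
mirrors the tailoring sheets above. Every FIT value, safe-fault fraction and
diagnostic coverage is constructed; the formulas follow ISO 26262-5 Annex C."""
from dataclasses import dataclass, field

# Hardware architectural metric targets for ASIL D (ISO 26262-5:2011, Tables 4 and 5).
SPFM_TARGET_ASIL_D = 0.99
LFM_TARGET_ASIL_D = 0.90


@dataclass
class Diagnostic:
    """One row of the Safety Mechanism Tailoring sheet (coverages constructed)."""
    ident: str            # unique identifier as in the sheet, e.g. CLK5C
    name: str
    dc_residual: float    # coverage against faults that would violate the safety goal directly
    dc_latent: float      # coverage that reveals a multi-point fault before a second fault combines
    used: int = 1         # '1' diagnostic used, '0' diagnostic not used


@dataclass
class Module:
    """One row of the Product Function Tailoring sheet (FIT values constructed)."""
    partition: str
    name: str
    fit: float                   # raw permanent-fault rate in FIT (failures per 1e9 h)
    safe_fraction: float         # share of faults that cannot affect the safety goal
    diagnostics: list = field(default_factory=list)
    used: bool = True            # YES / NO column of the tailoring sheet


def module_lambdas(m: Module) -> dict:
    """Split one module's FIT into the lambda classes of the metrics table above."""
    lam_s = m.fit * m.safe_fraction      # safe faults
    lam_ns = m.fit - lam_s               # not-safe faults, to be covered by diagnostics
    active = [d for d in m.diagnostics if d.used]
    if not active:
        # No diagnostic at all: every not-safe fault is a single-point fault.
        return dict(fit=m.fit, sr=m.fit, s=lam_s, spf=lam_ns, rf=0.0, mpf_det=0.0, mpf_l=0.0)
    # Simplifying assumption: independent diagnostics, so a fault escapes only if all miss it.
    miss_rf = 1.0
    miss_l = 1.0
    for d in active:
        miss_rf *= 1.0 - d.dc_residual
        miss_l *= 1.0 - d.dc_latent
    lam_rf = lam_ns * miss_rf            # residual faults (module is covered, this fault is not)
    lam_mpf = lam_ns - lam_rf            # multi-point faults (controlled by a diagnostic)
    lam_mpf_det = lam_mpf * (1.0 - miss_l)
    lam_mpf_l = lam_mpf - lam_mpf_det    # latent multi-point faults
    return dict(fit=m.fit, sr=m.fit, s=lam_s, spf=0.0, rf=lam_rf,
                mpf_det=lam_mpf_det, mpf_l=lam_mpf_l)


def metrics(modules: list) -> dict:
    """Summary sheet: sum the lambdas of the modules marked YES and derive SPFM and LFM."""
    tot = dict(fit=0.0, sr=0.0, s=0.0, spf=0.0, rf=0.0, mpf_det=0.0, mpf_l=0.0)
    for m in modules:
        if not m.used:
            continue                     # product function tailoring: unused modules do not count
        for key, val in module_lambdas(m).items():
            tot[key] += val
    # SPFM = 1 - (λSPF + λRF) / λSR ; LFM = 1 - λMPF,latent / (λSR - λSPF - λRF)
    spfm = 1.0 - (tot["spf"] + tot["rf"]) / tot["sr"]
    lfm_den = tot["sr"] - tot["spf"] - tot["rf"]
    lfm = 1.0 - tot["mpf_l"] / lfm_den if lfm_den > 0 else 1.0
    return dict(tot, spfm=spfm, lfm=lfm,
                asil_d_ok=spfm >= SPFM_TARGET_ASIL_D and lfm >= LFM_TARGET_ASIL_D)


def example_device(external_watchdog_used: int = 1) -> list:
    """Constructed subset of a TMS570LS12x tailoring: PWR1, CLK3 and CLK5C are identifiers
    from the sheet above; CPU1, RAM1 and CAN1 are hypothetical; all numbers are made up."""
    vmon = Diagnostic("PWR1", "Voltage monitor (VMON)", 0.95, 0.90)
    dcc = Diagnostic("CLK3", "Dual Clock Comparator (DCC)", 0.90, 0.90)
    ext_wd = Diagnostic("CLK5C", "External watchdog", 0.60, 0.99, used=external_watchdog_used)
    lockstep = Diagnostic("CPU1", "Lockstep CPU compare", 0.99, 0.99)
    ecc = Diagnostic("RAM1", "SRAM ECC", 0.99, 0.99)
    e2e = Diagnostic("CAN1", "End-to-end CRC/counter on CAN frames", 0.95, 0.90)
    return [
        Module("CPU SubSystem", "Cortex R4F CPU", 40.0, 0.5, [lockstep, ext_wd]),
        Module("RAM System", "SRAM and L1 Interconnect", 30.0, 0.4, [ecc]),
        Module("SYSTEM", "Clock", 5.0, 0.3, [dcc, ext_wd]),
        Module("SYSTEM", "Power Supply", 5.0, 0.3, [vmon]),
        Module("Peripheral", "DCAN1", 10.0, 0.6, [e2e]),
        Module("Peripheral", "Ethernet", 20.0, 0.5, [], used=False),   # NO in the sheet
    ]


if __name__ == "__main__":
    for flag in (1, 0):
        r = metrics(example_device(external_watchdog_used=flag))
        print(f"CLK5C used={flag}: SPFM={r['spfm']:.2%} LFM={r['lfm']:.2%} ASIL D ok={r['asil_d_ok']}")
```

With the constructed numbers, flipping CLK5C (external watchdog) from '1' to '0' drops SPFM from about 99.14% to about 98.77%, which is exactly the kind of tailoring decision the Summary sheet is meant to expose against the ASIL D targets.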



### **FMEDA worksheet – Metrics Summary / Details**

Details of ISO 26262 Metrics Examples – Permanent/Transient & Die/Package:

Permanent faults:

| Component level | Device Partition (according to TI SM)                               | Raw permanent faults FIT | Total Safety Related faults | Safe fault failure rate $\lambda_S$ | $\lambda_{MPF,ad}$ | $\lambda_{MPF,t}$ | Multipoint fault detected $\lambda_{MPF,det}$ | Single Point Fault Metric |
|-----------------|---------------------------------------------------------------------|--------------------------|-----------------------------|-------------------------------------|--------------------|-------------------|-----------------------------------------------|---------------------------|
| CPU SubSystem   | Cortex R4F Central Processing Unit (CPU)                            |                          |                             |                                     |                    |                   |                                               | 99.94%                    |
| CPU SubSystem   | Vectored Interrupt Module (VIM)                                     |                          |                             |                                     |                    |                   |                                               | 99.76%                    |
| CPU SubSystem   | LBIST                                                               |                          |                             |                                     |                    |                   |                                               | NA                        |
| CPU SubSystem   | PBIST                                                               |                          |                             |                                     |                    |                   |                                               | NA                        |
| DEBUG           | Joint Technical Action Group (JTAG) Debug/Trace/Calibration Access  |                          |                             |                                     |                    |                   |                                               | NA                        |
| DEBUG           | Cortex R4F Central Processing Unit (CPU) debug and trace            |                          |                             |                                     |                    |                   |                                               | NA                        |
| DEBUG           | Parameter Overlay Module                                            |                          |                             |                                     |                    |                   |                                               | NA                        |
| RAM System      | SRAM and Level 1 (L1) Interconnect                                  |                          |                             |                                     |                    |                   |                                               | 99.92%                    |
| Flash System    | One Time Programmable (OTP) Flash Static                            |                          |                             |                                     |                    |                   |                                               | 99.50%                    |
| Flash System    | Primary Flash and Level 1 (L1) Interconnect                         |                          |                             |                                     |                    |                   |                                               | 99.93%                    |
| Flash System    | Flash emulated EEPROM (FEE)                                         |                          |                             |                                     |                    |                   |                                               | 99.95%                    |

Transient faults:

| Component level | Device Partition (according to TI SM)    | Fail rate Safe Fault $\lambda_S$ | $\lambda_{MPF,ad}$ | $\lambda_{MPF,t}$ | Single Point Fault Metric |
|-----------------|------------------------------------------|----------------------------------|--------------------|-------------------|---------------------------|
| CPU SubSystem   | Cortex R4F Central Processing Unit (CPU) |                                  |                    |                   | 99.95%                    |
| CPU SubSystem   | Vectored Interrupt Module (VIM)          |                                  |                    |                   | 99.20%                    |
| CPU SubSystem   | LBIST                                    |                                  |                    |                   | NA                        |
| CPU SubSystem   | PBIST                                    |                                  |                    |                   | NA                        |

Details of ISO 26262 Metrics:

FMEDA worksheet is available under NDA

- For Permanent and Transient faults
- By modules (CPU, Flash, SRAM, DCAN, ADC...)

Based on TMS570LS12x v1.0 FMEDA worksheet



# **ISO 26262 Risk reduction**



- Use Safety Manual Chapter 6 to determine applicable safety mechanisms by MCU module such as CPU, SRAM, PWR...
- Use FMEDA worksheet
  - FIT Estimation sheet to tailor use conditions
  - Product Function Tailoring sheet to select MCU modules used in safety function
  - Pin Level Tailoring sheet to select MCU pins used in safety function
  - Safety Mechanism Tailoring sheet to select applied Safety mechanisms
  - Summary and Details-ISO26262 or IEC61508 sheets to determine if MCU and modules safety metrics are met.



# **Hercules and SafeTI Process Certifications**

| Product                                                                                    | Standard                                                                                                                               | Assessor | Certificate |
|--------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|----------|-------------|
| RM48x<br>(20 Devices)                                                                      | IEC 61508-1:2010; SIL 3<br>IEC 61508-2:2010; SIL 3                                                                                     |          |             |
| RM46x<br>(12 Devices)                                                                      | IEC 61508-1:2010; SIL 3<br>IEC 61508-2:2010; SIL 3                                                                                     |          |             |
| TMS570LS31x/21x<br>(14 Devices)                                                            | IEC 61508-1:2010; SIL 3<br>IEC 61508-2:2010; SIL 3<br>ISO 26262-2:2011; ASIL D<br>ISO 26262-5:2011; ASIL D                             |          |             |
| TMS570LS12x/11x<br>(10 Devices)                                                            | IEC 61508-1:2010; SIL 3<br>IEC 61508-2:2010; SIL 3<br>ISO 26262-2:2011; ASIL D<br>ISO 26262-5:2011; ASIL D                             |          |             |
| SafeTI Development Process for IEC<br>61508 and ISO 26262 Compliant<br>Hardware Components | IEC 61508-1:2010; SIL 3<br>IEC 61508-2:2010; SIL 3<br>ISO 26262-2:2011; ASIL D<br>ISO 26262-5:2011; ASIL D                             |          |             |
| SafeTI Functional Safety Software<br>Development Process                                   | IEC 61508-1:2010; SIL 3<br>IEC 61508-3:2010; SIL 3<br>ISO 26262-2:2011; ASIL D<br>ISO 26262-6:2011; ASIL D<br>ISO 26262-8:2011; ASIL D |          |             |

### 56 Hercules products certified and counting!!

#### <u>RM48x</u>, <u>RM46x</u> and <u>RM42x</u> certified to IEC 61508 SIL 3 for Industrial functional safety applications.

#### TMS570LS31x/21x, TMS570LS12x/11x and TMS570LS04/03/02x certified to ISO 26262 ASIL D for Automotive functional safety applications.

SafeTI Hardware and Software development processes also certified.

### Reduce time and effort to certify your end system!!



### Hercules MCUs Accelerating Safety Products to Market



# Why TI for Battery Management System

MCU leadership in automotive safety applications:

- Braking: 65% share
- Airbag: 40% share
- EPS: >20% and growing

20+ years automotive experiences:

- Q100 qualification
- Zero defect (0 dppm)
- Product supply longevity
- -40 °C to 125 °C temperature specification



SafeTI chip set (TMS570 + bq76PL455A + EMB14xx) for integrated safety BMS system

ISO 26262-certified MCU with documentation and tools to ease the system certification effort





# **Thank You**



Contact Information: Hoiman Low: hm-low@ti.com; Loyal Bao: loyal-bao@ti.com