C2000™ SafeTI™ Overview
Hi. My name is Jitin George, and I'm a product marketing engineer for C2000 microcontrollers at TI. In this training, I will cover the topic of functional safety as it applies to C2000, and we'll talk about how customers can leverage C2000 SafeTI MCUs in the development of functional safety compliant systems.
Here's the agenda for this training. I will start with an introduction to functional safety and will introduce the concept of systematic and random hardware faults. Next, we will take a closer look at the different types of SafeTI products that C2000 has to offer.
In the final section of this training, we will explore how C2000 SafeTI products help address systematic and random hardware faults. We will also learn about the various functional safety enablers that TI provides for C2000 SafeTI products that customers can leverage to help streamline their system safety certification efforts.
Let's get started with the definition of safety and functional safety. Safety is the freedom from unacceptable risk of physical injury or damage to property or the environment.
In contrast, if you look at functional safety, it is a smaller part of the overall safety that essentially depends on a system operating correctly in response to its inputs. Additionally, functionally-safe systems should have the ability to detect potentially dangerous conditions and subsequently deploy the appropriate safety mechanisms that can mitigate the consequences of these hazardous events if and when they occur.
I will be covering the concept of safety mechanisms a little later in the presentation. But before that, it is very important that we have a basic understanding of systematic faults and random hardware faults that can cause these hazardous events.
In the previous slide, we introduced the concept of safety as a freedom from unacceptable risk of physical injury or damage to the property or the environment. But the fact of the matter is there is no such thing as zero risk. No physical item has a zero fail rate, no human makes zero error, and there is no software that can ever foresee every operational possibility that exists.
Long story short, you can never completely eliminate risk. But it can be minimized. Functional safety standards are designed to help minimize the risk of physical injury resulting from dangerous failures. These dangerous failures can arise from either systematic faults or random hardware faults.
Systematic faults typically cannot be quantified. They are caused by human error and can result from mistakes in the design or manufacturing process of an element, subsystem, or system. These faults can be managed and mitigated with a robust and rigorous development process.
Random hardware faults, on the other hand, are unpredictable failures that occur during the lifetime of a hardware element. These random hardware faults can typically be quantified in terms of exposure (how often the failure occurs, or the probability of its occurrence), severity (if it does occur, how severe the consequences of the failure will be) and, lastly, controllability (if the failure does occur and the severity is indeed high, how well can you control it?). This is where safety mechanisms and their diagnostic coverages come into play.
In the next few slides, we will talk about how C2000 SafeTI products help address systematic and random hardware faults.
Before we talk about the systematic and random hardware capability of C2000 MCUs, let's take a quick look at the different classes of C2000 SafeTI products that TI offers. C2000 SafeTI products are mainly classified as C2000 SafeTI automotive and industrial products and C2000 SafeTI quality managed products.
The C2000 SafeTI automotive and industrial products are developed following TI's rigorous and robust hardware development process that has been independently assessed and certified by TUV SUD. These products are mainly targeted towards automotive and industrial applications that require compliance to the ISO 26262 and the IEC 61508 standards. This table here lists all of our SafeTI automotive and industrial products, along with their component-level random hardware capability.
The C2000 SafeTI quality managed products, on the other hand, are developed following TI's ISO-9001/IATF-16949 compliant hardware development process and are mainly targeted towards white goods, household goods, and appliances.
Although these products mainly support compliance to the IEC 60730, UL 1998, and IEC 60335 standards, it is important to keep in mind that these quality managed products also come with a safety manual and an FMEDA that can be leveraged to assist with compliance to a wide range of other standards for customers and applications, which include automotive as well as industrial systems. This table here shows a list of all our SafeTI quality managed products.
Let's now take a closer look at what C2000 has to offer from a functional safety perspective.
C2000 SafeTI products are designed to meet up to the highest standards in managing both systematic as well as random hardware faults. The first two pillars here talk about how C2000 helps address systematic and random hardware faults, while the third pillar focuses on how you can streamline your system safety certification with the help of our safety enablers, such as safety documentation, the Safety Diagnostic Library, the Compiler Qualification Kit, and other third-party tools.
In the next slide, we will focus on the first pillar and see how C2000 helps manage and mitigate systematic faults.
Systematic fault coverage, at its core, is making sure that you have a sufficiently robust and rigorous development process that prevents developers from creating bugs in their design. For TI as an IC manufacturer, this means that when you design and develop silicon, you start with the requirements.
The implementation should, then, mirror what the requirements are, a verification process should be in place to verify everything that was implemented, and, finally, silicon validation should check the actual capability on the silicon when the silicon is ready. This is the V-model approach to make sure that there's traceability all the way back to the requirements phase.
We at TI have an independent functional safety management process and safety culture established within the company, and we understand that such rigor in the development of all of our SafeTI products is critical in managing and mitigating systematic faults. Keeping this in mind, all of our C2000 SafeTI quality managed products are developed using a rigorous, enterprise-wide hardware development process, which is ISO 9001, IATF 16949 compliant.
Our C2000 SafeTI automotive and industrial products, on the other hand, are developed using our QRAS AP00210 hardware development process that has been independently assessed and certified by TUV SUD to support systematic fault coverage of ASIL D, SIL 3.
Here's what the certificate looks like. It shows that our internal hardware development process, called QRAS AP00210, meets the requirements of the applied standards shown here in the certificate. In keeping with the safety culture established within TI, this certificate gets revalidated every year, and we get TUV SUD to recertify our QRAS AP00210 process every three years.
Now that we have a good understanding of the systematic capability of C2000 SafeTI products, let's turn our attention to the second pillar and talk about how C2000 SafeTI MCUs help detect and prevent random hardware faults.
Earlier in the presentation when I had talked about dangerous failures, I had introduced random hardware faults as unpredictable failures that occur during the lifetime of a hardware element. These faults can typically be detected and prevented with the help of built-in safety mechanisms or safety diagnostics.
Safety mechanisms play a pivotal role in the overall safety of a system by detecting potentially dangerous failures and consequently helping place the system in a safe state. C2000 SafeTI MCUs come with over 300 built-in safety mechanisms that provide the necessary diagnostic coverage required by the ISO 26262 and the IEC 61508 standards to meet a random hardware capability of ASIL B, SIL 2 at a component level.
These MCUs also come with a companion functional safety manual that provides detailed information on the available safety mechanisms that can be implemented by customers in the development of compliant systems up to the safety integrity levels of ASIL D, SIL 3. Additionally, we also provide our customers with a tunable FMEDA.
While most MCU manufacturers don't allow for FMEDA customization, we provide a truly customizable solution with our C2000-based FMEDA that allows customers to tailor the FMEDA to their own application-specific needs. We will explore some of the key features of the C2000 FMEDA in the next slide.
A typical FMEDA is used in the development stage of a customer system and provides a detailed analysis of the different failure modes, the associated effects of the failure modes, safety mechanisms, and the impact of any implemented safety mechanisms in terms of the diagnostic coverage.
Our C2000-based FMEDA comes with the added benefit of tunability, allowing customers to tune the FMEDA to their own application-specific needs without having to rely on anyone else. The C2000 FMEDA provides a variety of different options to tailor the FMEDA based on the end application in which the MCU is used. Let's explore some of these features and the associated benefits by looking at the F2837x, F2807x FMEDA as an example.
This is how the C2000 FMEDA is organized in multiple tabs in the spreadsheet. As you can see, each tab displayed here is either blue or green in color. The blue tabs and fields inside this FMEDA are user customizable. These blue tabs have fields where values can be entered by the user, and the default values of these fields can be changed based on the end application need. Green tabs, on the other hand, show the results of the computation based on the user choices that were made in the blue tabs.
Let's briefly talk about some of the key features that I've highlighted here. The Product Function Tailoring feature allows customers to select only those parts and subparts of the MCU that are used in their end application and mark them Yes if they are functional safety related or No if they are not.
The C2000 FMEDA sets the default utilization of on-chip resources at 100%. But in reality, the application may not even use all of the peripherals and memories available on the device. The benefit of the Product Function Tailoring feature is that it enables customers to easily select the required on-chip resources in the FMEDA to exactly match the end application use case, thereby yielding more accurate results.
The Package FIT Estimation feature is related to the operating mission profile. There may be situations where there is a change in the operating mission profile of the end application and the default setting in the FMEDA may no longer accurately represent this application use case.
For example, the operating mission profile on the C2000 FMEDA is set to the mission profile for automotive motor control applications by default. Now, if the MCU were to be used in any other application, chances are that the MCU parameters, such as package type and minimum power dissipated, would also change, requiring the FMEDA to be tuned accordingly.
The FIT Estimation feature enables this level of customization by allowing customers to enter values specific to their own application-specific operational profile.
The last two features that I want to discuss here are Safety Mechanism Tailoring and Custom Diagnostics.
In the previous slide, I talked about how hardware functional safety requirements at the MCU level are satisfied by implementing safety mechanisms that are described in the functional safety manual. However, existing safety mechanisms, with their diagnostic coverages, may not always be adequate in some situations when there is a change in functional safety requirements at the application level. In such situations, additional safety mechanisms may need to be defined for the MCU to be able to meet the new functional safety goal.
The Safety Mechanism Tailoring feature enables customers to view all the available safety mechanisms and provides a way to select the required safety mechanisms, depending on the functional safety requirements of the end application.
The Custom Diagnostics feature is really an extension of Safety Mechanism Tailoring, and it enables customers to add additional custom safety mechanisms and input the corresponding diagnostic coverage values depending on the functional safety concept that is implemented in the end application. This is an important functionality because it provides added flexibility by giving customers the option to define their own custom diagnostics in situations where the available safety mechanisms are not sufficient for the application.
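To make the four tailoring knobs just described concrete, here is a small FMEDA-style calculation. It is an added illustration written for this page, not TI's C2000 FMEDA spreadsheet (whose internal formulas are not shown here): parts are marked safety-related Yes/No with a utilization fraction (Product Function Tailoring), a single mission factor scales base FITs (standing in for Package FIT Estimation), the applicable diagnostics are selected (Safety Mechanism Tailoring), and a user-defined diagnostic is added with its own coverage (Custom Diagnostics). All FIT and coverage values are constructed, the part and diagnostic names are placeholders, and the rule that the best single coverage applies when several diagnostics cover one part is an assumption of this toy model.

```python
"""
Toy FMEDA-style residual-FIT calculation (added illustration; not TI's
C2000 FMEDA). Every FIT value and coverage figure below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Part:
    name: str
    base_fit: float           # failures per 1e9 device-hours (constructed)
    safety_related: bool      # Product Function Tailoring: Yes / No
    utilization: float = 1.0  # fraction of the block the application uses


@dataclass
class Diagnostic:
    name: str
    part: str                 # Part.name this mechanism covers
    coverage: float           # diagnostic coverage, 0.0 .. 1.0


def residual_fit(parts, diagnostics, mission_factor=1.0):
    """Return (total_fit, undetected_fit) over the safety-related parts.

    Assumptions of this toy model: when several diagnostics cover one part
    the best single coverage is used (coverages are never summed), and a part
    tailored out with safety_related=False contributes nothing at all.
    mission_factor scales every base FIT, as a change of mission profile would.
    """
    best = {}
    for d in diagnostics:
        if not 0.0 <= d.coverage <= 1.0:
            raise ValueError(f"coverage out of range for {d.name}")
        best[d.part] = max(best.get(d.part, 0.0), d.coverage)
    total = undetected = 0.0
    for p in parts:
        if not p.safety_related:
            continue
        lam = p.base_fit * p.utilization * mission_factor
        total += lam
        undetected += lam * (1.0 - best.get(p.name, 0.0))
    return total, undetected


def single_point_fault_metric(total, undetected):
    """1 - undetected/total: the ISO 26262 SPFM form, with latent faults ignored."""
    return 1.0 if total == 0 else 1.0 - undetected / total


def example_parts():
    return [
        Part("CPU", 20.0, True),
        Part("Flash", 30.0, True),
        Part("SRAM", 25.0, True, utilization=0.5),  # application uses half the RAM
        Part("USB", 10.0, False),                    # unused by the application
    ]


def example_diagnostics():
    return [
        Diagnostic("CPU self-test", "CPU", 0.90),
        Diagnostic("Flash ECC", "Flash", 0.99),
        Diagnostic("SRAM parity", "SRAM", 0.90),
    ]


def compare_with_custom_diagnostic(mission_factor=1.0):
    """SPFM before and after adding a custom SRAM diagnostic with 99% coverage."""
    parts = example_parts()
    base = example_diagnostics()
    custom = base + [Diagnostic("Application March test", "SRAM", 0.99)]
    before = single_point_fault_metric(*residual_fit(parts, base, mission_factor))
    after = single_point_fault_metric(*residual_fit(parts, custom, mission_factor))
    return before, after


if __name__ == "__main__":
    total, undetected = residual_fit(example_parts(), example_diagnostics())
    print(f"total {total:.2f} FIT, undetected {undetected:.2f} FIT")
    print("SPFM before/after custom diagnostic:", compare_with_custom_diagnostic())
```

With these constructed numbers the custom SRAM diagnostic raises the metric from about 0.943 to about 0.961, and doubling the mission factor leaves the ratio unchanged while doubling the absolute residual FIT, which is why a mission-profile change still has to be reflected in the FMEDA even when the coverage percentages do not move.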
If you want to learn more about our tunable FMEDA, please read the white paper or watch the five-part video training series on the C2000 tunable FMEDA. Here are the links to the white paper and the FMEDA training.
Now that we've seen how C2000 SafeTI products help address systematic and random hardware faults, let's finally take a look at all the different safety enablers that C2000 has to offer to help streamline system safety certification efforts for customers.
Here are some of the software enablers that we provide to help make designing functional safety compliant systems using C2000 MCUs easier and faster.
First, we have the C2000 IEC 60730 software package. This package is compatible with our Piccolo class of MCUs, such as the F2806x, F2805x, F2803x, and the F2802x. The software of this package is UL certified to the UL 1998 class 1 standard and is compliant with the IEC 60730 class B, both of which are mainly targeted towards home appliances, arc detectors, power converters, et cetera. The software is also VDE certified according to the IEC 60335-1 and the IEC 60730-1 standards.
The C2000 IEC 60730 software package comes with a functional safety manual that describes available safety mechanisms and also a software self-test library that can be used in the development of systems compliant to the IEC 60730 and the IEC 60335 functional safety standards. Additionally, the software self-test library, or the STL, can also be leveraged to assist customers in developing systems compliant with other functional safety standards.
The SafeTI Diagnostic Library, on the other hand, is compatible with our latest Delfino and Piccolo class of MCUs, namely the F2837x and the F2807x, and includes a functional safety manual, user guides, example projects, and source code to help customers make important system decisions and shorten system integration time, helping them get their products to market faster. It provides easy-to-call APIs that help implement the safety mechanisms that are outlined in the functional safety manual and also allows customers to do fault injection testing and profiling of their control loops.
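The software self-test library and the fault injection testing mentioned in the last two paragraphs fit together: a diagnostic's coverage figure, which the FMEDA later consumes, can be estimated by injecting faults and counting how many the diagnostic catches. The following simulation is an added example written for this page, not code from TI's IEC 60730 STL or SafeTI Diagnostic Library. It runs a March C- RAM test and a simpler checkerboard test against a small RAM model into which one fault at a time is injected; the fault models (a stuck-at bit, and an inversion coupling fault where any write to an aggressor word flips the whole victim word) are simplifications chosen for this example.

```python
"""
Simulated software RAM self-test with fault injection (added illustration;
not code from TI's IEC 60730 STL or SafeTI Diagnostic Library).
"""

WORD_BITS = 8
WORD_MASK = (1 << WORD_BITS) - 1


class FaultyRam:
    """Word-addressable RAM model carrying at most one injected fault.

    fault is None, ("sa", addr, bit, stuck_value) or ("cf", aggressor, victim).
    """

    def __init__(self, words, fault=None):
        self.cells = [0] * words
        self.fault = fault

    def write(self, addr, value):
        self.cells[addr] = value & WORD_MASK
        if self.fault and self.fault[0] == "cf" and addr == self.fault[1]:
            self.cells[self.fault[2]] ^= WORD_MASK  # writing aggressor flips victim

    def read(self, addr):
        value = self.cells[addr]
        if self.fault and self.fault[0] == "sa" and addr == self.fault[1]:
            _, _, bit, stuck = self.fault
            value = (value & ~(1 << bit)) | (stuck << bit)
        return value & WORD_MASK


# March C-: {up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0)}
# Each element: (address order, value expected on read, value to write)
MARCH_C_MINUS = [
    ("up", None, 0x00),
    ("up", 0x00, WORD_MASK),
    ("up", WORD_MASK, 0x00),
    ("down", 0x00, WORD_MASK),
    ("down", WORD_MASK, 0x00),
    ("up", 0x00, None),
]


def march_c_minus(ram):
    """Return the first failing address, or None if the RAM passed.
    A real STL runs this destructively on a region whose contents it saved."""
    n = len(ram.cells)
    for direction, expect, write in MARCH_C_MINUS:
        addrs = range(n) if direction == "up" else range(n - 1, -1, -1)
        for addr in addrs:
            if expect is not None and ram.read(addr) != expect:
                return addr
            if write is not None:
                ram.write(addr, write)
    return None


def checkerboard(ram):
    """Write 0x55/0xAA and then the inverse, reading each pattern back."""
    n = len(ram.cells)
    for pattern in (0x55, 0xAA):
        expected = [pattern if a % 2 == 0 else pattern ^ WORD_MASK for a in range(n)]
        for addr in range(n):
            ram.write(addr, expected[addr])
        for addr in range(n):
            if ram.read(addr) != expected[addr]:
                return addr
    return None


def injected_faults(words):
    """Every single stuck-at bit fault plus every ordered coupling pair."""
    faults = []
    for addr in range(words):
        for bit in range(WORD_BITS):
            faults.append(("sa", addr, bit, 0))
            faults.append(("sa", addr, bit, 1))
    for aggressor in range(words):
        for victim in range(words):
            if aggressor != victim:
                faults.append(("cf", aggressor, victim))
    return faults


def fault_campaign(test, words=8):
    """Run `test` once per injected fault; return (detected, injected)."""
    if test(FaultyRam(words)) is not None:
        raise RuntimeError("test reports a failure on fault-free RAM")
    faults = injected_faults(words)
    detected = sum(test(FaultyRam(words, f)) is not None for f in faults)
    return detected, len(faults)


if __name__ == "__main__":
    for name, test in (("March C-", march_c_minus), ("checkerboard", checkerboard)):
        hit, total = fault_campaign(test)
        print(f"{name:12s}: {hit}/{total} faults detected, DC ~ {hit / total:.1%}")
```

Both tests catch every stuck-at fault, but the checkerboard misses a coupling fault whenever the victim word is written after the aggressor, because the later write overwrites the corruption before anything reads it; March C- reads each cell between its writes and catches all of them. That difference in measured coverage is exactly the kind of value that goes into a Custom Diagnostics entry.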
Additionally, we supply the SafeTI Diagnostic Library with a Compliance Support Package, or CSP, which provides customers with a series of documents that TI used to develop and test the SafeTI Diagnostic Library to show that our software development actually followed a systematic process. These documents include software safety requirement specifications, a software architecture document, software module design documents, unit test plans, static analysis reports, dynamic analysis reports, functional test reports, and traceability documents.
As you can see, the Compliance Support Package provides the necessary documentation and reports to assist customers with compliance to a wide range of functional safety standards that are targeted towards automotive, industrial, and other applications.
This slide summarizes all of our key functional safety enablers that customers can leverage to help streamline their system safety certification efforts.
The first pillar provides a list of all of the certifications that we provide for our C2000 SafeTI products. First, we have the TUV-SUD certificate that shows that our internal hardware development process for C2000 SafeTI automotive and industrial products meets the requirements of the IEC 61508 and ISO 26262 functional safety standards.
Then, we have two UL 1998 certificates and a VDE certificate that apply to our C2000 SafeTI quality managed products. These certificates are all available on ti.com in the appropriate product folders.
The second pillar shows the various functional safety manuals and FMEDAs that we provide. Our functional safety manuals for the C2000 SafeTI automotive and industrial, as well as the quality managed products, are available on ti.com within the appropriate product folders.
Our tunable FMEDA for the C2000 SafeTI automotive and industrial products and our estimation-based FMEDA for our C2000 SafeTI quality managed products are available upon request. The process to request access is outlined in the C2000 SafeTI process document that is available on ti.com. Here's the direct link to this document.
The third pillar lists our software offerings for functional safety. I've already talked about the IEC 60730 software package and the SafeTI Diagnostic Library in the previous slide. In addition to these software packages, we also provide a Compiler Qualification Kit that further assists customers in their efforts to qualify their use of the TI C2000 C or C++ compiler to functional safety standards, such as the IEC 61508 and ISO 26262. Customers can download these software packages and the Compiler Qualification Kit for free on ti.com.
The last pillar shows a couple of our third-party tools that customers can use in the development of functional safety compliant systems. SafeRTOS is an IEC 61508 and ISO 26262 certified real-time operating system for embedded processors from WITTENSTEIN high integrity systems. Simulink from MathWorks is also ISO 26262 and IEC 61508 certified and provides key capabilities such as modeling, simulation, code generation, and automated testing based on the MathWorks IEC Certification Kit.
Please visit our C2000 functional safety web page at www.ti.com/c2000safeTI to learn more about our functional safety offerings. This concludes this training on C2000 functional safety. Thank you for watching.