
RM48L952: nERROR pin to safe state

Part Number: RM48L952

Hi TI,

We are working on a safety application which is compliant with IEC61508 SIL3, and we have doubts about the connections of the nERROR pin from the MCU. The RM48 datasheet mentions that some external monitor circuit should be in the design to move the system to a safe state.

1. Is there any design for an external monitor circuit other than the TPS65381 PMIC, which shall put the system into a safe state?

2. Can the nERROR pin be connected (in loopback) to any of the GIO pins, so that the MCU can monitor the IO interrupt? If any error occurs, the MCU can do a warm reset. Would this method be compliant with IEC61508 SIL3?

Please provide your suggestions, if any. But we have to achieve SIL3 compliance.

Regards,

Monish

  • Hi Monish,

    1. I don't have a candidate except for the TPS65381 PMIC.

    2. When a diagnostic detects a fault, the error must be indicated. The error response is the action that is taken by the MCU or system when an error is indicated. There are multiple potential error responses possible for the Hercules product. The system integrator is responsible for determining what error response should be taken and for ensuring that this is consistent with the system safety concept.

    • CPU abort - This response is implemented directly in the CPU, for diagnostics implemented in the CPU. During an abort, the program sequence transfers context to an abort handler and software has an opportunity to manage the fault.
    • CPU interrupt - This response can be implemented for diagnostics outside the CPU. An interrupt allows events external to the CPU to generate a program sequence context transfer to an interrupt handler where software has an opportunity to manage the fault.
    • Generation of system nRST - This response allows the device to change states to warm boot from operational state. The SYS_nRST could be generated from an external monitor or internally by the software reset or watchdog (external or internal). Re-entry to the warm reset state allows the possibility of software recovery when recovery in the operational state was not possible.
    • Generation of nPORRST - This response allows the device to change state to safe state from cold boot, warm boot, or operational states. From this state, it is possible to re-enter cold boot to attempt recovery when recovery via warm boot is not possible. It is also possible to move to the powered-down state, if desired, to implement a system level safe state. This response can be generated from the internal voltage monitor, but is primarily driven by monitors external to the MCU.

    Looping nERROR to a GIO pin is not a good solution. If a severe error occurs, the CPU or memory might not be trustworthy.