• State
  • Locked Locked
  • Replies 3 replies
  • Subscribers 30 subscribers
  • Views 333 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Original question:

TMS570LC4357: Where can i find the SIL3 certification file?

TMS570LC4357: TMS570LC4357 Dual MCU Working Mechanism - How does the backup MCU work?

Alex Lee
Prodigy 60 points
Part Number: TMS570LC4357

Hi TI experts,

We intend to use the TI MCU TMS570LC4357 for SIL3 certificate in our railway application. We have checked the datasheet for TMS570LC4357, it is noted that there are two MCUs working inside TMS570. The R5F is the main MCU while the R4F is the backup MCU. How is the dual-core MCU working?

I want to know if the main MCU R4F failed, what will happen? Is our software will crash or software will continue run as normal?

Here are 2 scenarios I can think of after reading the datasheet:

Scenario 1: R5F failed, R4F will immediately take over and continues running software, meanwhile an error flag will be raised

Scenario 2: R5F failed, R4F will immediately STOP running software, meanwhile an error flag will be raised

If the scenario 1 is the actual case, what do we need to do at application layer to always ensure the backup MCU R4F can take over if there is any failure in R5F? Or it is triggered by default and transparent to application layer software?

Please Advice and answer.

  • 0
    TI__Guru 69891 points

    Hi ,

    There won't be any backup CPU concept in the Hercules devices (including TMS570LC4357).

    Yes, there are two CPU's but here one CPU is called as main CPU and other CPU is just called as checker CPU. And we can't program them differently(they always run the same application) and both CPU's will always operate in lockstep mode functionality.

    The lockstep is the mode of operation of the dual ARM Cortex-R5F CPUs. The device has one module called CPU Compare Module for Cortex-R5F (CCM-R5F). During CPU lockstep mode, the outputs of the two CPUs are compared on each CPU clock cycle by this CCM-R5F. Any mis-compare is flagged as an error of the highest severity level. The outputs of the two VIMs in lockstep are also compared on each cycle by this module.

    The two processors are initialized to the same state during system start-up, and they receive the same inputs, so during normal operation the state of the two processors is identical from clock to clock.

    An error in either processor will cause a difference between the states of the two processors, which will eventually be manifested as a difference in the outputs. The CCM-R5F module monitors the outputs of the two processors and flags an error in the case of a discrepancy.

    For more details, please refer the CCM-R5F chapter in TRM:

    --
    Thanks & regards,
    Jagadish.

  • 0 in reply to jagadish gundavarapu
    Prodigy 60 points

    Hi Jagadish,

    Thank you very much for your prompt reply.

    With you detailed explanation, I understand more or less how dual-core MCU mechanism working. I got another question regarding this

    jagadish gundavarapu said:
    An error in either processor will cause a difference between the states of the two processors, which will eventually be manifested as a difference in the outputs. The CCM-R5F module monitors the outputs of the two processors and flags an error in the case of a discrepancy.

    What will the CCM-R5F do if there is an error of CCM discrepancy? Will CCM-R5F run as normal or it just halts there? This is very critical to us as we are in automotive industry we dont want the software stop driving and monitoring the whole system when there is a discrepancy. Because it is a potential huge safety risk to our product. 

    Is there any chance the R5F MCU ignores the CCM discrepancy error and continues running? Or possible to let checker MCU takes over the control?

    Please help.

    Many thanks,

    Alex

  • 0 in reply to Alex Lee
    TI__Guru 69891 points

    Hi Alex,

    Alex Lee said:
    What will the CCM-R5F do if there is an error of CCM discrepancy? Will CCM-R5F run as normal or it just halts there?

    If any discrepancy, then CCM-R5F will just signal an error to the ESM (Error Signaling Module) module. The device will never halt, and a software handler is necessary to implement the appropriate response to the error dependent on the application needs.

    --
    Thanks & regards,
    Jagadish.