
AM2634: IEC61508-2 Functional safety: Creating a 1oo2 architecture with HFT=1 using a single processor package

Part Number: AM2634
Other Parts Discussed in Thread: AM2632

Hello,

I would like to simplify my functional safety project by using a single package of the AM2632 or AM2634. The target is SIL3. The dual-channel, so-called 1oo2 system is the preferred hardware architecture, where the hardware fault tolerance is 1. The architecture needs two independent processing chains: one microcontroller in each chain that executes the same code, and one of the microcontrollers compares the results of the two channels. If any of the channels detects an internal fault, the other channel can still handle the task.

The straightforward solution is to use two independent microcontrollers (two packages) and build the two channels this way. However, the AM2632 and AM2634 have 2 or 4 CPU cores. What's more, two cores can run in lock-step mode to increase reliability. The CPU itself is certified to IEC61508-2, so they seem to be good candidates for the purpose.

Question: Is it possible/accepted to create a dual-channel system using only one package of one of the mentioned devices? Any solution is acceptable here. I mean to use the two cores of the two-core version to build up the two channels, or to use two core pairs configured in lock-step mode of the four-core version for the same purpose. The main goal is to use only a single package instead of two packages.

I am not an expert yet, but in my understanding of the IEC61508-2 standard, Annex E discusses a system like that: on-chip redundancy. I found no information in the safety-related documents of the CPU family on whether it has been certified for IEC61508 Annex E. Is it?

Thank you,

Tamas

  • Hi Tamas,

    It would be best to use AM2634 in order to meet your requirements, it is certified for IEC61508.

    Regards,

    Sahana

  • Hi Sahana,

    Yes, I know that both the AM2632 and the AM2634 are certified for IEC61508. The question was if this certification is also valid for IEC61508 Annex E. It is not obvious.

    Thank you,

    Tamas

  • Hi Tamas, 

    The answer to the below Q is No. 

    Question: Is it possible/accepted to create a dual channel system using only one package of one of the mentioned devices? Any solution is acceptable here. I mean to use the two cores of the two core version to build up the two channels, or to use two core pairs configured in lock-step mode of the four core version for the same purpose. The main goal is to use only a single package instead of two packages.


    There is one error output pin (SAFETY_ERRORn) per package/device (AM2632 or AM2634). While you can create 2 lock-step config. chains using AM2634, the HFT is still 0, since a fault in any chain will lead the component/MCU to show an error (detection is 1) and the availability (post fault-detection) is 0, as the component is to be in the safe state.

    Two AM2632/AM2634 packages can be a good candidate option to implement HFT=1 at the system-level.

    Hope this helps.

    Regards,
    Nilkanth
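As an added example that is not part of the thread and not TI code, the following C sketch models the two behaviours the question and this reply contrast: a two-package 1oo2 arrangement in which the comparing channel isolates a faulted peer and keeps running (HFT=1), and the single-package case where both lock-step pairs share one SAFETY_ERRORn output, so any detected fault drives the whole device to its safe state (HFT=0). The safety function, the fault-injection flags, and the state names are assumptions for illustration.

```c
/* Added example, not from the thread or from TI: a minimal model of 1oo2
 * cross-comparison beside the single-package (shared error pin) behaviour.
 * All values are constructed for the demonstration. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum { SYS_OK = 0, SYS_DEGRADED = 1, SYS_SAFE_STATE = 2 } sys_state_t;

typedef struct {
    int32_t result;       /* output of the safety function (1 = trip) */
    bool internal_fault;  /* raised by the channel's own diagnostics */
} channel_out_t;

/* Hypothetical safety function; identical code runs on both channels. */
static int32_t safety_function(int32_t sensor)
{
    return sensor > 1000 ? 1 : 0;
}

/* Run one channel on a sensor sample. inject_fault stands in for a fault the
 * channel's diagnostics (e.g. lock-step compare) would have detected. */
static channel_out_t run_channel(int32_t sensor, bool inject_fault)
{
    channel_out_t out = { safety_function(sensor), inject_fault };
    return out;
}

/* Per-channel health, retained across cycles by the comparing channel. */
static bool a_healthy = true, b_healthy = true;

void health_reset(void) { a_healthy = true; b_healthy = true; }

/* Two packages, HFT=1: one faulty channel is isolated and the other keeps
 * executing the safety function (degraded but available). A second fault, or
 * a disagreement between two healthy channels, forces the safe state. */
sys_state_t two_package_cycle(int32_t sensor, bool fault_a, bool fault_b)
{
    channel_out_t a = run_channel(sensor, fault_a);
    channel_out_t b = run_channel(sensor, fault_b);

    if (a.internal_fault) a_healthy = false;
    if (b.internal_fault) b_healthy = false;

    if (!a_healthy && !b_healthy)
        return SYS_SAFE_STATE;
    if (a_healthy && b_healthy)
        return (a.result == b.result) ? SYS_OK : SYS_SAFE_STATE;
    return SYS_DEGRADED;
}

/* One package, HFT=0: both lock-step pairs share a single SAFETY_ERRORn
 * output, so any detected fault puts the whole device into the safe state.
 * Detection is still 1, but there is no degraded mode to fall back to. */
sys_state_t single_package_cycle(int32_t sensor, bool fault_a, bool fault_b)
{
    channel_out_t a = run_channel(sensor, fault_a);
    channel_out_t b = run_channel(sensor, fault_b);
    if (a.internal_fault || b.internal_fault || a.result != b.result)
        return SYS_SAFE_STATE;
    return SYS_OK;
}

int main(void)
{
    health_reset();
    printf("two packages, A faulty:   state %d\n", two_package_cycle(1500, true, false));
    printf("two packages, next cycle: state %d\n", two_package_cycle(1500, false, false));
    printf("single package, A faulty: state %d\n", single_package_cycle(1500, true, false));
    return 0;
}
```

The two-package model keeps the isolated channel out of service until an explicit reset, which is what lets the system stay available after the first fault; the single-package function has no such memory because the device is already in its safe state after the first error.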

  • Hi Nilkanth,

    Thank you for the information.

    Is there any microcontroller in the TI portfolio that could be used in a system like the one I described? I mean using a single package to form an HFT=1 at system level?

    Thank you,

    Tamas

  • Hi Tamas,

    In your first post, you mentioned that your system safety target is "SIL 3." You can achieve this using a single SIL 3 certified MCU, e.g., a single AM2634 device with HFT=0.

    Your 'preference' is to implement using the 1oo2 (HFT=1) system configuration. However, using HFT=1 is not a must for SIL 3. You can meet the SIL 3 goal with a single channel, provided HW metrics are met, such as using the above-compliant TI devices. It may be possible to implement two logical channels on the same MCU to achieve SIL 3 (for meeting HW metrics). However, the claim of HFT=1 is not possible.

    HFT=1 adds 'Availability', in addition to 'Safety Integrity Level', to your system.

    If HFT=1 is a must-have target, you can use two components in the system (not necessarily two MCUs) to achieve the required HW independence.

    I hope this helps.

    Regards,

    --Ashish Vanjari

  • Hi Ashish,

    Another metric of a functional safety system (besides the safety integrity level) is the PST, the process safety time. All safety functions have to react/run/be evaluated within the specified PST. In our application we need to specify the PST in the few-millisecond range (1-5ms). We can achieve this easily for the safety functions using the AM263x CPU. What may cause a problem is the self-test routines that we have to execute continuously in the background.

    In an HFT=0 system all self-test routines have to be completely done within the specified PST.

    In an HFT=1 system, the same tests have to be done only within 24 hours. (In practice within a few hours.) That's why we decided to go the HFT=1, 1oo2 way.

    We are uncertain if all the necessary self-test routines (all safety-relevant memory, peripheral and I/O tests) can be executed within a few milliseconds, even using a CPU with processing power as high as the AM263x has.

    We are still evaluating what self-test routines have to be executed at all using the AM263x. Any help in this topic is highly appreciated too.

    Thank you,

    Tamas
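As an added example (not from the thread, not TI code), the C program below makes the timing argument in this post concrete: a set of background self-tests is split into non-preemptible chunks and scheduled into a fixed slice of every control cycle, and the program checks whether one complete pass finishes within the required interval, the PST itself for HFT=0 or a diagnostic test interval of hours for HFT=1. The test names, chunk sizes and chunk counts are constructed placeholders, not AM263x measurements.

```c
/* Added example, not TI code and not from the thread: checks whether a set of
 * background self-tests can complete within a required interval when they are
 * run time-sliced alongside the safety function. All durations are
 * constructed placeholders, not AM263x measurements. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One background diagnostic, split into non-preemptible chunks so it can be
 * interleaved with the safety function. Times in microseconds. */
typedef struct {
    const char *name;
    uint32_t chunk_us;   /* worst-case time of one non-preemptible chunk */
    uint32_t n_chunks;   /* chunks in one complete pass of the test */
} self_test_t;

static const self_test_t tests[] = {
    { "sram_march",  200, 40 },   /* constructed: 8.0 ms per pass */
    { "flash_crc",   100, 60 },   /* constructed: 6.0 ms per pass */
    { "cpu_stl",     300,  4 },   /* constructed: 1.2 ms per pass */
    { "io_loopback",  50,  8 },   /* constructed: 0.4 ms per pass */
};
#define N_TESTS (sizeof tests / sizeof tests[0])

/* Total worst-case time of one complete pass over every self-test. */
uint32_t full_pass_us(void)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < N_TESTS; i++)
        sum += tests[i].chunk_us * tests[i].n_chunks;
    return sum;
}

/* Greedy time-sliced schedule: every control cycle reserves slice_us for
 * diagnostics and chunks are appended while they fit. Returns the number of
 * cycles one full pass needs, or 0 if some chunk is longer than the slice. */
uint32_t cycles_per_pass(uint32_t slice_us)
{
    uint32_t cycles = 1, used = 0;
    for (size_t i = 0; i < N_TESTS; i++) {
        if (tests[i].chunk_us > slice_us)
            return 0;
        for (uint32_t c = 0; c < tests[i].n_chunks; c++) {
            if (used + tests[i].chunk_us > slice_us) {
                cycles++;
                used = 0;
            }
            used += tests[i].chunk_us;
        }
    }
    return cycles;
}

/* Wall-clock time for one full pass when the control cycle is cycle_us long. */
uint64_t pass_time_us(uint32_t cycle_us, uint32_t slice_us)
{
    uint32_t cycles = cycles_per_pass(slice_us);
    return cycles ? (uint64_t)cycles * cycle_us : 0;
}

/* The check behind the post: a full pass must finish within required_us.
 * For HFT=0 that is the PST itself; for HFT=1 it is the diagnostic test
 * interval (hours), which is what makes a time-sliced schedule acceptable. */
bool pass_within(uint32_t cycle_us, uint32_t slice_us, uint64_t required_us)
{
    uint64_t t = pass_time_us(cycle_us, slice_us);
    return t != 0 && t <= required_us;
}

int main(void)
{
    const uint32_t pst_us = 2000;                    /* constructed: 2 ms PST */
    const uint32_t slice_us = 1000;                  /* half of each cycle for diagnostics */
    const uint64_t dti_us = 24ULL * 3600 * 1000000;  /* 24 h diagnostic test interval */

    printf("full pass: %u us, cycles: %u, pass time: %llu us\n",
           full_pass_us(), cycles_per_pass(slice_us),
           (unsigned long long)pass_time_us(pst_us, slice_us));
    printf("HFT=0 (within PST):  %s\n", pass_within(pst_us, slice_us, pst_us) ? "yes" : "no");
    printf("HFT=1 (within 24 h): %s\n", pass_within(pst_us, slice_us, dti_us) ? "yes" : "no");
    return 0;
}
```

With the constructed numbers a full pass takes 15.6 ms of CPU time and needs 16 cycles of a 2 ms PST, so the HFT=0 condition (everything inside one PST) fails while the HFT=1 condition is met with a large margin; raising the slice so that the whole pass fits in one cycle is exactly what the HFT=0 route would require.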

  • Hi Tamas,

    I now understand the reason behind your system architecture choice of 1oo2. 

    The entire MCU is large, but I imagine the SIF would utilize part of it. Only a subset of the complete MCU is required to be covered by the periodic self-test within the PST. Is this correct?

    What would be the expected DC (Diagnostic Coverage) required to be demonstrated by the testing within the PST?

    We may need to check if the combination of PBIST (for SRAMs), LBIST with STC (for CPU Core logic), and/or Software-based self-tests is sufficient for this application. Let me know if we can further discuss this topic in an email.

    Regards,

    --Ashish

  • Hi Ashish,

    SIL3 and DC=3 are required.

    Thank you for the support!

    Yes, we can discuss the topic in email.

    Best regards,

    Tamas