AM2634: IEC61508-2 Functional safety: Creating a 1oo2 architecture with HFT=1 using a single processor package

Part Number: AM2634
Other Parts Discussed in Thread: AM2632

Hello,

I would like to simplify my functional safety project by using a single package of the AM2632 or AM2634. The target is SIL3. The dual-channel, so-called 1oo2 system is the preferred hardware architecture, where the hardware fault tolerance is 1. The architecture needs two independent processing chains: one microcontroller in each chain that executes the same code, and one of the microcontrollers compares the results of the two channels. If either of the channels detects an internal fault, the other channel can still handle the task.

The straightforward solution is to use two independent microcontrollers (two packages) and build the two channels this way. However, the AM2632 and AM2634 have 2 or 4 CPU cores. What is more, two cores can run in lock-step mode to increase the reliability. The CPU itself is certified to IEC61508-2; they seem to be good candidates for the purpose.

Question: Is it possible/accepted to create a dual channel system using only one package of one of the mentioned devices? Any solution is acceptable here. I mean to use the two cores of the two core version to build up the two channels, or to use two core pairs configured in lock-step mode of the four core version for the same purpose. The main goal is to use only a single package instead of two packages.

I am not an expert yet, but in my understanding of the IEC61508-2 standard, Annex E discusses a system like that, the on-chip redundancy. I found no information in the safety-related documents of the CPU family on whether it has been certified for IEC61508 Annex E. Is it?

Thank you,

Tamas

  • Hi Tamas,

    It would be best to use AM2634 in order to meet your requirements, it is certified for IEC61508.

    Regards,

    Sahana

  • Hi Sahana,

    Yes, I know that both the AM2632 and the AM2634 are certified for IEC61508. The question was if this certification is also valid for IEC61508 Annex E. It is not obvious.

    Thank you,

    Tamas

  • Hi Tamas,

    The answer to the below question is No.

    Question: Is it possible/accepted to create a dual channel system using only one package of one of the mentioned devices? Any solution is acceptable here. I mean to use the two cores of the two core version to build up the two channels, or to use two core pairs configured in lock-step mode of the four core version for the same purpose. The main goal is to use only a single package instead of two packages.


    There is one error output pin (SAFETY_ERRORn) per package/device (AM2632 or AM2634). While you can create two lock-step configured chains using the AM2634, the HFT is still 0, since a fault in either chain will lead the component/MCU to show an error (detection is 1) and the availability (post fault-detection) is 0, as the component is to be in the safe state.

    Two AM2632/AM2634 packages can be a good candidate option to implement HFT=1 at the system-level.

    Hope this helps.

    Regards,
    Nilkanth

  • Hi Nilkanth,

    Thank you for the information.

    Is there any microcontroller in the TI portfolio that could be used in a system like the one I described? I mean to use a single package to form an HFT=1 at system level?

    Thank you,

    Tamas