
Hercules SIL 3

Greetings everybody.

I have a few questions regarding Hercules safety features.

First, according to SIL 3, as far as I know, there are two possible ways of acting: covering 90% of faults in a dual channel or 99% in a single channel. How would Hercules work in these two ways?

I also want to know if TI has routines for internal fault detection for Hercules (memory, registers, ALU, clock...).


Regarding the OS, what would be the most suitable OS for working according to SIL3?

I also need to choose a processor to develop a project of two SIL3 I/O modules. Which Hercules would be suggested in that case, and what would be the major differences between the options?

  • Hello Raul,

    First, fault coverage is not the same as safe failure fraction.  Diagnostic coverage is used to represent the % of faults detected (covered) in a system.  Safe failure fraction also includes the estimation of safe vs. dangerous failures in a system.  In general, the SFF will show a higher value than the DC.  There are requirements per standard on SFF per SIL, but not on DC.

    I believe you have some slight confusion on # of channels vs. hardware fault tolerance.  IEC 61508:2010 -2 Table 3 notes that to achieve SIL3 it is possible to support an element with no hardware fault tolerance at 99% SFF.  But, if we can show hardware fault tolerance =1, the SFF need only be 90%.  Hardware fault tolerance is typically shown via an architecture which includes multiple channels, but multiple channels do not guarantee hardware fault tolerance.  In most systems a single Hercules device from the TMS570LS or RM4x families can satisfy the processing needs of most SIL3 systems and achieve 99% SFF.  However, I have spoken with customers who want to support hardware fault tolerance >0 and have implemented 2oo3 (three channel voter) or 2oo2D (dual channel voter) systems to meet their safety requirements.

    The safety manual for the Hercules TMS570LS31x/21x and RM48x is posted to the TI web site http://www.ti.com/litv/pdf/spnu511.  When used in conjunction with the device TRM, the safety features should be thoroughly described.  All of the Hercules family members include hardware diagnostics on clock, power, reset, processing, memory, and I/O.

    Information on supported software and operating systems can be found on the TI web site:  http://www.ti.com/mcu/docs/mcuprodtoolsw.tsp?sectionId=95&tabId=2836&familyId=1931&toolTypeId=1#.  Multiple IEC 61508 certified options are available - such as High Integrity Systems SafeRTOS, Micrium uC/OS-II,  and SCIOPTA.

    Regarding recommended I/O modules, the Hercules products have many I/O options available - CAN, LIN, SCI (UART), GIO, NHET, SPI, Ethernet, FlexRay, ...  It is not easy to make a recommendation without some knowledge of the system which you plan to implement.

    Regards,

    Karl
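A worked example of the two distinctions Karl draws above, added here and not part of either post nor TI code: first, diagnostic coverage (DC) versus safe failure fraction (SFF) computed from an element's failure-rate breakdown (safe/dangerous, detected/undetected), and second, the 2oo3 and 2oo2D voting arrangements he mentions as ways of obtaining hardware fault tolerance. The failure-rate numbers, channel values and all function names are constructed for illustration; the only thing taken from the standard is the definition of DC and SFF in terms of the four failure-rate classes.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stdint.h>

/* Failure-rate breakdown of one element, in the four classes IEC 61508-2 uses:
 * safe-detected, safe-undetected, dangerous-detected, dangerous-undetected.
 * Units are FIT (failures per 1e9 h); the sample values below are constructed. */
typedef struct {
    double lambda_sd, lambda_su, lambda_dd, lambda_du;
} FailureRates;

static const FailureRates SAMPLE_RATES = { 30.0, 20.0, 45.0, 5.0 };

/* Diagnostic coverage (DC): share of dangerous failures the diagnostics detect. */
double diagnostic_coverage(const FailureRates *r)
{
    double dangerous = r->lambda_dd + r->lambda_du;
    return dangerous > 0.0 ? r->lambda_dd / dangerous : 0.0;
}

/* Safe failure fraction (SFF): safe failures plus detected dangerous failures,
 * over all failures. Safe failures count in the numerator, which is why SFF
 * comes out at least as high as DC for the same element. */
double safe_failure_fraction(const FailureRates *r)
{
    double total = r->lambda_sd + r->lambda_su + r->lambda_dd + r->lambda_du;
    return total > 0.0 ? (r->lambda_sd + r->lambda_su + r->lambda_dd) / total : 0.0;
}

/* Result of a voter: the agreed output and whether it may be used.
 * valid == false means "no consensus, drive the safe state". */
typedef struct {
    int32_t value;
    bool    valid;
    uint8_t disagree_mask;   /* bit i set when channel i disagreed with the output */
} VoteResult;

/* 2oo3: three independent channels; any two that agree win. A single faulty
 * channel is outvoted and flagged, so the output stays valid (HFT = 1). */
VoteResult vote_2oo3(int32_t a, int32_t b, int32_t c)
{
    VoteResult res = { 0, false, 0 };
    if (a == b || a == c) {
        res.value = a;
        res.valid = true;
    } else if (b == c) {
        res.value = b;
        res.valid = true;
    } else {
        return res;                 /* all three differ: safe state */
    }
    if (a != res.value) res.disagree_mask |= 1u;
    if (b != res.value) res.disagree_mask |= 2u;
    if (c != res.value) res.disagree_mask |= 4u;
    return res;
}

/* One channel of a 2oo2D system: its output plus its own diagnostics' verdict. */
typedef struct {
    int32_t value;
    bool    diag_ok;
} Channel;

/* 2oo2D: both channels must agree AND both must report healthy diagnostics;
 * any mismatch or diagnostic failure drives the safe state. On a mismatch
 * both channels are flagged, since two channels cannot tell which is wrong. */
VoteResult vote_2oo2d(Channel ch0, Channel ch1)
{
    VoteResult res = { 0, false, 0 };
    if (!ch0.diag_ok) res.disagree_mask |= 1u;
    if (!ch1.diag_ok) res.disagree_mask |= 2u;
    if (ch0.value != ch1.value) res.disagree_mask |= 3u;
    if (res.disagree_mask == 0) {
        res.value = ch0.value;
        res.valid = true;
    }
    return res;
}

int main(void)
{
    printf("DC  = %.1f%%\n", 100.0 * diagnostic_coverage(&SAMPLE_RATES));
    printf("SFF = %.1f%%\n", 100.0 * safe_failure_fraction(&SAMPLE_RATES));
    VoteResult r3 = vote_2oo3(1, 1, 0);
    printf("2oo3 (1,1,0): value=%d valid=%d disagree=0x%02x\n",
           (int)r3.value, (int)r3.valid, r3.disagree_mask);
    Channel good = { 5, true }, bad = { 5, false };
    VoteResult r2 = vote_2oo2d(good, bad);
    printf("2oo2D (healthy, diag fail): valid=%d disagree=0x%02x\n",
           (int)r2.valid, r2.disagree_mask);
    return 0;
}
```

With the constructed rates the element has DC = 90% but SFF = 95%, which is the gap Karl describes between the two figures. The voters show the architectural side: 2oo3 keeps a valid output with one disagreeing channel, whereas 2oo2D trades that availability for a simpler two-channel design that falls back to the safe state on any disagreement or diagnostic fault.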