Development of SIL4 certified safety system

Hi,

We are in the process of development of Safety Class SIL4 certified systems for which I am planning to use Hercules ARM Cortex R4/R5.

We are concerned about the following:

1) Whether an RTOS is mandatory for full utilization of such controllers in a smooth way, or whether enough support is available without an RTOS. I mean, how do people normally go about it? We want to avoid an RTOS to avoid the complexity of CENELEC verification of the RTOS and the cost associated with it. We do not plan to use a TCP/IP stack or USB stack for our system, rather simple serial RS422/485 for communication, or converted to optical output.

If an RTOS is at all necessary, then which RTOS is best suggested in terms of price and essential documents such as SIL3/SIL4 certification?

2) Whether the controllers will remain there, i.e. whether silicon and support will be available for the coming 5 years or so, as we have burnt our hands badly with the Stellaris series.

3) Is there some low-cost way for CENELEC SIL3-SIL4 verification of the application software to be developed for the systems from TI, or does one have to get it verified and validated using tools such as Parasoft C/C++, VectorCAST, LDRA, etc.?

Kindly guide us in this. We will be thankful.

Many Regards.

MOHIT.

  • Hello Mohit,

    First, let me answer the easy question, question 2, regarding silicon and support. The Hercules family of devices is developed from our ARM-based automotive MCUs that have been in existence for more than 20 years. We still have ARM7-based microcontrollers developed in the late 90's and early 2000's in production and going strong. In regard to support, we always strive to support our microcontrollers throughout their lifecycles and as long as they are in production. The plans for the Hercules (TMS570 and RM4x/5x) MCUs are no different. In fact, we have many automotive customers already on these devices that require 10+ years of support.

    In regard to use of an RTOS, this is highly dependent on the requirements of the application. An RTOS is often used not only to schedule tasks, but also to provide priorities and permissions for tasks within a highly complex application. If these types of operations are necessary for your application, then perhaps an RTOS will be needed. I don't think there are any specific requirements from either an MCU or safety standard point of view to use an RTOS; however, there may be compelling reasons from a practical point of view to use one, given the isolation of functions within the application and the assurance of execution of safety tasks. This is really a design consideration that must be defined by you as the application architect and as a result of a careful evaluation of the application's safety requirements.

    Finally, I am not familiar with CENELEC SIL3 and SIL4 requirements; but, assuming this follows the same track as other safety standards in its alignment with IEC 61508, the software requirements, including validation and verification, are generally defined within the standard. I know that TI offers a Safety Drivers package and also offers a Software Certification package for those drivers that includes some limited license for LDRA tools. Again, though, you would have to evaluate if this option is the most cost-effective for you. I also know that it is possible to develop home-grown verification and validation suites using scripting and custom instrumentation of your code. I would expect that using an off-the-shelf solution such as LDRA or some other tool might be easier to "sell" to the certification entity, given wider acceptance and proven-in-use factors.

    Finally, I apologize for the very broad answers; however, the questions asked are very general and are really dependent on your specific situation and your specific requirements. I have copied one of our safety experts who has had a great deal of experience/exposure to many different safety applications so that they can comment further and address any follow-on questions you might have.
  • Hi Chuck,

    Thanks for the detailed reply.

    Basically we want to develop applications for railways such as Electronic Interlocking System and Axle Counter systems where the entire firmware is defined in two parts - i.e. an Executive firmware and an Application firmware.

    Executive firmware does all the housekeeping jobs such as power-on safety checks, program flow control, error indications and messages, and integrating nodes on a network management system (we try to avoid Ethernet here due to the extra cost for TCP/IP stacks and their V&V, and we chose to go for serial communication, RS232/422/485, with or without optical fiber cables). There is very little information on such systems as to how people have gone about their ways, with RTOS or without RTOS. Keeping an RTOS (it will become part of the executive firmware) makes housekeeping jobs reliable, but has licensing costs and their V&V involved. So I am confused as to what should be the approach for such an application; a rough or thorough guideline would help. Again, application firmware involves logic based on field inputs and operator inputs whose V&V is mandatory.

    Now, whether it is GUI software or firmware (executive/application), how can we minimize the cost of the V&V, as well as in terms of tool licensing for the above-cited applications, and how can we generate certifications in-house so that the final product cost is reduced and made extremely competitive?

    Based on the above inputs, it would help if we could get some more details, approach, and some guidelines for tackling the development to make it safe, easy to implement and cost-effective as well.

    Will also wait for the take of the experts that Chuck has copied.

    Many Thanks.

  • Hello Mohit,

    The questions/challenges you pose are very good questions that are always at the forefront of a development project. Unfortunately, I cannot provide much more guidance on these points as they are choices that must be made by your organization based on the industry standards, project requirements, and laws where you intend to sell your products.

    As I mentioned before, the first step is to understand the requirements of the specific safety standards and SIL levels you intend to target, and then to analyze and document the safety requirements and infrastructure requirements to meet these objectives. Doing so will answer many of the questions you have asked.

    We believe that utilizing the Hercules devices helps in minimizing costs given the large amount of work TI has put into the safety documentation that we provide in our Safety Manuals, Safety Analysis Reports, and FMEDAs. However, in the end, there is a high level of dependency on how these features are used within the application and how the application is implemented on a system level.

    In regard to self-certification, I am not familiar enough with the standard you mentioned to state if this is possible or not.
  • Hello Mohit,

    Sorry for the delayed response over the holidays.

    I'm afraid I need to confirm a point first. CENELEC is not a standard, but a standards development organization which publishes many standards. Because you mention rail applications, I am assuming that you are trying to comply with the EN 50126/50128/50129 series of standards, correct?

    I am not so familiar with the rail standards, but I am very familiar with the IEC 61508 standard, with which the rail standards are in the process of aligning. In IEC 61508 (and in other standards I have seen), there is no specific guidance for or against an RTOS. There are many vendors who can provide pre-certified RTOS implementations to meet IEC 61508 requirements, and use of such should also help to reduce the cost and complexity of verification according to the rail standards. Here is a link which notes some of the 3rd party RTOS options for the Hercules platform, including multiple pre-certified offerings: LINK

    I am more of a hardware expert, but I understand that the effort involved in demonstrating SIL 3/SIL 4 capability of software is never trivial. Assuming the rail standards apply similar criteria as IEC 61508, then all aspects of the development process must be assessed, not just the final software product. Tools such as you mention are very helpful to verify correct software implementation, but must be used as part of a larger overall assessment strategy.

    Because many customers come to us with system-level support needs which are beyond the scope of our expertise, we have partnered with 3rd party experts in many functional safety applications. Here is a link which lists some of these companies: LINK. We do have a few partners, as noted in this list, with rail development expertise; it may be worthwhile to contact one or more of these companies to discuss specific end-equipment support/consulting options.

    Best Regards,

    Karl

  • Thank you Chuck and Greb for your detailed replies.

    Regards.
  • Thank you Karl for your reply.

    Regards.