
safe sensor with RM48L952ZWTT

Other Parts Discussed in Thread: RM48L952, TMS570LC4357

Hello, 

I want to develop a safe sensor by the use of redundancy. The microcontroller, which is already SIL3 certified, will be the MCU for reading and comparing the values of both sensors. These are I2C connected.

Is it the correct way, or do you know another approach?

Are there any example source codes for implementing similar applications?

Thanks in advance.

  • Hi,
    Can you please elaborate a bit? Do you have two sensors which are both connected to the I2C bus with one MCU? Or will you have each sensor connected to an independent RM48 MCU? In other words, you will have two MCUs. The RM48L952 has only one I2C port.

  • Hi Charles,

    We have only one safe MCU, and the idea is to connect two or more (similar) sensors in order to ensure integrity (correctness) and at the same time functional safety. How many sensors we will use is not the problem. The goal is to fulfill these requirements: integrity and functional safety.

    I got the suggestion from colleagues that redundancy could be an approach, since it is an approach used in sensor systems for aviation and safety-critical applications.

    To be more precise: we have a low-cost sensor (with I2C interface) and we intend to develop a safe component for a demonstrator (research project) that can be used for safety-critical applications. In order to use it in industry, this should be SIL3 certified. For this reason we bought a SIL3 MCU, and we don't know exactly how to proceed. If I2C is the wrong way, can you suggest another approach? As far as I know, it is possible to connect more than one device to an I2C bus, since they can have different addresses.

    Thank you in advance for your help.

    To be honest, we are not experts in developing safe sensor systems, but as research scientists we are trying to prove the feasibility of our concepts for specific applications.

    regards,

    G.

  • Hello G.,

    To implement such a system it is important to understand the concepts behind dependent fault analysis and common cause failures. In the IEC61508 (Annex E, I believe) standard there are specific mechanisms listed to analyze your system with regard to common cause failures (separate from a dependent fault analysis). This mechanism allows you to come up with a BetaIC factor which "scores" your implementation in regard to its susceptibility to common cause failures.

    In your proposed implementation both sensors would be the same technology, which means that a systematic fault would impact both equally. In addition, a systematic or random fault in the I2C interface could also lead to complete failure. Although these events are not critical in and of themselves, they could be if the sensor input is critical to protecting the safety function. A simple solution would be to design the system such that a failure of the ability to sense would place the device into a safe state, preventing incorrect operation of the application as a whole.

    Overall, it is difficult to assess your implementation since there are very few details on the system as a whole. To evaluate the effectiveness, it would be necessary to know what the safety requirements are and what the specific safety function is. If it is providing the sensor reading, then your implementation is questionable in regard to true redundancy (again note specific definition of information redundancy techniques within the IEC61508 standard).

    For a truly redundant system, I would recommend some additional measures.

    1.) Consider separating the sensors onto separate I2C buses. This can be done by utilizing a device that has 2 I2C interfaces (TMS570LC4357) or using NHET to emulate an I2C interface in addition to the included HW I2C module. More information about using the NHET as an I2C can be found in this thread: e2e.ti.com/.../1032239 with additional information and guidance available at this link: e2e.ti.com/.../665692

    Note that the I2C communication buses would need to be treated as a black channel and would need to have built-in protection mechanisms for safety. For example, if the sensor is a slave and does not respond in a given, expected time frame, or if data sent over the communication line does not have the correct CRC/parity, or if data is determined to be incomplete, such as a data length error. I.e., there needs to be some data integrity checks, including but not limited to comparison of the results for each sensor.

    2.) Consider diversity in sensor types such that you use 2 different sensor technologies. The diversity allows for the introduction of completely different communication mechanisms and potentially different data formats. Again, this helps in the common cause failure analysis and helps minimize the impact of a systematic failure affecting both sensors in the same way with potentially believable but wrong reported results.

    Finally, you must consider the failure rate of the entire system and not necessarily individual components. It's a good start to begin with devices with the highest SIL ratings possible, but the combination of these together must be considered along with the DC (Diagnostic Coverage) and SFF (Safe Failure Fraction) on a system/application level.

    Where:

    DC = (total dangerous detected faults) / (total dangerous detected faults + total dangerous undetected faults)

    and

    SFF = (total safe faults + total dangerous detected faults) / (total safe faults + total dangerous detected faults + total dangerous undetected faults)

    In the end, I don't know if I have completely addressed your question, but we realistically cannot ever answer your question aside from providing suggestions that need to be evaluated and considered by you as the system integrator, since you are the most aware of your system requirements and safety goals. Which is also why we do not have any example source codes that would fit your scenario. We do, however, have a concept study we completed with TUEV SUED regarding a CAT3 PLd implementation in which we utilize 2 temperature sensors to disable a motor drive (Safe Torque Off) during an over-temp scenario (Safe Temp Control). This concept study report is located here: www.ti.com/.../spnu604. Note that CAT3 PLd has some overlap with the SIL3 rating within IEC61508.

    Also, if you have not yet done so, I would recommend that you sign up for our private SafeTI forum (requires an NDA) where we can get deeper into specific Hercules safety topics that we might not be able to discuss in this forum due to their proprietary nature. You can sign up by going to this link: www.ti.com/safetyanalysis

    Hopefully, you will find some helpful and insightful information within this post. I know it is quite lengthy but, the topic can be quite complex and this only scratches the surface of the topic.

    Regards,
    Chuck Davenport
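The black-channel checks listed in item 1 of the reply above (response timeout, CRC, data length, sequence freshness) and the cross-comparison of the two sensor channels, written out as an added C example. This is not code from the thread, from TI or from the SafeTI material; it assumes a hypothetical 4-byte sensor frame (sequence counter, 16-bit reading, CRC-8) and a fixed agreement tolerance, and the sample frames in the comments are constructed, not captured from a real sensor. Any channel that fails a check, or two channels that disagree, drive the application to its safe state, which is the "failure of the ability to sense forces a safe state" rule from the reply.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical 4-byte frame a sensor returns over I2C (an assumption for this
 * example, not a real sensor's register map):
 *   byte 0    : sequence counter, incremented by the sensor on every sample
 *   bytes 1-2 : 16-bit reading, big-endian
 *   byte 3    : CRC-8 (poly 0x07, init 0x00) over bytes 0..2
 */
#define FRAME_LEN 4u

typedef enum { CH_OK = 0, CH_LEN_ERR, CH_CRC_ERR, CH_SEQ_ERR, CH_TIMEOUT } ch_status_t;
typedef enum { SYS_RUN = 0, SYS_SAFE_STATE } sys_state_t;

/* Per-channel bookkeeping the MCU keeps between control cycles. */
typedef struct {
    uint8_t  next_seq;    /* sequence number expected in the next frame */
    uint32_t last_rx_ms;  /* time of the last accepted frame */
} ch_state_t;

/* CRC-8, polynomial 0x07, init 0x00, no reflection, no final XOR. */
uint8_t crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0x00;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80u) ? ((crc << 1) ^ 0x07u) : (crc << 1));
    }
    return crc;
}

/* Sensor side: pack a reading into the frame format above. */
void build_frame(uint8_t out[FRAME_LEN], uint8_t seq, uint16_t value)
{
    out[0] = seq;
    out[1] = (uint8_t)(value >> 8);
    out[2] = (uint8_t)(value & 0xFFu);
    out[3] = crc8(out, 3);
}

/* MCU side: black-channel checks on one received frame. The CRC is checked
 * before the sequence counter is trusted, and channel state is advanced only
 * when every check passes, so a corrupted frame cannot move the window. */
ch_status_t validate_frame(ch_state_t *st, const uint8_t *frame, size_t len,
                           uint32_t now_ms, uint32_t timeout_ms, uint16_t *value_out)
{
    if (len != FRAME_LEN)                                 return CH_LEN_ERR;
    if (crc8(frame, 3) != frame[3])                       return CH_CRC_ERR;
    if (frame[0] != st->next_seq)                         return CH_SEQ_ERR;
    if ((uint32_t)(now_ms - st->last_rx_ms) > timeout_ms) return CH_TIMEOUT;

    st->next_seq   = (uint8_t)(st->next_seq + 1u);
    st->last_rx_ms = now_ms;
    *value_out = (uint16_t)(((uint16_t)frame[1] << 8) | frame[2]);
    return CH_OK;
}

/* One control cycle: both channels must validate and agree within `tolerance`,
 * otherwise the application goes to its safe state. A channel that delivered
 * nothing this cycle is passed with len == 0 and fails the length check.
 * The agreed value is the larger reading, the conservative choice for an
 * over-temperature trip; another application may need a different rule. */
sys_state_t evaluate_cycle(ch_state_t *a, const uint8_t *fa, size_t la,
                           ch_state_t *b, const uint8_t *fb, size_t lb,
                           uint32_t now_ms, uint32_t timeout_ms,
                           uint16_t tolerance, uint16_t *agreed_value)
{
    uint16_t va = 0, vb = 0;
    if (validate_frame(a, fa, la, now_ms, timeout_ms, &va) != CH_OK) return SYS_SAFE_STATE;
    if (validate_frame(b, fb, lb, now_ms, timeout_ms, &vb) != CH_OK) return SYS_SAFE_STATE;

    uint16_t diff = (va > vb) ? (uint16_t)(va - vb) : (uint16_t)(vb - va);
    if (diff > tolerance) return SYS_SAFE_STATE;   /* channels disagree */

    *agreed_value = (va > vb) ? va : vb;
    return SYS_RUN;
}
```

The comparison step is what turns two sensors into a diagnostic: a single sensor that reports a plausible but wrong value passes every black-channel check, and only the disagreement with the second channel exposes it. As the reply notes, that only helps against common-cause faults if the two channels do not share the bus, the technology and the failure mode.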