
How to determine safety test measures within Hercules controller for SILx...

Hello TI Support!


We are currently working on a safety project.

The Hercules controller is used in this safety application with real-time requirements.

Certification should be SIL3 according to 61508.

We have read the safety manual (document number SPNU551A) and found much information about possible test measures for all the different parts of the controller.

In the application, real-time means that actions have to be performed every 40 us!

Therefore, we are afraid that we will have trouble with different CPU and SRAM tests during runtime.

- Every CPU test needs at least 15.xx us, and after this we have a processor reset and need additional time to come back to the state before the reset.

- The SRAM test needs at least 2.6 ms per block?!

- SRAM ECC can be used, but it is not written whether this is sufficient for SIL3. It is not written what DC is reached.

- It is also not written whether the SRAM ECC must be tested and how this can be done.

In appendix B.3 it is written that the “Definition of MCU safety requirements” is performed by TI.

Therefore my question is: how is this definition performed?

What information do you need from us?

Or can you tell us what minimum tests must be performed to achieve SIL3?

Or are there any other documents? (Our customer has an NDA with you...)

Kind regards and thanks in advance,
Andreas Rickert

  • Hello Andreas,

    Thank you for your interest in the Hercules line of Safety MCUs. 

    To begin, I will address your concerns with the 40us loop timing for your application, since some of the safety mechanisms are defined as periodic checks. In these cases, it is up to you to define on a system level how frequently the diagnostics should be run, based on your system level safety requirements and specifically the requirements for your fault detection timing and fault tolerance time of your system. In many cases, the detection timing is going to be significantly less than the smallest loop time, which will allow scheduling of the diagnostic tests in a way that is minimally impacting your application.

    Next, to address the selection of Safety Diagnostics used. Again, this should be done based on your application/system level safety requirements. Again, in many cases a minimal set of diagnostics can be chosen to achieve the desired diagnostic coverage and estimated FIT rates. TI provides a tool to use for this purpose. More information on the tool and access to it is available in the SafeTI Private forum as part of the NDA covered Safety Analysis Reports (SAR). 

    For the specific tests you mention in your post (CPU, SRAM PBIST tests, and SRAM ECC), TI's safe island concept and architecture covers these such that they can be run at startup only. As an example, CPU LBIST is run at startup along with the CCM diagnostics to prove the validity of the CPU Lockstep architecture. Once the CPU and CCM are proven valid/safe, the lockstep architecture provides the runtime diagnostic (with no overhead) during the application. A similar approach can be made with SRAM PBIST and SRAM ECC. PBIST and ECC are checked at startup through self-tests and tests of error paths, etc. Once proven good/safe, PBIST is used to validate SRAM safety, and from there on out ECC is the runtime diagnostic protecting SRAM content in the device.

    In the end, it is up to you as the system integrator to decide when and what diagnostics to use and what estimated FIT rates are acceptable to you. We can discuss this topic in more detail on our SafeTI private forum (can request access through this link:  and once the SafeTI NDA is in place access will be granted.

    Andreas Rickert said:

    In appendix B.3 it is written that the “Definition of MCU safety requirements” is performed by TI.

    Therefore my question is: how is this definition performed?

    As is also mentioned in the document, TI's assessment is based on a System Out of Context approach. In this regard, some assumptions have been made in order to move forward with the certification process. Details of the assumptions are included in SAR documents available through the Private forum/NDA. If there are specific questions on the SAR documents, these can be answered only in the private forum.

    Andreas Rickert said:

    What information do you need from us?

    Or can you tell us what minimum tests must be performed to achieve SIL3?

    Or are there any other documents? (Our customer has an NDA with you...)

    Unfortunately, TI cannot provide specific information on what diagnostics would be required for your application since this ties more to your system level requirements. For certain, you can use the tools that TI provides to gauge impact on estimated FIT rates and other safety metrics such as PFH or MTTF in order to decide which diagnostics add value or not. Again, the tool is available only through the private forum which requires an NDA.

    Note that an NDA would need to be established between your direct company and TI in order to gain access to the private forum. A customer-third party developer relationship is not sufficient, since the membership in the forum does not expire or get linked to your customer's NDA. If you submit the request for access through the link provided above, it is a relatively painless and quick process to give access, provided you complete and return the SafeTI NDA signed by an authorized agent of your company in a timely manner.

    Again, thank you for your interest in the Hercules Safety MCUs and I look forward to working with you in providing more detailed information in the private forum where we can share more detailed information.
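The scheduling point made in the reply above (a periodic diagnostic whose run time is longer than the 40 us loop is sliced across many loops, and its worst-case detection latency is then checked against the system's fault detection time) is illustrated below by an added example; it is not code from this thread, from TI, or from the Hercules safety library. A software CRC read-back over a data region stands in for the periodic diagnostic; the hardware mechanisms discussed in the reply (LBIST, PBIST, CCM, ECC) are not modelled. The 40 us loop period is taken from the question; the per-loop diagnostic budget (6 us), the check throughput (8 words/us), the fault detection time interval (20 ms) and the region size are assumed values chosen for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* LOOP_PERIOD_US is the figure from the question. The other three are
 * assumptions for this illustration, not Hercules or application figures. */
#define LOOP_PERIOD_US   40u      /* real-time loop period (from the thread) */
#define DIAG_BUDGET_US   6u       /* ASSUMED: time per loop reserved for the diagnostic */
#define WORDS_PER_US     8u       /* ASSUMED: words the check can process per microsecond */
#define FDTI_US          20000u   /* ASSUMED: system fault detection time interval, 20 ms */

#define SLICE_WORDS      (DIAG_BUDGET_US * WORDS_PER_US)   /* 48 words per loop */
#define REGION_WORDS     2048u    /* size of the constructed region under test */

typedef enum { DIAG_RUNNING, DIAG_PASS_OK, DIAG_FAULT } diag_status_t;

typedef struct {
    uint32_t *base;
    uint32_t  words;
    uint32_t  golden_crc;     /* reference captured at startup */
    uint32_t  cursor;         /* next word index of the pass in progress */
    uint32_t  running_crc;    /* partial CRC of the pass in progress */
} sliced_check_t;

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), fed one 32-bit word at a time. */
static uint32_t crc32_word(uint32_t crc, uint32_t word) {
    for (int b = 0; b < 32; b++) {
        uint32_t bit = (crc ^ (word >> b)) & 1u;
        crc = (crc >> 1) ^ (bit ? 0xEDB88320u : 0u);
    }
    return crc;
}

static uint32_t crc32_region(const uint32_t *p, uint32_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (uint32_t i = 0; i < n; i++) crc = crc32_word(crc, p[i]);
    return crc ^ 0xFFFFFFFFu;
}

/* Startup: capture the golden CRC over the whole region in one go. */
static void sliced_check_init(sliced_check_t *c, uint32_t *base, uint32_t words) {
    c->base = base;
    c->words = words;
    c->golden_crc = crc32_region(base, words);
    c->cursor = 0;
    c->running_crc = 0xFFFFFFFFu;
}

/* Called once per loop: process at most SLICE_WORDS words, then return. */
static diag_status_t sliced_check_tick(sliced_check_t *c) {
    uint32_t end = c->cursor + SLICE_WORDS;
    if (end > c->words) end = c->words;
    for (; c->cursor < end; c->cursor++)
        c->running_crc = crc32_word(c->running_crc, c->base[c->cursor]);
    if (c->cursor < c->words) return DIAG_RUNNING;
    uint32_t crc = c->running_crc ^ 0xFFFFFFFFu;   /* pass complete: compare */
    c->cursor = 0;
    c->running_crc = 0xFFFFFFFFu;
    return (crc == c->golden_crc) ? DIAG_PASS_OK : DIAG_FAULT;
}

/* Schedule arithmetic. A corruption just behind the cursor is missed by the
 * pass in progress and caught by the next one, so the bound is two passes. */
static uint32_t pass_ticks(uint32_t words) { return (words + SLICE_WORDS - 1) / SLICE_WORDS; }
static uint32_t worst_case_detection_us(uint32_t words) { return 2u * pass_ticks(words) * LOOP_PERIOD_US; }
static bool fits_fdti(uint32_t words) { return worst_case_detection_us(words) <= FDTI_US; }

/* Simulation: run clean for inject_tick loops, flip one bit in word inject_word,
 * then count loops until the check reports a fault (-1 if the bound is exceeded). */
static uint32_t region[REGION_WORDS];   /* constructed data, not real SRAM */

static int simulate_detection_ticks(uint32_t inject_tick, uint32_t inject_word) {
    for (uint32_t i = 0; i < REGION_WORDS; i++) region[i] = 0x9E3779B9u * (i + 1);
    sliced_check_t chk;
    sliced_check_init(&chk, region, REGION_WORDS);
    for (uint32_t t = 0; t < inject_tick; t++)
        if (sliced_check_tick(&chk) == DIAG_FAULT) return -2;   /* clean data must pass */
    region[inject_word] ^= 0x00000100u;                          /* single stuck bit */
    uint32_t limit = 2u * pass_ticks(REGION_WORDS);
    for (uint32_t t = 1; t <= limit; t++)
        if (sliced_check_tick(&chk) == DIAG_FAULT) return (int)t;
    return -1;
}

int main(void) {
    printf("slice %u words/loop, pass %u loops (%u us), worst-case detection %u us, FDTI %u us: %s\n",
           SLICE_WORDS, pass_ticks(REGION_WORDS), pass_ticks(REGION_WORDS) * LOOP_PERIOD_US,
           worst_case_detection_us(REGION_WORDS), FDTI_US, fits_fdti(REGION_WORDS) ? "OK" : "TOO SLOW");
    printf("fault behind cursor detected after %d loops, ahead of cursor after %d loops\n",
           simulate_detection_ticks(10, 5), simulate_detection_ticks(10, 1000));
    return 0;
}
```

With the assumed numbers a full pass over 2048 words takes 43 loops (1.72 ms) while each loop gives up only 6 us, and the two-pass worst case of 3.44 ms sits well inside the assumed 20 ms fault detection time; the simulation confirms the bound from both sides of the cursor. The same arithmetic can be rerun with the application's real budget, throughput and FDTI to decide whether a periodic check fits or has to be confined to startup, which is the trade-off the reply describes.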