• State Resolved
  • Locked Locked
  • Replies 3 replies
  • Subscribers 31 subscribers
  • Views 1192 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

RM48L530: 1oo1d with external watchdog, HFT=1 ?

Elias Mabook
Prodigy 20 points
Part Number: RM48L530

Hello, 

I am new to functional safety and working on a design using Hercules RM48x. I have a basic question regarding the safety architecture.

The Hercules RM48x has 2 cores running in lock-step which is considered as 1oo1d architecture with HFT=0.

Does using an external watchdog make the HFT=1? What is the justification in case of yes/no? 

Thanks.

  • 0
    TI__Guru 59540 points
    Hello Elias,

    The inclusion of an external WD does not enable an HFT=1 designation. An HFT=1 means that no single point failure will cause loss of the safety function. With an external WD, how does a permanent failure get resolved to allow continued operation/protection of the safety function within the context of the MCU?
  • 0 in reply to Chuck Davenport
    Prodigy 20 points

    Thanks for your reply.

    Without going into deep details of the design, the external watchdog is able to monitor the RM48x by following one of the pins + monitoring extra conditions(undervoltage, overvoltage...). The output of 

    the watchdog is connected in series with the output of the RM48x. Reaching fail-safe state is possible with the watchdog circuit as well as with the RM48x.

    Would this be considered HFT=1 or it is an additional diagnostics? 

    Thanks.

  • 0 in reply to Elias Mabook
    TI__Guru 59540 points

    Elias,

    No, reaching failsafe state in and of itself is not considered HFT=1. failsafe State is considered an off-line test. See below excerpt from the IEC61508-1 standard.

    The second highlighted section describes the necessity to maintain the safety function by continued operation during testing. Placing the external watchdog or the MCU into a safe state means that one of the components is lost. The only way this could be considered as HFT>0 would be if the external watchdog was able to continue and maintain the safety function. However, this is at the system level and is beyond the scope of the MCU certification. The MCU certification assumes HFT=0 for the MCU.