
TMS570LS0714: Any proof or certificate of safety of the ECC function

Part Number: TMS570LS0714

Dear All

We are using the tms570ls0714 in a safety critical project, which aims to achieve SIL4 of EN50128.

We decided to use the ECC functions. But the assessors were astonished when they heard that ECC can change the data and program on the flash section.

We explained that when there is a single bit error, the CPU will correct it, and it will improve our safety level. But they don't agree; they think the program context cannot be changed all the time.

They ask for the certificate of the ECC function to prove that the ECC detection and correction logic is safe and reliable.

Can you guys offer me something related?

And another issue is that in the doc SPNU550A, you mentioned:

"Safety Analysis Report Summary for TMS570LS12x and TMS570LS11x ARM®-Based Safety Critical Microcontrollers (SPNU530)

Detailed Safety Analysis Report for TMS570LS12x and TMS570LS11x ARM®-Based Safety Critical Microcontrollers (SPNU531)"

I cannot find these two docs anywhere. Could I have these two docs for the tms570ls0714 and 1227?

Thank you so much.

Best Regards

Leo

  • Hello Leo,

    cc liu said:
    We decided to use the ECC functions. But the assessors were astonished when they heard that ECC can change the data and program on the flash section.

    To be honest, I am surprised your assessor isn't familiar with ECC technology. It has been in use in safety and safety related applications for decades and is a proven method to deal with soft/transient faults. Also, I am glad that you have decided to use ECC within your project as it would be impossible to meet the safety metrics without it.

    Also, to be clear, the ECC logic does not change the Flash bits or program in your device. It is a correction mechanism that will evaluate the data/instruction delivered to the CPU vs. the ECC signature. If a single bit failure is detected, there is a proven algorithm (as described in the TRM) that is used to determine the faulty bit and correct it. If there is more than 1 bit that is faulty within the 64-bit word/ECC signature, then the CPU is notified of the fault and the nERROR pin is asserted.

    cc liu said:
    They ask for the certificate of the ECC function to prove that the ECC detection and correction logic is safe and reliable.

    Each element within the device has been evaluated during the third party assessment process including the ECC logic as part of the CPU. This includes a comprehensive review of all associated testing, proven in use data, and architecture related materials. It is also worth noting that the ECC logic is part of the CPU core which is lockstepped such that all core operations are compared between the primary CPU Core and the diagnostic CPU Core. Any deviation in any of the input or output signals to either of the two cores is flagged as a defect. In other words, if there is a malfunction in the ECC logic of 1 core, the device will notify the system of a Core compare error allowing the system to enter a safe state.

    As far as availability of additional information regarding the certification of the ECC function, we cannot provide any additional information beyond what is available in our available documentation as it is considered proprietary. The primary reason we have taken the additional steps to have our devices certified is to save our customers from this level of scrutiny; the certification speaks for itself.

    cc liu said:

    Safety Analysis Report Summary for TMS570LS12x and TMS570LS11x ARM®-Based Safety Critical Microcontrollers (SPNU530)

    Detailed Safety Analysis Report for TMS570LS12x and TMS570LS11x ARM®-Based Safety Critical Microcontrollers (SPNU531)

    These documents are covered under NDA as they have proprietary information in them that we do not wish to place in the public view. They are only available through our SafeTI Private E2E. You can request access to this forum through this link: 

    Note that access to this private forum requires the completion of the SafeTI NDA which is offered as a form to be completed during the request process. The completed SafeTI NDA must be signed by an authorized agent of your company, scanned, and returned to TI via email to safety_docs@list.ti.com.

    The Safety Analysis Reports may go a long way to satisfy many of your assessors' concerns as we discuss the specific operational profile considered during our assessment as well as details on radiation testing, estimated FIT rates, SFF, PFH, etc. for the device. In addition, the Detailed Safety Analysis report also includes an FMEDA tool that allows you to customize the operational profile to your application and get application specific safety metrics and FIT rates.

    Finally, to summarize, I don't understand the comments/concerns regarding ECC since this is very mature technology which has been used in Aerospace, Automotive, Industrial Safety, and Railway for many, many years. Specifically, you would be challenged to find an Aerospace application without this feature given the very high levels of radiation for non-terrestrial applications.

    If there are still questions or concerns, please reach out to me via the messaging feature of this forum and we can arrange a direct call to discuss in more detail.
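The single-bit-correct / double-bit-detect behaviour described in the reply above, as an added example that is not TI's code and not the parity matrix from the TRM: a generic SECDED Hamming(72,64) code (64 data bits, 8 check bits) together with a constructed flash-read model that injects one or two bit flips. The bit layout (check bits at power-of-two positions, overall parity in bit 0) is an assumption of this example, not the device's actual encoding.

```c
#include <stdint.h>
#include <string.h>
#define CW_BITS 72   /* 64 data bits + 8 check bits, one bit per array entry */
typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_result_t;
static int is_pow2(int p) { return (p & (p - 1)) == 0; }
/* Encode: data fills the non-power-of-two positions 1..71, Hamming check
 * bits sit at 1,2,4,...,64 and bit 0 carries the overall parity (SECDED). */
void secded_encode(uint64_t data, uint8_t cw[CW_BITS]) {
    memset(cw, 0, CW_BITS);
    for (int p = 1, d = 0; p < CW_BITS; p++)
        if (!is_pow2(p)) cw[p] = (uint8_t)((data >> d++) & 1);
    for (int c = 1; c < CW_BITS; c <<= 1)
        for (int p = c + 1; p < CW_BITS; p++)
            if (p & c) cw[c] ^= cw[p];          /* data bits covered by check c */
    for (int p = 1; p < CW_BITS; p++) cw[0] ^= cw[p];
}

/* Decode. Syndrome != 0 with odd overall parity: one flipped bit, corrected.
 * Syndrome != 0 with even overall parity: two flipped bits, not correctable
 * (the case where the device flags the CPU and asserts nERROR). */
ecc_result_t secded_decode(uint8_t cw[CW_BITS], uint64_t *data) {
    int syn = 0, odd = 0;
    ecc_result_t r = ECC_OK;
    for (int c = 1; c < CW_BITS; c <<= 1) {
        int par = 0;
        for (int p = c; p < CW_BITS; p++) if (p & c) par ^= cw[p];
        if (par) syn |= c;
    }
    for (int p = 0; p < CW_BITS; p++) odd ^= cw[p];
    if (syn >= CW_BITS || (syn && !odd)) return ECC_UNCORRECTABLE;
    if (syn || odd) { cw[syn] ^= 1; r = ECC_CORRECTED; }  /* syn==0: bit 0 */
    *data = 0;
    for (int p = 1, d = 0; p < CW_BITS; p++)
        if (!is_pow2(p)) *data |= (uint64_t)cw[p] << d++;
    return r;
}

/* Model one flash read of `stored` with up to two injected bit flips (constructed
 * faults). Returns the decode result, or -1 if the decoder returned a
 * "corrected" word that does not match what was stored. */
int flash_read_check(uint64_t stored, int flip_a, int flip_b, int nflips) {
    uint8_t cw[CW_BITS]; uint64_t out = 0;
    int flips[2] = { flip_a, flip_b };
    secded_encode(stored, cw);
    for (int i = 0; i < nflips; i++) cw[flips[i]] ^= 1;
    ecc_result_t r = secded_decode(cw, &out);
    return (r != ECC_UNCORRECTABLE && out != stored) ? -1 : (int)r;
}
```

Note that the decoder never rewrites the stored word; it corrects the copy delivered to the reader, which is the distinction the reply draws between "changing the flash" and correcting a single-bit read.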