
TMS570LS1224: Functional Safety related settings in Halcogen

Part Number: TMS570LS1224
Other Parts Discussed in Thread: HALCOGEN

Hello Team,

We are currently using TMS570LS1224 in one of our products. Our product is going for SIL2 certification.

We used Halcogen to create low level drivers like SPI, I2C, UART, ETPWM, Flash (FEE), RTI for OS timer ticks, MibSPI, HET for PWM generation, eCAP, MibSPI, internal ADC. I would like to ask the following questions:

1) Do we need to enable any safety related options in the Halcogen?

2) As the TMS570LS1224 micro is SIL certified, do we not need to bother about the SIL certification?

3) Are there any functional safety related settings in the Halcogen tool?

Please suggest/provide information on SIL functional safety aspects.

  • Hello Kumar,

    Your questions are forwarded to our safety expert. He will give you more details.

    Regards,
    QJ
  • Hello Mallela,

    Please find my responses to your questions below:

    Mallela Kumar said:

    1) Do we need to enable any safety related options in the Halcogen?

    The software generated by HalCoGen is developed in a SIL3/ASILD certified process. There is a tab that indicates the possibility to choose to use a Safety Init for boot up. Although you could write your own or use the boot up files from the SafeTI Diagnostic Library, this selection is a good start to implementing safety on the device. For the other tabs and driver level setup, it is really up to your system level requirements whether these are safety related or not. Certainly, at a driver level, there are no specific options listed in Halcogen for Safety, but your application requirements/Safety Requirements Specification may drive specific configurations within some of the drivers.

    Mallela Kumar said:

    2) As the TMS570LS1224 micro is SIL certified, do we not need to bother about the SIL certification?

    The very short answer is you absolutely have to have your system assessed separately. The Hercules certificate only covers the Hercules MCU.

    Hercules devices are Safety Certified to SIL3/ASILD but this is only at the device level under a System Out Of Context (SooC) approach. i.e., you still need to evaluate your system level requirements, fault potential (fault tree analysis), and Safety Requirements Specification (SRS) to determine how to best implement the device within your system. In the end, the system level integration of all components and the application of your requirements must be assessed by a 3rd party assessor. Using Hercules helps in this regard since, if you use the device in accordance with the Safety Manual and use the FMEDA tool customized to your application to get associated MCU safety metrics, you will have the safety evidence for the biggest part of your application taken care of. This doesn't preclude the assessor wanting to know how the chip is used and to analyze your overall architecture with respect to protection of the safety functions.

    Mallela Kumar said:

    3) Are there any functional safety related settings in the Halcogen tool?

    The primary selection is the Safety Init tab with selection of which diagnostics you wish to run at boot time. See question #1 above.

    Mallela Kumar said:

    Please suggest/provide information on SIL functional safety aspects.

    Unfortunately, Functional Safety implementation is a very big topic that takes much more time to discuss than I can provide simply in this post. You may wish to contact one of the global Functional Safety Assessors to see about Training Sessions. We have used TÜV SÜD and exida for this with success, but you could also check with TÜV NORD and TÜV Rheinland about training opportunities. These are not inexpensive, but provide an opportunity to get a complete picture of Functional Safety and the steps needed for developing a functional safety system.

    As I have stated in other posts, functional safety is really about the process that you follow where documentation, test, and evidence generation become a primary concern. In some ways, the final product or piece of HW becomes secondary. I have posted some information on process in this thread: https://e2e.ti.com/support/microcontrollers/hercules/f/312/p/599873/2207684 that may be helpful.

    Hopefully this helps.

  • Hello Chuck,

    Yes, our product and software will be assessed by a 3rd party assessor, preferably TÜV Rheinland.
    1) We just want to know which functional safety related settings need to be enabled in the Halcogen.
    2) Apart from Halcogen, do we need to use the SafeTI Diagnostic Library? (Currently we are not using the SafeTI Diagnostic Library; only the settings in the Safety Init tab are enabled.)

    3) As you mentioned, "The primary selection is the Safety Init tab with selection of which diagnostics you wish to run at boot time."
    Is the Safety Init tab sufficient from the functional safety point of view?
    4) Are there any secondary safety related options available which I need to enable?
    5) The Safety Init tab diagnostics run at boot time; how about the safety related diagnostics which run periodically?
  • Hello Mallela,

    Have you reviewed section 5 of the Safety Manual that outlines the Integrator Responsibilities in the development of the Safety System using Hercules? There are many useful suggestions there and some guidance on how to proceed with your development.

    As far as I am aware, the Halcogen tool is used primarily for driver configuration. There may be some specific driver configurations that are needed to implement some of the safety diagnostics outlined in the safety manual or required by your application. We at TI are not in a position to give specific safety guidance related to your integration since there are many differences from application to application. We provide a set of tools for your use that can be used as is, pared down, or enhanced, dependent on your specific safety needs. Your safety needs will be derived from your Safety Requirements Specification (SRS) and from your specific Safety Analysis (fault tree analysis, for example).

    In regard to use of the SafeTI Diagnostic Library, it is provided as a convenience and is not required. It has code to implement many of the diagnostics identified in the safety manual and in the FMEDA tool, which is used to calculate FIT rates, SFF, and other safety related metrics you will need for certification. The FMEDA tool is customizable to your application in regard to operational profile, pin use, feature use, diagnostic use, and finally custom diagnostic use. None of these are required by TI for use in your system or in your development and are provided for convenience to make your development process easier. For certain, all of the information provided in these documents and by the FMEDA tool will directly relate to the certification process with any assessor and can serve as evidence in your certification.

    For your last three questions:
    "3) As you mentioned, 'The primary selection is the Safety Init tab with selection of which diagnostics you wish to run at boot time.'
    Is the Safety Init tab sufficient from the functional safety point of view?
    4) Are there any secondary safety related options available which I need to enable?
    5) The Safety Init tab diagnostics run at boot time; how about the safety related diagnostics which run periodically?"

    The boot time diagnostics that are run are primarily related to our basic safety premise/approach that we call "Safe Island", where we run diagnostics on critical CPU resources at boot time, which ensures their validity for use in SW based diagnostics later. More information on this can be found in the Safety Manual.

    I'm not certain what you mean by secondary safety related options, but for certain there are more diagnostics that should be run related to latent fault detection, SW test of function, SW test of error path and reporting, black channel considerations, etc., which also prove that each of the peripherals is working as intended or protect the safety function. Again, more can be found by review of the safety manual and perhaps sections of the IEC 61508 standard.

    From a safety standpoint, I would strongly encourage you to review the content of the device specific Safety Manual and Safety Analysis Reports. The safety manual is available on the product page under user guides. The Safety Analysis Reports are NDA documents and only available in our SafeTI Private Forum. Access to the private forum can be requested using this link, www.ti.com/safetyanalysis, and filling out the SafeTI NDA and returning it per the instructions.

    You may also want to review the online safety training we have. There are several videos located on the www.ti.com/safeti page towards the bottom that go through Functional Safety principles and development concerns, etc.
  • Hello Chuck,

    I will thoroughly go through the Safety Manual of TMS570LS1224.

    But I have a quick question for you.

    In the earlier reply you mentioned "In regard to use of SafeTI Diagnostic Library, it is provided as a convenience and is not required." But the link below says:

    "TI strongly recommends customers to use SafeTI™ Diagnostics Library for all safety diagnostics related functions."

    processors.wiki.ti.com/.../Integration_of_HALCoGen_with_Hercules_SafeTI_Diagnostics_Library

    Can you provide some clarification on whether to use the SafeTI Diagnostic Library or not?

  • Hello Mallela,

    Thank you for the link to the SafeTI Diag Wiki page. I was previously unaware of this page. I don't feel the "strong" recommendation is warranted and it should be removed. Certainly, there are benefits to using the library, as many of the diagnostics are implemented within it and it gives some guidance on how they should be done. In addition, there are CSP packages available to help in the creation of evidence of testing and suitability for functional safety use for your assessor. This equates to ease of use and cost reduction for you and your development at the system level. However, our device certifications are based purely on hardware and the assumption of the use of the appropriate safety diagnostics, whether they be HW or SW, but we do not make assumptions on who develops the SW for execution of the safety diagnostics. i.e., we do not assume you are using HalCoGen, nor assume you are using the SafeTI Diagnostic Library. It is purely a choice for you to make.

    Note that I will be taking the initiative to have the Wiki page updated to remove the "strong recommendation" comment as it is unwarranted. TI, in general, does not have the application level awareness that you as the integrator have and should not be making recommendations such as this. As the integrator, it is up to you to make the assessment as to whether the use of the SafeTI diagnostic library is appropriate and beneficial for your project based solely on the needs of your specific project and safety requirements.