
TMS470MF03107: Hercules mcu for SIL3 level and PLd level

Part Number: TMS470MF03107
Other Parts Discussed in Thread: TMS570LC4357, HALCOGEN, TPS65381A-Q1, AMIC110

Hello,

I am going to develop an industrial drive with Functional Safety functions (such as STO, SS1, SS2, SOS, SLS, ...) according to the following standards and safety levels:

    • IEC 61508 (generic functional safety standard) -> SIL3 level
    • IEC 61800-5-2 (industrial drive safety standard) -> SIL3 level
    • IEC 62061 (machinery) -> SIL3 level
    • ISO 13849-1 (machinery) -> PLd level

Here are some questions:

  1. Is using only one Hercules MCU per drive sufficient for our SIL3 target (e.g. max SIL and PL, DC diagnostic coverage, redundancy ...)? I've read that the Hercules architecture is 1oo1D (the safety system is not redundant), so does that imply the MCU has DC > 99%?
  2. Which versions among the Hercules MCU family are fully certified and provided with user documentation?
  3. I know that TI offers tools for the validation, but which tools do we need for the assessment? Do you have some more detailed information or a practical example?
  4. Regarding the application level (the code written by us): is it validated using the tools provided by TI, or do we need some external unit test tool (like Polyspace, Cantata, LDRA, etc.)?
  5. Do you know whether someone has already succeeded in implementing an IEC 61508/SIL3-compliant product with only one Hercules MCU?
  6. We tried the Demo Kit for Compiler Qualification, but we saw there is the Hercules SafeTI Compiler Qualification Kit (that is free of charge). What are the differences that affect the certification process?

Many Thanks,

Fax

  • Hello Fax,

    First, let me point out that the part number referenced is a non-lockstep device with limited safety capability. It is a QM (quality managed) device and is not certified. Although system level considerations may come into play, this device is generally not intended for the level of safety that you have noted as your goals. It is an automotive grade device so there is potential for it to be used in automotive applications that do not require the rigor of higher ASIL requirements.

    In light of this, I will answer your questions relative to our more standard Hercules line Safety MCUs with Lockstep Cores. This includes the TMS570LS0x32 series at the low end up to the TMS570LC4357 at the top end relative to feature content and performance.

    Hercules Safety Concept:

    To begin, and to be clear, these devices have 2 CPUs/cores, but they operate in lockstep and cannot be decoupled. The cores operate out of phase to allow temporal diversity (i.e., always operating 2 clocks out of sync). They are synchronized at their outputs, and the outputs are compared via comparator logic such that if there are any differences in their operation, a fault can be signalled. In this sense, only 1 of the cores is truly active in the system and the second is acting only as a diagnostic of the first to ensure consistent and accurate operation.

    In addition to this, there are several other hardware-based safety mechanisms such as a logic built-in self-test (LBIST) for the cores, built-in self-test (BIST) for the RAMs, ECC on flash and RAM, etc. The end result is a safe island of HW built around the code execution in order to keep the code execution safe. This then allows the use of SW-based tests to provide safety for the remaining peripherals and other IP on the device.

    Now that we have the baseline understanding of the concept, I will address your specific questions:


    Fax said:
    1. Is using only one Hercules MCU per drive sufficient for our SIL3 target (e.g. max SIL and PL, DC diagnostic coverage, redundancy ...)? I've read that the Hercules architecture is 1oo1D (the safety system is not redundant), so does that imply the MCU has DC > 99%?

    Yes, the Hercules device is based on a 1oo1D architecture. Each of the lockstep devices in the Hercules family of Safety MCUs has been certified to IEC 61508:2010 SIL3 as a SEooC. We have effectively demonstrated the ability to achieve a DC > 99% at the component level in compliance with the IEC 61508 standard requirements. This doesn't necessarily mean that a SIL3 level can be achieved at the system or integrator level. This is dependent on many application-specific requirements as well as the requirements of the individual standards to which you are trying to align and comply.

    Fax said:
    2. Which versions among the Hercules MCU family are fully certified and provided with user documentation?

    For a complete list of devices certified to IEC 61508, or to both IEC 61508 and ISO 26262, please refer to the www.ti.com/safeti page for details. TI provides most of the documentation for our certified devices publicly without the need for an NDA. However, an NDA is required for our Safety Analysis Reports and our FMEDA tool. The NDA materials are provided within the SafeTI Private Forum, which can be joined by completing the form at this link, http://www.ti.com/safetyanalysis, and submitting a SafeTI NDA. This forum can also be used to discuss any NDA-related topic for our SafeTI products since all of the members of the private community are covered under their associated NDA agreements. We do ask that NDA topics remain off this public forum.

    Fax said:
    3. I know that TI offers tools for the validation, but which tools do we need for the assessment? Do you have some more detailed information or a practical example?

    We offer several tools to aid in the development of a safety project and for use of our Hercules devices.

    To start, there are a couple of SW packages that are available for free to aid in device-specific SW development so you can focus on your application.

    This starts with our HalCoGen tool. As the name implies, it is a HAL code generation tool. It has a GUI that allows for the graphical configuration of each peripheral/IP on the device, including the system IP such as clock settings, interrupt management, etc. Once all of the elements are configured, the tool will automatically generate the boot-up code and drivers for each of the configured IPs.

    A second SW package is our SafeTI Diagnostic Library, which has many of the safety mechanisms coded up to allow for easier integration into your application.

    Each of the above tools has an associated CSP that can be purchased. I will discuss the CSPs in more detail within the context of your next question.

    Of course, the key tool for development is the IDE. Our IDE is an Eclipse-based tool called Code Composer Studio and includes the editor, compiler, programmer and debug environment. None of these components is considered safety critical except for the compiler, which has a direct impact on the executable code. For this reason we offer a couple of compiler qualification options in our Compiler Qualification Kits (CQKs). More information can be read about these in a permanent post at the top of the private forum. Here is a link: https://e2e.ti.com/support/microcontrollers/hercules/f/312/t/616290. There is also a product page for the pay-for-use, user-based model where your team performs the tests on your specific setup and compiler use case. It is located here: http://www.ti.com/tool/SAFETI_CQKIT

    Finally, TI offers a tool (FMEDA) that can be used to customize the safety-related metrics for the device to your application based on the application-specific mission profile, feature use, pin use, safety mechanism use, etc. The resulting FIT rate metrics can then be used in the overall system calculations as evidence to provide to the customer's system-level assessor.

    Fax said:
    4. Regarding the application level (the code written by us): is it validated using the tools provided by TI, or do we need some external unit test tool (like Polyspace, Cantata, LDRA, etc.)?

    TI offers compliance support packages (CSPs) that, in most cases, include a Test Automation Unit (TAU tool) along with a set of collateral that includes both static and dynamic test reports. The TAU tool allows the customer to recreate the testing as reported in the test reports in case there is any change made to the provided safety-related code or for customization of the code to the application. The TAU tool is a limited-license LDRA-based tool. It can only be used on the code provided by TI as part of the applicable package. I believe there are always options to negotiate an expansion of the license with LDRA so that the tool could cover the wider application-level code if desired, but this is at the discretion of the end customer/integrator. Our intent for the CSP is to provide all the necessary information to allow the integrator to qualify the TI-provided software components for use in their safety systems. This means the code provided has not been certified or assessed outside of TI for specific compliance to any given standard. More information and downloadable demos can be found here: http://www.ti.com/tool/safeti-hercules-diag-lib-csp and here: http://www.ti.com/tool/safeti-halcogen-csp

    Fax said:
    5. Do you know whether someone has already succeeded in implementing an IEC 61508/SIL3-compliant product with only one Hercules MCU?

    Yes. We have many customers who have certified SIL3 systems with only 1 Hercules device, but the system-level requirements and specific standards' requirements need to be considered. As an example, for ISO 13849, we have worked together with a third-party assessor to review a concept using 1 Hercules device together with a TPS65381A-Q1 PMIC as test equipment in order to satisfy a Cat3 PLd rating, and this same concept has been used by our customers in their certified systems. More details can be discussed about this in an NDA-safe environment. A word of caution, however: the suitability and ability to meet safety goals is always dependent on the safety function that is being implemented. To really understand the requirement and our ability to meet it with a single MCU + PMIC, we would need to understand both the intended operation and the applicable safe state that would be enforced. Unfortunately, there is no one-size-fits-all.

    Fax said:
    6. We tried the Demo Kit for Compiler Qualification, but we saw there is the Hercules SafeTI Compiler Qualification Kit (that is free of charge). What are the differences that affect the certification process?

    I believe this was addressed above under the tools question, and additional information is pointed to in the sticky post at the top of the public E2E forum for Hercules. If there are still questions after reviewing the information provided, please let me know.

  • Thank you for the reply.

    I'm the technician representing the company that asked the above questions.

    We have some further doubts about the difference between the RM4x and TMS570x Hercules families.

    The application we'd like to develop using a Hercules MCU is an industrial adjustable-speed safety drive according to IEC 61508 (SIL3) / ISO 13849-1 (PLd).

    Could you clarify in which cases we should prefer the RM4x family over the TMS570x family? It seems that we can use an MCU from either family for an industrial-grade product, and the cost on the website seems the same.

    Are there other relevant differences for our application?

    Thank you,

    Giacomo Gasparini.

  • Hello Giacomo,

    Giacomo Gasparini said:
    Could you clarify in which cases we should prefer the RM4x family over the TMS570x family? It seems that we can use an MCU from either family for an industrial-grade product, and the cost on the website seems the same.

    The primary difference from a programmer's model perspective is that the RMxx devices are little endian.

    From a larger-picture/system point of view, the RMxx devices are qualified to 105C vs. 125C for the TMS570x series. This means that the performance of the RMxx has been extended due to the lower ambient temperature rating and heat dissipation requirements. Generally this equates to about an additional 10% frequency increase for the RMxx devices (see the device-specific datasheet for the specific ratings of the devices you're considering).

    Giacomo Gasparini said:
    The application we'd like to develop using a Hercules MCU is an industrial adjustable-speed safety drive according to IEC 61508 (SIL3) / ISO 13849-1 (PLd).

    Earlier you had asked about a single-channel implementation for your application. As I mentioned, we have had customers successfully implement our devices together with our companion PMIC as test equipment to achieve a PLd classification. This does not mean it will be effective for all systems and, in particular, it is only ideal for binary safety goals, i.e., safety goals that are either ON or OFF such as STO or E-STOP applications. For safety scenarios that require continued or even degraded performance, such as Safe Speed Control, it would be highly recommended to evaluate a two-channel system where the second channel has better monitoring capability than simple test-equipment status. I haven't investigated, but perhaps some HW-based speed limiting or control might also be considered if this is required, which could serve the purpose in lieu of a full processing second channel. In the end, it becomes a system issue to identify how best to protect the safety goal in the application.

  • I am not a TI subject matter expert.
    Here are some things to consider.
    The microcontroller can be 1oo1 (and you will need to set up diagnostic schedules to account for that); the rest of the hardware can be built with xoox features that feed into the device's operational and self-test status. It is something to think about.
  • Hi Neil,

    In general, the ISO 13849 standard requires either 2 physical or logical channels to satisfy Cat3 architecture requirements. We have been able to do so using a companion device as a "go/no go" TE for the safety function (Safe Torque Off in this case). See the letter of endorsement from TUEV SUED posted here: www.ti.com/.../spnu604

    Do you have experience with a 1oo1D system that satisfies Cat3 PLd requirements as well? If so, it would be very helpful if you could post high-level block diagrams of how this is implemented and details of how the safety goal is maintained (as long as it isn't proprietary to your application). The hurdle that we typically have with more complex safety goals such as motor drive requirements is the need for some degraded performance or partial function. Since Hercules is an HFT=0 device, this represents a problem in the case of some failure modes requiring continued operation of the MCU in the event of any fault type, but this gets back to system design and the definition of the default safe state.
  • A SIL# (a risk level) is not a Category# (a permitted technical approach)

    1oo1 as shown in Category 1 is not allowed for PLd.

    I am thinking of Category 2 (which is 1oo1, with predefined testing and diagnostic schedules). Something that would need to be a hardware solution in order to enter "a safe state" if the 1oo1 microcontroller is deemed to be in fault.

    In section 4.5.4 of ISO 13849-1 2008, there are tables/charts at the bottom.
    Those show that low/medium-risk occurrences can be handled with a Category 2 (as described in section 6.2.5). It is a 1oo1 design with a test cycle and test status. That configuration is not available for the high-risk demand; it is only available for the low/medium demand.

    I could be wrong.
  • Neil,

    Agreed, the SIL level is not a category level. Specifically, the question above was whether a single MCU could satisfy the following safety requirements:

      • IEC 61508 (generic functional safety standard) -> SIL3 level
      • IEC 61800-5-2 (industrial drive safety standard) -> SIL3 level
      • IEC 62061 (machinery) -> SIL3 level
      • ISO 13849-1 (machinery) -> PLd level


    More specifically it was asked: 

    Is using only one Hercules MCU per drive sufficient for our SIL3 target (e.g. max SIL and PL, DC diagnostic coverage, redundancy ...)?

    So I suppose bringing the category into the discussion might have been a bit presumptuous on my part, since PL equates more to the SIL level than does the category, and the required safety levels didn't identify the category targeted.

    If category is not taken into account, then certainly it is possible to utilize a single MCU with redundant or diverse IP (e.g., 2X N2HET modules, or diverse N2HET + ePWM, eCAP, eQEP IPs) to implement an acceptable level of safety together with an external PMIC, as noted in our concept study. The primary question for this remains the assessment at the system level, and only the system integrator can make that assessment, noting that ISO 13849, as a machinery directive, is applied at the system level, not the device/component level, as is also the case with IEC 62061 and IEC 61800. The only one of these standards that we can apply at the component level is IEC 61508, so this is the only one to which Hercules can claim full compliance, but even this elevates to the system level once the component is used at the application level.
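The DC > 99%, SFF and HFT=0 points made in the replies above are easier to see with the IEC 61508 arithmetic written out. The following is an added worked example by the editor; it is not code from TI, from the thread, or from any TI FMEDA tool, and the FIT budget it uses is constructed for illustration only. The formulas (DC, SFF, PFH of a 1oo1 channel) and the route 1H / PFH bands follow IEC 61508-1, -2 and -6 as the editor understands them; the real figures for a given Hercules device must come from TI's FMEDA under NDA, as the reply says.

```python
"""
IEC 61508 hardware-metric arithmetic for a single-channel (1oo1D) element.

Added example. All FIT values below are constructed, not from any datasheet
or FMEDA. 1 FIT = 1 failure per 1e9 device-hours.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIT = 1e-9  # failures per hour represented by one FIT


@dataclass(frozen=True)
class ElementRates:
    """Failure-rate split of one element, in FIT (IEC 61508-2 terminology)."""
    safe: float                  # lambda_S : failures that cannot violate the safety function
    dangerous_detected: float    # lambda_DD: dangerous failures caught by a diagnostic
    dangerous_undetected: float  # lambda_DU: dangerous failures that slip through

    @property
    def dangerous(self) -> float:
        return self.dangerous_detected + self.dangerous_undetected

    @property
    def total(self) -> float:
        return self.safe + self.dangerous


def split_dangerous(lambda_d: float, dc: float) -> Tuple[float, float]:
    """Split a dangerous failure rate into (DD, DU) for a diagnostic coverage dc."""
    if not 0.0 <= dc <= 1.0:
        raise ValueError("dc must be a fraction in [0, 1]")
    return lambda_d * dc, lambda_d * (1.0 - dc)


def diagnostic_coverage(r: ElementRates) -> float:
    """DC = lambda_DD / (lambda_DD + lambda_DU)."""
    return r.dangerous_detected / r.dangerous


def safe_failure_fraction(r: ElementRates) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    return (r.safe + r.dangerous_detected) / r.total


def pfh_1oo1(r: ElementRates) -> float:
    """PFH (per hour) of a 1oo1 channel, IEC 61508-6: the undetected dangerous rate.

    Detected dangerous failures are assumed to drive the system to its safe
    state, which is exactly the 1oo1D 'D' the thread refers to."""
    return r.dangerous_undetected * FIT


# IEC 61508-2 Table 3 (route 1H) for type B elements: (SFF lower bound, max SIL
# for HFT 0, 1, 2). None means the combination is not permitted.
_ROUTE_1H_TYPE_B = [
    (0.99, (3, 4, 4)),
    (0.90, (2, 3, 4)),
    (0.60, (1, 2, 3)),
    (0.00, (None, 1, 2)),
]


def max_sil_route_1h(sff: float, hft: int) -> Optional[int]:
    """Architectural SIL limit for a type-B element with the given HFT."""
    if hft not in (0, 1, 2):
        raise ValueError("table covers HFT 0..2 only")
    for lower, sils in _ROUTE_1H_TYPE_B:
        if sff >= lower:
            return sils[hft]
    return None


def sil_from_pfh(pfh: float) -> Optional[int]:
    """SIL band by PFH for high/continuous demand (IEC 61508-1 Table 3).

    Anything below the SIL 4 ceiling of 1e-8/h is reported as 4; the standard
    tabulates no band below 1e-9/h."""
    for ceiling, sil in ((1e-8, 4), (1e-7, 3), (1e-6, 2), (1e-5, 1)):
        if pfh < ceiling:
            return sil
    return None  # worse than SIL 1


def assess(total_fit: float, safe_fraction: float, dc: float, hft: int = 0) -> Dict[str, object]:
    """Build an element from a constructed FIT budget and return its metrics."""
    safe = total_fit * safe_fraction
    dd, du = split_dangerous(total_fit - safe, dc)
    r = ElementRates(safe, dd, du)
    sff = safe_failure_fraction(r)
    pfh = pfh_1oo1(r)
    arch = max_sil_route_1h(sff, hft)
    rand = sil_from_pfh(pfh)
    # The claimable SIL is capped by both the architectural and the random-hardware limit.
    claim = None if arch is None or rand is None else min(arch, rand)
    return {"dc": diagnostic_coverage(r), "sff": sff, "pfh": pfh,
            "sil_route_1h": arch, "sil_pfh": rand, "sil": claim}


if __name__ == "__main__":
    # Constructed budget: 4000 FIT total, half safe, HFT = 0 (single channel).
    for dc in (0.99, 0.90):
        print(f"DC={dc:.2f}:", assess(4000, 0.5, dc))
```

With the constructed 4000 FIT budget, DC = 0.99 yields SFF = 0.995 and PFH = 2e-8/h, so both the route 1H table (type B, HFT 0) and the PFH band allow SIL 3; dropping DC to 0.90 lowers SFF to 0.95 and PFH to 2e-7/h, and the same element caps out at SIL 2. Raising HFT to 1 (a true second channel) relaxes the SFF requirement, which is why the replies keep steering complex, non-binary safety functions towards a two-channel design.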

  • Thank you for the replies.

    About the difference between binary safety functions (e.g. STO) and complex functions (e.g. SS1, SOS):

    As far as you know, if we implemented a FSoE (Fail-Safe over EtherCAT) fieldbus network that is SIL3 capable in order to request/configure safety functions between the FSoE master node and the FSoE slave node, would the STO function still be considered a binary function?

    Thank you.

  • Giacomo,

    In the case where there is a slave node performing the STO function and the Hercules is the master, it would not be a binary operation, because it would take some processing by the MCU to complete the transmission to the slave node. In the case where we are the slave, we could enter STO without intervention from the outside world should a critical fault be detected within the confines of the slave node.

    Also, relative to FSoE and EtherCAT, what are your thoughts on the implementation of this protocol? My understanding from EtherCAT experts is that our Ethernet implementation and bandwidth are not capable of keeping up with the load and required response times. This is why we generally recommend the use of an external ASIC or dedicated EtherCAT interface to filter out only the messages needed for Safety/FSoE. I have seen cases where an AMIC110 from TI is used in place of the more expensive ASICs for this purpose, and we have a reference design doing this same thing, although non-safety, with a C2K device. A similar implementation could be done with Hercules replacing the C2K device, since the interface is simply a SPI interface.
  • To add one additional thought on the use of the AMIC110 in a PLd system: this would also give you the capability of a second channel to use for monitoring and cross-checking of operation, further satisfying the ISO 13849 standard, i.e., you might be able to use a more conventional power supply and replace the TPS65381A-Q1 PMIC functionality in our concept study with the more capable AMIC110.