• State TI Thinks Resolved
  • Locked Locked
  • Replies 3 replies
  • Answers 2 answers
  • Subscribers 30 subscribers
  • Views 520 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

RM44L920: Hardware structure to satisfy the HFT=1

SC Ahn
Prodigy 30 points
Part Number: RM44L920


Hello

I am working on the functional safety certification of industrial servo derive.

My first design concept was using one RM44 and PMIC.

However, I found that the RM44+PMIC concept is not sufficient for SIL3, Cat3, PLe certification

because this is a 1oo1D structure and HFT=0.

So, I am changing the design with two RM44 to satisfy the HFT=1.

I would like to ask if it is the good solution to use two RM44 for HFT=1?

Do I need to use two MCUs with Lockstep structure?

Look forward to you answer

Regards

 

  • 0
    TI__Mastermind 49120 points

    Hello,

    The architecture or implementation depends on the safety function of your system that is required to meet the target performance level. For example, if only a Safe Torque Off is required as a safe state for your system, an RM44x MCU with a TPS65381x PMIC is shown to meet the requirements of a cat 3 PL d system. See this concept evaluation report:  (requires safeTI NDA for access).

    There are certainly some additional requirements such as safe stop 1/2, safe limited speed, etc. that would require at least a dual-MCU implementation to meet the Cat 3 architecture requirements.

    Regards, Sunil

  • 0 in reply to Sunil Oak
    Prodigy 30 points

    Hello, Sunil

    Thank you for the reply.

    Do you think it is a good solution using the two RM4x series with lockstep structure, if we need dual MCU to implement SS1?

    Regards.

  • 0 in reply to SC Ahn
    TI__Mastermind 49120 points

    Hello,

    An SS1 condition requires being able to stop the drive as soon as possible and then enter a torque off condition. This would typically imply at least two components capable of driving the necessary PWMs to the gate driver to account for a failure in one of the parts (for HFT = 1).

    As you can appreciate we cannot make specific recommendations for architectures or implementations for systems targeted towards safety-critical applications. It is best to assess the functional requirements and create a functional safety concept of your system, and then work with an assessor as early as possible in the development.

    Regards,

    Sunil