
TMS570LS2124: TUV SUD asks that all diagnostics be enabled for SIL3

Part Number: TMS570LS2124

Hi,

My customer uses the TMS570LS2124 to achieve a SIL3 target.

According to the documents SPNU511B_Safety Manual for TMS570LS31x and TMS570LS21x Hercules ARM Safety Critical Microcontrollers.pdf and Hercules FMEDA LS31x_LS21x_v1.3.xlsx, we have adopted certain diagnostics for selected functions, so that each function in the FMEDA can achieve 99% diagnostic coverage.

However, the third party TUV SUD says that all functions such as EFU, LBIST and PBIST need to be fully selected; otherwise, SIL3 capability cannot be met.

For example, my customer has already enabled the boot-time PBIST check for RAM (RAM7A), but has not enabled the periodic PBIST check for RAM (RAM7B).

Although the final SFF can reach 99.92%, TUV SUD believes that the diagnostics are still insufficient and need to be fully enabled.

Therefore, I would like to ask: when this security chip is applied in SIL3 applications, apart from the safety parameters in the FMEDA meeting the requirements of IEC 61508, are there any other mandatory or necessary requirements? This information is not fully explained in the safety manual. Thanks.

  • Hi Daniel,

    The FMEDA lists all the on-chip diagnostics and safety mechanisms and you can also see the effect of enabling / disabling any diagnostic or safety mechanism on the overall diagnostic coverage number. The spreadsheet also allows you to tailor the FMEDA per pin usage, module usage, or safety mechanism usage.

    The safety assessor should include in his/her report what other external safety mechanisms are required to meet SIL3.

    As for the specific example you gave about PBIST running at boot time versus periodically - only one of these mechanisms is expected to be enabled in an application. Is the customer application an always-ON application?

    Does the application include a safety monitor such as a PMIC that can put the system in a safe state in case of a severe fault?

    Regards, Sunil

  • Hi Sunil,

    Thanks for your reply.

    My customer's product is expected to be applied in either a de-energized-to-trip application or an energized-to-trip application.

    For a single module, in case a severe fault happens in the safety chip, additional measures are adopted to help the module go to the safe state.

  • Hi Daniel,

    Yes, it is usually sufficient to only execute the PBIST checks on the CPU RAM once at boot-up or shut-down. As I said, it would be important to understand the actual feedback from the assessors and then look for safety mechanisms / diagnostics to address this feedback.

    Regards, Sunil