
Why is TMS570LS20216 not certified to SIL4? Technical, cost or other reasons?


Hi everyone. According to IEC61508, TMS570LS20216 is regarded as type B, and it is a 1oo2(D) architecture, so the HFT (hardware fault tolerance) of TMS570LS20216 is 1. (Do I understand correctly?)
  Now, TMS570LS20216 is certified to SIL3 by the third party exida. According to table 3 in chapter 7.4.3.1.1 of IEC61508-2, SIL3 means the SFF (safety failure fraction) of TMS570LS20216 equals 60%~99%. Why not increase its SFF to >99%? Then TMS570LS20216 would achieve SIL4. What's the reason, technical or cost? Thanks.

  • To enable SIL 4, a hardware fault tolerance (HFT) = 1 is required for type B hardware designs.  In practical terms, this means that SIL 4 systems cannot be realized without implementation of multiple hardware channels, generally as multiple physical components.   Most of the SIL 4 systems I have seen are based on the use of multiple SIL 3 channels; for example, a SIL 4 system might be realized using multiple SIL 3 capable TMS570 products.

    The processor subsystem of the TMS570LS20216S is implemented as a single channel, 1oo1D, lockstep design which has HFT = 0.  However, the processor subsystem is only one part of the total chip design.  At chip level, the component design can be said only to be type B, single channel, with HFT = 0.  Please keep in mind that to achieve SIL 4 for a safety function, the full "control path" of sensors, processing, and actuation (including supporting functions such as power supplies) must be designed with HFT = 1.

    Please let me know if this response helps.

  • Hi KGreb,

    Thank you for your response. Your explanations really help me understand the architecture of TMS570. The module of dual Cortex-R4F cores working in lock-step mode is a 1oo2 architecture (am I right?), but the FLASH, the SRAM and other modules on chip are shared by the dual cores; a single module failure will cause the entire TMS570 to fail, so the HFT of TMS570 is ZERO.

    I have calculated the SFF of TMS570 to be 98.6% by using the data (including hard fault fail SD, SU, DD, DU) which are provided by the "TI TMS570LS20216 61508 certificate". According to table 3 in chapter 7.4.3.1.1 of IEC61508-2, the device becomes a SIL2 component.

    Thus, my main points this time are:

    (1) How to understand "The TMS570LS20216S MCU is certified for use in SIL3 applications" in the TMS570 datasheet? Does it mean TMS570LS20216 is certified as a SIL3 device?
    (2) When I design a SIL4 system using TMS570, how can I realize it? Could you give me a simple example?

    Thanks very much!

    Best regards.

  • There are several ways in which a lockstep system can be realized.  While it is possible to implement two logic elements in lockstep as a 1oo2 system, this is not the approach taken on the TMS570.  The TMS570 implements two CPUs in a 1oo1D architecture.  The second CPU is used only as a diagnostic logic and has no possibility of driving the system bus, as would be possible in a 1oo2 architecture.  This approach has several advantages related to reduced failure mode propagation to other on-chip elements, timing closure, and die area.

    You are correct that the HFT for the elements of a safety function as realized on most microcontrollers is zero.  To achieve HFT = 1 will typically require multiple components.

    When calculating SFF, it is necessary to keep a few points in mind:

    • SFF should be calculated across an entire safety function.  A microcontroller is just one part of the realization of a safety function.  Sensing, actuation, processing, and supporting functions such as power, clock, and reset should all be considered.  It is not necessary for all elements to meet 99% SFF so long as the aggregate SFF of the function meets the 99% requirement.
    • A microcontroller is a complex device which incorporates many sub-blocks.  SFF should consider only the elements of the microcontroller which are being used in the realization of the safety function for the SFF calculation.  The FMEDA report will provide a greater break down of safety metrics per functional block of the MCU.
    • It is expected that software and application level diagnostics will be added by the user which can also result in additional diagnostic coverage for the hardware parts, further improving the hardware part safety metrics.

    Regarding certification, per IEC 61508 it is not possible to certify an individual component such as any MCU.  Only a system which realizes a full safety function can be evaluated and certified.  This is why assessment rather than certification is done for components.  The best that can be said for a component is that it is "suitable for use in SIL 1/2/3/4 systems".  This means that it is highly plausible that a system integrator could make a certifiable system based on the component.

    When designing for SIL 4 with type B systems, it is necessary to design a system with HFT>0.  This means that you will need to develop a system with multiple channels which can detect a fault, identify the failing channel, and continue safe operation with the remaining channel.  An example of such a system would be a 2oo3 voting scheme, which after failure degrades to a 1oo2 scheme.  In such a system, the easiest approach is to implement three full systems of sensing, processing, and actuation.  Of course, additional measures should be taken to ensure that common mode failures are managed by the system architecture.  There are many other possible schemes, but this is the traditional example.

    Please let me know if you have any further questions.
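As an added illustration of the SFF points in the reply above (this is example code written for this page, not code from the thread, from TI or from exida): it aggregates SD/SU/DD/DU failure rates across all elements of a safety function, models an application-level diagnostic that moves part of an element's DU rate into DD, and looks up the maximum claimable SIL for type B elements from IEC 61508-2 Table 3 by SFF band and HFT. All failure rates and the diagnostic coverage figure are constructed sample values.

```python
# Added example: IEC 61508 safe-failure-fraction arithmetic across a safety
# function, plus the type B SIL lookup of IEC 61508-2 Table 3 (route 1H).
# Failure rates are constructed sample values in FIT (1e-9 failures/hour),
# not numbers from any FMEDA or certificate.
from dataclasses import dataclass

@dataclass
class Element:
    """One element of the safety function with its failure rate split into
    safe-detected, safe-undetected, dangerous-detected, dangerous-undetected."""
    name: str
    sd: float
    su: float
    dd: float
    du: float

def sff(elements):
    """SFF over the whole function: (safe + dangerous-detected) / total,
    i.e. everything except the dangerous-undetected share (61508-2 Annex C)."""
    total = sum(e.sd + e.su + e.dd + e.du for e in elements)
    return 1.0 - sum(e.du for e in elements) / total

def add_diagnostics(element, coverage):
    """Model an application-level diagnostic that detects a fraction
    `coverage` of the element's dangerous-undetected failures (DU -> DD)."""
    moved = element.du * coverage
    return Element(element.name, element.sd, element.su,
                   element.dd + moved, element.du - moved)

# IEC 61508-2 Table 3 for type B elements: (lower SFF bound, SIL for HFT 0/1/2).
# 0 stands for "not allowed".
TABLE3_TYPE_B = [
    (0.99, (3, 4, 4)),
    (0.90, (2, 3, 4)),
    (0.60, (1, 2, 3)),
    (0.00, (0, 1, 2)),
]

def max_sil_type_b(sff_value, hft):
    """Maximum SIL claimable for a type B subsystem with the given SFF and HFT."""
    for lower, sils in TABLE3_TYPE_B:
        if sff_value >= lower:
            return sils[hft]
    raise ValueError("SFF must be between 0 and 1")

# Constructed sample function: sensor, MCU, actuator and power supply.
FUNCTION = [
    Element("sensor",   sd=20.0, su=30.0, dd=40.0,  du=10.0),
    Element("mcu",      sd=50.0, su=50.0, dd=390.0, du=7.0),
    Element("actuator", sd=10.0, su=40.0, dd=30.0,  du=20.0),
    Element("supply",   sd=5.0,  su=5.0,  dd=15.0,  du=5.0),
]
```

With the sample numbers the aggregate SFF is about 94%, so the function is limited to SIL 2 at HFT = 0 and SIL 3 at HFT = 1 regardless of the MCU alone exceeding 98%; the lookup is only the architectural constraint, the PFH/PFD target must still be met separately.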


  • Hi KGreb,

    Thanks very much. Your response helps me a lot. TMS570 is realized in a 1oo1D configuration; I have a little confusion about it. Assume the Cortex-R4F core which drives the system bus is called MASTER, and the other core which is used as diagnostic logic is called CHECKER.

    My question is:
    (1) Which code is executed in CHECKER? Do the dual cores inside TMS570 execute the same code fetched from the on-chip Flash? MASTER has access to the system memories and drives all system outputs, but CHECKER just continuously executes the instructions moving on the bus and only drives its output to the CCM-R4F module on chip for diagnostic purposes. Do I understand correctly?

    By the way, besides IEC61508, could you recommend some classic books or magazines about safety system hardware concepts and design? I really need to learn a lot about safety.

  • There is a good diagram in SPRU489A (available on the TMS570 product web page) which should help you visualize the lockstep implementation. Please refer to section 23.2 (pdf page 1740) of the document.  The same set of inputs is fed to both CPUs, but the checker CPU output drives only the compare module (CCM) while the master CPU output drives both the compare module and the remainder of the device (flash, SRAM, peripherals, etc.).

    It can be difficult to find background safety material which directly addresses component design.  Most of the material will focus on system design while treating the components as a black box.  However, I have found that several of the books written by Dr. William Goble (of exida, a TMS570 3rd party network member) are useful for general information.  In particular I can recommend "Safety Instrumented Systems Verification: Practical Probabilistic Calculation" as it provides a good background on the metric calculations as well as giving some reference info on common safety architectures. 

  • Hi KGreb,

    Thank you very much! You have helped me a lot.