• State TI Thinks Resolved
  • Locked Locked
  • Replies 9 replies
  • Answers 4 answers
  • Subscribers 30 subscribers
  • Views 1124 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

RM57L843: To achieve CAT3, PLd using one RM57L843.

Inseok
Prodigy 115 points
Part Number: RM57L843
Other Parts Discussed in Thread: TPS65381A-Q1

Hi. 

I am considering of using one RM57L843 to get CAT3 PLd functional safety certification.

To design any two logic in one MCU, I am concerning if those two logic can be implemented independently in one core. 

(Let's say Core0 and Core1 , Core0 is logic core and Core1 is checker like lockstep does)

- In Core0, Is it possible to implement and design two different Logic1 and Logic2 without any interference between them?

- Regarding to Memory, Timing(Task) and any Communication, is it possible to implement and design Logic 1 and 2 independently without any interference?

Thanks

  • 0
    TI__Guru**** 196256 points

    Hello Inseok,

    One RM57L843 can be used to implement a system of CAT3 Pld.

  • 0 in reply to QJ Wang
    Prodigy 115 points

    Hi, QJ Wang.

    Thanks for the quick reply.

    It seems there is no issue with using one RM57 MCU to get CAT3 PLd for STO.

    I have additional question.

    1) Where can I get the document "TF85875T_release_2014_06_18.pdf"?

    2) Can I get reference design circuit related to the block diagram which you attached?  

    2) When you get CAT3 PLd from TUV SUD, did you use Safe RTOS? or Do you think is it needed?

       If we don't use Safe RTOS what kind of addition jobs do we have to do? 

    Thanks alot

    Inseok.

  • 0 in reply to Inseok
    TI__Mastermind 49120 points

    Hi In Seok,

    You can target Cat 3 PL d for the specific safety function using a single RM57 MCU along with a PMIC like TPS65381A. This safety concept is used in the report that QJ referenced.

    1) Where can I get the document "TF85875T_release_2014_06_18.pdf"?

    The report "TF85875T_release_2014_06_18.pdf" is only available after signing a safety NDA between your organization and TI, and this is already in progress.

    2) Can I get reference design circuit related to the block diagram which you attached?  

    Once we have the NDA in place, we can work to provide more information about the safety concept.

    3) When you get CAT3 PLd from TUV SUD, did you use Safe RTOS? or Do you think is it needed?

    Use of safeRTOS, or any RTOS, is not mandatory. If you do use an RTOS in your application, you will need to provide evidence of it being developed using a functional safety-compliant development process as well as the required coverage reports. This information is much easily available for RTOS like safeRTOS (and others as well).

    Hope this helps.

    Regards, Sunil

  • 0 in reply to Sunil Oak
    Prodigy 115 points

    Dear. Sunil

    Thanks for the reply.

    We are still under reviewing TI NDA document by legal team.

    The brief block diagram which you attached seems fine on ADC ports. 

    However, on our system most safety I/O ports will be connected to RM57 using SPI through Isolated Multi-Channel Input Devices(ICs).

    I understand RM57 supports 5-MibSPI. Here is my question.

    1) Can each MibSPI block work separately and individually without any interference?

        For redundancy, each Safety path should be guaranteed like "(SPI Input)->(Logic)->(Output) ".

        To use and get safety certification using single MCU(RM57), each safety path should not be interfered by any, according to an 3rd party auditors and assessors comments. 

    Please give your feed back about this.

    Thanks alot.

        

  • 0 in reply to Inseok
    TI__Mastermind 49120 points

    Hi,

    Yes, each MibSPI can be treated as a separate connection and can be even used for redundant communication between the master and a slave. There is a single CPU on RM57 to process (logic) the SPI inputs, so the application must be written to keep the interrupt service routines as short as possible, and process the SPI inputs in separate dedicated tasks to calculate the outputs. Another separate task can then compare the outputs from the two other tasks to determine a failure between the redundant channels if required.

    Usually a communication channel can be made a "black channel" by employing techniques such as built-in CRC packets to provide end-to-end integrity checking. There are also other mechanisms to ensure a safe "black channel" so that all other communication failure modes can also be addressed.

    Hope this helps.

    Regards, Sunil

  • 0 in reply to Sunil Oak
    Prodigy 115 points

    Hi, Sunil

    Thanks for the explanation. It was much helpful to me. 

    As you know I am going to use one RM57 MCU. It has five MibSPI module and each module has six ChipSelect.

    My safety controller application needs at least nine SPI. It means that RM57's SPI ports are little not enough now on my application.

    However, RM57 has function that select multiple slave devices using different Chip Select. 

    I am considering of using those multi chip select function. But I am little worry about safety input redundancy check. 

    Could you recommend any risk or things that I must consider when I design? and Also I am not sure it is possible solution to get functional safety.

    I wanted to attach simple block diagram here. but due to company security policy I can not attach any file on this site. 

    I will email you the simple block diagram. Please check the block and let me know your opinion.

    Thanks alot.

    Inseok 

  • 0 in reply to Inseok
    TI__Mastermind 49120 points

    Discussion continued offline.

  • 0 in reply to Sunil Oak
    Prodigy 115 points

    Dear. Sunil

    Thanks for your feedback by email. 

    I guess I found the solution using five SPI modules and GPIOs.

    I have an additional question about companion PMIC(TPS65381A-Q1).

    The PMIC's core voltage(1.2V) has lower current output than RM57 requires.

    TPS65381's core(1.2V) is max 600mA and RM57 requires typical about 580mA or in worse case it is over 800mA.

    There is no margin and the core voltage current from TPS65381 is not enough. 

    As my understanding so far, I should use companion PMIC to get safety certification using one RM57L843. 

    Would you recommend alternative solution or any latest version of companion PMIC with RM57L843? 

    Thanks a lot

    Inseok.

  • 0 in reply to Inseok
    TI__Mastermind 49120 points

    Hi Inseok,

    You can review the power solution implemented on this reference design:

    Regards, Sunil