
TIDA-01599: How can it reach SIL 3 if the testing path is only SIL 1?

Part Number: TIDA-01599

I read the design guide and the working idea is clear to me: there is a dual channel with self test and single fault resistance, which should qualify for SIL3/PLd. However, I haven't really worked with SILs, only with PLs, so there's one thing I don't get.

How could it be rated SIL3/PLd if the testing path and software are only SIL1 (the external MCU, suggested as a C2000 part)? The MCU is essentially a category 1 system with 60% diagnostic coverage (due to self tests); if it's used in the control path of a category 3 subsystem (the STO function), would that impair the whole subsystem level?

Or, alternatively, the explanation is: a fault in one of the working channels is always detected by the monitor (and the safety function is ensured by the other channel and/or forcing pulses), while a fault in the monitor goes undetected (acceptable as category 3 but not as category 4) but safety is ensured by the working channels (since only a single fault is assumed, they are both considered to be working correctly).

Have I missed something?

  • Thanks for your interest in TIDA-01599.

    From a functional safety perspective, the diagnostic MCU (SIL1) covers single-point faults (SPF) of some parts of the STO safety function (e.g. logic gates, resistors). And an SPF will not impair the diagnostic MCU, which means we don't consider a double fault in both the safety function and the diagnostic circuitry at the same time. So, the SIL1 MCU has the capability to take care of the SIL3/PLd STO system, and we have the FMEDA files for the details.

    As for your alternative explanation, as I mentioned, a fault occurring in both the safety channel and the diagnostic circuitry simultaneously will not be taken into account.

    The diagnostic circuitry monitors both safety channels and will make the other safety channel enter the safe state once a dangerous fault is detected in one channel.

    Regards,

    Chen Gao

  • That's exactly as I thought, thanks. So in the end it's a hybrid between category 2 (for the separate testing block) and category 3 (for the dual channel), and the architecture is justified by the FMEA. I guess that the actual performance values need to be calculated instead of using the simplified categories.
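The single-fault argument in the answer above (one channel faults, the monitor catches it and drives the other channel to the safe state; a simultaneous channel-plus-monitor fault is out of scope) can be checked mechanically with a small fault-injection model. The following Python is an added illustration, not TIDA-01599 design material or TI code: the three fault classes (a channel stuck in the torque-enabled direction, and a dead monitor), the "series" channel logic and the pulse-test diagnostic are constructed for this model and are not taken from the design's FMEDA. It enumerates every ordered sequence of faults and classifies the outcome as safe, dangerous-but-detected, or dangerous-undetected.

```python
"""Fault-injection model of a dual-channel STO with a separate diagnostic monitor.

Added illustration; the fault classes and the channel/monitor behaviour below
are constructed for this model and are not taken from any TIDA-01599 document.
"""
from dataclasses import dataclass, field
from itertools import permutations

# Constructed fault classes. "Stuck enabled" is the dangerous direction for an
# STO channel: the channel can no longer remove torque when commanded to.
A_STUCK = "channel_A_stuck_enabled"
B_STUCK = "channel_B_stuck_enabled"
MON_DEAD = "monitor_dead"            # the diagnostic MCU neither tests nor reacts
ALL_FAULTS = (A_STUCK, B_STUCK, MON_DEAD)

DETECTED = "dangerous_detected"      # monitor found the fault and forced the safe state
SAFE = "safe_state_reached"          # an STO demand removed torque
DANGEROUS = "dangerous_undetected"   # an STO demand left torque on


@dataclass
class STOSystem:
    faults: set = field(default_factory=set)
    latched_safe: bool = False       # monitor has taken the drive out of service
    # Command per channel; True = allow torque, False = remove torque.
    cmd: dict = field(default_factory=lambda: {"A": True, "B": True})

    def channel_output(self, ch):
        """True if channel ch currently permits torque."""
        stuck = A_STUCK if ch == "A" else B_STUCK
        if stuck in self.faults:
            return True              # ignores both its command and the latch
        return self.cmd[ch] and not self.latched_safe

    def torque_enabled(self):
        # Two independent channels in series: either one alone can remove torque.
        return self.channel_output("A") and self.channel_output("B")

    def diagnostic_cycle(self):
        """One monitor test cycle: pulse each channel off and read it back.
        Returns the set of channels found stuck and latches the safe state if any."""
        if MON_DEAD in self.faults or self.latched_safe:
            return set()
        found = set()
        for ch in ("A", "B"):
            self.cmd[ch] = False
            if self.channel_output(ch):   # commanded off but still permitting torque
                found.add(ch)
            self.cmd[ch] = True
        if found:
            self.latched_safe = True      # healthy channel is driven to the safe state
        return found

    def sto_demand(self):
        """External STO request: both channels commanded off. True if torque is off."""
        self.cmd["A"] = self.cmd["B"] = False
        return not self.torque_enabled()


def run_scenario(fault_sequence, diagnostics_between_faults=True):
    """Inject faults in order, running one monitor test cycle after each
    (unless the faults arrive inside a single test interval), then demand STO.
    A detected fault ends the scenario: the drive is stopped for repair before a
    second fault can accumulate."""
    system = STOSystem()
    for fault in fault_sequence:
        system.faults.add(fault)
        if diagnostics_between_faults and system.diagnostic_cycle():
            return DETECTED
    return SAFE if system.sto_demand() else DANGEROUS


def analyse(max_faults=2):
    """Outcome of every ordered fault sequence with up to max_faults faults."""
    results = {(): run_scenario(())}
    for n in range(1, max_faults + 1):
        for seq in permutations(ALL_FAULTS, n):
            results[seq] = run_scenario(seq)
    return results


if __name__ == "__main__":
    for seq, outcome in analyse(max_faults=3).items():
        print(f"{' -> '.join(seq) or '(no fault)':75s} {outcome}")
    print("A and B stuck within one test interval:",
          run_scenario((A_STUCK, B_STUCK), diagnostics_between_faults=False))
```

Running it shows the shape of the argument: every single fault and every ordered pair of faults ends either safe or detected, including a dead monitor (the remaining two healthy channels still remove torque on demand) and a stuck channel followed by a dead monitor (the stuck channel was already latched). The only dangerous-undetected paths are a dead monitor followed by both channels sticking, or both channels sticking inside one test interval, which is the accumulation of faults that a category 3 claim does not cover; that is the fault ordering the monitor's test rate and the FMEDA have to bound, not something the single-fault assumption resolves.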