How to meet IEC 61508 ‘SIL 3’ requirements with two low-cost MCUs

We receive many enquiries from organisations that need to meet IEC 61508 (SIL 3) requirements.

On this page, we present, in outline, a simple time-triggered (TT) software framework that can be used to meet these requirements using two low-cost MCUs.

[This page was last updated 2017-08-31]


1. Select your TT Platform

A wide range of different TT Platforms can be employed in safety-related embedded systems.

Some examples are shown in the table below (which is adapted from ‘ERES2‘):


In the IEC 61508 design that we are considering in this example, Hardware Fault Tolerance (HFT) is a key consideration.

An HFT of 0 means that there is only a single processing path: if it fails, our goal must be to ensure that the system can enter a Fail-Safe State. An HFT of 1 means that a second processing path is available: if one path fails, it may be possible to continue operating the system (at least for a while), possibly in a Limp-Home Mode.

Because of the emphasis on HFT in IEC 61508, developers of systems that must comply with this standard tend to focus on designs with two MCUs (HFT = 1). In many cases, the design will also employ ‘SIL decomposition’: in practice, this means that a ‘SIL 3’ design is often based on a hardware platform assembled from two ‘SIL 2’ microcontrollers (MCUs). Note that this credit depends on the two MCUs being sufficiently independent: a common-cause failure (for example, a shared supply or clock) that takes out both channels at once removes the benefit of HFT = 1, and must be assessed as part of the design.

In keeping with this focus, the design notes presented on this page assume that the system will be based on a ‘DuplicaTTor®-A’ Platform, built from two ‘SIL 2’ MCUs (each with an appropriate Safety Manual).

For example, our DuplicaTTor Evaluation Boards incorporate two STM32F405 MCUs.


Other options are available: the software architecture presented below can be employed with any pair of ‘SIL 2’ MCUs.


2. Start your design with a TT software framework

TT software architectures provide a simple and cost-effective way of meeting IEC 61508 requirements.

For example:

  • TT architectures are “Highly Recommended” for systems of Safety Integrity Level (SIL) 2 or above. [IEC 61508-3 (2010), Table A.2]
  • Use of a TT architecture “Greatly reduces the effort required for testing and certifying the system” [IEC 61508-3 (2010), Table C.1]
  • Static synchronisation of access to shared resources – a key characteristic of all TT designs — is “Recommended” (SIL3) / “Highly Recommended” (SIL4) [IEC 61508-3 (2010), Table A.2]
  • Limited use of interrupts – a defining characteristic of TT designs – is “Recommended” for SIL1 and SIL2 systems and “Highly Recommended” for SIL3 and SIL4 systems. [IEC 61508-3 (2010), Table B.1]
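As an added illustration (this is example code written for this page, not DuplicaTTor or SafeTTy Systems code, and not a description of the product's internal design), the following C simulation shows the mechanisms that the characteristics listed above and the HFT discussion in Section 1 rely on: a static task set released from a single timer tick (the only interrupt), a co-operative dispatcher that checks each task against a fixed execution-time budget, and two MCUs that each monitor the other's heartbeat, so that a path which detects its own timing fault enters a Fail-Safe State while the surviving path drops into a Limp-Home Mode. All names, the 3-tick heartbeat timeout and the microsecond budgets are assumptions chosen for the example.

```c
/* Added example (not DuplicaTTor or SafeTTy Systems code): a minimal time-triggered
 * co-operative scheduler on two simulated MCUs: a static task set released from one
 * timer tick, a per-task execution-time budget checked by the dispatcher, and cross-MCU
 * heartbeat monitoring with Fail-Safe and Limp-Home modes.  Names and budgets are
 * assumptions chosen for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MAX_TASKS  4U
#define HB_TIMEOUT 3U  /* ticks without a fresh peer heartbeat before reacting (assumed) */
typedef enum { MODE_NORMAL, MODE_LIMP_HOME, MODE_FAIL_SAFE } safety_mode;
typedef struct Mcu Mcu;
typedef void (*task_fn)(Mcu *self);

typedef struct {
    task_fn  fn;
    uint32_t period;   /* ticks between releases */
    uint32_t offset;   /* tick of first release: phasing is fixed at build time */
    uint32_t wcet_us;  /* execution-time budget enforced by the dispatcher */
} Task;

struct Mcu {
    Task        tasks[MAX_TASKS];  /* static task set: nothing is created at run time */
    uint32_t    n_tasks;
    uint32_t    tick;              /* advanced only by the (simulated) timer ISR */
    uint32_t    heartbeat;         /* read by the peer over a (simulated) link */
    const Mcu  *peer;
    uint32_t    last_peer_hb;      /* UINT32_MAX until a heartbeat has been seen */
    uint32_t    stale_ticks;
    uint32_t    cycle_counter;     /* stand-in for a free-running cycle counter */
    uint32_t    control_cost_us;   /* simulated work done by task_control */
    safety_mode mode;
    bool        alive;             /* false once this simulated MCU has stopped */
};

static void consume(Mcu *m, uint32_t us) { m->cycle_counter += us; }  /* stand-in for work */
static void timer_isr(Mcu *m) { m->tick++; }  /* the only interrupt in this design */
static void task_control(Mcu *m)   { consume(m, m->control_cost_us); }
static void task_heartbeat(Mcu *m) { consume(m, 20); m->heartbeat = m->tick; }

/* With HFT = 1 the surviving MCU keeps running, degraded, once its peer is lost. */
static void task_monitor_peer(Mcu *m)
{
    consume(m, 30);
    uint32_t hb = m->peer->heartbeat;
    if (hb != m->last_peer_hb) { m->last_peer_hb = hb; m->stale_ticks = 0; return; }
    if (++m->stale_ticks >= HB_TIMEOUT && m->mode == MODE_NORMAL)
        m->mode = MODE_LIMP_HOME;
}

/* Runs each task released in this tick, in fixed order, and checks its budget;
 * a path that overruns can no longer be trusted, so it enters Fail-Safe. */
static void ttc_dispatch(Mcu *m)
{
    if (m->mode == MODE_FAIL_SAFE) return;  /* outputs already in the safe state */
    for (uint32_t i = 0; i < m->n_tasks; i++) {
        Task *t = &m->tasks[i];
        if (m->tick < t->offset || (m->tick - t->offset) % t->period != 0) continue;
        uint32_t start = m->cycle_counter;
        t->fn(m);
        if (m->cycle_counter - start > t->wcet_us) { m->mode = MODE_FAIL_SAFE; return; }
    }
}

static void mcu_init(Mcu *m, const Mcu *peer, uint32_t control_cost_us)
{
    memset(m, 0, sizeof *m);
    m->peer = peer; m->alive = true; m->last_peer_hb = UINT32_MAX;
    m->control_cost_us = control_cost_us;
    m->tasks[0] = (Task){ task_control,      1, 0, 200 };
    m->tasks[1] = (Task){ task_heartbeat,    1, 0,  50 };
    m->tasks[2] = (Task){ task_monitor_peer, 1, 0,  50 };
    m->n_tasks = 3;
}

/* Run both MCUs for `ticks` ticks; B stops at `kill_tick` (0 = never).
 * Returns the tick at which A left MODE_NORMAL, or 0 if it never did. */
uint32_t simulate_peer_failure(uint32_t kill_tick, uint32_t ticks)
{
    Mcu a, b;
    mcu_init(&a, &b, 150);
    mcu_init(&b, &a, 150);
    for (uint32_t t = 1; t <= ticks; t++) {
        if (t == kill_tick) b.alive = false;  /* simulated hardware failure of B */
        if (a.alive) { timer_isr(&a); ttc_dispatch(&a); }
        if (b.alive) { timer_isr(&b); ttc_dispatch(&b); }
        if (a.mode != MODE_NORMAL) return t;
    }
    return 0;
}

/* One tick on A whose control task costs `control_cost_us` against a 200 us budget. */
safety_mode simulate_task_overrun(uint32_t control_cost_us)
{
    Mcu a, b;
    mcu_init(&a, &b, control_cost_us);
    mcu_init(&b, &a, 150);
    timer_isr(&a); ttc_dispatch(&a);
    return a.mode;
}
```

Calling simulate_peer_failure(10, 50) returns 13: B stops producing heartbeats at tick 10, A's monitor task sees the same stale value for HB_TIMEOUT ticks and switches to Limp-Home Mode rather than stopping, because the second processing path is what HFT = 1 buys. Calling simulate_task_overrun(400) returns MODE_FAIL_SAFE, since the control task exceeded its 200 us budget and the dispatcher treats that path as untrustworthy; on a real MCU the cycle counter read before and after each task would replace the simulated one, and the heartbeat would travel over a physical link between the two devices.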

As we noted above, the design presented here is based on what is known as a DuplicaTTor®-A Platform. This Platform allows us to link together the processing on the two MCUs in a highly deterministic manner (one that can be easily modelled).

The architecture of this Platform is illustrated below.


Build your own ‘DuplicaTTor’ design

‘DuplicaTTor® Design Suite 0405’ (DDS-0405) is aimed primarily at organisations that wish to develop TT systems in compliance with IEC 61508 (up to ‘SIL 3’) and / or ISO 13849 (up to ‘PL e’, Cat 4).

DDS-0405 targets the DuplicaTTor Evaluation Board (DEB-0405).

The DDS-0405 is accompanied by comprehensive documentation, including a detailed safety manual.

Further information can be found on the DDS-0405 page.

[19 October 2017]
