Introduction to the SafeAssure Kit for Industrial Functional Safety Applications
FTF-AUT-F0411, APR. 2014 (External Use)
Mark O'Donnell | Product Manager
Peter Schuller | Marketing Manager (MicroSys)

Transcript of the slide deck published at cache.freescale.com/files/training/doc/ftf/2014/FTF-AUT-F0411.pdf


Industrial Functional Safety


Functional Safety Defined

• Functional safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems
  − Hazards: potential source of harm
  − Harm: physical injury or damage to the health of people
• Failures are the main impairments to safety
  − Systematic: failures related in a deterministic way to a certain cause, which can only be eliminated by a change of the design or manufacturing process, operational procedures, documentation or other relevant factors
  − Random: failures that can occur unpredictably during the lifetime of a hardware element and that follow a probability distribution


What is Functional Safety?

Functional safety refers to the ability to avoid the risk of physical injury due to incorrect system operation in response to system inputs.

Control!!!


• European Union: 2006/42/EC Machine Directive (legal document incorporated across member states of the EU)
  − Harmonized standards supersede all others from end of 2011 onwards (see Official Journal of the European Union for list)
  − EN ISO 13849-1/-2 (PLa – PLe)
  − EN IEC 62061 (SIL1 – SIL3): this relates to electronics and microprocessors
  − EN IEC 61508
• United States of America: cites IEC 61508 up to SIL 3


Machine Directive: European Impact Only?

EEA – European Economic Area (EU + Iceland, Liechtenstein & Norway)


Certification Groups Around The World

UL, ANSI, NR, EN, AS, JIS, GB, GOST R (Russian GOSSTANDART)

GB = Guobiao, Chinese for "National Standard"
JIS = Japanese Industrial Standard
UL = Underwriters Laboratory


Application of Various Safety Standards

IEC 61508 (generic standard)
• Process: IEC 61511
• Automotive: ISO 26262
• Machinery: IEC 62061, ISO 13849


ISO 13849 vs. IEC 62061

Abbreviations: SIL = Safety Integrity Level; PL = Performance Level; Cat = Category
Machine standards: ISO 13849 (PL, Cat) and IEC 62061 (SIL), with IEC 61508 as the generic standard behind them


ISO 13849 vs. IEC 62061

• SIL and PL are comparable
  − Both are probabilistic measures for failure rates

ISO 13849      IEC 62061   PFH (per hour)
PL a           -           10^-4 to 10^-5
PL b / PL c    SIL 1       10^-5 to 10^-6
PL d           SIL 2       10^-6 to 10^-7
PL e           SIL 3       10^-7 to 10^-8
-              SIL 4       10^-8


ISO 13849 vs. IEC 62061

• ISO 13849 categories have demands for architectural provisions
• Category 2
  − Inputs are single-channel architecture
  − Must be testable
  − May be dual-channel (redundant), but very cost-intensive for sensors and wiring
• Category 3 and 4
  − No test functions required for inputs (simpler design), but dual-channel sensors/wiring required

Category   Channels   Inputs       Outputs      DC
1          1          -            -            -
2          1          Monitoring   Monitoring   -
3, 4       2          -            Monitoring   10^-7


Industrial Functional Safety at Freescale


Broad Portfolio
• S08 MCUs
• 16/32-bit DSCs
• 32-bit Kinetis MCUs
• 32-bit Qorivva MCUs
• QorIQ Processors

Market-Leading IP
• Analogue
• Wireless IP
• Low power
• Memory technology

Enablement
• MQX RTOS
• CodeWarrior IDE
• FreeMASTER analysis tool
• Bare metal stacks, drivers, libraries
• 3rd parties
• SafeAssure Program (Qorivva)
• Reference designs & demos
• Freescale Tower System

Product Longevity | Design Support | Quality


Several Platforms Key to Making the World a Healthier, Safer Place

• Active safety systems
• Advanced driver assistance
• Radar, vision systems
• Functional safety
• Connected home
• Portable medical
• Factory automation systems

We See a Healthier, Safer Population


Industrial Automation & Control: Industrial Scalability, Security, Safety, Connectivity

• Energy: generation, transmission, distribution
• Factory: production, facility monitoring, switchgear
• Transport: rail systems, mobility and logistics, industrial vehicles
• Buildings: control, elevators, HVAC
• Infrastructure: water treatment, oil and gas, M2M communication


Qorivva Means…

Qorivva MCUs built on Power Architecture®: scalable, highly integrated solutions built on the industry's most powerful automotive architecture

• Unprecedented Scalability: The Qorivva portfolio offers scalable solutions for powertrain, body and chassis & safety applications, enabling streamlined tools and development environments
• High-Quality Portfolio: Choose from hundreds of 32-bit Power Architecture MCUs with peripheral sets optimized for a full range of automotive applications and a focus on quality and long-term reliability
• Innovation: With our newest MCUs built on 55 nm process technology, you get triple- and quad-core devices that significantly improve power efficiency and quality, plus configurable peripheral sets to design exactly what you need
• Designed for Automotive: Built on industry-leading Power Architecture technology, Qorivva MCUs offer performance leadership


Automotive Grade for Challenging Environment

• AEC Q100: All Freescale Automotive MCUs are certified AEC Q100
• 125°C: All Freescale Automotive MCUs support up to 125°C ambient temperature
• 135°C+: Extended temperature up to 135°C+ ambient on several product lines (S08SG, S12G, S12ZV, Qorivva)
• Low PPM: Benefit from one of the lowest PPM levels in the industry, targeting zero-defect performance

Largest portfolio with automotive qualification grade
High temperature for space-constrained applications
• Fuel, oil, water pumps, sensors and actuators…


Challenges for Complex Industrial Control Applications

• Advanced control algorithms
• Safety regulations
• Harsh conditions
• Quality and reliability
• Improved efficiency
• Reduced development time
• Lower system cost
• Component longevity

Applications: motion control, power generation, clinical medical, aerospace and defense, motor drives, renewable energy, robotics and more


Qorivva Means… (For Industrial)

Qorivva MCUs for industrial, built on Power Architecture: unmatched performance and ruggedized safety features for almost anything that moves

• Easy Development: Make development a snap with run-time software, reference designs and tools for rapid prototyping, advanced debug and system modeling
• Market-Leading Integration: Get up to 4 MB* embedded flash and a rich set of analog, connectivity and timing peripherals to support complex real-time control (*90 nm)
• Assured Safety, Quality & Reliability: Meets medical, industrial and transportation requirements to ease safety approvals and durability mandates
• Unmatched MCU Performance: Get up to >1500 DMIPS (the most powerful core for MCUs today), enabling single-chip design for complex algorithms


SafeAssure Program


Functional Safety. Simplified.

• Simplifies the process of system compliance, with solutions designed to address the requirements of automotive and industrial functional safety standards
• Reduces the time and complexity required to develop safety systems that comply with ISO 26262 and IEC 61508 standards
• Supports the most stringent Safety Integrity Levels (SILs), enabling designers to build with confidence
• Zero-defect methodology from design to manufacturing to help ensure our products meet the stringent demands of safety applications


SafeAssure Approach: The Four Key Elements

Functional Safety Standards
• Industrial, IEC 61508: Generic industry standard, applicable to electrical / electronic / programmable electronic safety-related systems. Integrity levels: SIL 1, SIL 2, SIL 3, SIL 4. Pub date: more than 10 years ago
• Automotive, ISO 26262: Automotive industry standard, adaptation of IEC 61508 for electrical/electronic systems within road vehicles. Integrity levels: ASIL A, ASIL B, ASIL C, ASIL D. Pub date: target end 2011

Freescale Quality Foundation
• Quality Management: ISO TS 16949 certified quality management system; hardware: zero defects; software: SPICE Level 3

Safety Process
• Organization: Safety is an integral part of the Freescale worldwide organization
• Project Management: Configuration & change management, quality management, requirements management, architecture & design, verification & validation
• Continuous Improvement: Process evaluation, assessments / audits and gap analysis exist to ensure processes are continually optimized
• Safety Analysis: Selected products defined & designed from the ground up, with safety analysis done at each step of the process
• Assessments / Audits: Safety confirmation measures

Safety Hardware
• Microcontrollers: Lockstep cores, ECC on memories; redundant functions, internal monitors, built-in self test, fault collection & control
• Analog and Power Management: Voltage monitors, external error monitor, advanced watchdog, built-in self test
• Sensors: Timing checker, digital scan of signal chains, DSI3 or PSI5 safety data links

Safety Software
• Automotive Software: AUTOSAR OS & MCAL; core self test; device self test; complex drivers
• Software Partnerships: Partnering with leading third-party software providers for automotive and industrial

Safety Support
• People: Regional functional safety experts
• Documentation: Safety application notes / safety manual / FMEDA


First ISO 26262 Certified MCU: Qorivva MPC5643L

• Certified by exida, an independent accredited assessor
• Certificate issued based on a successful assessment of the product design and applied development and production processes against all requirements and work product definitions of ISO 26262 identified as applicable to an MCU part
• MPC5643L MCU certified for use for all Automotive Safety Integrity Levels (ASIL), up to and including the most stringent level, ASIL D

Released on 6th September, 2012


Evolution of Functional Safety Standards

(Timeline figure, 1980 to 2015, of standards by domain; only the labels survive extraction)
• Generic standard: IEC 61508, IEC 61508 Edition 2
• Industrial automation: IEC 61508, IEC 61508 Edition 2, IEC 61511, IEC 62061, ISO 13849
• Rail transport: EN 50155, IEC 61508, EN 5012X, EN 50159
• Automotive: (IEC 61508), ISO 26262
• Aeronautic: DO 178, DO 178A, ARP 4761, DO 254, DO 178B, ARP 4754, DO 178C, ARP 4754A
• Medical: IEC 60601 Edition 3


Functional Safety Standards Focus

Functional Safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical / electronic systems

• ISO 26262: Automotive industry standard, adaptation of IEC 61508 for electrical / electronic systems within road vehicles. Safety Integrity Levels: ASIL A, ASIL B, ASIL C, ASIL D. Publication date: 15 Nov 2011
• IEC 61508: Generic industry standard, applicable to electrical / electronic / programmable electronic safety-related systems. Safety Integrity Levels: SIL 1, SIL 2, SIL 3, SIL 4. Publication date: Ed. 2.0 – Apr 2010; Ed. 1.0 – more than 10 years ago
• ISO 13849: One of two European standards to achieve compliance with the Machinery Directive 2006/42/EC. Performance Levels: a, b, c, d, e. Categories: B, 1, 2, 3, 4

Freescale has strengthened its product development cycle, making functional safety an integral part of the process.


miriac-EK5744 from MicroSys


EK5744 Overview

• Partnership by Freescale and MicroSys

• Comprehensive SafeAssure kit

• Based on Freescale solutions

− Qorivva MPC5744P MCU

− MC33907 System Basis Chip

• Standards addressed
  − IEC 61508 (2010)
  − ISO 13849 (2008)
  − IEC 62061 (2005)

Takes the risk out of your safety project!


Typical Safety Designs for Higher Safety Claims

• Fully redundant architecture
  − Two CPUs/CPU cores
  − Two digital/analog inputs per sensor value
  − Digital outputs are monitored
• Diversity
  − Time diversity
  − Space diversity
  − Diversity in hardware and/or software: different CPUs/architectures, different applications on CPU cores

Goal: eliminate common cause failure


Consequences of Redundant Design

• Development costs

− Additional hardware design costs

− Additional software design and implementation costs

− Synchronization between channels needed (complexity)

• Runtime costs

− Synchronization points in software

− Slows down execution

• Unit costs

− Additional hardware items (CPU, RAM, flash, synchronization, etc.)

− Because of the runtime costs, may require more expensive CPU(s)


EK5744 Design

• Diversity (goal: eliminate random common cause errors)
  − Space: two lockstep cores running the same application in different areas of RAM/flash
  − Time: delayed lockstep
  − Redundant inputs
  − Monitored outputs
• Performance
  − No explicit synchronization required (delayed lockstep)
• Cost
  − Single application
  − High performance MCU
  − Single MCU (dual-core)


EK5744 Benefits

• Low risk in your own design
  − "Design" blueprints
  − Ready-to-use documentation
• Lower cost in development
  − Build on proven hardware design
  − Ready-to-use safety firmware
  − Single application design and implementation: focus on the functional requirements of the application; safety requirements are delegated to the safety firmware
• Unit costs
  − Single or dual-channel inputs as needed
  − Very little overhead for two CPU channels with a single MCU (full computing power)


EK5744 Facts

• Safe I/O (up to SIL2, PL d, cat. 3)
  − Testable digital inputs
  − Testable analog inputs
  − Digital outputs with read-back function
  − May be combined for redundant I/O (dual-channel architecture)
• Industry standard I/O
  − IEC 61131-2 conforming
• TÜV SÜD to review capabilities of the safety kit (assessment)
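As an added example (not code from Freescale, MicroSys or the EK5744 firmware), the following C program models the two safe I/O mechanisms named on this slide and on the "Typical Safety Designs" slide: cross-checking one sensor value wired to two input channels, and verifying a digital output through its read-back path, with a persistent fault latching a de-energised safe state. The tolerance window, type names and the output-stage model are hypothetical.

```c
/* Added example, not Freescale/MicroSys code: dual-channel input
 * cross-check and output read-back as described for EK5744 safe I/O.
 * Names, tolerance window and hardware model are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed tolerance: cycles the two input channels may disagree
 * (contact bounce, sampling skew) before it counts as a detected fault. */
#define DISCREPANCY_LIMIT_CYCLES 3

typedef enum { STATE_RUN = 0, STATE_SAFE = 1 } safety_state_t;

/* Constructed model of one digital output stage with a read-back path. */
typedef struct {
    bool level;       /* level actually present at the output pin */
    bool stuck_high;  /* injected fault: driver shorted to supply */
} output_stage_t;

typedef struct {
    safety_state_t state;
    uint8_t        discrepancy_cycles;  /* consecutive cycles ch A != ch B */
} safety_io_t;

/* Cross-check two redundant input channels carrying one sensor value.
 * While they disagree the validated value is held de-energised (false); a
 * disagreement longer than the tolerance window latches the safe state. */
bool safety_input_read(safety_io_t *io, bool ch_a, bool ch_b)
{
    if (io->state == STATE_SAFE)
        return false;
    if (ch_a != ch_b) {
        if (++io->discrepancy_cycles > DISCREPANCY_LIMIT_CYCLES)
            io->state = STATE_SAFE;
        return false;
    }
    io->discrepancy_cycles = 0;
    return ch_a;
}

/* Drive the output, then verify the pin level through the read-back path.
 * In the safe state the output is always commanded off. A mismatch means
 * the output stage itself is faulty (stuck, shorted), so latch safe state.
 * Returns true when the pin is confirmed at the commanded level. */
bool safety_output_write(safety_io_t *io, output_stage_t *hw, bool cmd)
{
    if (io->state == STATE_SAFE)
        cmd = false;
    hw->level = hw->stuck_high ? true : cmd;   /* constructed driver behaviour */
    if (hw->level != cmd) {
        io->state = STATE_SAFE;
        return false;
    }
    return true;
}

/* One control cycle: the validated redundant input drives the monitored output. */
bool safety_cycle(safety_io_t *io, output_stage_t *hw, bool ch_a, bool ch_b)
{
    bool demand = safety_input_read(io, ch_a, ch_b);
    return safety_output_write(io, hw, demand);
}

int main(void)
{
    safety_io_t io = { STATE_RUN, 0 };
    output_stage_t hw = { false, false };
    bool ok;
    ok = safety_cycle(&io, &hw, true, true);
    printf("agreeing inputs: ok=%d state=%d\n", ok, io.state);
    ok = safety_cycle(&io, &hw, true, false);
    printf("one-cycle skew:  ok=%d state=%d\n", ok, io.state);
    hw.stuck_high = true;                      /* inject an output driver fault */
    ok = safety_cycle(&io, &hw, false, false);
    printf("stuck-high pin:  ok=%d state=%d\n", ok, io.state);
    return 0;
}
```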


EK5744 Options

• Safe Assure Kit miriac EK5744
• EK5744 Certification Kit
• Support / Consultation Services
• Full Device: custom design, software development services


Safe Assure Kit miriac EK5744

• EK5744 device in box for DIN rail mount
• Power supply
• Wind River Diab C/C++ compiler (evaluation version)
• Firmware
  − Startup code
  − Test functions
  − Input/output drivers
  − Reference manual

Required
• C/C++ compiler (full version of Wind River Diab, or GCC)
• Debugger (iSYSTEM, Lauterbach)


EK5744 Certification Kit

• Hardware design

• Source code for firmware

• Test code for firmware

• Documentation for hardware designs and software

• Test results

• Copy of assessment report from TÜV (planned)

• Copy of TÜV certificate (planned)


EK5744 Support/Consultation Services

• Support in certification

• Reviews

− Documentation

− Hardware design

− Software design

− Source code

• Consultation services

− Hardware design

− Software architecture

− Software design

Specifically tailored for your project needs


EK5744-Based Custom Device

You can choose from

• Complete hardware design

• Software architecture, software design

• Software implementation

• Complete device including housing and planned TÜV certificate


Summary


miriac-EK5744

• Partnership by Freescale and MicroSys
• Comprehensive SafeAssure kit
• Based on Freescale SafeAssure products
  − Qorivva MPC5744P MCU
  − MC33907 System Basis Chip
• Kits will address the IEC 61508, ISO 13849 & IEC 62061 standards (legislation requires compliance in the EEA)
• TÜV SÜD will review the kit
• 1st kit that will provide an industrial safety solution using an MCU with an integrated safety architecture (MPC5744P)


SafeAssure Analog Product: MC33907, MC33908 SBCs

ISO 26262 ASIL D
• Safety measures of the analog architecture and development process (ISO 26262) help to reduce effort and time on ECU functional safety assessment
• FCCU (dual core lock step) monitoring

Integrated Safety Architecture (ISA)
• Saves development effort and time as no additional SW is required (only 1 main MCU)
• Independent voltage monitoring and fail-safe state machine
• High HW diagnostic coverage for SPF, LT, CCA

Secured SBC & MCU SW interactions
• Multiple registers to help SW diagnostics, including safe state machine
• Safety mechanisms to secure SPI
• Advanced watchdog challenger to secure MCU timing monitoring

Safety enablement provided by Freescale
• Application recommendations to combine MC33907 and MPC5643L
• Safety manual, FMEDA and complete ecosystem to ease development and save time


SafeAssure MCU Product: MPC5744P

ISO 26262 ASIL D
• Safety assessment of MCU architecture and development process (ISO 26262)
• Helps to reduce effort and time on ECU functional safety assessment

Integrated Safety Architecture (ISA)
• Saves development effort and time as no complex diagnostic SW is required
• CPU processing power available for running applications
• High diagnostic coverage in HW to detect random faults

SW deliverables provided by Freescale and partners
• Enable support for ASIL D applications with minimized performance degradation
• sMCAL & sOS, self tests, SW safety manual

Safety enablement provided by Freescale
• Safety manual
• FMEDA
• System-level Application Note


Next Steps

• SafeAssure kit is planned to be available end Q3'14
  − Kits will be orderable from Freescale.com (miriac-EK5744)
  − Support will be from Freescale at MPC5744P and MC33907 level, and from MicroSys at system level
• Other kits are being discussed
• Additional FTF papers
  − FTF-IND-F0061, Industrial Control with QorIQ
  − FTF-AUT-F0350, Safety Implementation for Power System Basis Chips