Design and Implementation of on-chip Safety Controller in terms of the Standard IEC 61508


Design and Implementation of on-chip Safety Controller in terms of the Standard IEC 61508

Ali Hayek, Michael Schreiber, Bashier Machmur and Josef Börcsök
Chair for Computer Architecture and System Programming
University of Kassel
Wilhelmshöher Allee 71, Kassel
GERMANY

Abstract: With the rapid growth of technology and the shrinking of feature sizes, highly efficient embedded computing system components can be integrated together to form a system-on-chip, which saves power and space and thus production costs. However, this makes the chip vulnerable to more possible errors. Developing safety-related systems that conform to the standard IEC 61508 and comprise a system-on-chip has become an essential demand. This paper proposes an on-chip safety system architecture (OCSS) conforming to the second edition of the standard IEC 61508, which considers on-chip redundancy in the presence of diagnostic units. The presented OCSS contains two redundant processor channels, each of which has a processor unit, data memory, program memory, communication interfaces, inputs and outputs. Furthermore, on-chip diagnosis and monitoring units are integrated. The safety-related implementation of the proposed architecture is introduced in this paper. This includes safety-related physical separation as well as placement and routing. Additionally, embedded test structures are introduced. Finally, common-cause failures of the two channels are taken into account by estimating the beta factor for the different techniques that may affect the system safety.

Key-Words: Systems-on-Chip; Safety; Reliability; IEC 61508

1 Introduction

Industrial control applications across all segments, from factory, machine and process automation to energy generation, railway and automotive applications, require an increasing amount of safety-related equipment. In summary, this paper explores the design and implementation of an industrial safety system on a single chip conforming to international safety standards.

Indeed, systems-on-chip are nowadays increasingly used in many everyday electronic applications. For example, the average mid-range control system today contains over a dozen microcontroller systems; high-end automotive systems comprise tenfold or more. These systems need to fulfill a wide set of functionalities and highly competitive features: they need to be tough and robust, flexible and powerful. Systems for safety-related applications in particular need to be ultra-reliable and extremely dependable as well, while remaining cost-effective in development. However, state-of-the-art development of safety-related systems is hardly compatible with most features of modern chip development. This is the reason why, in the past, the development of safety-related systems was based on less advanced technologies. Safety-related systems used to be developed at component level using discrete components such as relays, switches and microprocessors. A couple of years ago there was still no place for advanced semiconductor technology, which provides attractive features like high performance, flexibility and optimized power consumption in competitive development cycles. In 2010 there was a significant re-think: with the enhancement of the standard IEC 61508 and the publication of its second edition, the standard was revised and upgraded. Since then it has been possible to implement safety-related systems with on-chip redundancy conforming to IEC 61508.

The main goal of the current paper is to introduce the design and implementation of an on-chip safety system (OCSS) in terms of the second edition of the safety standard IEC 61508. In fact, several published research and commercial works deal with this novel area. While semiconductor companies such as Texas Instruments [1], Freescale Semiconductor [2] and Renesas Electronics [3] have introduced certified safety chips mainly for automotive and transportation applications, the present research work focuses on a differentiated redundancy concept for industrial control applications. The presented OCSS offers full redundancy at system level. It consists of a safety-related 1oo2D architecture with on-chip diagnosis, which acts and behaves like a mono-processor system towards external devices. First FPGA-based prototypes of the proposed architecture were published in recent works [6] and [7].

After the introduction, the second section of this paper presents the standard IEC 61508. The main focus lies on the second edition of the standard, especially regarding on-chip redundancy. Section 3 presents the proposed architecture concept. In Section 4, the technical implementation of hardware measures and techniques for the proposed architecture is presented. Section 5 gives a conclusion with a short qualitative evaluation of the presented concept. A detailed evaluation and safety calculation of the presented system is to be published in a separate research work.

Fig. 1. Migration to systems-on-chips (left: discrete system on a printed circuit board (PCB) with CPU, RAM, ROM, ICs, PLD and COM blocks; right, after the miniaturization process: system-on-chip with CPU, RAM, ROM, ASIC macro blocks, glue logic and COM)

2 Background

In this section a general overview of safety-related systems is given. In particular, the standard IEC 61508 and its second edition, which are relevant for this work, are focused on. For further information about the design and evaluation of safety-related systems please refer to [8] and [9].

2.1 The Standard IEC 61508

The standard IEC 61508 [4] is a general standard in the area of functional safety, which was developed and first released in 1998 by the International Electrotechnical Commission (IEC), an international standards organization. It is named "Functional safety of electrical / electronic / programmable electronic systems" (E/E/PES). It is an application-independent base standard. Nevertheless, it addresses all safety functions of a target system.
Application- and sector-specific standards have been derived from IEC 61508, such as the IEC sector standard for the process industry. IEC 61508 only regards electrical / electronic / programmable electronic safety-related systems (E/E/PES). The standard is divided into 7 parts. It provides a guide for developing safety-related systems. The specific implementation of the requirements is flexible; thus, IEC 61508 allows making use of future methods and methodologies. In this context, it defines four safety integrity levels, from SIL1 up to SIL4: the higher the SIL, the safer the E/E/PES. The specification of the SIL provides a clear and unambiguous basis for developers, producers and customers to negotiate basic aspects of safety integrity. IEC 61508 is also a basis for further standards.

As mentioned above, the standard provides flexibility for technical and technological innovations. Thus, the standard has intentionally been kept abstract and flexible as to how the requirements for hardware and software are covered, whereas the requirements themselves are clearly defined. The standard leaves enough degrees of freedom for researchers and developers to apply their own implementation ideas and frees them from the need to comply with stringent rules. Furthermore, innovations find their way into new drafts of the standard. While the use of on-chip redundancy (OCR) was not considered in the first edition, it has been considered in subsequent drafts, and could thereby be taken into consideration by developers and certification parties before the release of the second edition of IEC 61508. The main changes in the second edition of the standard are presented briefly in the next section.

2.2 The Second Edition of IEC 61508

The first edition of IEC 61508 addressed almost exclusively conservative technologies for the implementation of safety-related systems. With the release of the second edition of the standard in 2010 [5], the door was opened for new technologies whose implications are still completely unknown. An example is the use of integrated circuits in safety-related systems. The second edition of IEC 61508 defines the term on-chip redundancy (OCR) and states the requirements for this purpose. In the present work, the requirements for developing safety-related systems based on systems-on-chip conforming to the second edition of IEC 61508 are considered. In the following, some of the main new features of the second edition are described briefly:

- New requirements for application specific integrated circuits (ASICs) in the context of OCR
- Clear definition of systematic integrity compliance routes
- Clear definition of hardware integrity compliance routes
- New definition of the term proven-in-use

2.3 On-chip Safety Systems

In this section, the requirements for on-chip redundancy in safety-related systems according to IEC 61508 are discussed. According to the standard, on-chip redundancy is defined as the implementation of redundant channels on a single IC die while achieving a hardware fault tolerance HFT > 0. For example, as shown in Fig. 1, using on-chip redundancy could be a miniaturization process, turning a safety-related discrete system into a single-chip solution. The higher gate density and increasing miniaturization of ASICs increase performance and enhance the chip's capabilities. However, the increasing complexity also increases the vulnerability to several kinds of faults, e.g. common-cause faults and soft errors. Despite continuous improvement of production processes, an extensive verification and validation process for chips is essential. Hence, using ASICs in safety-related applications requires a high level of fault control and fault prevention. Aspects such as non-interaction, physical separation and thermal integrity are of vital importance in order to avoid common-cause failures.

In the following, the methodologies and techniques according to IEC 61508 part 2 are summarized. Please note that the introduced techniques only consider the hardware implementation. Design and verification methodologies are to be discussed in future work. Annex E of IEC 61508 part 2 deals with the architectural techniques for on-chip safety systems. On-chip safety systems can only achieve SIL3, which is the level targeted for the proposed architecture.
The most significant techniques applied in this work are summarized in the following:

- The different elements used in the design (control elements or monitoring elements) shall be physically separated on the substrate.
- Each element shall have its own power supply, separate bond wires and its own inputs and outputs.
- Cross-talk and short circuits shall be avoided by keeping a minimum distance between the elements.
- Thermal decoupling shall be achieved by dedicated physical placement (using temperature sensors) or by analyzing thermal effects (thermal simulation).
- Common-cause failures should be considered by defining the beta factor, thus quantifying the impact of common-cause failures.

Fig. 2. 1oo2D Architecture

3 Proposed Architecture

IEC 61508 provides a basis for qualitative and quantitative analysis in the field of functional safety. In particular, architectural measures to provide a desired level of safety or reliability have been introduced, such as hardware fault tolerance, system redundancy and the implementation of diagnostic and monitoring elements. Considering the use of hardware redundancy and hardware fault tolerance, MooN system architectures (M out of N) are usually targeted. The name describes the system architecture and its hardware fault tolerance: for a safety-related MooN system, M out of N channels are sufficient to transfer the system into a safe state. The basic form of this redundancy is the 1oo2 architecture, which represents a safety architecture with hardware fault tolerance HFT = 1. The architecture presented in this work is based on the 1oo2D architecture, a 1oo2 architecture with diagnosis units.

3.1 1oo2D Architecture

The 1oo2 architecture (one out of two) is one of several system architectures described in the standard IEC 61508. This kind of architecture is composed of two parallel channels. If both channels of the system fail, the system may lose the safety function. The 1oo2D architecture is a 1oo2 architecture with integrated diagnostic units.

As mentioned above, a 1oo2D architecture describes a complete system or a subsystem consisting of two channels (main and redundant channel). Both channels perform the same function. In case of a failure, only one of the two channels is required to transfer the system into a safe state. A diagnostic unit continuously compares the results of both channels. If there is an inequality, an error is detected, i.e. one of the channels or both are faulty, provided that the diagnostic unit itself is operating failure-free. In case of an error, the diagnostic unit informs the two channels. Both then attempt to bring the whole system into a safe state. The faulty channel may not be able to do so; however, the failure-free channel can still bring the system into a safe state on its own. The system remains in the safe state until the fault is corrected and both channels are functioning again. If both channels fail, independently or due to the same fault, the 1oo2D (sub-)system is not able to trigger the safe state by itself. For such cases, external diagnostic measures such as a watchdog and temperature and voltage monitoring are used to transfer the system into a safe state. Fig. 2 shows a simplified block diagram of a 1oo2D architecture for an ASIC.

3.2 On-chip Safety System Architecture

Besides the presented architecture, other architectures such as 1oo3, 2oo3 and 2oo4 are in use. Two core parameters for specifying and determining the SIL are the average probability of failure on demand (PFD) and the probability of failure per hour (PFH), respectively. Comparing PFD and PFH for the architectures mentioned above, the 1oo2 architecture achieves very good values considering its minimal redundancy. The 1oo2 architecture is the architecture of choice for fail-safe systems as long as safety comes first, followed by availability and reliability. The main target of the present work is the integration of the 1oo2D architecture into a single system-on-chip: the redundant processor channels as well as the diagnosis units are integrated into a single silicon die. Fig. 3 describes the proposed OCSS.
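The 1oo2D behaviour described in section 3.1 (two channels, a comparing diagnostic unit, an external watchdog as last resort), as an added behavioural model that is not part of the paper or the OCSS design. The safety function, the fault classes and the scenario names are constructed for illustration; the "undetected" outcome shows the common-cause case that the comparator cannot see and that the beta factor in section 4.4 has to bound.

```python
"""Behavioural model of the 1oo2D arrangement: two channels computing the same
function, an on-chip diagnostic unit comparing their results, and an external
watchdog as the last line of defence. Constructed example, not the OCSS design."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Fault(Enum):
    NONE = "none"    # healthy channel
    WRONG = "wrong"  # computes a wrong result but can still de-energize its outputs
    STUCK = "stuck"  # no longer executes: frozen output, no watchdog service, cannot go safe


@dataclass
class Channel:
    name: str
    fault: Fault = Fault.NONE
    safe: bool = False

    def compute(self, demand: int) -> int:
        # Constructed toy safety function: the correct output is 2 * demand.
        if self.fault is Fault.STUCK:
            return -1
        if self.fault is Fault.WRONG:
            return 2 * demand + 1
        return 2 * demand

    def services_watchdog(self) -> bool:
        # A stuck channel stops triggering the external watchdog.
        return self.fault is not Fault.STUCK

    def go_safe(self) -> bool:
        # Attempt to bring the system into the safe state; a stuck channel cannot.
        if self.fault is Fault.STUCK:
            return False
        self.safe = True
        return True


@dataclass
class OneOutOfTwoD:
    main: Channel
    redundant: Channel
    events: List[str] = field(default_factory=list)

    def cycle(self, demand: int) -> str:
        """One processing cycle; returns 'ok', 'safe', 'watchdog' or 'undetected'."""
        out_m = self.main.compute(demand)
        out_r = self.redundant.compute(demand)
        if out_m != out_r:
            # The diagnostic unit sees the inequality and informs both channels;
            # both attempt the transfer, and one reaching the safe state suffices.
            self.events.append(f"diagnosis: main={out_m} redundant={out_r}")
            reached_m = self.main.go_safe()
            reached_r = self.redundant.go_safe()
            if reached_m or reached_r:
                return "safe"
        # External measure: both channels must keep servicing the watchdog.
        if not (self.main.services_watchdog() and self.redundant.services_watchdog()):
            self.events.append("external watchdog forces the safe state")
            return "watchdog"
        if out_m != 2 * demand:
            # Equal but wrong results: a common-cause failure the comparator
            # cannot see. This is what the beta-factor analysis has to bound.
            return "undetected"
        return "ok"


def run_scenarios(demand: int = 21) -> Dict[str, str]:
    """Inject constructed faults into the two channels and collect the outcome of one cycle."""
    cases = {
        "healthy": (Fault.NONE, Fault.NONE),
        "one_channel_wrong": (Fault.WRONG, Fault.NONE),
        "one_channel_stuck": (Fault.NONE, Fault.STUCK),
        "both_stuck": (Fault.STUCK, Fault.STUCK),
        "common_cause_wrong": (Fault.WRONG, Fault.WRONG),
    }
    results = {}
    for name, (fault_m, fault_r) in cases.items():
        system = OneOutOfTwoD(Channel("main", fault_m), Channel("redundant", fault_r))
        results[name] = system.cycle(demand)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:20s} -> {outcome}")
```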
The OCSS consists of two identical processor channels. Each channel consists of a processor unit, data and program memory, several communication interfaces and inputs and outputs (IOs). Both blocks operate synchronously and are monitored by an on-chip diagnosis unit. The integration of the 1oo2D architecture brings many advantages. Due to the on-chip miniaturization, the component count and the system size shrink. The latter also reduces the on-chip power consumption and the overall system costs. Regarding reliability and safety, the integration of all system components into a single chip can reduce error sources (packages, wires, solder joints, etc.) and can lead to better safety and reliability parameters.

Fig. 3. OCSS Architecture

4 Safety-related Implementation

In this section, the safety-related implementation of the proposed OCSS is presented. Concerning the description of concrete measures to cover the requirements, this paper considers only some essential aspects; implementation details will be published in a separate work. In the following subsections, the implementation of the requirements presented in section III is introduced. Note, however, that every specific system architecture and every system design may have different reasons for as well as against a specific measure. A failure mode and effects analysis (FMEA) should address these aspects adequately.

4.1 Physical Placement

In this section, the physical implementation of the measures presented in the previous sections is illustrated by a case example, which describes the proposed OCSS. The OCSS presented in Fig. 3 is shown in Fig. 4 with the safety-related measures inserted. In the following, these measures are described. The figure shows a possible definition of the channels of the 1oo2D architecture. The proportions, the arrangement and the number of pads are not representative.

Each channel is integrated into a separate power domain, shown in the diagram as a dashed border. This means that each channel is a system of its own, comprising its own CPU, memory and communication interfaces, and its own IO and power supply pads. Both subsystems are separated by a gap. As each subsystem has its own power supply, it is called a power domain. While the standard does not require a specific gap width, the distance between the domains may vary depending on the process technology used for manufacturing the OCSS. As a rule of thumb, ten to one hundred times the gate length of the process technology used should be sufficient for the gap. For a 0.18 micron CMOS technology, for example, the targeted gap width of 50 microns is considered to be definitely sufficient.

The isolation and decoupling of the channels in the above example is ensured by a silicon barrier, which does not contain any voltage connections and is shown in the figure as a white area. It should be noted that this measure may be appropriate for ASICs with high-frequency signals; for low-frequency signals it may be inappropriate. Also note that for on-chip redundancy a common ground in the substrate (bulk) is necessary. Therefore, a complete electrical isolation of the power domains is not possible: this common ground connects all dedicated power domains. An alternative solution would be the use of multi-chip packages (MCPs) to incorporate multiple dies in one package. However, this complicates the routing between blocks and leads to more expensive and complex systems.

Another important aspect of the physical separation between the individual channels is the pad assignment. Ground pads can be used for decoupling by placing them right between adjacent pads of different power domains, as shown in Fig. 4. Additionally, pads for non-safety functions can be used in the same manner for decoupling the power domains. The diagnostic unit (comparator or voter) also possesses its own power domain. This, however, is not required; the diagnostic unit may well be placed in the power domain of one channel. The main idea is that the individual channels are sufficiently separated from each other. A further aspect is the routing between the channels, which is described in the next section.

4.2 Physical Routing

The routing between the channels is carried out using special pre-routing blocks, as supported by the design tools. In general, it is important to note that only a minimum of connections between the power domains should exist. These include, for example:

- Necessary signals from the channels to the diagnostic unit
- Acknowledgment signals from the diagnostic unit to the channels
- Common input signals of both processors (clock, reset, debug signals)
- Pad signals for testability (boundary-scan chain)

Such signals are needed by the defined architecture, and they are indispensable for the safety function. Normally, these are low-power signals. Additionally, the number of these signals is supposed to be manageable, so that a crossing-free routing with enough distance between the signal lines should be possible. Parallel signal lines should be far enough apart to avoid crosstalk. Depending on the signal frequency, a suitable distance is required, for example twice the distance for clock signals as for other signals.

Fig. 4. Safety Implementation of the OCSS Architecture

4.3 Test Development

The design of systems-on-chip is associated with test development and implementation. At this point, the design of safety-related chips requires not only a careful implementation of test development, but also the introduction of safety-related measures at the test level. In this section, a summary overview of the implementation of the measures at test level is given.

4.3.1 Scan-Test

IEC 61508 states that the test coverage at the complete system level should be higher than 99%. Therefore, a structural test method for the logic is required. For this purpose, the scan-path method, which is well established in chip development, is targeted in our work. A scan path is built into the chip. In addition to the chip's normal operation mode, a test mode is implemented. This mode can be requested using separate input pads. In test mode, all flip-flops of a circuit, or even of a whole power domain, can be interconnected into a shift register chain. This means that the circuit is divided into a combinatorial part and a memory part, which contains the shift register. The scan logic can be controlled via specific test pads for that power domain. The scan-path test runs according to the following pattern: the data is shifted into the memory block via the shift register and applied to the combinatorial logic of the circuit. Subsequently, the circuit is switched to the normal operating state to execute the combinational part. Finally, it is switched back to test mode in order to shift out and evaluate the data in the output flip-flops. This makes it possible to carry out a complete test of all gates.

4.3.2 Built-In Self-Test

The built-in self-test method (BIST) is a test circuit implemented on the chip, which generates test stimuli and evaluates the results automatically. The BIST logic essentially consists of a BIST controller; a test-pattern generator (TPG), which is responsible for the generation of stimuli; the circuit under test (CUT), i.e. the logic to be tested; and the output response analyzer (ORA), which is responsible for evaluating the responses. For the presented concept, the BIST logic mainly serves for testing the on-chip memory.

4.3.3 Boundary Scan-Test

The boundary scan test is an important test in the manufacturing process.
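The three-step scan-path pattern of section 4.3.1 (shift a pattern in, execute the combinational part for one clock, shift the captured response out and evaluate it), as an added model that is not part of the paper or the OCSS design. The four-flip-flop chain, the combinational block and the stuck-at-0 defect are constructed for illustration; the model also enumerates all patterns to show which of them expose the defect, which is the coverage question the 99% requirement raises.

```python
"""Model of the scan-path test sequence: shift a pattern into the flip-flop chain,
apply one functional clock, shift the captured response out and compare it with
the fault-free response. Constructed example, not the OCSS design itself."""
from itertools import product
from typing import Callable, List

Bits = List[int]
Logic = Callable[[Bits], Bits]


class ScanChain:
    """Flip-flops of one power domain; in test mode they form a shift register."""

    def __init__(self, n_ff: int, logic: Logic):
        self.ff = [0] * n_ff          # memory part (the flip-flops)
        self.logic = logic            # combinational part: FF values -> next FF values
        self.test_mode = False        # selected via the dedicated test pads

    def clock(self, scan_in: int = 0) -> int:
        """One clock edge: shift in test mode, capture logic outputs in normal mode."""
        if self.test_mode:
            scan_out = self.ff[-1]
            self.ff = [scan_in] + self.ff[:-1]   # bit enters at ff[0], leaves at ff[-1]
            return scan_out
        self.ff = self.logic(self.ff)
        return 0                                 # scan output unused in normal mode


def scan_test(chain: ScanChain, pattern: Bits) -> Bits:
    """Run the three-step pattern from the text and return the captured response."""
    n = len(chain.ff)
    chain.test_mode = True
    for bit in reversed(pattern):       # after n shifts, chain.ff == pattern
        chain.clock(bit)
    chain.test_mode = False
    chain.clock()                       # execute the combinational part once
    chain.test_mode = True
    shifted_out = [chain.clock(0) for _ in range(n)]
    return shifted_out[::-1]            # ff[-1] came out first; restore ff order


def good_logic(s: Bits) -> Bits:
    # Constructed 4-bit combinational block: XOR, AND, OR and an inverter.
    return [s[1] ^ s[2], s[2] & s[3], s[3] | s[0], 1 - s[0]]


def stuck_at_0_logic(s: Bits) -> Bits:
    # Same block with a constructed manufacturing defect: AND output stuck at 0.
    out = good_logic(s)
    out[1] = 0
    return out


def exposing_patterns(good: Logic, faulty: Logic, n_ff: int = 4) -> List[Bits]:
    """Exhaustively find the patterns whose response differs between the two circuits."""
    found = []
    for bits in product((0, 1), repeat=n_ff):
        pattern = list(bits)
        expected = scan_test(ScanChain(n_ff, good), pattern)
        observed = scan_test(ScanChain(n_ff, faulty), pattern)
        if expected != observed:
            found.append(pattern)
    return found


if __name__ == "__main__":
    for p in exposing_patterns(good_logic, stuck_at_0_logic):
        print("pattern", p, "exposes the stuck-at-0 fault")
```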
The advantage of the boundary-scan test interface compared to previous test interfaces is that single components as well as multiple components can be tested using the same infrastructure. The connection of the circuit nodes to be tested is done via a serial data path, which extends between internal connections and external contacts/pins. The data path consists of so-called scan cells, each consisting of a serial input/output, a parallel input/output and various control signals. Depending on the direction of the data and the function, several types of scan cells can be used. The challenge in our concept was to develop a safety-related boundary-scan concept which does not affect the safety-related chip development. The concept is based on realizing a redundant boundary-scan structure, which guarantees the absence of feedback between the two channels.

4.4 Avoiding Common-Cause Failures

In addition to single-point failures, it is important to consider failures which have a common cause, so-called common-cause failures. This is described in detail in IEC 61508 and thus only explained briefly here. Targeting SIL3 using on-chip redundancy with HFT > 0, a base beta factor βic = 33% is assumed. By applying additional measures according to the tables given in IEC 61508, this factor may increase or decrease. Thus, the resulting beta coefficient is βocss = βic + Σ modifications. This shall not be higher than 25%. More information on this can be found in the standard. In this context, the following aspects are to be considered:

- Recognizing all uncontrollable faults (by diagnostic units, online tests or proof tests) is needed in order to reach or hold the safe condition.
- For each channel and each individually executed monitoring component, a diagnostic coverage (DC) of at least 60% should be achieved.
- Only diversely implemented (i.e. differently designed) channels may monitor each other and thus, acting as a watchdog, improve the safe failure fraction (SFF) and the DC.
- Homogeneous channels may only act as watchdogs for other channels if a sufficiently high SFF and DC have already been reached.
- Electromagnetic compatibility (EMC) tests with an additional safety margin shall neither impair the IC's functionality nor destroy it.
- Unsymmetrical wiring should be avoided as much as possible.

Based on tables E.1 and E.2 in Annex E of IEC 61508 [5], an example calculation of the beta factor is given in Table 1.

Table 1. β-factor calculation (the percentage entries other than those shown are missing from this transcription)

Technique / Measure | β-factor modification | β OCSS-factor
External watchdog unit | Not considered for the time being | 33 %
On-chip diagnosis unit | +5 to ... % |
Internal connections between blocks with cross-over | |
Providing each block its own power supply | |
Structures that isolate and decouple physical blocks | |
Ground pin between pin-out of separated blocks | |
Temperature analysis and tests | |
EMC tests with additional safety margin | |

5 Conclusion and Future Work

In this paper, theoretical and practical conclusions are presented. For a SIL3 1oo2D architecture consisting of two processor cores, a safety monitoring unit is specified, designed, implemented and verified as a diagnostic unit. As the complete implementation of the presented OCSS goes beyond the scope of this paper, a summarized implementation description is given which considers the most important safety-related aspects. In a further context, general core requirements for developing safety-related systems-on-chip are required. They include the development model for the realization phase and requirements for hardware description language (HDL) code. Thus, on the one hand, the requirements of IEC 61508 part 2 apply; on the other hand, as HDL code is software, the requirements of IEC 61508 part 3 apply as well. The same applies to tests at HDL level. Additionally, core requirements for on-chip redundancy are mentioned and an example has been given. The channel separation into power domains and the decoupling of these using a silicon barrier are depicted. Furthermore, constraints on connections between those power domains are explained. Test development is an essential aspect of chip design; the scan test, boundary-scan test and BIST implementations used are presented briefly. Finally, the determination of the beta factor for OCR is presented. Techniques and measures that increase and decrease the beta factor in terms of IEC 61508 are presented and discussed. For a sample module consisting of external and on-chip elements, the determination of the beta factor is demonstrated.

Future publications will have a tighter focus on the mathematical evaluation of the introduced systems. The calculation of the safety parameters will be introduced, and an analysis and comparison with similar systems will be discussed.

References:

[1] Texas Instruments, Safety Manual for TMS570LS31x and TMS570LS21x Hercules ARM Safety Critical Microcontrollers, User's Guide, Literature Number SPNU511B, April 2013
[2] Freescale Semiconductor, Qorivva MPC5643L Microcontroller Data Sheet, Data Sheet: Advance Information, Document Number MPC5643K Rev. 8.1, May 2012
[3] Renesas Electronics, Microcontroller series for innovative SIL3/ASILD chassis applications, Document Number R30PF0016ED0100, May 2010
[4] International Electrotechnical Commission, IEC/EN 61508: International standard functional safety: safety related systems, Geneva, 2005
[5] International Electrotechnical Commission, IEC/EN 61508: International standard functional safety: safety related systems, Second Edition, Geneva, 2010
[6] J. Boercsoek, A. Hayek, M. Umar, Implementation of a 1oo2-RISC-Architecture on FPGA for Safety Systems, 6th ACS/IEEE International Conference on Computer Systems and Applications, Doha, 2008
[7] J. Boercsoek, A. Hayek, B. Machmur, M. Umar, Design and Implementation of an IP-based Safety-related Architecture on FPGA, XXII International Symposium on Information, Communication and Automation Technologies (ICAT), Sarajevo, Bosnia and Herzegovina, 2009, IEEE Conference Publications, pp. 1-6
[8] J. Boercsoek, Functional Safety: Basic Principles of Safety-related Systems, Huethig, Heidelberg, 2006
[9] J. Boercsoek, Electronic Safety Systems: Hardware Concepts, Models and Calculations, Huethig, Heidelberg, 2004


More information

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis Failure Modes, Effects and Diagnostic Analysis Project: 9106 HART Transparent Repeater and 9107 HART Transparent Driver Customer: PR electronics A/S Rønde Denmark Contract No.: PR electronics 06/03-19

More information

Mobrey Hydratect 2462

Mobrey Hydratect 2462 Mobrey Hydratect 2462 Functional Safety Manual Functional Safety Manual Functional Safety Manual Table of Contents Contents 1Section 1: Introduction 1.1 Scope and purpose of the safety manual..................................

More information

New developments about PL and SIL. Present harmonised versions, background and changes.

New developments about PL and SIL. Present harmonised versions, background and changes. Safety evevt 2017 Functional safety New developments about PL and SIL. Present harmonised versions, background and changes. siemens.com ISO/ TC 199 and IEC/ TC 44 joint working group 1 - Merging project

More information

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual Type 9160 / 9163 Transmitter supply unit / Isolating repeater Safety manual Safety manual English Content 1 General information... 3 1.1 Manufacturer... 3 1.2 Information regarding the Safety Manual...

More information

Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL

Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL Riccardo Mariani White Paper n. 001/2014 Riccardo Mariani

More information

Low voltage switchgear and controlgear functional safety aspects

Low voltage switchgear and controlgear functional safety aspects Low voltage switchgear and controlgear functional safety aspects Guidance how to use low voltage switchgear and controlgear in functional safety applications Picture Siemens AG A message from the CAPIEL

More information

Leso Martin, Musil Tomáš

Leso Martin, Musil Tomáš SAFETY CORE APPROACH FOR THE SYSTEM WITH HIGH DEMANDS FOR A SAFETY AND RELIABILITY DESIGN IN A PARTIALLY DYNAMICALLY RECON- FIGURABLE FIELD-PROGRAMMABLE GATE ARRAY (FPGA) Leso Martin, Musil Tomáš Abstract:

More information

Analysis on the application of on-chip redundancy in the safety-critical system

Analysis on the application of on-chip redundancy in the safety-critical system LETTER IEICE Electronics Express, Vol.11, No.9, 1 7 Analysis on the application of on-chip redundancy in the safety-critical system Bai-gen Cai 1, Cheng-ming Jin 1a), Lian-chuan Ma 1, Yuan Cao 1, and Hideo

More information

FUNCTIONAL SAFETY CERTIFICATE

FUNCTIONAL SAFETY CERTIFICATE FUNCTIONAL SAFETY CERTIFICATE This is to certify that the SI-1Q and SI-2/2.1Q Skilmatic Intelligent Electro-hydraulic Quarter-turn Valve Actuators manufactured by Rotork Fluid Systems Ltd (A Division of

More information

Type Switching repeater. Safety manual

Type Switching repeater. Safety manual Type 9170 Switching repeater Safety manual Safety manual English Content 1 General information... 3 1.1 Manufacturer... 3 1.2 Information regarding the Safety Manual... 3 1.3 Area of application... 3 1.4

More information

CAN on Integration Technologies

CAN on Integration Technologies CAN on Integration Technologies CAN technology has reached the mature state where the powerful network technology is well covered by standard parts; mainly processors with integrated CAN periphery. Nevertheless

More information

At-Speed On-Chip Diagnosis of Board-Level Interconnect Faults

At-Speed On-Chip Diagnosis of Board-Level Interconnect Faults At-Speed On-Chip Diagnosis of Board-Level Interconnect Faults Artur Jutman Tallinn University of Technology artur@pld.ttu.ee Abstract This article describes a novel approach to fault diagnosis suitable

More information

Smart Inrush Current Limiter Enables Higher Efficiency In AC-DC Converters

Smart Inrush Current Limiter Enables Higher Efficiency In AC-DC Converters ISSUE: May 2016 Smart Inrush Current Limiter Enables Higher Efficiency In AC-DC Converters by Benoît Renard, STMicroelectronics, Tours, France Inrush current limiting is required in a wide spectrum of

More information

INTERCONNECT TESTING WITH BOUNDARY SCAN

INTERCONNECT TESTING WITH BOUNDARY SCAN INTERCONNECT TESTING WITH BOUNDARY SCAN Paul Wagner Honeywell, Inc. Solid State Electronics Division 12001 State Highway 55 Plymouth, Minnesota 55441 Abstract Boundary scan is a structured design technique

More information

OPERATIONAL UP TO. 300 c. Microcontrollers Memories Logic

OPERATIONAL UP TO. 300 c. Microcontrollers Memories Logic OPERATIONAL UP TO 300 c Microcontrollers Memories Logic Whether You Need an ASIC, Mixed Signal, Processor, or Peripheral, Tekmos is Your Source for High Temperature Electronics Using either a bulk silicon

More information

SAFETY MANUAL SIL Switch Amplifier

SAFETY MANUAL SIL Switch Amplifier PROCESS AUTOMATION SAFETY MANUAL SIL Switch Amplifier KCD2-SOT-(Ex)*(.LB)(.SP), KCD2-ST-(Ex)*(.LB)(.SP) ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable:

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION CHAPTER 1 INTRODUCTION Rapid advances in integrated circuit technology have made it possible to fabricate digital circuits with large number of devices on a single chip. The advantages of integrated circuits

More information

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0 Safety manual HART TRANSPARENT driver 9107 This safety manual is valid for the following product versions: 9107-002 Version No. V1R0 0. CONTENTS 1. Observed standards... 2 2. Acronyms and abbreviations...

More information

Commissioning and safety manual SIL2

Commissioning and safety manual SIL2 Commissioning and safety manual CAL23MA/S2 SIL2 SIL3 LOREME 12, rue des Potiers d'etain Actipole BORNY - B.P. 35014-57071 METZ CEDEX 3 Téléphone 03.87.76.32.51 - Télécopie 03.87.76.32.52 Nous contacter:

More information

Using Zynq-7000 SoC IEC Artifacts to Achieve ISO Compliance

Using Zynq-7000 SoC IEC Artifacts to Achieve ISO Compliance White Paper: Zynq-7000 SoC, ISO 13849, IEC 61508 Standards WP495 (v1.0) November 21, 2017 Using Zynq-7000 SoC IEC 61508 Artifacts to Achieve ISO 13849 Compliance By: Paul S. Levy This white paper shows

More information

Analysis on the Application of On-chip Redundancy in the Safety-critical System

Analysis on the Application of On-chip Redundancy in the Safety-critical System This article has been accepted and published on J-STAGE in advance of copyediting. Content is final as presented. IEICE Electronics Express, Vol.* No.*,*-* Analysis on the Application of On-chip Redundancy

More information

ida Certification Services IEC Functional Safety Assessment Project: Masoneilan Smart Valve Interface, SVI II ESD Customer: GE Energy

ida Certification Services IEC Functional Safety Assessment Project: Masoneilan Smart Valve Interface, SVI II ESD Customer: GE Energy e ida Certification Services IEC 61508 Functional Safety Assessment Project: Masoneilan Smart Valve Interface, SVI II ESD Customer: GE Energy Avon, MA USA Contract Number: Q13/01-021 Report No.: GEE Q1301021

More information

ISO SINAMICS G110D FAQ

ISO SINAMICS G110D FAQ Cover sheet Safe Torque Off (STO) of an AS-idriven SINAMICS G110D with SIL 3 in compliance with IEC 62061 or PL e in compliance with ISO 13849-1 SINAMICS G110D FAQ November 2012 Service & Support Answers

More information

2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000

2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000 Copyright, Notices and Trademarks 2000 Honeywell Safety Management Systems B.V. Revision 01 July 2000 While this information

More information

Design Progression With VHDL Helps Accelerate The Digital System Designs

Design Progression With VHDL Helps Accelerate The Digital System Designs Fourth LACCEI International Latin American and Caribbean Conference for Engineering and Technology (LACCET 2006) Breaking Frontiers and Barriers in Engineering: Education, Research and Practice 21-23 June

More information

ACT20X-(2)HTI-(2)SAO Temperature/mA converter. Safety Manual

ACT20X-(2)HTI-(2)SAO Temperature/mA converter. Safety Manual ACT20X-(2)HTI-(2)SAO Temperature/mA converter Safety Manual 1.1 Revision history Version Date Change 00 04/2014 First Edition 01 11/2017 Products added 1.2 Validity This manual is valid for the following

More information

myproject - P PAR Detail

myproject - P PAR Detail myproject - P1149.1 PAR Detail Submitter Email: cjclark@intellitech.com Type of Project: Revision to IEEE Standard PAR Request Date: 24-May-2008 PAR Approval Date: 26-Sep-2008 PAR Expiration Date: 31-Dec-2012

More information

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis Failure Modes, Effects and Diagnostic Analysis Project: SD & TP Surge Suppressors Company: MTL Surge Technologies West Melbourne, FL USA Contract Number: Q07/11-12 Report No.: AS 07/11-12 R001 Version

More information

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis Failure Modes, Effects and Diagnostic Analysis Project: Limit Switch Box Customer: EUROTEC Antriebszubehör GmbH Kressbronn Germany Contract No.: EUROTEC 10/01-84 Report No.: EUROTEC 10/01-84 R001 Version

More information

Proline Prowirl 72, 73

Proline Prowirl 72, 73 Functional Safety Manual Vortex flow measuring system with 4 20 ma output signal Application Monitoring of maximum and/or minimum flow in systems which are required to comply with particular safety system

More information

FPGA for Dummies. Introduc)on to Programmable Logic

FPGA for Dummies. Introduc)on to Programmable Logic FPGA for Dummies Introduc)on to Programmable Logic FPGA for Dummies Historical introduc)on, where we come from; FPGA Architecture: Ø basic blocks (Logic, FFs, wires and IOs); Ø addi)onal elements; FPGA

More information

Functional safety manual RB223

Functional safety manual RB223 SD00011R/09/EN/13.13 71238251 Products Solutions Services Functional safety manual RB223 Passive barrier Application Galvanic isolation of active 0/4 to 20 ma signals from transmitters, valves and adjusters,

More information

Options for ABB drives. User s manual FSE-31 pulse encoder interface module

Options for ABB drives. User s manual FSE-31 pulse encoder interface module Options for ABB drives User s manual FSE-31 pulse encoder interface module List of related manuals and guides Drive hardware manuals Code (EN) ACS880-01 hardware manual 3AUA0000078093 ACS880-04 hardware

More information

System Testability Using Standard Logic

System Testability Using Standard Logic System Testability Using Standard Logic SCTA037A October 1996 Reprinted with permission of IEEE 1 IMPORTANT NOTICE Texas Instruments (TI) reserves the right to make changes to its products or to discontinue

More information

PSR-PC50. SIL 3 coupling relay for safety-related switch on. Data sheet. 1 Description

PSR-PC50. SIL 3 coupling relay for safety-related switch on. Data sheet. 1 Description SIL 3 coupling relay for safety-related switch on Data sheet 105818_en_01 PHOENIX CONTACT 2014-08-18 1 Description The PSR-PC50 SIL coupling relay can be used for power adaptation and electrical isolation

More information

MANUAL Functional Safety

MANUAL Functional Safety PROCESS AUTOMATION MANUAL Functional Safety Switch Amplifier HiC283* ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable: The General Terms of Delivery

More information

16-Channel Digital Output Module 120Vac/dc

16-Channel Digital Output Module 120Vac/dc Triguard SC300E MDO16FNS 16-Channel Digital Output Module 120Vac/dc (MDO16FNS) Issue 4 October 2005 INTRODUCTION PURPOSE The 120Vac/dc Digital Output Module MDO16FNS provides the output control interface

More information

FPGA Programming Technology

FPGA Programming Technology FPGA Programming Technology Static RAM: This Xilinx SRAM configuration cell is constructed from two cross-coupled inverters and uses a standard CMOS process. The configuration cell drives the gates of

More information

DEPENDABLE PROCESSOR DESIGN

DEPENDABLE PROCESSOR DESIGN DEPENDABLE PROCESSOR DESIGN Matteo Carminati Politecnico di Milano - October 31st, 2012 Partially inspired by P. Harrod (ARM) presentation at the Test Spring School 2012 - Annecy (France) OUTLINE What?

More information

A Study on the Testing of VLSI Systems Using Reduced Power Consumption Methods

A Study on the Testing of VLSI Systems Using Reduced Power Consumption Methods International Journal of Scientific & Engineering Research, Volume 4, Issue 4, April-2013 664 A Study on the Testing of VLSI Systems Using Reduced Power Consumption Methods Debasmita Hazra Abstract- This

More information

Report. Certificate M6A SIMATIC S7 Distributed Safety

Report. Certificate M6A SIMATIC S7 Distributed Safety Report to the Certificate M6A 17 05 67803 014 Safety-Related Programmable Systems SIMATIC S7 Distributed Safety Manufacturer: Siemens AG DF FA AS Gleiwitzer Str. 555 D-90475 Nürnberg Revision 3.1 dated

More information

HART Temperature Transmitter for up to SIL 2 applications

HART Temperature Transmitter for up to SIL 2 applications HART Temperature Transmitter for up to SIL 2 applications Inor Process AB 04/2010 86B520S001 R1.0 1 Introduction... 3 1.1 Field of application... 3 1.2 User benefits... 3 1.3 Manufacturer s safety instructions...

More information

Report. Certificate Z SIMATIC S7 F/FH Systems

Report. Certificate Z SIMATIC S7 F/FH Systems Report to the Certificate Z10 16 06 20080 004 Safety-Related Programmable Systems SIMATIC S7 F/FH Systems Manufacturer: Siemens AG PD PA AE R&D Östliche Rheinbrückenstr. 50 D-76187 Karlsruhe Report no.

More information

to 12a Added Standard and Electrical requirements for UL table 1.1

to 12a Added Standard and Electrical requirements for UL table 1.1 Document changes and version status C-DIAS SAFETY DIGITAL INPUT MODULE CSDI 162 Change date Affected page(s) Changes/expansions/corrections Version 19.12.2013 12 to 12a Added Standard and Electrical requirements

More information

Original operating instructions Safety relay with relay outputs G1501S / / 2016

Original operating instructions Safety relay with relay outputs G1501S / / 2016 Original operating instructions Safety relay with relay outputs G50S UK 8023637 / 00 02 / 206 Contents Preliminary note...4. Symbols used...4 2 Safety instructions...5 3 Items supplied...6 4 Functions

More information

A Review paper on the Memory Built-In Self-Repair with Redundancy Logic

A Review paper on the Memory Built-In Self-Repair with Redundancy Logic International Journal of Engineering and Applied Sciences (IJEAS) A Review paper on the Memory Built-In Self-Repair with Redundancy Logic Er. Ashwin Tilak, Prof. Dr.Y.P.Singh Abstract The Present review

More information

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL COMMISSION

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL COMMISSION COMMISSION CEI ELECTOTECHNIQUE IEC INTENATIONALE 61508-2 INTENATIONAL ELECTOTECHNICAL COMMISSION Functional safety of electrical/electronic/ programmable electronic safety-related systems -- Part 2: equirements

More information

Very Large Scale Integration (VLSI)

Very Large Scale Integration (VLSI) Very Large Scale Integration (VLSI) Lecture 10 Dr. Ahmed H. Madian Ah_madian@hotmail.com Dr. Ahmed H. Madian-VLSI 1 Content Manufacturing Defects Wafer defects Chip defects Board defects system defects

More information

Options for ABB drives. User s manual Prevention of unexpected start-up (option +Q957) for ACS880-07/17/37 drives

Options for ABB drives. User s manual Prevention of unexpected start-up (option +Q957) for ACS880-07/17/37 drives Options for ABB drives User s manual Prevention of unexpected start-up (option +Q957) for ACS880-07/17/37 drives List of related manuals Drive hardware manuals and guides ACS880-07 drives (560 to 2800

More information

HART Temperature Transmitter for up to SIL 2 applications

HART Temperature Transmitter for up to SIL 2 applications HART Temperature Transmitter for up to SIL 2 applications Inor Process AB 05/2014 86B520S001 R1.3 1 Introduction... 3 1.1 Field of application... 3 1.2 User benefits... 3 1.3 Manufacturer s safety instructions...

More information

Report. Certificate M6A SIMATIC Safety System

Report. Certificate M6A SIMATIC Safety System Report to the Certificate M6A 067803 0019 Safety-Related Programmable Systems SIMATIC Safety System Manufacturer: Siemens AG Gleiwitzer Str. 555 D-90475 Nürnberg Revision 2.1 dated 2018-09-25 Testing Body:

More information

Original operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016

Original operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016 Original operating instructions Safety relay with relay outputs with and without delay UK G50S 803638 / 00 0 / 06 Contents Preliminary note...4. Symbols used...4 Safety instructions...5 3 Items supplied...6

More information

Technical Report Reliability Analyses

Technical Report Reliability Analyses Technical Report Client: Product(s): MSK200, MTP200 Number: 23.0.2 Version:.2 Date: 203-05-28 Author(s): Dr. M.J.M. Houtermans Risknowlogy B.V. Brunner bron 2 644 GX Brunssum The Netherlands HTwww.risknowlogy.com

More information

TESTING SET-UP FOR DIGITAL PART OF THE POWER- METER IC

TESTING SET-UP FOR DIGITAL PART OF THE POWER- METER IC TESTING SET-UP FOR DIGITAL PART OF THE POWER- METER IC Borisav Jovanović, Miljana Sokolović, Milan Savić, Milun Jevtić, Predrag Petković Laboratory for Electronic Design Automation, Faculty of Electronic

More information

Safety Manual. Vibration Control Type 663. Standard Zone-1-21 Zone Edition: English

Safety Manual. Vibration Control Type 663. Standard Zone-1-21 Zone Edition: English Safety Manual Vibration Control Type 663 Standard Zone-1-21 Zone-2-22 Edition: 21.06.2012 English Safety Manual Vibration Control Type 663 Standard Zone-1-21 Zone-2-22 Achtung! Before Start-Up Procedure

More information

Xilinx DSP. High Performance Signal Processing. January 1998

Xilinx DSP. High Performance Signal Processing. January 1998 DSP High Performance Signal Processing January 1998 New High Performance DSP Alternative New advantages in FPGA technology and tools: DSP offers a new alternative to ASICs, fixed function DSP devices,

More information

Soliphant M with electronic insert FEM54

Soliphant M with electronic insert FEM54 Functional safety manual Soliphant M with electronic insert FEM54 Level Limit Measuring System Application Overfill protection or operating maximum detection of all types of liquids in tanks to satisfy

More information

INTERNATIONAL STANDARD

INTERNATIONAL STANDARD INTERNATIONAL STANDARD IEC 61508-6 First edition 2000-04 Functional safety of electrical/electronic/ programmable electronic safety-related systems Part 6: Guidelines on the application of IEC 61508-2

More information

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA Failure Modes, Effects and Diagnostic Analysis Project: 8732C Magnetic Flow Transmitter Customer: Rosemount Inc. Chanhassen, MN USA Contract No.: Ros 03/07-26 Report No.: Ros 03/07-26 R001 Version V1,

More information

Functional Example AS-FE-I-013-V13-EN

Functional Example AS-FE-I-013-V13-EN Functional Example AS-FE-I-013-V13-EN SIMATIC Safety Integrated for Factory Automation Practical Application of IEC 62061 Illustrated Using an Application Example with SIMATIC S7 Distributed Safety Preliminary

More information

UNIT IV CMOS TESTING

UNIT IV CMOS TESTING UNIT IV CMOS TESTING 1. Mention the levels at which testing of a chip can be done? At the wafer level At the packaged-chip level At the board level At the system level In the field 2. What is meant by

More information

Built-In Self-Test for Programmable I/O Buffers in FPGAs and SoCs

Built-In Self-Test for Programmable I/O Buffers in FPGAs and SoCs Built-In Self-Test for Programmable I/O Buffers in FPGAs and SoCs Sudheer Vemula, Student Member, IEEE, and Charles Stroud, Fellow, IEEE Abstract The first Built-In Self-Test (BIST) approach for the programmable

More information

Bibliography. Measuring Software Reuse, Jeffrey S. Poulin, Addison-Wesley, Practical Software Reuse, Donald J. Reifer, Wiley, 1997.

Bibliography. Measuring Software Reuse, Jeffrey S. Poulin, Addison-Wesley, Practical Software Reuse, Donald J. Reifer, Wiley, 1997. Bibliography Books on software reuse: 1. 2. Measuring Software Reuse, Jeffrey S. Poulin, Addison-Wesley, 1997. Practical Software Reuse, Donald J. Reifer, Wiley, 1997. Formal specification and verification:

More information

Safe and Fault Tolerant Controllers

Safe and Fault Tolerant Controllers Safe and Fault Tolerant Controllers SIMATIC Safety Integrated for Process Automation Wiring and Evaluation Architectures for Failsafe Digital Input (F-DI)- and Output-Modules (F-DO) of ET 200M Functional

More information

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1 FSO Webnair FSO Safety Functions Module February 11, 2015 Slide 1 Competence Requirements for ABB Commissioner / Service Engineer of ACS880 Drives with FSO The integrated Safety Function Module (FSO; option

More information

Expanding IEEE Std Boundary-Scan Architecture Beyond Manufacturing Test of Printed Circuit Board Assembly

Expanding IEEE Std Boundary-Scan Architecture Beyond Manufacturing Test of Printed Circuit Board Assembly Expanding IEEE Std 1149.1 Boundary-Scan Architecture Beyond Manufacturing Test of Printed Circuit Board Assembly Jun Balangue Keysight Technologies Singapore Jun_balangue@keysight.com Abstract This paper

More information

Embedded Quality for Test. Yervant Zorian LogicVision, Inc.

Embedded Quality for Test. Yervant Zorian LogicVision, Inc. Embedded Quality for Test Yervant Zorian LogicVision, Inc. Electronics Industry Achieved Successful Penetration in Diverse Domains Electronics Industry (cont( cont) Met User Quality Requirements satisfying

More information

Mapping Multi-Million Gate SoCs on FPGAs: Industrial Methodology and Experience

Mapping Multi-Million Gate SoCs on FPGAs: Industrial Methodology and Experience Mapping Multi-Million Gate SoCs on FPGAs: Industrial Methodology and Experience H. Krupnova CMG/FMVG, ST Microelectronics Grenoble, France Helena.Krupnova@st.com Abstract Today, having a fast hardware

More information

Early Design Review of Boundary Scan in Enhancing Testability and Optimization of Test Strategy

Early Design Review of Boundary Scan in Enhancing Testability and Optimization of Test Strategy Early Design Review of Boundary Scan in Enhancing Testability and Optimization of Test Strategy Sivakumar Vijayakumar Keysight Technologies Singapore Abstract With complexities of PCB design scaling and

More information

A Research Paper on Designing a TAP(Test Access Port)

A Research Paper on Designing a TAP(Test Access Port) A Research Paper on Designing a TAP(Test Access Port) 1 Mr. VISHWAS K. CHAUDHARY, 2 Mr. MANISH J. PATEL 1, 2 P. G. Students in M.E.(VLSI & ESD) Gujarat Technological University & Seer-Akademi Ahmedabad,

More information

Design and Synthesis for Test

Design and Synthesis for Test TDTS 80 Lecture 6 Design and Synthesis for Test Zebo Peng Embedded Systems Laboratory IDA, Linköping University Testing and its Current Practice To meet user s quality requirements. Testing aims at the

More information

Executive summary. by Michel Bonnet, Maximilien Laforge, and Jean-Baptiste Samuel

Executive summary. by Michel Bonnet, Maximilien Laforge, and Jean-Baptiste Samuel 998-2095-02-21-14AR0 by Michel Bonnet, Maximilien Laforge, and Jean-Baptiste Samuel Executive summary Improper integration of Intelligent Electronic Devices (IED) into medium / high voltage electrical

More information

Welcome to the overview of ACS880 functional safety, FSO-11 Safety functions module.

Welcome to the overview of ACS880 functional safety, FSO-11 Safety functions module. Welcome to the overview of ACS880 functional safety, FSO-11 Safety functions module. 1 The e-learning sessions about FSO-11 safety functions module contain the following topics. A general overview More

More information

Removal of Hardware ESD, Independent of Safety Logic Solver

Removal of Hardware ESD, Independent of Safety Logic Solver Removal of Hardware ESD, Independent of Safety Logic Solver by Sam Roy Executive summary This is a discussion to remove independent hardware based Emergency Shutdown for Logic Solver as identified in ANSI/ISA-84.00.01-2004,

More information

88 Dugald Campbell. Making Industrial Systems Safer Meeting the IEC standards

88 Dugald Campbell. Making Industrial Systems Safer Meeting the IEC standards 88 Dugald Campbell Making Industrial Systems Safer Meeting the IEC 60730 standards Introduction With the introduction of the International Electrotechnical Commission s IEC 60730 standards series, household

More information

32-Channel Analogue Input Module Differential Input

32-Channel Analogue Input Module Differential Input MAI32*AD 32-Channel Analogue Input Module Differential Input (MAI32*AD) Issue 4 October 2005 INTRODUCTION PURPOSE The Analogue Input Module provides up to 32, low voltage or current analogue input signals.

More information

Failure Modes, Effects and Diagnostic Analysis

Failure Modes, Effects and Diagnostic Analysis Failure Modes, Effects and Diagnostic Analysis Project: 9113 Temperature / ma converter Customer: PR electronics A/S Rønde Denmark Contract No.: PR electronics 06/03-19 Report No.: PR electronics 06/03-19

More information

FUNCTIONAL SAFETY ASSESSMENT: AN ISSUE FOR TECHNICAL DIAGNOSTICS

FUNCTIONAL SAFETY ASSESSMENT: AN ISSUE FOR TECHNICAL DIAGNOSTICS XX IMEKO World Congress Metrology for Green Growth September 9 14, 2012, Busan, Republic of Korea FUNCTIONAL SAFETY ASSESSMENT: AN ISSUE FOR TECHNICAL DIAGNOSTICS Marcantonio Catelani, Lorenzo Ciani, Valentina

More information

ISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design

ISO INTERNATIONAL STANDARD. Safety of machinery Safety-related parts of control systems Part 1: General principles for design INTERNATIONAL STANDARD ISO 13849-1 Second edition 2006-11-01 Safety of machinery Safety-related parts of control systems Part 1: General principles for design Sécurité des machines Parties des systèmes

More information

MANUAL Functional Safety

MANUAL Functional Safety PROCESS AUTOMATION MANUAL Functional Safety Frequency Converter with Trip Values KF**-UFC-(Ex)1.D ISO9001 2 With regard to the supply of products, the current issue of the following document is applicable:

More information

CAD Technology of the SX-9

CAD Technology of the SX-9 KONNO Yoshihiro, IKAWA Yasuhiro, SAWANO Tomoki KANAMARU Keisuke, ONO Koki, KUMAZAKI Masahito Abstract This paper outlines the design techniques and CAD technology used with the SX-9. The LSI and package

More information

Conference paper Latch-up immune ESD Protection Clamp for High Voltage optimized on TSMC BCD technology

Conference paper Latch-up immune ESD Protection Clamp for High Voltage optimized on TSMC BCD technology Conference paper Latch-up immune ESD Protection Clamp for High Voltage optimized on TSMC BCD technology TSMC Open Innovation Platform 2011 Applications like motor control, power management and conversion,

More information

Hardware Safety Integrity. Hardware Safety Design Life-Cycle

Hardware Safety Integrity. Hardware Safety Design Life-Cycle Hardware Safety Integrity Architecture esign and Safety Assessment of Safety Instrumented Systems Budapest University of Technology and Economics epartment of Measurement and Information Systems Hardware

More information

Loop-powered Transmitter for Thermocouple Type K (NiCr-Ni)

Loop-powered Transmitter for Thermocouple Type K (NiCr-Ni) Data sheet 302040_en MTP300i-SIL-K Loop-powered Transmitter for Thermocouple Type K (NiCr-Ni) Properties 2-wire temperature transmitter for DIN rails Galvanic isolated TC-input with cold-junction compensation

More information