What functional safety module designers need from IC developers

Similar documents
Functional safety manual RB223

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Low voltage switchgear and controlgear functional safety aspects

Type 9160 / Transmitter supply unit / Isolating repeater. Safety manual

Type Switching repeater. Safety manual

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

FMEDA Report Failure Modes, Effects and Diagnostic Analysis and Proven-in-use -assessment KF**-CRG2-**1.D. Transmitter supply isolator

Functional Example AS-FE-I-013-V13-EN

Failure Modes, Effects and Diagnostic Analysis

TWO CHANNELS REDUNDANT SAFETY ARCHITECTURE SINGLE CHANNEL NON-REDUNDANT SAFETY ARCHITECTURE

Extension to Chapter 2. Architectural Constraints

FUNCTIONAL SAFETY CERTIFICATE

Service & Support. Functional Safety One Position switch. Safe Machine Concepts without Detours. benefit from the Safety Evaluation Tool.

Failure Modes, Effects and Diagnostic Analysis. Rosemount Inc. Chanhassen, MN USA

SAFETY MANUAL SIL Switch Amplifier

OPTISWITCH 5300C. Safety Manual. Vibrating Level Switch. Relay (2 x SPDT) With SIL qualification

MANUAL Functional Safety

FUNCTIONAL SAFETY CERTIFICATE

Safety Manual VEGASWING 61, 63. Relay (DPDT) With SIL qualification. Document ID: 52082

FMEDA and Prior-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

Vibrating Switches SITRANS LVL 200S, LVL 200E. Relay (DPDT) With SIL qualification. Safety Manual. Siemens Parts

MANUAL Functional Safety

Failure Modes, Effects and Diagnostic Analysis

Hardware safety integrity (HSI) in IEC 61508/ IEC 61511

Original operating instructions Safety relay with relay outputs G1501S / / 2016

Siemens Safety Integrated Take a safe step into the future

Safety-related controls SIRIUS Safety Integrated

AS-i Safety Relay Output Module with Diagnostic Slave

Safety Manual. Vibration Control Type 663. Standard Zone-1-21 Zone Edition: English

Proline Prowirl 72, 73

Options for ABB drives. User s manual Prevention of unexpected start-up (option +Q957) for ACS880-07/17/37 drives

Using Zynq-7000 SoC IEC Artifacts to Achieve ISO Compliance

AS-i Safety Relay Output Module with Diagnostic Slave

The ApplicATion of SIL. Position Paper of

HART Temperature Transmitter for up to SIL 2 applications

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1

BT50(T) Safety relay / Expansion relay

MANUAL Functional Safety

Safety Manual. VEGABAR series ma/hart - two-wire and slave sensors With SIL qualification. Document ID: 48369

Original operating instructions Safety relay with relay outputs with and without delay G1502S / / 2016

Options for ABB drives. User s manual Emergency stop, stop category 0 (option +Q951) for ACS880-07/17/37 drives

New developments about PL and SIL. Present harmonised versions, background and changes.

Hiperface DSL Combined with Safety

HART Temperature Transmitter for up to SIL 2 applications

Industrial Embedded Systems - Design for Harsh Environment - Dr. Alexander Walsch

Failure Modes, Effects and Diagnostic Analysis. PR electronics A/S

PLUS+1 SC Controller SC0XX-1XX Controller Family

IQ SIL Option. IQ actuators for use in applications up to SIL 3. sira CERTIFICATION

Functional Safety Design Packages for STM32 & STM8 MCUs

Failure Modes, Effects and Diagnostic Analysis

FMEDA and Proven-in-use Assessment. G.M. International s.r.l Villasanta Italy

Safety manual. This safety manual is valid for the following product versions: Version No. V1R0

Failure Modes, Effects and Diagnostic Analysis

Hardware Safety Integrity. Hardware Safety Design Life-Cycle

SIRIUS Safety Integrated. Modular safety system 3RK3

88 Dugald Campbell. Making Industrial Systems Safer Meeting the IEC standards

IQ Pro SIL option TÜV Certified for use in SIL 2 & 3 applications

Options for ABB drives. User s manual FPTC-01 thermistor protection module (option +L536) for ACS880 drives

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

DEPENDABLE PROCESSOR DESIGN

A tool based estimation computation method of MCU random failure rate &functional safety metrics

FMEDA and Proven-in-use Assessment. Pepperl+Fuchs GmbH Mannheim Germany

Mobrey Hydratect 2462

Options for ABB drives. User s manual Emergency stop, stop category 1 (option +Q964) for ACS880-07/17/37 drives

ACT20X-(2)HTI-(2)SAO Temperature/mA converter. Safety Manual

MACX MCR-SL-(2)I-2)I-ILP(-SP)

Drive Technology \ Drive Automation \ System Integration \ Services. Manual. Electronic Motor DRC Functional Safety

Failure Modes, Effects and Diagnostic Analysis

Risk Assessment Methodologies. Michele M. Silva Solution Architect, Safety & Security Functional Safety Engineer (TUV Rheinland)

PowerFlex 700H AC Drive Safe Torque Off Option

Commissioning and safety manual SIL2

Executive summary. by Michel Bonnet, Maximilien Laforge, and Jean-Baptiste Samuel

Energize to Trip Requirement for SIL 3 according to IEC 61511

Safety modules. 8/4 inputs PROFIsafe S20-PSDI8/4

Altivar Process Variable Speed Drives ATV630, ATV650, ATV660, ATV680

MANUAL Functional Safety

Report. Certificate Z Rev. 00. SIMATIC Safety System

Pluto AS-i. Safety PLC. Approvals: Control of: Features:

FUNCTIONAL SAFETY FOR INDUSTRIAL AUTOMATION

Report. Certificate M6A SIMATIC S7 Distributed Safety

Battery Stack Management Makes another Leap Forward

Analysis on the application of on-chip redundancy in the safety-critical system

Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL

Enabling Increased Safety with Fault Robustness in Microcontroller Applications

Analysis on the Application of On-chip Redundancy in the Safety-critical System

ISO SINAMICS G110D FAQ

BIG8051. Development system. User manual

AURIX After-Lunch-Seminar Performance meets Safety. Safety & Security with professional Software-Components. Björn Assmann (Hitex GmbH)

Phone: Fax: Web: -

PLUS+1 Safety Controllers SC0XX-1XX Safety Controller Family

Certificate of Compliance No

DK32 - DK34 - DK37 Supplementary instructions

ControlLogix SIL2 System Configuration

Options for ABB drives. User s manual Prevention of unexpected start-up (option +Q950) for ACS880-07/17/37 drives

EZ-Bv4 Datasheet v0.7

Original operating instructions Fail-safe inductive sensor GI711S / / 2010

SafeC S to MSR127 Conversion

SAFETY RELAY YRB-4EML-31S MAIN FEATURES

Failure Modes, Effects and Diagnostic Analysis

Is This What the Future Will Look Like?

Transcription:

What functional safety module designers need from IC developers Embedded Platforms Conference Microcontrollers and Peripherals Nov 9 th 2016 14:50 15:30 TOM MEANY

Introduction This presentation gives a short introduction to functional safety What the IEC 61508 standard states as regards IC level requirements What IC suppliers and especially analog IC suppliers can do to make the job of module designers easier It is assumed the audience Has a general interest in functional safety Wonders what an IC manufacturer could do to the their life easier 2

What is functional safety? Safety is freedom from unacceptable risk Cars are dangerous but people choose to accept the risk because of the benefits of car travel Similarly hot coffee, electricity, getting out of bed Different from intrinsic safety and electrical safety Functional safety is to do with the confidence that a piece of equipment will carry out its task when required to do so 3

Sector specific standards IEC 61513 Nuclear Sector EN 50128 Railway applications IEC 61508 IEC 61131-6 Programmable Controllers IEC 61800-5-2 Variable speed drives ISO 10218 Robots IEC 61511 Process Industry ISO 26262 Automotive IEC 62061 Machinery Avionics D0178,D0254 Machinery ISO 13849 Medical IEC 60601 Home IEC 60730 4

A Measure of safety Increasing safety IEC 61508 SIL ISO 26262 ASIL Avionics LEVEL ISO 13849 PL 1 A D b 2 B C 3 C/D B e 4 - A - Nuclear Categories A C According to IEC 61508 the goodness of a safety function is expressed as a SIL level Four levels each at an order of magnitude apart Other standards and other application areas use different measures which are approximately the same Standards such as IEC 61131-6(PLC), IEC 62061(machinery), IEC 61800-5-2(variable speed drives), IEC 61511(process control), EN 50402(toxic gas sensors) all use the SIL terminology directly 5

The key 3 requirements for functional safety What Safety Functions Hazard Analysis Safety Function Requirements Risk Assessment Safety Integrity Requirements How Reliable Are the Safety Functions Hazard analysis tells us what safety functions are required The risk assessment says how good they must be expressed as a SIL There are 3 key requirements 1) Implement design measures to prevent introduction of systematic failures 2) Have good reliability 3) Be hardware fault tolerant 6

FS Requirement 1 an enhanced development process An enhanced development process is required for functional safety It incorporates the requirements of IEC 61508 which are relevant for an integrated circuit 7

FS Requirement 2 have good reliability Expressed in terms of FIT unit is failure per billion hours of operation ADI numbers based on accelerated life test available at www.analog.com/reliabilitydata Many customers need numbers according to IEC 62380 or SN29500 To calculate the numbers requires information such as transistor count not typically available to module designers Calculated values can be given in a safety manual to accompany the datasheet Need to also consider soft errors 8

FS requirement 3 -Metrics for fault tolerance du sd dd su Key ideas - Safe Failure fraction and Redundancy IEC61508 has the metric SFF ( safe failure fraction ) What fraction or percentage of faults will cause a safety violation Either show the failure is safe, detected by a diagnostic or is mitigated using redundancy, SFF must be higher than 90% for SIL 2 and 99% for SIL 3 Redundancy is typically applied at the system level but under limited circumstances can be usefully applied on-chip 9

Not all integrated circuits need to be certified Options include 1) Develop to the standard existing non-safety process and leave functional safety to module designers 2) Develop to the standard existing non-safety process but supply a safety manual 3) Develop to the functional safety process ADI61508 and self certify 4) Develop to the functional safety process ADI61508 and get external certification 10

So how can IC designers help module designers 11

Help reduce the time to market and ease certification Provide safety and non-safety versions of the same product Allows the safety version of a module to be developed easily from the non-safety version Perhaps with additional components populated Field power <250mW/Ch Isolated device supplies Supply of pre-certified components which can be treated as a black box during module assessment Amber Plus Power Feedback Avoid the what will TUV say? dilemma Supply of a safety manual with the important functional safety information Controller Power Control with icoupler AD5758 Iout/Vout DAC LOAD Analysis of system architectures to provide complementary products at the system level SPI bus Isolated SPI bus Analysis of system architectures to make sure products have the right features and performance to be integrated in a system 12

A safety manual and its contents For a part following either the internal or external process a safety manual will automatically be produced But for other parts IC suppliers can still decide to produce a safety manual The contents of that safety manual will include The development process used to develop your part even if not IEC 61508 compliant The reliability predictions Die size, number of die, number of RAM cells, number of FF, transistor count The available diagnostics A completed Annex F checklist Evidence to support any claims of on-chip separation Details of any assumed system level diagnostics Summary results from an FME(D)A Any fault exclusions which can be claimed 13

Annex F of IEC 61508-2:2010 Even if a part not developed to a functional safety process can complete the Annex F checklist 14

Provide IC FME(D)A with the information needed for the module level FME(D)A IC level FME(D)A Block Area FIT DC % Diagnostics λ S λ DU λ DD Interface 10 5 99 CRC 2.5 0.02 2.48 Converter 50 25 90 Reference inputs 12.5 1.2 11.3 Reference 20 10 99 Comparison 5 0.05 4.95 Regulator 20 10 60 Power on reset 5 2.0 3.0 IC summary λ DU 3.3 λ DD 21.7 λ S 25 λ 50 DC 86.8 System level FME(D)A Component FIT DC % Diagnostics λ S λ DU λ DD U 1 50 86.8 See safety manual 25 3.3 21.7 Safety function summary λ DU λ DD T 2 R 1 C 1 L 1 λ S λ SFF 15

Give module designer options on diagnostics 4/20mA + AD7124 ADC - - + A module designer could use comparison Doubles the cost, doubles the PCB area, halves the reliability and still subject to CCF(common cause failure) which limits its effectiveness OR could use an ADC with built in diagnostics for the IC itself and at the system level CRC on the SPI, CRC on the fuses, CRC on the internal references, Ability to generate internal 0, +/-FS and +/- 20mV inputs, ability to check its clock and its reference, transducer burnout current sources 16

Features to assist in implementing redundant architectures uc1 uc2 If using comparison as a diagnostic synchronization issues can look like an error If the two ADC are not synchronized a step input can look like a difference and trip the system A SYNC pin can keep the ADC synchronized Per device diagnostics are still important to localize the fault 17

Other options for diagnostics What if comparison is not possible due to area constraints? What if cannot stop conversions to do reference conversions? A part like the AD7770 solves the issue by providing a SAR ADC which is fast enough to convert all 8 channels albeit with lower accuracy The SAR ADC has a different architecture and its own interface to limit CCF 18

Assist in meeting reliability goals High level of integration to reduce component count Integrated diagnostics Integrated redundancy Combination of features into a single piece of silicon Transistors on a piece of silicon are very reliable Take two ICs with 50k to 500k transistors FIT rate according to SN29500 is 67 FIT each => total is 134 FIT Take one IC with 500k to 5M transistors and the FIT rate becomes 78 FIT => a reduction in total FIT of up to 100% 19

System level thinking a motor control example Pretending to be a module designers highlights to the IC designer the information their customers need to design in integrated circuits Goal make it easier to use ICs in a safety design Channel 1 It also helps answer the questions related to features on individual integrated circuits e.g. should there be diagnostics on an isolated current sensor such as the AD7403 20

Features to support redundant architectures Often three options Standard safety - perhaps 1oo1 High safety perhaps 1oo2 High safety and availability perhaps 2oo3 Issues include How two DAC can share the load How to achieve a safe state How to disconnect a failing unit How to recognize which is the failing unit How to synchronize if using comparison as a diagnostic 21

IC designers can help clarify the standards AD5758 ADSP-CM41X Annex E of IEC 61508-2:2010 only covers duplication and only digital ICs What about divergent redundancy? Such as a part with an ARM M4F and an ARM M0 core? What about a DAC with an on-chip ADC as a diagnostic? 22

IC designers need to know enough to talk to module designers The standard is large and complex, and its contents are not easily absorbed. Moreover, it is generic in nature, meaning that it is not targeted at any particular applications, although the thrust of it is more appropriate for complex safety-related control systems in the process, nuclear, railway and similar industries than for non complex machinery control. IEC 61508 and similar standards are often described as large and complex In the past discussions related to functional safety began with a description of what was meant by SIL IC designers need to understand PL, MooN, HFT, DC, SFF, PFH 23

Summary 24

Summary Make as safe as possible Moral Comply with the regulations as written Legal Financial Minimize the cost of compliance Meeting functional safety requirements is difficult for module designers Silicon suppliers can partner to provide the necessary interpretation of the standards supply the data needed by module designers give features needed by module designers Module designers need to talk to their IC supplier early to plan the architecture 25

The END 26

Extra slides 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback