Certification Flow
exida / Texas Instruments
Chris O'Brien, exida, CFSE
Hoiman Low, TI Safety MCU, FSCAE
February 2015
Topics
exida
IEC 61508 Safety Lifecycle
Texas Instruments
HerculesTM MCU Functional Safety How-To Workshop
Summary
Figure: IEC 61508 overall safety lifecycle. The phases fall into three groups:
ANALYSIS phases (what does the product need to do?): Concept; Overall Scope Definition; Overall Safety Requirements; Safety Requirements Allocation; Overall Planning (Operation and Maintenance Planning, Validation Planning, Installation and Commissioning Planning).
REALIZATION phases (NPD to meet the "what"): Safety-related systems: E/E/PES Realisation; Safety-related systems: other Technology Realisation; External Risk Reduction Facilities Realisation; Overall Installation and Commissioning; Overall Safety Validation.
OPERATION phases (how do we keep the system functioning safely?): Overall Modification and Retrofit; Decommissioning.
Figure: a safety function is implemented by a Sensor, a Logic solver and a Final Element.
Scope Levels
Figure: Systems (top level of scope).
The relationship between the items can be expressed as follows:
A System is composed of one or more Sub-systems.
A Sub-system is composed of one or more Elements.
As implied in IEC 61508, it is often useful to include another lower level, a Component, in which case we can say that an Element is composed of one or more Components.
Figure: Systems (1) -> (1..n) Sub-systems (1) -> (1..n) Elements (1) -> (1..n) Components.
Safety Lifecycle: Requirements
Systematic Capability (IEC 61508:2010): measure (on a scale of SC 1 to SC 4) of the confidence that the systematic safety integrity of an element meets the requirements of the specified SIL, in respect of the specified element safety function, when the element is applied in accordance with the instructions specified in the compliant item safety manual.
Phases: Safety Requirements -> Hardware Design -> Software Design -> Implementation
Safety Requirements come from:
1. Market Requirements: customer requirements, use cases, SIL capability and SIL certification levels
2. Regulatory Requirements
For general purpose products, SIL requirements cannot come from a specific application hazard analysis.
Copyright exida 2014
Figure: design-phase flow with its check points. Requirements testable? (Yes/No) -> Design testable? (Yes/No) -> System FMEA -> Design sufficient? (Yes/No) -> Software Design -> Implementation Phase; a No answer loops back for rework.
Functional Safety Management: Objectives and Requirements
Specify the engineering process, including each step with its input and output documents.
Control and manage documentation.
Specify responsibilities of persons and organizations.
Evaluate competency of those assigned to roles.
Evaluate quality management of suppliers.
Establish a system to monitor product quality and safety for the lifetime of the product.
Figure: IEC 61508 overall safety lifecycle, with Verification and Documentation applying across all phases:
1. Concept
2. Overall scope definition
3. Hazard and risk analysis
4. Overall safety requirements
5. Safety requirements allocation
6. Overall operation and maintenance planning
7. Overall safety validation planning
8. Overall installation and commissioning planning
9. SRS: E/E/PES realization
16. Decommissioning or disposal
Back to appropriate overall safety lifecycle phase.
Documentation Objectives
What needs to be documented? Any information needed to effectively perform:
each phase of the safety lifecycle;
the management of functional safety;
verification;
functional safety assessment.
Typical Documentation (by lifecycle phase)
Functional Safety Management Plan
Safety Requirements Specification
Design: Design Specification; FMEDA Report
Change Request Database
Software: Software Design Review / Analysis Report; Software Module Test Plan/Report
E/E/PE Integration: Integration Test Plan / Report
E/E/PE Validation: Verification and Validation Plan/Report
User: Installation Manual / Safety Manual
Modification
Documentation Requirements
How shall documentation:
be accurate and concise?
be easy to understand by those persons having to make use of it?
suit the purpose for which it is intended?
be accessible and maintainable?
have titles or names indicating the scope of the contents?
have a revision index (version numbers)?
make it possible to search for relevant information?
Process Verification
Objective: evaluate the outputs from a given process step to ensure correctness and consistency.
Requirements:
plan verification concurrently with development;
verify in accordance with the plan;
document evidence of satisfactory completion of the phase being verified (a checklist is recommended);
if problems are found, they are entered onto the action item list and tracked until resolution;
problem issues must be addressed by returning to the appropriate process step.
A checklist is recommended at the end of each phase, completed during or after the phase review meeting.
Certification Process
New product with no field history: Random Failure Integrity
Accreditation
Each Certification Body (CB) operates per a scheme and gets accredited by an Accreditation Body (AB). In the USA, ANSI is the AB.
Functional Cyber-Security schemes: Achilles Level 1-2; ISA Secure Levels 1-3
Functional Safety Certification schemes: IEC 61508; IEC 61511; IEC 62061 / ISO 13849; IEC / ISO 26262; EN 50271; other functional safety standards
Topics
exida
IEC 61508 Safety Lifecycle
Texas Instruments
HerculesTM MCU Functional Safety How-To Workshop
Summary
Figure: achieving risk reduction to SIL 1/2/3/4. Systematic failures are addressed by the safety plan, software, documentation, tools, configuration management, change management, V&V and personnel competence; random failures are addressed by diagnostics, architectural metrics and failure rate. Certification is the "show me evidence" step.
Figure: HerculesTM MCU safety work products: Architecture (FMEDA); Development Process (MCU development process, software development process); Software (MCU software: drivers, library, tools); Hardware (MCU hardware safety metrics).
IEC 61508 flow: Hazard/Risk Analysis & SIL determination -> Safety Function Definition -> SIL Determination (SIL 1/2/3/4) -> Allocation of Safety Requirements -> HW Safety Requirements (SFF, PFH), SW Safety Requirements, Process Safety Requirements
Figure: example safety loop, Sensor -> MCU -> Actuator.
Safe State: if a dangerous fault is detected in the system, shut off the gas flow.
PFH is driven by dangerous-undetected failures: with no hardware fault tolerance (HFT=0) the probability of dangerous failure per hour equals the dangerous-undetected failure rate.
Type B products are complex products in which not all failure modes are known. Most semiconductors are considered Type B.
HFT = Hardware Fault Tolerance, where 0 = no redundancy.

SIL   | SFF (HFT=0)  | PFH (FIT)
SIL1  | 0% to <60%   | <10000
SIL2  | 60% to <90%  | <1000
SIL3  | 90% to <99%  | <100
Failure rate data sources: MIL-HDBK-217F; SN29500; IEC/TR 62380; supplier reliability data.
TI uses IEC/TR 62380, where the number of transistors, number of memory bits, temperature and package effect can be modeled.
Failure rate is commonly expressed in FIT (Failure In Time): 1 FIT = 1 failure in 1E9 hours.
Apply SRAM diagnostics, CPU diagnostics and Flash diagnostics: apply diagnostics to detect dangerous faults until the appropriate SIL metrics (SFF, PFH) are met.
Failure categories: SAFE = safe, DD = dangerous detected, DU = dangerous undetected.
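The SFF/PFH table above and the "apply diagnostics until the metrics are met" loop, worked through in Python as an added example (not exida or TI code): the module failure rates, dangerous fractions and coverages are constructed, and the greedy coverage-raising loop is this example's own heuristic.

```python
"""FMEDA-style roll-up of SAFE / DD / DU failure rates (FIT) checked against the
Type B, HFT=0 SIL table on this slide. Added example, not exida or TI code; the
module failure rates, dangerous fractions and coverages are constructed."""
from dataclasses import dataclass

# Slide table as (SIL, minimum SFF, PFH limit in FIT); 1 FIT = 1 failure in 1E9 h.
SIL_TABLE = [(3, 0.90, 100.0), (2, 0.60, 1000.0), (1, 0.0, 10000.0)]

@dataclass
class Module:
    name: str
    fit: float        # total failure rate in FIT (constructed, not datasheet data)
    dangerous: float  # fraction of failures that are dangerous (constructed)
    dc: float = 0.0   # diagnostic coverage applied to the dangerous failures

    def split(self):
        """(SAFE, DD, DU) failure rates in FIT for this module."""
        lam_d = self.fit * self.dangerous
        return self.fit - lam_d, lam_d * self.dc, lam_d * (1.0 - self.dc)

def metrics(modules):
    """Sum SAFE/DD/DU; return (SFF, PFH in FIT). With HFT=0 (1oo1) PFH = lambda_DU."""
    safe = dd = du = 0.0
    for m in modules:
        s, d, u = m.split()
        safe, dd, du = safe + s, dd + d, du + u
    return (safe + dd) / (safe + dd + du), du

def sil_capability(sff, pfh_fit):
    """Highest SIL whose SFF band and PFH limit are both met (0 = none)."""
    by_sff = next(sil for sil, sff_min, _ in SIL_TABLE if sff >= sff_min)
    by_pfh = next((sil for sil, _, pfh_max in SIL_TABLE if pfh_fit < pfh_max), 0)
    return min(by_sff, by_pfh)

def apply_diagnostics(modules, target_sil, step=0.05, dc_max=0.99):
    """Greedy form of the slide's loop (this example's heuristic): raise coverage
    on the largest DU contributor until the target SIL is met or all are at dc_max."""
    while sil_capability(*metrics(modules)) < target_sil:
        open_modules = [m for m in modules if m.dc < dc_max]
        if not open_modules:
            break
        worst = max(open_modules, key=lambda m: m.split()[2])
        worst.dc = min(worst.dc + step, dc_max)
    return sil_capability(*metrics(modules))

def constructed_design():
    """Constructed single-channel MCU design with no diagnostics yet applied."""
    return [Module("CPU", 400, 0.5), Module("SRAM", 300, 0.5),
            Module("Flash", 200, 0.5), Module("Peripherals", 100, 0.5)]
```

With every dangerous failure undetected the design sits at SIL1 on SFF (50%) even though its 500 FIT would pass the SIL2 PFH limit; the loop shows how much coverage the largest contributors need before both metrics reach SIL3.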
Application Example (figure): BLDC motor torque control with a Hercules MCU. Blocks shown: voltage regulators (1.2 V, 5 V, 3.3 V); 5-16 MHz clock crystal on OSCIN/OSCOUT; system reset on nPORRST; torque command from a remote host over DCAN1; quadrature encoder on eQEP; warning lamp on GIO; pre-drivers and H-bridge drivers driven from ePWM1, ePWM2, ePWM3 and NHET1; BLDC motor.
Safety Function Processing (MCU): calculate the necessary output commands to the motor based on desired torque and current position.
Safety Goal: the motor shall deliver torque as commanded by the external host.
Sufficient diagnostic coverage (DC) is needed to meet the required IEC 61508 HW metrics for each SIL level.
Figure: HerculesTM safety architecture (blended HW diagnostics; non-safety-critical functions shown separately).
Lockstep CPU: two ARM Cortex-R cores with MPU (Memory Protection Unit); physical design optimized to reduce the probability of common cause failure.
Memory: Flash w/ ECC; RAM w/ ECC; Flash EEPROM w/ ECC.
Other blocks: Calibration; JTAG Debug; Memory Interface; OSC PLL; PBIST/LBIST; POR; ESM; CRC; RTI/DWWD; Embedded Trace; External Memory; DMA.
ECC or parity on select peripheral, DMA and interrupt controller RAMs; parity or CRC in serial and network communication peripherals; serial interfaces; network interfaces; dual ADC cores available; dual high-end timers available; GIO.
Bold items (in the original slide) are introduced with the new Cortex-R5 devices.
IEC 61508 flow (repeated): Safety Function Definition -> SIL Determination (SIL 1/2/3/4) -> Allocation of Safety Requirements -> HW Safety Requirements (SFF, PFH), SW Safety Requirements, Process Safety Requirements
Figure: HW metric loop. Apply diagnostics to the used modules per safety function -> evaluate the IEC 61508 failure rate summary -> SFF/PFH met? If yes, done; otherwise apply further diagnostics.
Failure rate summary categories (shown for each module): Package (permanent); Die (silicon) permanent; Die (silicon) transient.
Package used: TI PBGA (1.04)
TI Work Products: data sheet; release notes; traceability report.
TI SW Product Lifecycle checkpoints: CP1 Project Commissioning; CP2 Safety Requirements & Planning; CP3A Design & Implementation; CP3B Unit Testing & Integration Testing; CP4 Safety Requirements Verification & Release; CP5 Project Closure.
Work products are listed per activity as Generic Inputs (can be modified during project tailoring) and Customer Deliverables:
6 Specification of software safety requirements: software safety requirements specification; Software Requirements Document; bi-directional traceability; verification reports; traceability matrix
7 Software architectural design: software architecture design; SW Architecture Spec
11 Verification of software safety requirements: Safety Manual; SW Manual
8 Software functional safety assessment: Functional Safety Assessment Plan (in the Safety Plan); Functional Safety Assessment Report
61508
61508, 26262
Jan
2015
59
Summary: the HerculesTM Safety MCU offering covers Software, Development Tools, and Consulting & Training.
Attributes: ease development; aid certification; usable by customer; certification ready; ISO 26262, IEC 61508 compliant; non-proprietary; market accepted; respected heritage.
Thank You
Contact Information:
Chris O'Brien: cobrien@exida.com
Hoiman Low: hm-low@ti.com