The number of embedded systems with functional safety requirements is steadily growing. Manufacturers who want to operate their products in safety environments are required to follow safety standards like the machinery standards ISO13849-1 and the IEC62061, both of which are harmonised under the EU’s machine directive 2006/42/EC. Manufacturers must meet these standards to ensure the right level of safety on the system level.
Although the functional safety standard IEC61508 was primarily intended for applications at system level, it has been expanded to cover products and the component level. Components with a safety certification have a clear advantage, as they support the system developer with all necessary information on how to include the component. They also provide the required proof of the claimed safety integrity level. The safety manual of each component summarises all safety relevant information and procedures.
Due to its high complexity, the standard classifies a microcontroller as a Type B component, where the behaviour under fault conditions cannot be completely determined. This classification helps users to determine the target Safety Integrity Level (SIL) for the system.
Most safety hardware today is equipped with microcontrollers or standalone semiconductors, which should meet similar safety standards to help automation suppliers design-in the required safeguards. Typical examples are light curtains, laser scanners, modular configurable relays, and safe motion controllers.
These industrial applications have specific requirements that are an important part of the safety assessment. Common to most applications is their need for a high level of usage or continuous mode of operation. The diagnostic tests must fulfil the requirement for 24/7 operation times that are widespread in industrial automation environments. Diagnostic tests are repeated in each process safety time (PST) interval that is typically in the range of several milliseconds.
One example is safe motion control. In this area, machine builders construct systems with safety features that are compliant with the standard IEC61800-5-2. Stop functions like STO or SS1 are already included in a variety of drives products today. In order to reach the highest Safety Integrity Level SIL3, most systems include redundancy as a way to implement diagnostic functions. In a two channel system (HFT=1, 1oo2D) a cross monitoring between both channels allows the observation of the correct control flow and is an effective way to protect the system against transient faults. Other measures include the repetition of computation tasks and the implementation of redundant application software.
Components that are already certified for IEC61508 enable manufacturers to design their systems in compliance with the safety standard and significantly reduce risk and project schedule. For this purpose, Renesas offers a safety qualification package to its customers for its RX631/63N 32-bit microcontroller family. The microcontroller family is certified by the TÜV Rheinland for compliance with IEC61508 for SIL2/SIL3.
The MCU safety analysis includes a full analysis of the MCU component and runs on the contained functional blocks with an IEC61508 compliant fault model. It also analyses possible Common Cause Failures.
Quantitative analysis techniques, such as FMEDA (Failure Modes Effects and Diagnostic Analysis) help determine the effectiveness of the MCU safety integrity architecture. With FMEDA, the safety solution computes failure rates for each MCU block, including the effect of permanent and transient faults. It also takes into account the probabilities that such faults generate a dangerous or safe failure.
The implementation of additional safety mechanisms, which are part of an additional software component - the diagnostics software - address possible gaps between hardware safety measures and defined safety requirements. This software complies with the requirements defined in IEC61508-3 for SIL3.
The dynamic fault injection on the RX CPU core analyses the diagnostics software coverage for permanent faults. It uses the real product netlist for this validation. Fault injection involves the deliberate introduction of a fault into the netlist to evaluate the effect of a net being shorted to VCC or GND or being disconnected or shorted to another net. This allows users to evaluate the effectiveness of the diagnostics software at detecting faults and provides a high quality diagnostic test for the CPU core.
All customer relevant information and procedures related to functional safety are summarised in a safety manual. This safety manual also reflects the usage of the actual diagnostics software and the safety analysis results usable by the customer. As stated in IEC 61508-2, Annex D, the purpose of a safety manual for a compliant item is to document all the information necessary to the integration of the MCU into a safety-related system, in compliance with the requirements of IEC 61508. System developers can use the MCU safety manual to prepare the final system safety manual for the end users.
For the safety assessment, Renesas applies its own qualification flow. The first step of the workflow is to plan the safety activities and define the targets, then prepare a safety plan and a safety requirement specification. The workflow then progresses to the analysis of the safety capabilities of the MCU, followed by the development of the diagnostics software. TÜV Rheinland supports all steps in the qualification flow to ensure the effectiveness of the implemented measures and compliance with the standard. The certificate issued by the TÜV Rheinland allows the system developers to use the microcontroller component under defined and proven conditions for their safety applications.
The IEC61508 standard also includes normative requirements for tools. Tools in the classes T2 and T3 require a specification or product manual defining the behaviour and development lifecycle. To comply with these requirements, Renesas used a certified tool for the development of the diagnostics software. This tool, IAR Embedded Workbench for RX, is a complete development tool suite for developing embedded applications. It includes high-performance compiler and debugger tools incorporated in an easy-to-use integrated development environment.
The quality assurance measures applied by IAR Systems and the included safety manual allow application developers to use IAR Embedded Workbench for RX in safety-related software development for each Safety Integrity Level (SIL) in accordance with IEC 61508.
The certified safety qualification package for RX631/63N microcontrollers provides an advantage for manufactures aiming to fulfil the requirements of the functional safety standard IEC61508. Comprehensive safety analysis and high quality diagnostic software, along with certified tool support through IAR Embedded Workbench for RX, is a substantial improvement and allows seamless safety system integration.
This article is written by Andreas Thamm, Assistant Manager, MCU/SOC & Solution Marketing, Smart Factory, Industrial & Communications Business Group, Renesas Electronics Europe.