
An overview of functional safety standards and easing certification

exida / Texas Instruments
Chris O’Brien – exida, CFSE
Hoiman Low – TI Safety MCU
June 2014
Topics
•  exida
   –  Overview of functional safety standards for industrial and automotive systems
   –  Steps to certification
   –  Services provided by exida
•  Texas Instruments
   –  Hercules MCU family and safety features overview
   –  Hercules MCU for IEC 61508, ISO 26262 and other functional safety standards
exida Capabilities
•  Assessment and Certification
•  Lifecycle Services
•  Knowledge Base

Copyright exida 2000-2014


The origins of IEC 61508: 1988
Piper Alpha: 167 dead, $3.4B


Industrial Accident Causes: 1995
•  Specification: 44%
•  Changes after Commissioning: 21%
•  Design & Implementation: 15%
•  Operation & Maintenance: 15%
•  Installation & Commissioning: 6%

Source: “Out of Control: Why Control Systems go Wrong and How to Prevent Failure,” U.K.: Sheffield, Health and Safety Executive
IEC/EN 61508 Functional Safety: 1998/2000
Shown alongside the 1995 accident-cause breakdown (Specification 44%, Changes after Commissioning 21%, Design & Implementation 15%, Operation & Maintenance 15%, Installation & Commissioning 6%), the precursor standards and bodies leading to IEC 61508:
•  ISA S84
•  HSE PES
•  DIN V 19250
•  DIN V VDE 0801
•  EWICS
→ IEC 61508
The continuing need today . . .


Functional Safety
•  Functional Safety Goal – The automatic safety function will perform the intended function correctly or the system will fail in a predictable (safe) manner.
•  Perform the intended function correctly – Reliability Engineering
•  Fail in a predictable manner – Safety Engineering


IEC 61508 Safety Lifecycle
ANALYSIS Phase – What should it do?
1  Concept
2  Overall Scope Definition
3  Hazard & Risk Analysis
4  Overall Safety Requirements
5  Safety Requirements Allocation
Overall Planning:
6  Operation & Maintenance Planning
7  Safety Validation Planning
8  Installation & Commissioning Planning
REALIZATION Phase – How will it do it?
9  Safety-related systems: E/E/PES Realization
10 Safety-related systems: other Technology Realization
11 External Risk Reduction Facilities Realization
12 Overall Installation & Commissioning
13 Overall Safety Validation
OPERATION Phase – How do you keep it doing what it should?
14 Overall Operation & Maintenance
15 Overall Modification & Retrofit
16 Decommissioning
IEC 61508 – Fundamental Concepts
•  IEC 61508 Safety Life Cycle – a detailed engineering process – addresses Systematic Faults (design mistakes): SOFTWARE RELIABILITY
•  Probabilistic performance-based system design – addresses Random Failures: HARDWARE RELIABILITY


The Functional Safety Standards Can be Applied at Many Levels
•  Components
   –  Process assessment, failure analysis/data and documentation to help product development
•  Elements
   –  Process assessment, hardware failure analysis / data and documentation showing usage in system design
•  Systems
   –  Risk based framework for SIL level, process assessment and system failure analysis


Safety Functions (Safety Goals)
•  Specific single set of actions and the corresponding equipment needed to identify a single hazardous event and act to bring the system to a safe state.
•  Examples:
   –  Open drain valve when tank level is too high
   –  Sound an alarm when explosive gas concentration exceeds a certain level


Element
Sensor → Logic solver → Final Element

element – part of a subsystem comprising a single component or any group of components that performs one or more element safety functions. [IEC 62061, definition 3.2.6, modified]
NOTE 1: An element may comprise hardware and/or software.
NOTE 2: A typical element is a sensor, programmable controller or final element.


System Architecture Drawing
The system architecture drawing(s) document the relevant sub-systems and their relationship. The function(s) of each sub-system is fully described.
Source: Chapter 8, “Functional Safety, An IEC 61508 Compliant Development Process,” exida, 2010.
Project Milestones
•  Product and process review
•  Product reliability and failure mode analysis
•  Requirements fulfillment and traceability
•  Final audit and assessment report


Project Flowchart


Certification Process
New product with no field history:
–  The new design must have a full hardware failure analysis. (Random)
–  The new design must follow the design process requirements of IEC 61508 for the target SIL level. (Systematic)
–  A Safety Manual must be created to explain how to use the product at the system level. (Systematic)


FMEDA
Inputs from the COMPONENT DATABASE: component λ’s, component failure modes, failure mode distribution, useful life.
FMEDA outputs for the product: product λ, product failure modes, diagnostic coverage.

Using a component database, failure rates and failure modes for a product (transmitter, I/O module, solenoid, actuator, valve) can be determined far more accurately than with only field warranty failure data.
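A minimal roll-up of the FMEDA arithmetic the slide describes (component λ’s and failure mode distribution in, product λ and diagnostic coverage out). This is an added example, not exida’s FMEDA tool or data: the three-part bill of materials and its FIT values, safe fractions and coverage figures are constructed for illustration, and the safe/dangerous and detected/undetected split plus the safe failure fraction follow the IEC 61508-2 definitions rather than anything printed on the slide.

```c
#include <stddef.h>
#include <stdio.h>

/* One row of a component database. Values below are constructed for the
 * example, not taken from exida's database or TI's safety analysis reports. */
typedef struct {
    const char *name;
    double lambda_fit;    /* base failure rate in FIT (failures per 1e9 device-hours) */
    double safe_fraction; /* failure mode distribution: share of failures that do not defeat the safety function */
    double dc_safe;       /* diagnostic coverage of safe failures, 0..1 */
    double dc_dangerous;  /* diagnostic coverage of dangerous failures, 0..1 */
} Component;

/* Product-level failure rates in the four IEC 61508 categories, in FIT. */
typedef struct {
    double sd; /* safe detected */
    double su; /* safe undetected */
    double dd; /* dangerous detected */
    double du; /* dangerous undetected */
} Fmeda;

/* Roll the bill of materials up: split each component's lambda by failure
 * mode (safe / dangerous), then by whether the diagnostics catch it. */
Fmeda fmeda_sum(const Component *parts, size_t n)
{
    Fmeda r = {0.0, 0.0, 0.0, 0.0};
    for (size_t i = 0; i < n; i++) {
        double safe = parts[i].lambda_fit * parts[i].safe_fraction;
        double dangerous = parts[i].lambda_fit - safe;
        r.sd += safe * parts[i].dc_safe;
        r.su += safe * (1.0 - parts[i].dc_safe);
        r.dd += dangerous * parts[i].dc_dangerous;
        r.du += dangerous * (1.0 - parts[i].dc_dangerous);
    }
    return r;
}

double fmeda_total(const Fmeda *f) { return f->sd + f->su + f->dd + f->du; }

/* Safe failure fraction (the IEC 61508-2 architectural metric): everything
 * except the dangerous undetected failures, as a share of all failures. */
double fmeda_sff(const Fmeda *f) { return 1.0 - f->du / fmeda_total(f); }

/* Diagnostic coverage of dangerous failures. */
double fmeda_dc(const Fmeda *f) { return f->dd / (f->dd + f->du); }

/* Constructed bill of materials for a hypothetical transmitter input stage. */
static const Component sample_bom[] = {
    {"sense resistor",    2.0, 0.50, 0.0, 0.90},
    {"ADC",              10.0, 0.20, 0.0, 0.60},
    {"voltage reference", 3.0, 0.40, 0.0, 0.95},
};

Fmeda sample_fmeda(void)
{
    return fmeda_sum(sample_bom, sizeof sample_bom / sizeof sample_bom[0]);
}

int main(void)
{
    Fmeda r = sample_fmeda();
    printf("lambda_SD=%.2f lambda_SU=%.2f lambda_DD=%.2f lambda_DU=%.2f FIT\n",
           r.sd, r.su, r.dd, r.du);
    printf("total=%.2f FIT  SFF=%.3f  DC=%.3f\n",
           fmeda_total(&r), fmeda_sff(&r), fmeda_dc(&r));
    return 0;
}
```

For the constructed bill of materials the dangerous undetected rate comes out at 3.39 FIT of a 15.0 FIT total, so the safe failure fraction is 0.774; the component with the weakest diagnostic coverage (the ADC at 60%) contributes most of λ_DU, which is the kind of result that steers where extra diagnostics are worth adding.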


Software Development V-model
Left (specification and design) leg, top to bottom:
•  E/E/PE system safety requirements specification
•  Software safety requirements specification
•  E/E/PE system architecture
•  Software architecture
•  Software system design
•  Module design
•  Coding
Right (testing) leg, bottom to top:
•  Module testing
•  Integration testing (module)
•  Integration testing (components, subsystems and programmable electronics)
•  Validation testing
•  Validated software
Arrows in the diagram are labelled Output (down the left leg) and Verification (across to the test stage at the same level).


Tool Justification
Why would the IEC 61508 committee care about tools?

During the final certification audit of a transmitter, the assessor asked to witness the RAM test. After injecting a bad bit, nothing happened.

The software engineer had “simply set the optimization up one level”. The optimizer concluded the diagnostic code (save a byte to a temporary location, set all bits, clear all bits, return the original value) could be eliminated. And it did exactly that. This had a major impact on cost and release schedule.

Those using a tool must know how the tool works. Sometimes tools can be dangerous. Those using a tool must understand how all settings impact operation of the tool.
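The RAM diagnostic from the anecdote above, written so that the optimizer is not entitled to remove it. This is an added illustration, not code from the audited transmitter, from exida or from TI; it assumes a byte-addressable RAM region and that the caller masks interrupts around the test, and the 0xFF / 0x00 patterns are the set-all-bits / clear-all-bits sequence the slide describes. The fix is the `volatile` qualifier on the cell pointer: every store and load must then reach the real memory cell, so raising the optimization level no longer turns the test into a no-op. The stuck-bit mask helper is an addition for the reader’s own checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mask of stuck bits, computed from the value read back after writing 0xFF
 * and the value read back after writing 0x00: a bit that reads 0 after the
 * 0xFF write is stuck at 0, a bit that reads 1 after the 0x00 write is stuck
 * at 1. Returns 0 when every bit followed both writes. */
uint8_t stuck_bit_mask(uint8_t after_ff, uint8_t after_00)
{
    return (uint8_t)(((uint8_t)~after_ff) | after_00);
}

/* Non-destructive test of one RAM byte, the sequence the slide describes:
 * save the byte, set all bits, clear all bits, restore the original value.
 * The pointer is `volatile`, so the compiler must perform every store and
 * load on the real cell. Without it the optimizer may conclude that the
 * sequence leaves memory unchanged and reduce the function to "return 0",
 * which is what the audited build did.
 * Returns the stuck-bit mask (0 = byte passed). Caller masks interrupts. */
uint8_t ram_test_byte(volatile uint8_t *cell)
{
    uint8_t saved = *cell;          /* the "temporary location" */
    uint8_t after_ff, after_00, mask;

    *cell = 0xFFu;                  /* set all bits */
    after_ff = *cell;
    *cell = 0x00u;                  /* clear all bits */
    after_00 = *cell;
    *cell = saved;                  /* restore the application's data */

    mask = stuck_bit_mask(after_ff, after_00);
    if (*cell != saved)             /* restore did not take: report the whole byte */
        mask = 0xFFu;
    return mask;
}

/* Walk a region byte by byte. Returns the index of the first faulty byte,
 * or -1 when the whole region passes. */
long ram_test_region(volatile uint8_t *base, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (ram_test_byte(base + i) != 0u)
            return (long)i;
    }
    return -1;
}

/* Stand-alone demo on a constructed buffer (healthy memory, so the test passes). */
int main(void)
{
    static uint8_t scratch[64];
    for (size_t i = 0; i < sizeof scratch; i++)
        scratch[i] = (uint8_t)(i * 7u);

    long first_bad = ram_test_region(scratch, sizeof scratch);
    printf("RAM test: %s\n", first_bad < 0 ? "pass" : "FAIL");
    /* Worked example of the mask: 0xFB read back after 0xFF, 0x10 after 0x00
     * means bit 2 is stuck at 0 and bit 4 is stuck at 1, mask 0x14. */
    printf("stuck bits for (0xFB, 0x10): 0x%02X\n", stuck_bit_mask(0xFBu, 0x10u));
    return first_bad < 0 ? 0 : 1;
}
```

The point for the audit trail is that the behaviour now depends on a language guarantee rather than on one optimizer setting; the tool-qualification record for the compiler still has to list the optimization level actually used, because `volatile` constrains what the compiler may remove but does not make the test independent of the tool.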


Offline Tool Qualification Requirements
•  Documented selection criteria and justification
•  Document tool version and release date
•  Document results of any tool validation performed
•  For T2 and T3 only:
   –  Evidence that Tool Specification/Documentation is provided to users
   –  Determine level of reliance on tools (T2 / T3)
   –  Identify and mitigate tool failures that could affect executable software (e.g., Tool HAZOP)


exida SafetyCase Database
Requirements → Arguments → Evidence
Assessment Audit Lists


Accreditation
Each Certification Body (CB) operates per a “scheme” and gets accredited by an Accreditation Body (AB). In the USA, ANSI is the AB.

Functional Cyber-Security
•  Achilles Level 1-2
•  ISA Secure Levels 1 – 3
Functional Safety Certification
•  IEC 61508
•  IEC 61511
•  IEC 62061 / ISO 13849
•  IEC / ISO 26262
•  EN 50271
•  Other Functional Safety


Company Business Units – exida Products and Services
•  Consulting: Process Safety (IEC 61511, IEC 62061, ISO 26262); Alarm Management; Control System Security (ISA S99)
•  Product Certification: Functional Safety (IEC 61508); Control System Security; Network Robustness (Achilles)
•  Professional Certification: CFSE; CFSP; Cyber-Security Expert (CSSE)
•  Training: Safety; Control System Security; Onsite, Offsite, Web
•  Engineering Tools: exSILentia (PHA Import, SIL Selection, LOPA, SRS, SIL Verification); Safety Case Development; FMEDA; SCA
•  Reference Materials: Databases; Tutorials; Textbooks; Reference Books; Market Studies


excellence in Dependable Automation


Topics
•  exida
   –  Overview of functional safety standards for industrial and automotive systems
   –  Steps to certification
   –  Services provided by exida
•  Texas Instruments
   –  Hercules MCU family and safety features overview
   –  Hercules MCU for IEC 61508, ISO 26262 and other functional safety standards
Hercules™ MCU: End Equipment
•  Aerospace & Railway: Flight Control; Avionics / Autopilot; Anti-Skid Control
•  Industrial: Communications Gateway; Industrial Motor Control; Manufacturing / Robotics; Elevator; Escalator; Wind Power; Solar Power; Industrial Automation / PLC
•  Automotive: Motor Control; Sensor & Communications Gateway; Airbag; Braking / Stability Control; Radar / Collision Avoidance (ADAS); Hybrid & Electric Vehicles; Chassis / Domain Control; Active Suspension; Electric Power Steering
•  Medical: Infusion Pumps; Oxygen Concentrators; Anesthesia; Respirators
TI Hercules™ MCU Platform – ARM® Cortex™ Based Microcontrollers
Lockstep MCUs for functional safety

RM – Industrial and Medical Safety MCUs
•  100MHz to 330MHz
•  384KB to 4MB Flash
•  -40 to 105°C Operation
•  ENET, USB, CAN & UART
•  Developed to Safety Standards
   –  IEC 61508 SIL-3
•  Cortex-R – up to 550 DMIPs

TMS570 – Transportation and Automotive Safety MCUs
•  80MHz to 300MHz
•  256KB to 4MB Flash
•  Automotive Q100 Qualification
•  -40 to 125°C Operation
•  FlexRay, ENET, CAN, LIN/UART
•  Developed to Safety Standards
   –  ISO 26262 ASIL-D
   –  IEC 61508 SIL-3
•  Cortex-R – up to 500 DMIPs
Applying Functional Safety Standards
SafeTI™ design packages help meet functional safety requirements while managing both systematic and random failures.

Functional Safety → Risk reduction → Safety Life Cycle (SIL 1/2/3/4) → Development Process
•  Systematic Failures: Safety Plan, Process, Documentation, Config Management, Change Management, V&V, Personnel Competence, Certification
   –  Software: Process Certification, Software CSP; Tools: Compiler Qual. Kit
•  Random Failures: Diagnostics, Architectural Metric, Failure Rate (FMEDA)
   –  Hercules: Architecture, Certification

CSP = Compliance Support Package
Hercules MCU safety features (Random)
Safe Island
•  Hardware diagnostics evaluated inside the Cortex-R require little S/W overhead
•  Physical design optimized to reduce probability of common cause failure
•  Lockstep CPU & Compare Module for Fault Detection (ARM® Cortex™-R CPU w/ MPU, CPU Self Test)
•  Memory Protection Unit
Memory
•  ECC for flash / RAM: Flash w/ ECC, RAM w/ ECC, EEPROM w/ ECC
•  Memory BIST on all RAMs for fast memory test (PBIST/LBIST)
Power, Clock, & Safety (blended HW diagnostics)
•  OSC, PLL, POR, CRC, RTI/DWWD
•  ESM – Error Signaling Module w/ External Error Pin
•  On-Chip Clock and Voltage Monitoring
Non Safety Critical Functions
•  JTAG Debug, Embedded Trace, Calibration Memory Interface, External Memory
Enhanced System Bus and DMA
•  ECC or Parity on select Peripheral, DMA and Interrupt RAMs
•  Protected Bus and lockstep DMA
•  Lockstep Vectored Interrupt Module, Dual Interrupt Manager
Serial & Network Interfaces
•  IO Loop Back; Parity or CRC in Serial and Network Communication Peripherals
ADC, Timers, GIO
•  Dual ADC Cores with shared channels, ADC Self Test, High-end Timers, GIO

Bold items are introduced with the new Cortex-R5 devices
Hercules TMS570LS and RM4x Architecture – Concept Assessment (Random)
SafeTI™ Hitex Safety Kit (Random)
Hitex Safety Kit: SAFETI-HSK-RM48, SAFETI-HSK-570LS31
On the board: Hercules™ MCU, TPS65381 Power Supply & Safety Monitor, On Board Display, ControlCard Interface

Kit Overview
•  Fault injection and reaction monitoring via GUI
•  MCU Diagnostic features profiling
•  SafeTI Software Framework + SafeRTOS included
Hercules Safety Documents (Random)
Documents provided by TI, some under NDA, to assist in the safety certification process:
–  Hercules component Safety Manual (SM) [NDA]
   Details product safety architecture and recommended usage
–  Safety Analysis Report Summary (SAR1) [NDA]
   Summary of FIT rate and FMEDA at component level for IEC 61508 and ISO 26262
–  Detailed Safety Analysis Report (SAR2) [NDA]
   •  Full details of all safety analysis executed down to MODULE level for IEC 61508 and ISO 26262
   •  Software tool for customizing analysis results to customer use case
–  Safety Report
   Summary of compliance to IEC 61508 and/or ISO 26262
Hercules Safety Documents (Random)
Safety Manual; Detailed Safety Analysis Report [NDA]
SafeTI™ Hardware Development Process Certification (Systematic)
TI’s hardware functional safety development process has been certified for:
•  IEC 61508 SIL-3
•  ISO 26262 ASIL-D

The certification demonstrates TI’s commitment to have a process suitable for developing hardware components that are compliant to ISO 26262 and IEC 61508.
Hercules™ and SafeTI™ Software and Tool Packages (Systematic)

Hercules Software and Tools
•  Production quality software to easily use Hercules MCU
•  Includes GUI configurator (where relevant)
•  Includes User Guide and Release Notes

SafeTI Compliance Support Package
•  Provide evidence to safety standards
•  Includes Test Reports, Quality Metrics, Safety Manual, etc.
•  Software developed to IEC 61508 & ISO 26262 requirements

SafeTI Tool Qualification Kit
•  Assists in qualifying the TI ARM Compiler to functional safety standards
•  Model-based tool qualification methodology
•  Assessed to comply with both IEC 61508 and ISO 26262
SafeTI™ Compiler Qualification Kit (Systematic)
•  Assists in qualifying the TI ARM C/C++ Compiler to functional safety standards
•  Qualification of customer specific use case can be less restrictive than certified compilers
•  Application of kit assessed by TÜV Nord to comply with both IEC 61508 and ISO 26262
•  Includes:
   –  Qualification Support Tool (model-based)
   –  Process specific documentation:
      •  Tool Classification Report
      •  Tool Qualification Plan
      •  Tool Qualification Report
      •  Tool Safety Manual
   –  ACE SuperTest™ qualification suite
   –  TI compiler validation test cases
   –  Test Automation Unit (TAU)
   –  24hrs of Validas consulting services
   –  TÜV Nord assessment report
Approved by: IEC 61508, ISO 26262
Typical Usage of Hercules MCU per Functional Safety Standard*
Each row: Standard – Typical Hercules MCU usage – Specific diagnostic requirements per standard
•  IEC 61508 – Single MCU for SIL1 - SIL 3, Dual MCU for SIL 4 – No
•  ISO 26262 (Automotive) – Single Hercules MCU ASIL A to D – No
•  EN 50129 (Railway) – Single MCU for SIL1 - SIL 3, Dual MCU for SIL 4 – Examples provided, not requirements
•  ISO 22201 (Elevator) – Single MCU for SIL1 - SIL 2, Dual MCU for SIL 3 – Yes
•  IEC 61511 (Process Safety) – Single MCU for SIL1 - SIL 3, Dual MCU for SIL 4 – No
•  IEC 61800 (Motor Drive) – Single Hercules MCU for SIL1 - SIL 3 – No
•  IEC 62061 (Machine Safety) – Single Hercules MCU for SIL1 - SIL 3 – No
•  ISO 13849 (Machine Safety) – Single MCU for Cat B, 1, 2 from PL a to PL e; Single MCU + Safety Companion for PL d/e Cat 3/4 – No
•  IEC 60730 (White Goods) – Single MCU for Class A – C, Dual MCU for some Class C – Yes
* Items shown are typical examples. Achieved safety integrity level is the responsibility of the system developer.
Project Flowchart
✓ Hercules™ MCU data available through SafeTI™ design package (flowchart steps marked ✓)


Thank You

Stay tuned for future webinars!
•  In-depth discussion of functional safety development and certification flow
•  How Hercules™ SafeTI™ documentation facilitates the end equipment certification process

Contact Information:
Chris O’Brien: cobrien@exida.com
Hoiman Low: hm-low@ti.com