Design industrial systems on a chip that meet stringent global safety standards
Industrial automation, transportation, smart grid, and many other industries require machinery and products to be safe and certified for functional safety. Flexibility and the incremental cost of safety can be significant decision factors when developing machinery that must comply with worldwide safety standards.
Safety imposes new processes on machinery development and increases the complexity of the electronics in these applications, typically resulting in significantly higher hardware costs and longer time to market. An industrial system on a chip can help engineers save up to 18 months of design time in achieving product certification according to IEC 61508. With prequalified devices such as FPGAs, the designer benefits from the flexibility of FPGAs without having to worry about whether the parts can be used in safety applications.
Companies that plan to ship their products into countries requiring a certificate from a functional safety assessor to prove compliance with local safety regulations, such as the new Machinery Directive (2006/42/EG) that is a must-meet requirement for products exported to Europe, must adopt a safety-oriented approach throughout the whole design process to be competitive as well as compliant. Factory operators also require safe operation of machinery to improve productivity, for example maintenance work that can be carried out while part of the machine is still in operation, or significantly shortened ramp-down and ramp-up times.
When a company decides to develop a safe product, it must consider safety as a core system function. Historically, safety has been added to the system as extra functionality such as redundant controllers or communication modules combined with circuitry to monitor the system. These add-on safety components, introduced as an afterthought into the system concept, incur significantly higher costs and are less flexible and scalable than an application that is designed for safety and cost competitiveness right from the start.
Design challenges for developing a safe application include:
* Adopting a "safe" design methodology and safety concepts
* Accounting for additional project effort (time and technology), resulting in longer time to market and higher cost of ownership
* Project management and gathering of data for all system components
* Documenting the project according to the needs of the safety specification
The key to successful design is the adoption of validated design methodologies and qualified tools and devices as part of the product, and the consideration of safety right from the start of product development.
Typical Application Steps
Without functional safety in mind, an application is typically developed in the following design steps:
* Architecture development
* Component selection
* Application design implementation
* Integration and test
The first step, the architecture of the product, is shown in Figure 1. For a typical motor-control application such as a drive, the partitioning step separates the system into system control, communication, and real-time motor control functions. For example, the architect selects a software implementation for the control part and for the real-time portion of the system and decides to use a hardware/software approach for the communications portion to support real-time Industrial Ethernet communication protocols.
Figure 1. Architecture Development
The next step is component selection (see Figure 2). The decision may lead to an implementation where the control software runs on a standard application processor, the real-time motor control portion is implemented on a digital signal processor (DSP), and the communication within the system uses an FPGA-based approach. An FPGA gives the system the flexibility to realize various Industrial Ethernet standards such as EtherNet/IP, EtherCAT, PROFINET, or SERCOS III in the same device interchangeably. This flexibility in the communication part of the architecture allows a standard hardware platform to be customized very easily for the specific protocol needs of the end customer.
Figure 2. Component Selection
After deciding on the partition and components, design teams will work on the development of their part of the application independently. Then, they will integrate the components to a full system, test system functionality, and release the product.
If the design is developed with functional safety as part of the product requirements, additional phases will need to be added to the project, as shown in orange in Figure 3.
When a safe application is designed to achieve a functional safety certification such as IEC 61508, project complexity increases significantly. The IEC 61508 specification covers the complete safety life cycle, from developing the application to decommissioning it. To simplify communication with the assessor, companies should follow the procedures and processes outlined in the safety standards, ensuring they clearly understand the objectives, concepts, procedures, and solutions needed to meet the safety requirements.
Project Startup and Risk Analysis
In the project startup and risk analysis phase, the scope for safety is identified based on the general application. The desired and achievable Safety Integrity Level (SIL) is determined, formulated, and documented for the implementation stages, and acts as the basis for risk analysis and assessment. Risk analysis provides the foundation for the later safety measures, represents an understanding of the product's boundaries, and is closely linked to the product's scope definition. It provides a basis for the required SIL, a detailed definition of the safety function, and the framework of the product documentation. This must happen at both the component and the system level.
Next, designers develop the architecture to meet both functional and safety requirements. They refine the safety requirements and document the specific functions to be realized during operation and maintenance work, as well as the strategies that must be followed to validate that the safety measures meet those requirements.
Safety Requirements Specification
For a safe drive, the project scope might include several aspects, such as identifying whether the drive parameters are in the allowed range, or whether a safety I/O signals a critical event. The most basic safety function for drives is "safe torque off" (STO), in which the power that could produce torque is removed from the motor in a safe way. The procedure might also include communicating to the overall automation system that a safety event occurred and the measures that must be taken within a specified period, such as a sequential shutdown of a whole application following a series of steps.
Validation, Verification Plan
Development of the validation plan may include methods of controlled failure insertion to test the system and additional monitors that observe the system to compare the current parameter to a range of predetermined, allowed values.
Component Selection, Component, IP, and Tools Qualification
While component selection is part of any typical project, designers of a safe application must additionally ensure that the components and IP functions are suitable for use in a safe application. It is important to consider the residual error probability, which is used as a basis to calculate the product's total failure-in-time (FIT) rate and the achievable SIL. This can be accomplished partially by gathering device and design-tool data: widely used products are more likely to be sufficiently free of systematic errors or to qualify as proven in use (IP, for example), and reports provide error rates and reliability information for semiconductor products such as processors or FPGAs.
In addition to implementing the application itself, certain diagnostic functionality must be added to the design: basic parameter monitors for clock and power, and more complex data monitors that confirm correct system operation, for example by observing the output of the pulse-width modulation (PWM) stage. The design also needs functions that automatically identify failures and transition the system into a safe state. Basic functions include verifying that memory contents have not changed due to an external effect on the design, monitoring the system clocks to ensure they are driving the design within the specified system parameters (and have not failed because of a failed external component), and checking that the power supplies are operational.
Integration and Test
The individual components are integrated to a safe drive implementation and tested for the expected system and specified safety functionality. The safety validation must ensure that the desired safety features are in effect and remain in effect during operation, for example to ensure that an external impact on the design has no negative effect on the safety function such as accidentally disabling it without being noticed by the system.
Safety Validation, Certification, and Release
Throughout the entire process, close cooperation with the assessor is required to ensure that the measures taken during the development process are reasonable and provide the right level of safe functionality. Finally, the assessor certifies the product for functional safety, and it is ready to be released into the market.
Adding Prequalified Safety
There are certain steps where semiconductor vendors can help with the process and reduce the effort for the development of safe applications. For example, having immediate access to semiconductor data, IP, development flows, and design tools that are already qualified for functional safety can provide a significant acceleration of the overall product development process, as shown in Figure 4.
Figure 4. Design Steps with Prequalified Safety Steps
An example of such prequalified safety support is Altera's investment of almost two years to achieve product qualification. Altera's SIL3 Functional Safety Data Package, which includes a certificate from the assessor TÜV Rheinland for Altera tools, IP, and device data, shortens and simplifies the development of safe applications according to IEC 61508. The prequalified design flow and tools, as well as prequalified embedded system and diagnostic intellectual property (IP), reduce certification risk in safety-critical industrial applications such as servo and inverter drives, safe I/O and PLCs, and automation controllers.
The required test and usage data for IP and design tools, together with device reliability data, are summarized and formatted for easier functional safety certification. The company followed the V-Flow, a design methodology approved by TÜV Rheinland, to address the specific needs of FPGA designs. The functional safety package includes essential diagnostic functions designed as FPGA IP. Users of this functional safety package benefit from Altera's up-front investment with TÜV and can save a similar amount of time from their own project schedules.
Example of a Safe Drive
An example of a drive with a safe I/O uses Altera's qualified FPGA design tools, Quartus II software version 9.0 SP2, and a suggested design methodology for the implementation of the application. In addition, it uses a dual-FPGA implementation for the application, as shown in Figure 5, instead of external processors and a DSP. The application is partitioned onto several Nios II soft processor cores. The first Nios II soft processor provides support for the communication stacks, the second handles the control of the system, and the motor control block integrates the third Nios II processor. The motor control algorithm is partitioned so that its software portion runs on a Nios II processor and is accelerated by hardware blocks developed specifically for this application to speed up the motor control loop. An external safety controller provides the redundancy required for a SIL3 application.
Figure 5. Dual-FPGA Implementation for a Safe Drive
This solution enables combining the safe controller with the field bus controller in a single FPGA, and uses Altera’s SOPC Builder system integration tool to integrate the Nios II soft processors with the other IP blocks for communication, the encoder interfaces, and memory interfaces.
Safety in the Drive-on-a-Chip
For the low-level, critical but common diagnostic tasks in the FPGA, this example uses Altera's safety-qualified diagnostic IP blocks. These diagnostic IPs, designed to the IEC 61508 specification, perform common diagnostic functions such as:
* Cyclic redundancy check (CRC) calculation—Useful in many systems and particularly useful for fieldbus applications
* Derived clock checking—This core looks at the presence and frequency of clocks in the system
* SEU check controller—This block works with the built-in soft error checking hardware in the device to monitor changes brought about by so-called soft errors
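As an added example (not Altera's diagnostic IP and not code from the page), the following C program shows two of the monitors named in this list and in the earlier design-requirements discussion: a CRC-based memory content check and a derived clock check, both feeding a latching safe state so that a monitor that fails once cannot be silently re-armed by a later passing check. The parameter block, the monitored-clock tick counter, and the safe-state hook are assumptions standing in for the real FPGA registers and the STO output.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reflected CRC-32 (IEEE 802.3, polynomial 0xEDB88320), bit-serial so there is
 * no lookup table that could itself be corrupted. Pass the previous result as
 * 'seed' to scan a large region in slices over several diagnostic cycles;
 * seed 0 starts a fresh CRC. Check value: crc32(0, "123456789", 9) == 0xCBF43926. */
uint32_t crc32(uint32_t seed, const uint8_t *buf, size_t len)
{
    uint32_t crc = ~seed;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Memory content monitor: a block of safety-relevant parameters plus the CRC
 * recorded at commissioning. Any later change (soft error, stray write) is detected. */
typedef struct {
    const uint8_t *base;
    size_t len;
    uint32_t reference_crc;
} mem_region_t;

bool mem_region_ok(const mem_region_t *r)
{
    return crc32(0, r->base, r->len) == r->reference_crc;
}

/* Derived clock monitor: 'ticks' is the number of monitored-clock edges counted
 * during one window of an independent reference clock (assumed hardware counter).
 * Zero means the clock is absent or stuck; an out-of-band count means the wrong
 * frequency, e.g. a failed external oscillator. */
typedef struct {
    uint32_t expected_ticks;
    uint32_t tolerance_ticks;
} clock_window_t;

bool clock_ok(const clock_window_t *c, uint32_t ticks)
{
    if (ticks == 0)
        return false;
    return ticks + c->tolerance_ticks >= c->expected_ticks &&
           ticks <= c->expected_ticks + c->tolerance_ticks;
}

/* Example window: 1000 monitored ticks per reference window, 1 % tolerance (assumed). */
const clock_window_t demo_clk = { 1000u, 10u };

/* Fault flags returned by one diagnostic cycle. */
enum { DIAG_OK = 0u, DIAG_MEM_FAULT = 1u, DIAG_CLOCK_FAULT = 2u };

typedef struct {
    mem_region_t mem;
    clock_window_t clk;
    bool safe_state;  /* latched: only a deliberate, documented reset may clear it */
} diag_ctx_t;

/* Run all monitors once. Any fault latches the safe state; a later passing check
 * does not clear it. (Hypothetical hook: a real drive would assert STO here.) */
unsigned diag_cycle(diag_ctx_t *ctx, uint32_t clock_ticks)
{
    unsigned faults = DIAG_OK;
    if (!mem_region_ok(&ctx->mem))
        faults |= DIAG_MEM_FAULT;
    if (!clock_ok(&ctx->clk, clock_ticks))
        faults |= DIAG_CLOCK_FAULT;
    if (faults != DIAG_OK)
        ctx->safe_state = true;
    return faults;
}

/* Constructed scenario: a parameter block is commissioned, one bit is flipped
 * (simulating a soft error), then repaired. Returns true if the monitor flagged
 * the corruption and the safe state stayed latched after the repair. */
bool demo_latching(void)
{
    static uint8_t params[16] = { 0x10, 0x27, 0, 0, 0xE8, 0x03, 0, 0,
                                  0x64, 0, 0, 0, 0xFF, 0xFF, 0, 0 };  /* constructed values */
    diag_ctx_t ctx = {
        .mem = { params, sizeof params, crc32(0, params, sizeof params) },
        .clk = demo_clk,
        .safe_state = false,
    };
    bool ok = diag_cycle(&ctx, 1000u) == DIAG_OK && !ctx.safe_state;
    params[5] ^= 0x08;                                             /* single bit flip */
    ok = ok && diag_cycle(&ctx, 1000u) == DIAG_MEM_FAULT && ctx.safe_state;
    params[5] ^= 0x08;                                             /* "repair" the byte */
    ok = ok && diag_cycle(&ctx, 1000u) == DIAG_OK && ctx.safe_state; /* still latched */
    return ok;
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08X\n", crc32(0, (const uint8_t *)"123456789", 9));
    printf("latching scenario: %s\n", demo_latching() ? "PASS" : "FAIL");
    return demo_latching() ? 0 : 1;
}
```

The latching behaviour is the point a validation plan with controlled failure insertion would exercise: after the injected bit flip is repaired, `diag_cycle` reports no fault but `safe_state` remains set, so the drive cannot leave the safe state without an explicit reset. The incremental `seed` argument lets a large parameter region be checked a slice per cycle without holding the processor for a full scan.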
Since these hardware IP cores are implemented in the FPGA logic, the system processor is relieved of these tasks. In the area of qualified methods, Altera analyzed the FPGA design methods and related clauses of the IEC specification and, based on this analysis, produced a tool flow document. The central theme of this tool flow is the description of an Altera-developed FPGA V-Flow, shown in Figure 6.
Figure 6. Tool Flow
The V-Flow and the documentation that accompanies it map all steps in the design of a safe application for Altera FPGAs to the IEC specification and its requirements. In addition, it explains which Altera tools are used for the specified design steps. It covers specific chapters of the IEC specification and offers the user a guide to the right development steps for a safe application.
The documentation and data that the assessor needs for certification are included in the package and provided in a format that matches the IEC 61508 specification format precisely, for easier processing by the assessor. Having this documentation available in the right format saves a significant amount of work in documenting the safety project. The included reliability report contains an extensive analysis of the statistical reliability data for the FPGAs, including all of the information needed to calculate FIT rates.
By reusing a system concept for a drive that followed a pre-approved two-chip implementation and following a qualified design methodology, design flow, tools and IP, a typical application development can be significantly accelerated. Certification is accelerated, as reliability data for the components is immediately available and provided in a format that can be easily integrated into the overall documentation for the safety qualification. Designers can take advantage of flexible design integration using FPGAs for both safety and system design. As the safety aspect is considered as a key requirement for the application, it is integrated into the overall concept and can be realized by meeting cost and time-to-market targets.
About the Author
Christoph Fritsch is a senior strategic marketing manager in Altera’s Industrial and Automotive Business Unit. In this role, Mr. Fritsch is responsible for defining and developing Altera’s industrial and automotive architectures and solutions. Mr. Fritsch has been with Altera for 12 years serving in a variety of business and marketing roles. Prior to Altera, he was an ASIC project manager and hardware/software co-design researcher for Bosch Telecom. Mr. Fritsch holds a degree in computer science from Technical University of Dortmund in Germany.