Freescale’s Functional Safety Solutions program
August 2013
Functional Safety. Simplified.
• Simplifies the process of system compliance, with solutions designed to address the requirements of automotive and industrial functional safety standards
• Supports the most stringent Safety Integrity Levels (SILs), enabling designers to build with confidence
• Reduces the time and complexity required to develop safety systems that comply with ISO 26262 and IEC 61508 standards
• Zero-defect methodology from design to manufacturing to help ensure our products meet the stringent demands of safety applications
[Figure: SafeAssure program overview. Functional Safety Standards: Automotive (ISO 26262) and Industrial (IEC 61508). Four pillars: Safety Support, Safety Hardware, Safety Software and Safety Process, resting on the Freescale Quality Foundation.]
Freescale Quality Foundation
• Quality Management: ISO TS 16949 certified Quality Management System
• Hardware: Zero Defects
• Software: SPICE Level 3
Safety Process
• Continuous Improvement: process evaluation, assessments / audits and gap analysis exist to ensure processes are continually optimized
• Organization: safety is an integral part of the Freescale worldwide organization: project management, configuration & change management, quality management, requirements management, architecture & design, verification & validation
• Safety Analysis: selected products defined & designed from the ground up, with safety analysis being done at each step of the process
• Assessments / Audits
• Safety Confirmation Measures

Safety Hardware
• Microcontrollers: lockstep cores, ECC on memories, redundant functions, internal monitors, built-in self test, fault collection & control
• Analog and Power Management: voltage monitors, external error monitor, advanced watchdog, built-in self test
• Sensors: timing checker, digital scan of signal chains, DSI3 or PSI5 safety data links
Safety Software
• Automotive Software: AUTOSAR OS & MCAL, Core Self Test, Device Self Test, Complex Drivers
• Software Partnerships: partnering with leading third-party software providers to offer additional safety software solutions for automotive and industrial
Safety Support
• People: regional functional safety experts
• Documentation: Safety Application Notes / Safety Manual / FMEDA

• Functional safety is complex
• SafeAssure products are conceived to simplify system-level functional safety design and cut down time to compliance
• Key functional safety activities addressed:
  − Failure analysis (FMEA, FTA, FMEDA)
  − Hardware integration (Safety Manual)
  − Software integration (Safety Manual)
  − Support interface (DIA for ISO 26262)
• Helping you design-in SafeAssure products and achieve your system-level functional safety compliance, simply
Overall ISO 26262 compliance is achieved together; we each own a piece of the puzzle.

[Figure: ISO 26262 responsibility puzzle across OEM, Tier 1 and Tier 2 supplier]
• OEM (relevant scope of ISO 26262: high): Item definition; Hazard analysis and risk assessment; Safety Goals; Functional Safety Concept
• Tier 1 (relevant scope of ISO 26262: medium): Safety Architecture; Safety Concept; ASIL Classification of Functions
• Tier 2 Supplier, Freescale:
  − Freescale Functional Safety Focus: Safety Element out of Context
  − Foundation: HW / SW offering; Product Safety Measures (implemented in offering, described in Safety Manual, quantified/qualified by Safety Analysis); Development Process & Methods; Quality & Quality Data
• Exchanged between adjacent levels: Safety Requirements & DIA; Safety Manual & Safety Analysis
Safety Element out of Context (SEooC)
• The automotive industry develops generic elements for different applications and for different customers. These generic elements can be developed independently by different organizations. In such cases, assumptions are made about the requirements and the design, including the safety requirements that are allocated to the element by higher design levels and on the design external to the element.
• Such an element can be developed by treating it as a safety element out of context (SEooC). An SEooC is a safety-related element which is not developed for a specific item. This means it is not developed in the context of a particular vehicle.
Referenced ISO/FDIS 26262-10:2012(E), Clause 9

[Figure referenced from ISO/FDIS 26262-10:2012(E), Clause 9]
Development of a Hardware component as a SEooC*
Development of a Software component as a SEooC*
59 out of a total of 122 work products applicable to Freescale
* Referenced ISO/FDIS 26262-10:2012(E), Clause 9
• To view the latest SafeAssure product table visit www.freescale.com/SafeAssure
Functional Safety Solutions: three generations
• Gen 1 Safety: more than 10 years experience of safety development in the area of MCU
• Gen 2 Safety: first general market MCU, MPC564xL (Leopard) -> currently being integrated into Tier 1 systems
• Gen 3 Safety: from 2012, multiple MCUs in Body, Chassis and Powertrain (McKinley) will be architected according to ISO 26262

[Figure: timeline]
• 2000, Gen 1 Safety: Custom Safety Platform for Braking (custom IC)
  − Started to ship in 2000: first safe MCU for braking applications
  − IEC 61508 / ISO 26262 compliance achieved at system level (top-down approach)
  − MCU features are a key enabler for SIL3 / ASIL D
• 2008, Gen 2 Safety: Leopard – 90 nm
  − 32-bit dual-core MCU
  − Developed according to ISO 26262
  − Target applications for Chassis – ASIL D
  − PowerSBC: voltage supervision, fail-safe state machine, fail-safe IO, advanced watchdog
• 2012, Gen 3 Safety: McKinley – 55 nm
  − 32-bit quad-core MCU
  − Developed according to ISO 26262
  − Target applications for Powertrain – ASIL D
  − This is the first MCU of the new generation
  − PowerSBC: voltage supervision, fail-safe state machine, fail-safe IO, advanced watchdog
• Components:
  − Safety Integrity Level 3 (SIL3) certified chip-set: full-custom leading-edge automotive safety MCU; full-custom leading-edge mixed-signal IC
  − Actuators: valves, motor
  − Sensors: acceleration, pressure and wheel-speed sensors
• The automotive and industrial industries are increasingly requiring functional safety solutions.
• Freescale is your expert safety partner for your next-generation safety-critical applications.
• Freescale is implementing a systematic approach to functional safety that reduces complexity for manufacturers of functional safety systems.
• Freescale’s new SafeAssure program is built on four key elements: safety process, safety hardware, safety software and safety support.
• The SafeAssure program is about the complete functional safety solution, not only a microcontroller-based program. It includes microcontrollers, sensors, analog and power management ICs.
• The ultimate goal of the program is to simplify system compliance with functional safety standards and, at the end of the day, keep people safe.
• For more information visit www.freescale.com/safeassure
SafeAssure: Freescale HW / SW Solutions, Power Steering Use Case
SafeAssure EPS Demonstrator
• Demonstrates an EPS system solution using Freescale components
• Offers an example of the management of the system safety case as defined by ISO 26262, covering:
  1. Item definition
  2. Hazard and risk analysis
  3. Definition of safety goals and requirements
  4. Functional Safety Concept
  5. Technical Safety Concept
  6. System analysis example using FTA
• Exemplifies one hazardous event caused by one malfunction of the system
[Figure: ISO 26262 safety lifecycle overview, with part-clause numbers in brackets. Management of functional safety (2-5 to 2-7). Concept phase: Item definition (3-5), Hazard analysis and risk assessment (3-7), Functional safety concept (3-8). Product development: at system level (4), HW level (5), SW level (6); Safety validation (4-9), Functional safety assessment (4-10), Release for production (4-11). After release for production: Planning, Production (7-5), Operation, service & decommissioning (7-6). Alongside the concept phase: Controllability, Other technologies, External measures. In case of modification, back to appropriate lifecycle phase.]
Safety Case Management: use of a tool to manage development of the safety case with large numbers of hazardous events
1. Item Definition: identifies main system functions, e.g. ‘Provide steering support as required by driver’
2.1 Hazard Analysis: malfunction (MF) identified using HAZOP keywords applied to the main function, e.g. provide steering support BEFORE required by driver (or self steering)
2.2 Hazard Analysis: describe the hazardous event (HE) occurring as a result of a malfunction of the main system function at > 80 km/h
2.3 Risk Assessment: assess severity, exposure and controllability (S, E and C) of the HE for the driving condition to determine the ASIL level of the safety goal
3. Safety Goal: define safety goal for the HE
Safety Analysis Tool used in this example: medini analyse from ikv++ technologies
[Figure: EPS demonstrator functional safety architecture, organised in four channels with safe-state outputs SSOP1a, SSOP1b, SSOP1c (Safe State OP1s, SSOP1n) and SSOP2 (Safe State OP2).]
• Power channel (deactivated in safe state): Power Relay (VBATT), Actuator Isolator Relay, Power Stage (Power Bridge, Pre-driver, Gate Drive), Actuator
• Motor control channel (dedicated sensor inputs): Torque Sensor 1, Steering Angle Sensor 1, Steering Speed Sensor 1, Rotor Position 1, Phase Current Monitor 1; Torque Assist Requirements Calculation 1; Actuator Control
• Actuator monitoring channel (dedicated sensor inputs, control of safe state): Torque Sensor 2, Steering Angle Sensor 2, Steering Speed Sensor 2, Rotor Position 2, Phase Current Monitor 2; Torque Assist Requirements Calculation 2; Actuator Monitoring
• System monitoring channel (control of safe state): power supply, clock, watchdog/supervisor
[Figure: EPS demonstrator hardware implementation. MCU MPC5643L (DSPI, FCCU, safe-state outputs IO1 (SSOP1a), IO2 (SSOP1b), IO3 (SSOP1c)); PwSBC MC33907 (Supply Monitor, Watchdog, Error Monitor, RST, safe-state output FS0b (SSOP2)); Pre-driver MC33937A (EN1, EN2). Power path: VBATT, Power Switch (default: open), VDCLINK, Power Bridge, Motor; Actuator Isolator driven by IO1/IO2. VDD and GND rails.]
• Power channel de-activation under control of application (MCU) and system monitor (SBC)
• Motor control and actuator monitoring channels implemented on MCU and pre-driver
• System monitoring channel implemented on intelligent SBC
Technical session F0306, Tech Lab demo: safety software architecture
[Figure: Dual-Core Lockstep MCU (Core 1 / Core 2) running an Operating System (ASIL D) that schedules independent control and monitoring tasks, each with independent sensor input.]
• Safe Operating System: calls independent control and monitoring tasks; supports end-to-end protection of communications. Safety operating system solution supporting ASIL D: EB tresos Safety OS from Elektrobit
• Control Task, part 1 (Torque Assistance Requirement Calculation): calculate required torque assist
• Monitoring Task, part 1 (Torque Assistance Requirement Calculation monitor): re-calculate required torque assist; activate safe state if different from the control task (CT)
• Control Task, part 2 (PMSM Control): control actuator to provide required torque assist, via the Actuator Drive Peripherals
• Monitoring Task, part 2 (PMSM Control Monitor): monitor actuator; activate safe state if control incorrect, via Safe State Control
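The control/monitoring task pairing for part 1 above, as an added illustration in C that is not the demonstrator's code nor EB tresos code: the assist law, its gain, the acceptance tolerance and the latching of the safe state are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Sensor set of one channel (each channel reads its own, independent sensors). */
typedef struct { int torque_mNm; int angle_mdeg; int speed_mdeg_s; } sensor_set_t;

/* Constructed placeholder for the torque-assist law: proportional to driver
 * torque, reduced with steering speed. Both tasks run it on their own sensors;
 * the gain and the tolerance below are hypothetical values, not calibration. */
int torque_assist_calc(const sensor_set_t *s)
{
    return s->torque_mNm * 3 - s->speed_mdeg_s / 100;
}

enum { ASSIST_TOLERANCE_mNm = 200 };   /* constructed acceptance window */

/* State shared through the safe OS: latched safe state + command for part 2. */
typedef struct { bool safe_state; int assist_cmd_mNm; } eps_state_t;

/* Control Task, part 1: calculate required torque assist from channel 1. */
int control_task_part1(const sensor_set_t *ch1)
{
    return torque_assist_calc(ch1);
}

/* Monitoring Task, part 1: re-calculate from channel 2 and activate the safe
 * state if the control task's result differs beyond tolerance. Returns true
 * when the safe state was activated (assumed latched until a reset). */
bool monitor_task_part1(const sensor_set_t *ch2, int ct_assist, eps_state_t *st)
{
    int mt_assist = torque_assist_calc(ch2);
    if (abs(mt_assist - ct_assist) > ASSIST_TOLERANCE_mNm) {
        st->safe_state = true;       /* Safe State Control drives SSOP outputs */
        st->assist_cmd_mNm = 0;      /* no assist reaches the actuator */
        return true;
    }
    st->assist_cmd_mNm = ct_assist;
    return false;
}

/* One scheduling cycle: returns the assist command handed to Control Task
 * part 2 (actuator control); 0 while the safe state is latched. */
int eps_cycle(const sensor_set_t *ch1, const sensor_set_t *ch2, eps_state_t *st)
{
    if (st->safe_state) return 0;
    int ct = control_task_part1(ch1);
    monitor_task_part1(ch2, ct, st);
    return st->assist_cmd_mNm;
}
```

A channel-1 torque sensor reporting torque the driver is not applying (the self-steering malfunction) is caught because channel 2 recomputes a different request, and assist stays at zero for all later cycles.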
• Safety Analysis is carried out during the Concept and Product Development phases
• Objective of the analysis:
  − examine consequences of faults and failures on the system
  − provide information on conditions and causes that could lead to violation of a safety goal
  − identification of new hazards not previously considered
• Qualitative and quantitative analyses are carried out
  − Example: qualitative FTA demonstrating that faults in both redundant sensors (SensorA and SensorB) are needed to lead to violation of safety goal ‘Prevent Self Steer’
  − Quantitative analysis such as FMEDA also required
Safety Analysis Tool used in this example: medini analyse from ikv++ technologies
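The qualitative FTA above, as an added example in C that is not from the deck or from medini analyse: a brute-force minimal-cut-set enumerator run over the AND-gated redundant-sensor tree for ‘Prevent Self Steer’, plus a hypothetical non-redundant tree (not on the page) to show how a single-point fault shows up as an order-1 cut set.

```c
#include <stdbool.h>

/* Basic events: faults of the two redundant sensors. Bit i of a mask set
 * means event i has occurred. */
enum { EV_SENSOR_A = 0, EV_SENSOR_B, EV_COUNT };
#define HAS(mask, ev) (((mask) >> (ev)) & 1u)

/* Top event "safety goal 'Prevent Self Steer' violated": the page's qualitative
 * tree is a single AND gate over both redundant sensor faults. */
bool top_prevent_self_steer(unsigned faults)
{
    return HAS(faults, EV_SENSOR_A) && HAS(faults, EV_SENSOR_B);
}

/* Hypothetical contrast (not on the page): non-redundant sensing, so one
 * sensor fault alone violates the goal, i.e. a single-point fault. */
bool top_single_sensor(unsigned faults) { return HAS(faults, EV_SENSOR_A); }

/* Brute-force minimal cut sets for a tree with n basic events (adequate for
 * the small trees of a qualitative analysis): a cut set triggers the top
 * event; it is minimal if no proper subset does. Writes masks to out[]. */
int minimal_cut_sets(bool (*top)(unsigned), int n, unsigned *out, int max_out)
{
    int count = 0;
    for (unsigned m = 1; m < (1u << n); m++) {
        if (!top(m)) continue;
        bool minimal = true;
        for (unsigned s = (m - 1) & m; s != 0; s = (s - 1) & m) /* proper subsets */
            if (top(s)) { minimal = false; break; }
        if (minimal && count < max_out) out[count++] = m;
    }
    return count;
}
/* Order of a cut set = number of basic events in it. */
int cut_set_order(unsigned m)
{
    int order = 0;
    for (; m != 0; m >>= 1) order += (int)(m & 1u);
    return order;
}

/* Smallest cut-set order; 1 means a single-point fault exists, n + 1 means
 * the top event cannot occur at all. */
int min_cut_set_order(bool (*top)(unsigned), int n)
{
    unsigned cs[64];
    int k = minimal_cut_sets(top, n, cs, 64), best = n + 1;
    for (int i = 0; i < k; i++)
        if (cut_set_order(cs[i]) < best) best = cut_set_order(cs[i]);
    return best;
}
```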