Microcontrollers for Safety Critical Applications

By Jim Harrison

Contributed By Electronic Products

Can’t sleep and looking for a little light reading? I have a list of 84 separate safety standards that critical-systems engineers may run into over the course of their design careers. I have whittled this somewhat daunting list down to five essential standards, which this article will discuss. These are:
  • IEC 61508
  • ISO 26262
  • IEC 60730 and IEC 60335
  • EN ISO 13849
These newer standards recognize the need for protection against both random and systematic failures in safety critical systems. Random failures are usually component failures, and are related to reliability and FIT numbers. Systematic failures are usually software and hardware design method failures. To put it simply, these failures are caused by an imperfect design.

The primary method of mitigating failures of both types is self-testing. Some processor features that assist in designs targeting these standards include the CPU self-test block, a replicated, safety-enhanced watchdog timer, memory ECC parity on peripheral/DMA/interrupt memories, parity or CRC checks on all communication channels, memory built-in self-test (BIST), clock and supply voltage monitoring, on-chip clock or dual clocks, a junction temperature sensor, and dual A/Ds with shared channels.

Having safety handled with hardware (the processor) instead of code can speed development, speed error detection, improve safety, and ease certification efforts. There are some automated code review design tools that focus on safety and may be helpful to engineers, though some people liken them to spell checkers. There are also a few automatic code generators in this area to consider and perhaps an IDE employing model-based development. Of course the OS, if you have one, needs to be safety aware, and a quality C++ compiler, for a higher abstraction level and support for object-oriented programming, will be essential.

The standards

IEC 61508 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems

IEC 61508 spans both hardware and software. It can be divided into three areas: business processes, hardware development, and software development. The standard provides measures for management and reduction of both systematic and random failures.

Figure 1: The IEC 61508 safety lifecycle.

ISO 26262 - Road Vehicles Functional Safety

ISO 26262 is an adaptation of IEC 61508 to automotive electrical/electronic systems. It provides an automotive safety lifecycle (management, development, production, operation, service, de-commissioning) and supports tailoring necessary activities during these lifecycle phases (Figure 1). It also provides an automotive-specific, risk-based approach for determining risk classes (Automotive Safety Integrity Levels or ASILs).

IEC 60730 and IEC 60335 - standards for safety

The IEC/UL 60730 standard for safety is an established testing specification for electrical, electronic, mechanical, EMC, and other features of AC appliances. The specification’s Annex H spells out the safety aspects most relevant to safe operation of MCU hardware and software used in appliances. Software requirements are further defined in Annex Q of IEC 60335-1. These safety standards require certification that proves compliance with the standards and shows system robustness. To simplify compliance, OEMs require components that can be certified as IEC 60730 compatible or compliant. Specifically for MCUs, 60730 Annex H - Requirements for Electronic Controls details test and diagnostic methods.

60730 allows manufacturers to take one of three approaches to address safety in MCU-based systems.
  1. Dual-channel architecture with two MCUs, each performing related tasks in lock step, one checking the other.
  2. Single-channel architecture accompanied by functional testing at the point of manufacture (the option used most frequently today). This method has the drawback of not being able to address problems once the appliance is out of the factory.
  3. Single-channel with periodic self-test architecture, which addresses the problem of in-service operation by having firmware that regularly checks critical functions of the electronic control.
Microcontrollers that support the single-channel self-test option likely provide the highest level of consumer protection at the lowest cost. A good idea is to have two accurate oscillators on an MCU — one to operate the appliance and the other to supply an independent time base for when periodic tests are executed.

NXP, Fujitsu, Renesas, Microchip, and Texas Instruments all offer a software library for IEC/UL 60730/60335 implementations.

60335 includes fire protection via fusing and is used in conjunction with the 60730 standard (Schurter has a helpful white paper on the subject).

EN ISO 13849 - Safety of machinery - Safety-related Parts of Control Systems

EN ISO 13849 is known as the Machinery Directive. This standard replaced EN 954-1, a standard that machinery builders are familiar with, and to which most already conform. 954-1 is a simple standard, with an easy-to-follow risk graph to establish a safety category for their machine. Safety categories are worked out on a qualitative basis, so the process is also quick. The new EN ISO 13849-1 follows a similar process, but the user then has to perform a number of calculations involving diagnostic coverage, mean time to dangerous failure, along with architecture and common-cause failures to validate that the performance level has been achieved.

Unlike EN 954-1, 13849-1 addresses the programmable electronic safety devices being used increasingly in machinery, and the computed risk assessment for a given safety function yields a Performance Level (PL). In December 2009, the deadline for moving from EN 954-1 to EN ISO 13849-1 was extended to December 31, 2011 (in the European Economic Area), and the standard is being adopted by many U.S. manufacturers.

Microcontrollers of interest for safety apps

The NXP LPC17xx series parts, such as the LPC1769 and LPC1788, use a Cortex M3 and have 512 Kbytes of flash, 64 or 96 Kbytes of RAM, CAN, Ethernet, I²C, IrDA, Microwire, USB OTG, a D/A converter, and an 8-channel 12-bit A/D converter. Operating range is -40°C to 85°C.

NXP will provide an IEC 60335 Class B–certified library for these and other Cortex M3 processors. Using this library does not grant your project status as a certified application. It is still necessary to have the complete application software certified, but it is certainly a great starting point.

The Freescale Kinetis K20 MCUs, such as the PK20N512VLQ100, feature high-speed USB 2.0 OTG with device charge detection capability and provide basic safety items. They have memory protection for all masters on the crossbar switch, and a hardware CRC engine that validates memory contents and communication data. An independently clocked COP guards against clock skew or code runaway for fail-safe applications such as those covered by the IEC 60730 safety standard for household appliances. The MCU also has an external watchdog monitor, secure storage, and tamper detection.

Renesas V850 microcontrollers (Figure 2), such as the V850ES/JG3, support a boot swap mechanism to ensure fail-safe firmware update even during power failure. The chip's watchdog timer uses an internal, dedicated oscillator. Moreover, it is a windowed watchdog timer that catches abnormally frequent watchdog resets. The ICs use 2.85 to 3.6 V, run at up to 50 MHz, and have 256 Kbytes of flash and 64 Kbytes of RAM.
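The window behaviour described above can be modelled in a few lines. This is an added example, not Renesas code or a V850 register interface; the `wwdt_*` names and tick values are hypothetical. It shows why a window catches a runaway loop that a plain timeout watchdog would accept.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Software model of a windowed watchdog. All names are hypothetical. */
typedef enum { WWDT_OK, WWDT_EARLY, WWDT_LATE } wwdt_result_t;

typedef struct {
    uint32_t open;       /* earliest legal refresh, in ticks since the last one */
    uint32_t timeout;    /* a refresh must arrive before this many ticks elapse */
    uint32_t last;       /* tick of the last accepted refresh */
    wwdt_result_t fault; /* latched: a tripped watchdog stays tripped */
} wwdt_t;

void wwdt_init(wwdt_t *w, uint32_t open, uint32_t timeout, uint32_t now) {
    w->open = open; w->timeout = timeout; w->last = now; w->fault = WWDT_OK;
}

/* Firmware services the watchdog at tick `now`. Hardware would fire the late
   case by itself at the timeout; the model reports it at the next refresh. */
wwdt_result_t wwdt_refresh(wwdt_t *w, uint32_t now) {
    uint32_t elapsed = now - w->last;   /* unsigned subtraction survives counter wrap */
    if (w->fault != WWDT_OK) return w->fault;
    if (elapsed < w->open)          w->fault = WWDT_EARLY; /* runaway loop hammering the refresh */
    else if (elapsed >= w->timeout) w->fault = WWDT_LATE;  /* hung or starved task */
    else                            w->last = now;
    return w->fault;
}

/* Replay refresh timestamps; return the index of the first violation, or n if none. */
size_t wwdt_replay(wwdt_t *w, const uint32_t *ticks, size_t n, wwdt_result_t *why) {
    for (size_t i = 0; i < n; i++) {
        *why = wwdt_refresh(w, ticks[i]);
        if (*why != WWDT_OK) return i;
    }
    *why = WWDT_OK;
    return n;
}

int main(void) {
    const uint32_t runaway[] = {10, 11, 12};   /* constructed refresh times */
    wwdt_t w; wwdt_result_t why;
    wwdt_init(&w, 8, 12, 0);                   /* legal window: 8..11 ticks */
    return (wwdt_replay(&w, runaway, 3, &why) == 1 && why == WWDT_EARLY) ? 0 : 1;
}
```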

Figure 2: Renesas V850 microcontrollers can tackle safety issues.

Some versions of this MCU are equipped with a redundant core with a comparator, self-diagnostic functions for logic and memory, and other effective functions for achieving functional safety. The Cortex M3-based Fujitsu FM3 family of MCUs, such as the MB9B500, offers functional safety features. Fujitsu provides an extensive library of safety-related software routines, compliant with IEC safety standards.

The Fujitsu self-test library (STL) covers IEC 60730 and IEC 60335 requirements. The Class B library routines include pre-operation self-test (POST) tests which should be implemented at system startup and cover items such as the CPU, RAM/ROM, and I/O peripherals. They also have code for BIST that should run periodically while the product is in service.
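The split between a start-up test and a periodic in-service test, which is also the single-channel self-test option of 60730 described earlier, can be sketched for the ROM check as follows. This is an added example, not code from the Fujitsu library or any vendor library; the `rom_check_*` names, the slice size, and the sample image are assumptions, and a part with a hardware CRC engine would use that instead of the bitwise loop.

```c
#include <stddef.h>
#include <stdint.h>

typedef enum { ROM_BUSY, ROM_PASS, ROM_FAIL } rom_status_t;
typedef struct {
    const uint8_t *base;   /* start of the region under test */
    size_t len, pos;       /* region length and current offset */
    uint32_t ref, acc;     /* reference CRC stored at build time, running CRC */
} rom_check_t;

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320), chainable across calls. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n) {
    while (n--) {
        crc ^= *p++;
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

void rom_check_init(rom_check_t *c, const uint8_t *base, size_t len, uint32_t ref) {
    c->base = base; c->len = len; c->pos = 0; c->ref = ref; c->acc = 0xFFFFFFFFu;
}

/* Periodic test: hash at most `slice` bytes per call so the control loop is never starved. */
rom_status_t rom_check_step(rom_check_t *c, size_t slice) {
    size_t n = c->len - c->pos;
    if (n > slice) n = slice;
    c->acc = crc32_update(c->acc, c->base + c->pos, n);
    c->pos += n;
    if (c->pos < c->len) return ROM_BUSY;
    uint32_t got = c->acc ^ 0xFFFFFFFFu;
    c->pos = 0; c->acc = 0xFFFFFFFFu;      /* the next call starts a fresh pass */
    return got == c->ref ? ROM_PASS : ROM_FAIL;
}

/* Power-on test: the same check run to completion before the application starts. */
rom_status_t rom_check_post(rom_check_t *c) {
    rom_status_t s;
    while ((s = rom_check_step(c, 64)) == ROM_BUSY) { }
    return s;
}

int main(void) {
    static const uint8_t image[] = "123456789";   /* constructed stand-in for flash */
    rom_check_t c;
    rom_check_init(&c, image, 9, 0xCBF43926u);    /* standard CRC-32 check value */
    return rom_check_post(&c) == ROM_PASS ? 0 : 1;
}
```

On a ROM_FAIL result the application would drive its outputs to the safe state; what that state is depends on the appliance.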

The processors are based on a Cortex M3 and have 256 or 512 Kbytes of 60-MHz flash with 32 or 64 Kbytes of RAM. They also have CAN and USB 2.0 interfaces, an eight-channel DMA, a quadrature counter, and up to 16 channels of 12-bit A/D conversion. The ICs include a Clock Super Visor (CSV). Clocks generated by CR oscillators are used to supervise abnormality of the external clocks. If an external clock failure is detected, reset is asserted, but if a frequency anomaly is detected, either an interrupt or reset is asserted. They also have a Low Voltage Detector (LVD) with two-stage monitoring of voltage on the VCC with error reporting via interrupt and auto-reset operation.


This article has presented summaries of five essential safety standards and a sampling of microcontrollers equipped with features important to engineers designing for safety critical applications. More information can be found by using the provided links to pages on the Digi-Key website.

