Freescale SafeAssure Solutions and ISO 26262 - nxp.com


Uploaded by dinhthien, posted 29-Aug-2018


TRANSCRIPT

Slide 1

August 2013

Slide 2

Freescale’s Functional Safety Solutions program

Slide 3: Functional Safety. Simplified.

• Simplifies the process of system compliance, with solutions designed to address the requirements of automotive and industrial functional safety standards

• Reduces the time and complexity required to develop safety systems that comply with ISO 26262 and IEC 61508 standards

• Supports the most stringent Safety Integrity Levels (SILs), enabling designers to build with confidence

• Zero defect methodology from design to manufacturing to help ensure our products meet the stringent demands of safety applications

Slide 4: SafeAssure program overview

[Figure: the four elements of the SafeAssure program (Safety Support, Safety Hardware, Safety Process, Safety Software) addressing the Functional Safety Standards Automotive ISO 26262 and Industrial IEC 61508, built on the Freescale Quality Foundation. The same figure recurs on slides 5 to 9, each of which details one layer.]

Slide 5: Freescale Quality Foundation


Continuous Improvement: process evaluation, assessments / audits and gap-analysis exist to ensure processes are continually optimized

Quality Management: ISO TS 16949 certified Quality Management System; Hardware – Zero Defects; Software – SPICE Level 3

Slide 6: Safety Process


Organization: safety is an integral part of the Freescale worldwide organization

Project Management: Configuration & Change Management, Quality Management, Requirements Management, Architecture & Design, Verification & Validation

Safety Analysis: selected products defined & designed from the ground up, with safety analysis being done at each step of the process

Assessments / Audits

Safety Confirmation Measures

Slide 7: Safety Hardware


Microcontrollers: Lockstep Cores, ECC on Memories, Redundant Functions, Internal Monitors, Built In Self Test, Fault Collection & Control

Analog and Power Management: Voltage Monitors, External Error Monitor, Advanced Watchdog, Built In Self Test

Sensors: Timing Checker, Digital Scan of Signal Chains, DSI3 or PSI5 Safety Data links

Slide 8: Safety Software


Automotive Software: AUTOSAR OS & MCAL, Core Self Test, Device Self Test, Complex Drivers

Software Partnerships: partnering with leading third-party software providers to offer additional safety software solutions for automotive and industrial.

Slide 9: Safety Support


People: regional functional safety experts

Documentation: Safety Application Notes / Safety Manual / FMEDA

Slide 10

• Functional safety is complex

• SafeAssure products are conceived to simplify system-level functional safety design and cut down time to compliance

• Key functional safety activities addressed

− Failure analysis (FMEA, FTA, FMEDA)

− Hardware integration (Safety Manual)

− Software integration (Safety Manual)

− Support Interface (DIA for ISO 26262)

• Helping you design in SafeAssure products and achieve your system-level functional safety compliance, simply

Slide 11: Overall ISO 26262 compliance is achieved together; we each own a piece of the puzzle

[Figure: distribution of ISO 26262 activities across OEM, Tier 1 and Tier 2 (Freescale), reconstructed from the slide labels]

OEM: Item definition; Hazard analysis and risk assessment; Safety Goals; Functional Safety Concept

Tier 1: Safety Architecture; Safety Concept; ASIL Classification of Functions

Tier 2 Supplier – Freescale: HW / SW offering

Safety Requirements & DIA flow from OEM to Tier 1 and from Tier 1 to Freescale; Safety Manual & Safety Analysis flow back from Freescale

Freescale Functional Safety Focus (Safety Element out of Context):

Product Safety Measures (implemented in offering, described in Safety Manual, quantified/qualified by Safety Analysis) – relevant scope of ISO 26262: high

Foundation: Development Process & Methods; Quality & Quality Data – relevant scope of ISO 26262: medium

Slide 12: Safety Element out of Context (SEooC)

• The automotive industry develops generic elements for different applications and for different customers.

• These generic elements can be developed independently by different organizations.

• In such cases, assumptions are made about the requirements and the design, including the safety requirements that are allocated to the element by higher design levels and on the design external to the element.

• Such an element can be developed by treating it as a safety element out of context (SEooC).

• An SEooC is a safety-related element which is not developed for a specific item. This means it is not developed in the context of a particular vehicle.

Referenced ISO/FDIS 26262-10:2012(E), Clause 9

Slide 13

[Figure; text not recoverable]

Referenced ISO/FDIS 26262-10:2012(E), Clause 9

Slide 14

[Figure: Development of a Hardware component as a SEooC*; Development of a Software component as a SEooC*]

59 out of a total of 122 work products applicable to Freescale

Referenced ISO/FDIS 26262-10:2012(E), Clause 9

Slide 15

• To view the latest SafeAssure product table visit www.freescale.com/SafeAssure


Slide 16: Freescale safety roadmap

• Gen 1 Safety: more than 10 years experience of safety development in the area of MCU

• Gen 2 Safety: first general market MCU, MPC564xL (Leopard) -> currently being integrated into TIER1 systems

• Gen 3 Safety: from 2012, multiple MCUs in Body, Chassis and Powertrain (McKinley) will be architected according to ISO 26262

[Figure: Functional Safety Solutions timeline, 2000 / 2008 / 2012]

Gen 1 Safety – 2000 – Custom Safety Platform for Braking (Custom IC)

• Started to ship in 2000, first safe MCU for braking applications

• IEC 61508 / ISO 26262 compliance achieved at system level (top down approach)

• MCU features are a key enabler for SIL3 / ASILD

Gen 2 Safety – 2008 – Leopard – 90nm, with PowerSBC

• 32-bit Dual-Core MCU

• Developed according to ISO 26262

• Target Applications for Chassis – ASILD

Gen 3 Safety – 2012 – McKinley – 55nm, with PowerSBC

• 32-bit Quad-Core MCU

• Developed according to ISO 26262

• Target Applications for Powertrain – ASILD

• This is the first MCU of the new generation

PowerSBC (shown with both Leopard and McKinley)

• Voltage Supervision

• Fail-Safe State Machine

• Fail-Safe IO

• Advanced Watchdog

Slide 17

• Components:

− Safety Integrity Level 3 (SIL3) certified Chip-Set: full-custom leading edge automotive safety MCU; full-custom leading edge mixed-signal IC

− Actuators: Valves, Motor

− Sensors: Acceleration-, Pressure-, Wheel-speed-Sensors

Slide 18

[Figure only; no recoverable text]

Slide 19

• The automotive and industrial industries are increasingly requiring functional safety solutions.

• Freescale is your expert safety partner for your next-generation safety-critical applications

• Freescale is implementing a systematic approach to functional safety that reduces complexity for manufacturers of functional safety systems.

• Freescale’s new SafeAssure program is built on four key elements: safety process, safety hardware, safety software and safety support.

• The SafeAssure program is about the complete functional safety solution, not only a microcontroller-based program. It includes microcontrollers, sensors, analog and power management ICs.

• The ultimate goal of the program is to simplify system compliance with functional safety standards and, at the end of the day, keep people safe.

• For more information visit www.freescale.com/safeassure

Slide 20: SafeAssure Freescale HW / SW Solutions – PowerSteering Use-Case

Slide 21: SafeAssure EPS Demonstrator

• Demonstrates an EPS system solution using Freescale components

• Offers an example of the management of the system safety case as defined by ISO 26262, covering:

1. Item definition

2. Hazard and risk analysis

3. Definition of safety goals and requirements

4. Functional Safety Concept

5. Technical Safety Concept

6. System analysis example using FTA

• Exemplifies one Hazardous Event caused by one malfunction of the system

Slide 22: Product development at system level (ISO 26262 safety lifecycle)

[Figure: ISO 26262 safety lifecycle with part-clause references; the phase treated on the following slide is highlighted. The same figure recurs as a divider on slides 24, 26, 28 and 30.]

Management of functional safety: 2-5 to 2-7

Concept phase: Item definition (3-5); Hazard analysis and risk assessment (3-7); Functional safety concept (3-8)

Product development: system level (4); HW level (5); SW level (6); Safety validation (4-9); Functional safety assessment (4-10); Release for production (4-11)

Planning during development: Production (7-5); Operation (7-6)

After release for production: Production (7-5); Operation, service & decommissioning (7-6)

Side boxes: Other Technologies; Controllability; External Measures

In case of modification, back to appropriate lifecycle phase

Slide 23: Hazard analysis and risk assessment (EPS example)

Item Definition: identifies main system functions, e.g. ‘Provide steering support as required by driver’

2.1 Hazard Analysis: Malfunction (MF) identified using HAZOP keywords applied to main function – e.g. provide steering support BEFORE required by driver (or self steering)

2.2 Hazard Analysis: describe hazardous event (HE) occurring as a result of a malfunction of the main system function at > 80 km/h

2.3 Risk Assessment: assess severity, exposure and controllability (S, E and C) of the HE for the driving condition to determine ASIL level of safety goal

3. Safety Goal: define safety goal for HE

Safety Case Management: use of a tool to manage development of the safety case with large numbers of hazardous events

Safety Analysis tool used in this example: medini analyse from ikv++ technologies
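Step 2.3 reads the ASIL off the S/E/C combination using the ASIL determination table of ISO 26262-3. The following is an added C example, not part of the presentation: it encodes that published table, rejects out-of-range ratings instead of defaulting to QM, and cross-checks the table against the common S+E+C mnemonic. The S3/E4/C3 rating given to the self-steering HE in main() is a constructed assumption; the slide does not state the real rating.

```c
#include <stdio.h>
#include <string.h>
/* ASIL determination as in ISO 26262-3: Severity S0..S3, Exposure E0..E4,
 * Controllability C0..C3; any rating of 0 means no ASIL is assigned (QM). */
typedef enum { ASIL_INVALID = -1, ASIL_QM = 0, ASIL_A, ASIL_B, ASIL_C, ASIL_D } Asil;

/* Published ISO 26262-3 table, indexed [S-1][E-1][C-1]. */
static const Asil ASIL_TABLE[3][4][3] = {
    /* S1 */ { {ASIL_QM, ASIL_QM, ASIL_QM}, {ASIL_QM, ASIL_QM, ASIL_QM},
               {ASIL_QM, ASIL_QM, ASIL_A }, {ASIL_QM, ASIL_A,  ASIL_B } },
    /* S2 */ { {ASIL_QM, ASIL_QM, ASIL_QM}, {ASIL_QM, ASIL_QM, ASIL_A },
               {ASIL_QM, ASIL_A,  ASIL_B }, {ASIL_A,  ASIL_B,  ASIL_C } },
    /* S3 */ { {ASIL_QM, ASIL_QM, ASIL_A }, {ASIL_QM, ASIL_A,  ASIL_B },
               {ASIL_A,  ASIL_B,  ASIL_C }, {ASIL_B,  ASIL_C,  ASIL_D } },
};

Asil asil_from_sec(int s, int e, int c)
{
    if (s < 0 || s > 3 || e < 0 || e > 4 || c < 0 || c > 3)
        return ASIL_INVALID;   /* reject out-of-range ratings rather than defaulting to QM */
    if (s == 0 || e == 0 || c == 0)
        return ASIL_QM;        /* no injuries, incredible exposure, or controllable in general */
    return ASIL_TABLE[s - 1][e - 1][c - 1];
}

const char *asil_name(Asil a)
{
    static const char *const names[] = { "QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D" };
    return (a >= ASIL_QM && a <= ASIL_D) ? names[a] : "invalid";
}

/* Cross-check: the table equals the mnemonic S+E+C -> 7:A, 8:B, 9:C, 10:D, below 7: QM. */
int table_matches_sum_rule(void)
{
    for (int s = 1; s <= 3; s++)
        for (int e = 1; e <= 4; e++)
            for (int c = 1; c <= 3; c++) {
                Asil expect = s + e + c < 7 ? ASIL_QM : (Asil)(s + e + c - 6);
                if (asil_from_sec(s, e, c) != expect) return 0;
            }
    return 1;
}

int main(void)
{
    /* Constructed S3/E4/C3 for the slide's HE; the slide itself gives no rating. */
    printf("self steering > 80 km/h: %s\n", asil_name(asil_from_sec(3, 4, 3)));
    return 0;
}
```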


Slide 25: EPS functional safety concept – channel architecture

[Figure: block diagram of the EPS demonstrator from sensors to actuator with safe-state outputs; blocks listed below by channel, following the 1/2 numbering on the slide]

Sensors: Torque Sensor 1, Steering Angle Sensor 1, Steering Speed Sensor 1 (channel 1); Torque Sensor 2, Steering Angle Sensor 2, Steering Speed Sensor 2 (channel 2); Torque/Angle Sensors

Motor control channel (dedicated sensor inputs): Torque Assist Requirements Calculation 1, Actuator Control, Rotor Position 1, Phase Current Monitor 1, Gate Drive -> Power Stage (Power Bridge, Pre-driver) -> Actuator

Actuator monitoring channel (dedicated sensor inputs; control of safe state): Torque Assist Requirements Calculation 2, Actuator Monitoring, Rotor Position 2, Phase Current Monitor 2

Power channel (deactivated in safe state): VBATT, Power Relay, Actuator Isolator Relay

System Monitoring channel (power supply, clock, watchdog/supervisor; control of safe state)

Safe states: Safe State OP2 (SSOP2) and Safe State OP1s (SSOP1n: SSOP1a, SSOP1b, SSOP1c); on the diagram each SSOP1 output is paired with an SSOP2 output


Slide 27: EPS technical safety concept – hardware partitioning

[Figure: hardware block diagram of the EPS demonstrator; labels as extracted, grouped by device]

Power path: VBATT, Power Switch, VDCLINK, Power Bridge, Motor, Actuator Isolator (Default: open)

PwSBC MC33907 (system basis chip): Supply Monitor, DSPI Watchdog, Error Monitor, FS0b (SSOP2), RST, VDD, GND

MCU MPC5643L: FCCU, RST, VDD, GND, IO1 (SSOP1a), IO2 (SSOP1b), IO3 (SSOP1c)

Predriver MC33937A: EN1, EN2, driving the Power Bridge

• Power channel de-activation under control of application (MCU) and system monitor (SBC)

• Motor control and actuator monitoring channels implemented on MCU and pre-driver

• System monitoring channel implemented on intelligent SBC


Slide 29: EPS software architecture on the dual-core lockstep MCU

[Figure: Dual-Core Lockstep MCU (Core 1, Core 2); three stages, each running under the Operating System (ASIL D) and each with Independent Sensor Input]

Stage 1 – Control Task: Torque Assistance Requirement Calculation; Monitor Task: Torque Assistance Requirement Calculation

Stage 2 – Control Task: PMSM Control (Actuator Drive Peripherals); Monitor Task: PMSM Control Monitor

Stage 3 – Safe State Control; Safe State Control

Safe Operating System

• calls independent control and monitoring tasks

• support end-to-end protection of communications

Control Task, part 1

• calculate required torque assist

Monitoring Task, part 1

• re-calculate required torque assist

• activate safe state if different from CT

Control Task, part 2

• control actuator to provide required torque assist

Monitoring Task, part 2

• monitor actuator

• activate safe state if control incorrect

Safety Operating System: solution supporting ASIL D – EB tresos Safety OS from Elektrobit

Tech Lab DEMO / Technical SESSION F0306
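The control/monitor split in the legend above, as an added C example that is not from the presentation, Freescale or Elektrobit: the monitoring task recalculates the torque assist from its own sensor inputs and latches the safe state on disagreement (part 1), then checks what the actuator delivers against the command (part 2). The assist law, the tolerances and the sensor values are constructed assumptions, and the example ignores the sampling skew between channels that a real CT/MT comparison has to tolerate.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Independent sensor set per channel (Torque/Angle/Speed Sensor 1 vs Sensor 2 on the slide). */
typedef struct { int32_t driver_torque_mNm; int32_t vehicle_speed_kmh; } SensorInput;

/* Safe state is latched: once activated, assist stays removed until the next power cycle. */
typedef struct { bool safe_state; int32_t commanded_assist_mNm; } EpsState;

#define ASSIST_TOLERANCE_mNm   200   /* CT/MT plausibility window (assumed value) */
#define ACTUATOR_TOLERANCE_mNm 300   /* commanded vs. measured assist window (assumed value) */
#define MAX_ASSIST_mNm         4000

/* Hypothetical assist law: proportional to driver torque, reduced with speed, clamped. */
static int32_t required_assist(const SensorInput *in)
{
    int32_t gain_pct = in->vehicle_speed_kmh >= 100 ? 20 : 100 - (in->vehicle_speed_kmh * 80) / 100;
    int32_t assist = (in->driver_torque_mNm * gain_pct) / 100;
    if (assist > MAX_ASSIST_mNm) assist = MAX_ASSIST_mNm;
    if (assist < -MAX_ASSIST_mNm) assist = -MAX_ASSIST_mNm;
    return assist;
}

/* Control Task part 1 and Monitoring Task part 1: the monitor recalculates the assist from
 * its own sensor inputs and activates the safe state if it differs from the CT result.
 * Returns the assist that may be commanded (0 in the safe state). */
int32_t eps_cycle_part1(EpsState *st, const SensorInput *ct_in, const SensorInput *mt_in)
{
    int32_t ct = required_assist(ct_in);
    int32_t mt = required_assist(mt_in);
    if (labs((long)ct - (long)mt) > ASSIST_TOLERANCE_mNm)
        st->safe_state = true;
    st->commanded_assist_mNm = st->safe_state ? 0 : ct;
    return st->commanded_assist_mNm;
}

/* Control Task part 2 and Monitoring Task part 2: the monitor compares what the actuator
 * delivers with what was commanded and activates the safe state if control is incorrect.
 * Returns true when the system is in the safe state after this cycle. */
bool eps_cycle_part2(EpsState *st, int32_t measured_assist_mNm)
{
    if (labs((long)st->commanded_assist_mNm - (long)measured_assist_mNm) > ACTUATOR_TOLERANCE_mNm)
        st->safe_state = true;
    if (st->safe_state)
        st->commanded_assist_mNm = 0;   /* power channel deactivated, no assist */
    return st->safe_state;
}
```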


Slide 31: Safety Analysis

• Safety Analysis is carried out during Concept and Product Development Phases

• Objective of the analysis

- examine consequences of faults and failures on the system

- provide information on conditions and causes that could lead to violation of a safety goal

- identification of new hazards not previously considered

• Qualitative and quantitative analyses are carried out

- Example: qualitative FTA demonstrating that faults in both redundant sensors (SensorA and SensorB) are needed to lead to violation of safety goal ‘Prevent Self Steer’

- Quantitative analysis such as FMEDA also required

Safety Analysis tool used in this example: medini analyse from ikv++ technologies
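The qualitative FTA result above (both redundant sensors must fail before the safety goal is violated) is what a minimal cut set analysis makes explicit. The following added C example, not from the presentation or the medini analyse tool, evaluates a small constructed fault tree over bitmasks of failed basic events and enumerates its minimal cut sets; the tree structure and the event names are assumptions.

```c
#include <stdbool.h>
typedef enum { BASIC, AND, OR } Kind;              /* gate types; BASIC refers to an event index */
typedef struct { Kind kind; int a, b; } Node;

/* Constructed tree (not the presentation's): basic events 0 SensorA internal fault,
 * 1 SensorA link fault, 2 SensorB internal fault, 3 SensorB link fault. */
enum { N_BASIC = 4, N_NODES = 7, TOP = 6 };
static const Node TREE[N_NODES] = {
    {BASIC, 0, 0}, {BASIC, 1, 0}, {BASIC, 2, 0}, {BASIC, 3, 0},
    {OR, 0, 1},    /* 4: SensorA fault */
    {OR, 2, 3},    /* 5: SensorB fault */
    {AND, 4, 5},   /* 6: violation of safety goal 'Prevent Self Steer' */
};

/* Evaluate a node for a set of failed basic events given as a bitmask. */
bool eval_node(int node, unsigned failed)
{
    const Node *n = &TREE[node];
    switch (n->kind) {
    case BASIC: return (failed >> n->a) & 1u;
    case AND:   return eval_node(n->a, failed) && eval_node(n->b, failed);
    default:    return eval_node(n->a, failed) || eval_node(n->b, failed);
    }
}

/* A cut set is minimal if it causes the top event and no proper subset does. */
bool is_minimal_cut_set(unsigned failed)
{
    if (!eval_node(TOP, failed)) return false;
    for (int i = 0; i < N_BASIC; i++)
        if (((failed >> i) & 1u) && eval_node(TOP, failed & ~(1u << i))) return false;
    return true;
}

/* Enumerate all minimal cut sets (brute force over the 2^N_BASIC subsets); returns how many. */
int minimal_cut_sets(unsigned *out, int max_out)
{
    int count = 0;
    for (unsigned failed = 1; failed < (1u << N_BASIC); failed++)
        if (is_minimal_cut_set(failed) && count < max_out) out[count++] = failed;
    return count;
}

/* Order of a cut set = number of basic events in it; order 1 would be a single-point fault. */
int cut_set_order(unsigned failed)
{
    int bits = 0;
    for (; failed; failed >>= 1) bits += (int)(failed & 1u);
    return bits;
}
```

For this tree every minimal cut set has order 2 (one SensorA fault together with one SensorB fault), which is the redundancy argument the slide's FTA makes; an order-1 cut set would flag a single-point fault against the safety goal.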
