Freescale’s Functional Safety Solutions program
August 2013
Functional Safety. Simplified.
• Simplifies the process of system compliance, with solutions designed to address the requirements of automotive and industrial functional safety standards
• Reduces the time and complexity required to develop safety systems that comply with ISO 26262 and IEC 61508 standards
• Supports the most stringent Safety Integrity Levels (SILs), enabling designers to build with confidence
• Zero defect methodology from design to manufacturing to help ensure our products meet the stringent demands of safety applications
Figure: the four pillars of the program (Safety Process, Safety Hardware, Safety Software, Safety Support) built on the Freescale Quality Foundation and addressing the Functional Safety Standards Automotive ISO 26262 and Industrial IEC 61508.
Freescale Quality Foundation
• Continuous Improvement: process evaluation, assessments / audits and gap-analysis exist to ensure processes are continually optimized
• Quality Management: ISO TS 16949 Certified Quality Management System; Hardware – Zero Defects; Software – SPICE Level 3
Safety Process
• Organization: safety is an integral part of the Freescale worldwide organization
• Project Management: Configuration & Change Management, Quality Management, Requirements Management, Architecture & Design, Verification & Validation
• Safety Analysis: selected products defined & designed from the ground up with safety analysis being done at each step of the process
• Assessments / Audits
• Safety Confirmation Measures
Safety Hardware
• Microcontrollers: Lockstep Cores, ECC on Memories, Redundant Functions, Internal Monitors, Built In Self Test, Fault Collection & Control
• Analog and Power Management: Voltage Monitors, External Error Monitor, Advanced Watchdog, Built In Self Test
• Sensors: Timing Checker, Digital Scan of Signal Chains, DSI3 or PSI5 Safety Data links
Safety Software
• Automotive Software: AUTOSAR OS & MCAL, Core Self Test, Device Self Test, Complex Drivers
• Software Partnerships: partnering with leading third-party software providers to offer additional safety software solutions for automotive and industrial.
Safety Support
• People: regional functional safety experts
• Documentation: Safety Application Notes / Safety Manual / FMEDA
• Functional safety is complex
• SafeAssure products are conceived to simplify system-level functional safety design and cut down time to compliance
• Key functional safety activities addressed
− Failure analysis (FMEA, FTA, FMEDA)
− Hardware integration (Safety Manual)
− Software integration (Safety Manual)
− Support Interface (DIA for ISO 26262)
• Helping you design-in SafeAssure products and achieve your system-level functional safety compliance, simply
Figure: ISO 26262 responsibilities across the supply chain
• OEM: Safety Architecture; Safety Concept; ASIL Classification of Functions (Item definition, Hazard analysis and risk assessment, Safety Goals, Functional Safety Concept)
• Tier 1: HW / SW offering
• Tier 2 Supplier – Freescale: Product Safety Measures (implemented in offering, described in Safety Manual, quantified/qualified by Safety Analysis); Development Process & Methods; Quality & Quality Data; labelled "Foundation"
• Flow down the chain: Safety Requirements & DIA (OEM to Tier 1, Tier 1 to Freescale); flow back up: Safety Manual & Safety Analysis
• Relevant scope of ISO26262: marked "high" at the Product Safety Measures end and "medium" at the Quality & Quality Data end
• Freescale Functional Safety Focus: Safety Element out of Context
Overall ISO 26262 compliance is achieved together, we each own a piece of the puzzle.
• The automotive industry develops generic elements for different applications and for different customers.
• These generic elements can be developed independently by different organizations.
• In such cases, assumptions are made about the requirements and the design, including the safety requirements that are allocated to the element by higher design levels and on the design external to the element.
• Such an element can be developed by treating it as a safety element out of context (SEooC).
• An SEooC is a safety-related element which is not developed for a specific item. This means it is not developed in the context of a particular vehicle.
Referenced ISO/FDIS 26262-10:2012(E), Clause 9
Figure: Development of a Software component as a SEooC* and Development of a Hardware component as a SEooC* (work-product flows); 59 out of a total of 122 work products are applicable to Freescale.
Referenced ISO/FDIS 26262-10:2012(E), Clause 9
• To view the latest SafeAssure product table visit www.freescale.com/SafeAssure
Functional Safety Solutions: three generations
• Gen 1 Safety: more than 10 years experience of safety development in the area of MCU
• Gen 2 Safety: first general market MCU, MPC564xL (Leopard) -> currently being integrated into TIER1 Systems
• Gen 3 Safety: from 2012, multiple MCUs in Body, Chassis and Powertrain (McKinley) will be architected according to ISO 26262
Timeline (figure, years shown: 2000, 2008, 2012):
• Custom IC, Custom Safety Platform for Braking: started to ship in 2000, first safe MCU for braking applications; IEC 61508 / ISO 26262 compliance achieved at system level (top down approach); MCU features are a key enabler for SIL3 / ASILD
• Leopard – 90nm: 32-bit Dual-Core MCU; developed according to ISO 26262; target applications for Chassis – ASILD
• PowerSBC: Voltage Supervision; Fail-Safe State Machine; Fail-Safe IO; Advanced Watchdog
• McKinley – 55nm: 32-bit Quad-Core MCU; developed according to ISO 26262; target applications for Powertrain – ASILD; this is the first MCU of the new generation
• Components:
− Safety Integrity Level 3 (SIL3) certified Chip-Set: Full-Custom leading edge automotive safety MCU; Full-Custom leading edge mixed-signal IC
− Actuators: Valves, Motor
− Sensors: Acceleration-, Pressure-, Wheel-speed-Sensors
• The automotive and industrial industries are increasingly requiring functional safety solutions.
• Freescale is your expert safety partner for your next-generation safety-critical applications
• Freescale is implementing a systematic approach to functional safety that reduces complexity for manufacturers of functional safety systems.
• Freescale’s new SafeAssure program is built on four key elements: safety process, safety hardware, safety software and safety support.
• The SafeAssure program is about the complete functional safety solution, not only a microcontroller-based program. It includes microcontrollers, sensors, analog and power management ICs.
• The ultimate goal of the program is to simplify system compliance with functional safety standards and, at the end of the day, keep people safe.
• For more information visit www.freescale.com/safeassure
SafeAssure Freescale HW / SW Solutions: PowerSteering Use-Case
SafeAssure EPS Demonstrator
• Demonstrates an EPS system solution using Freescale components
• Offers an example of the management of the system safety case as defined by ISO26262 covering
1. Item definition
2. Hazard and risk analysis
3. Definition of safety goals and requirements
4. Functional Safety Concept
5. Technical Safety Concept
6. System analysis example using FTA
• Exemplifies one Hazardous Event caused by one malfunction of the system
Figure: ISO 26262 safety lifecycle overview (part-clause numbers in brackets)
• Management of functional safety (2-5 to 2-7)
• Concept phase: Item definition (3-5); Hazard analysis and risk assessment (3-7); Functional safety concept (3-8)
• Product development: at system level (4), HW level (5), SW level (6); Safety validation (4-9); Functional safety assessment (4-10); Release for production (4-11)
• After release for production: Production (7-5); Operation, service & decommissioning (7-6)
• Also shown: Planning; Other Technologies; Controllability; External Measures; "In case of modification, back to appropriate lifecycle phase"
Safety Case Management: use of tool to manage development of safety case with large numbers of hazardous events
Item Definition: identifies main system functions e.g. ‘Provide steering support as required by driver’
2.1 Hazard Analysis: Malfunction (MF) identified using HAZOP keywords applied to main function – e.g. provide steering support BEFORE required by driver (or self steering)
2.2 Hazard Analysis: describe hazardous event (HE) occurring as a result of a malfunction of the main system function at > 80 km/h
2.3 Risk Assessment: assess severity, exposure and controllability (S, E and C) of the HE for the driving condition to determine ASIL level of safety goal
3. Safety Goal: define safety goal for HE
Safety Analysis
Tool used in this example: medini analyse from ikv++ technologies
Figure: EPS functional safety concept (block diagram)
• Channels: Motor control channel (dedicated sensor inputs); Power channel (deactivated in safe state); Actuator monitoring channel (dedicated sensor inputs, control of safe state); System monitoring channel (control of safe state)
• Sensor inputs: Torque Sensor 1, Steering Angle Sensor 1, Steering Speed Sensor 1 feeding Torque Assist Requirements Calculation 1; Torque Sensor 2, Steering Angle Sensor 2, Steering Speed Sensor 2 feeding Torque Assist Requirements Calculation 2
• Control path: Actuator Control, Gate Drive, Power Stage (Power Bridge, Pre-driver), Actuator, with feedback from Phase Current Monitor 1/2 and Rotor Position 1/2
• Power path: VBATT, Power Relay, Actuator Isolator Relay
• Monitoring: Actuator Monitoring; System Monitoring (power supply, clock, watchdog/supervisor)
• Safe states: Safe State OP2 (SSOP2) and Safe State OP1s (SSOP1n); the figure shows SSOP1a, SSOP1b and SSOP1c, each paired with SSOP2
Figure: EPS hardware implementation
• Devices: PwSBC MC33907; MCU MC5643L; Predriver MC33937A; Power Switch; Power Bridge; Motor (Actuator); Actuator Isolator (default: open)
• Signals and labels shown: VBATT, VDCLINK, VDD, GND, FS0b (SSOP2), IO1 (SSOP1a), IO2 (SSOP1b), IO3 (SSOP1c), EN1, EN2, DSPI, Watchdog, Error Monitor, Supply Monitor, FCCU, RST
• Power channel de-activation under control of application (MCU) and system monitor (SBC)
• Motor control and actuator monitoring channels implemented on MCU and pre-driver
• System monitoring channel implemented on intelligent SBC
Figure: Dual-Core Lockstep MCU software architecture (Core 1 / Core 2, Operating System (ASIL D))
• Control Task: Torque Assistance Requirement Calculation (independent sensor input)
• Monitor Task: Torque Assistance Requirement Calculation (independent sensor input)
• Control Task: PMSM Control, driving the Actuator Drive Peripherals
• Monitor Task: PMSM Control Monitor (independent sensor input)
• Safe State Control
Safe Operating System
• calls independent control and monitoring tasks
• support end-to-end protection of communications
Control Task, part 1
• calculate required torque assist
Monitoring Task, part 1
• re-calculate required torque assist
• activate safe state if different from CT
Control Task, part 2
• control actuator to provide required torque assist
Monitoring Task, part 2
• monitor actuator
• activate safe state if control incorrect
Safety Operating System
Solution supporting ASIL D: EB tresos Safety OS from Elektrobit
Tech Lab DEMO / Technical SESSION F0306
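The control/monitor split described above, as an added example that is not code from the slides, from Freescale or from Elektrobit: a monitor task re-calculates the torque assist from its own sensor inputs and raises a safe-state request when it disagrees with the control task, and a second monitor compares what the actuator does with what was commanded. The assist map, the current model, the tolerances and all type and function names are constructed assumptions.

```c
#include <math.h>
#include <stdbool.h>

/* Constructed sensor sample: control task (CT) and monitor task (MT) each read
 * their own independent torque / steering-speed sensor pair (hypothetical). */
typedef struct { double torque_nm; double speed_dps; } SensorSet;

/* Safe-state request raised by a monitor task; names are hypothetical, not any
 * Freescale or Elektrobit API. */
enum SafeReason { SS_NONE = 0, SS_ASSIST_MISMATCH, SS_ACTUATOR_FAULT };
typedef struct { bool requested; enum SafeReason reason; } SafeState;

#define ASSIST_TOL_NM 0.5   /* CT/MT disagreement tolerated on torque assist */
#define CURRENT_TOL_A 2.0   /* commanded vs measured phase-current tolerance */

/* Part 1 calculation: a constructed assist map, less assist at fast steering. */
double assist_calc(const SensorSet *s) {
    double gain = 2.0 - 0.005 * fabs(s->speed_dps);
    if (gain < 0.5) gain = 0.5;
    return gain * s->torque_nm;
}

/* Monitoring Task, part 1: re-calculate from MT's own inputs, compare with CT. */
bool monitor_part1(double ct_assist, const SensorSet *mt_in, SafeState *ss) {
    if (fabs(ct_assist - assist_calc(mt_in)) > ASSIST_TOL_NM) {
        ss->requested = true; ss->reason = SS_ASSIST_MISMATCH;
    }
    return ss->requested;
}

/* Constructed actuator model: commanded assist maps to a phase-current setpoint. */
double current_setpoint(double assist_nm) { return 10.0 * assist_nm; }

/* Monitoring Task, part 2: the actuator must follow what CT part 2 commanded. */
bool monitor_part2(double ct_assist, double measured_current_a, SafeState *ss) {
    if (fabs(current_setpoint(ct_assist) - measured_current_a) > CURRENT_TOL_A) {
        ss->requested = true; ss->reason = SS_ACTUATOR_FAULT;
    }
    return ss->requested;
}

/* One OS cycle: CT part 1 -> MT part 1 -> CT part 2 (drive) -> MT part 2. */
SafeState run_cycle(SensorSet ct_in, SensorSet mt_in, double measured_current_a) {
    SafeState ss = { false, SS_NONE };
    double ct_assist = assist_calc(&ct_in);               /* Control Task, part 1 */
    if (monitor_part1(ct_assist, &mt_in, &ss)) return ss; /* stop before driving */
    monitor_part2(ct_assist, measured_current_a, &ss);    /* after CT part 2 drove */
    return ss;
}
```

With matching sensor pairs and a following actuator the cycle ends with no request; a stuck monitor-side sensor trips part 1 before the actuator is driven, and a current that does not track the command trips part 2.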
Safety Analysis
• Safety Analysis is carried out during Concept and Product Development Phases
• Objective of the analysis
- examine consequences of faults and failures on the system
- provide information on conditions and causes that could lead to violation of a safety goal
- identification of new hazards not previously considered
• Qualitative and quantitative analyses are carried out
- Example: qualitative FTA demonstrating faults in redundant sensors (SensorA and SensorB) needed to lead to violation of safety goal ‘Prevent Self Steer’
- Quantitative analysis such as FMEDA also required
Tool used in this example: medini analyse from ikv++ technologies
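The qualitative FTA point above, as an added example that is not from the slides or from the medini analyse tool: a minimal-cut-set search over a small fault tree shows that with redundant SensorA and SensorB the top event needs both faults, and it goes one step beyond the slide by contrasting a single-sensor tree whose smallest cut set has order 1 (a single point of failure). The tree, event names and function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Basic events of the constructed fault tree, used as bit positions. */
enum { SENSOR_A_FAULT = 0, SENSOR_B_FAULT = 1, N_EVENTS = 2 };
static const char *EVENT_NAME[N_EVENTS] = { "SensorA fault", "SensorB fault" };

/* Top event (violation of 'Prevent Self Steer') for the redundant design on the
 * slide: an AND gate, both sensors must be faulty. */
bool top_redundant(unsigned faults) {
    return (faults >> SENSOR_A_FAULT & 1u) && (faults >> SENSOR_B_FAULT & 1u);
}
/* Added contrast: the same safety goal with a single, non-redundant sensor. */
bool top_single(unsigned faults) { return (faults >> SENSOR_A_FAULT) & 1u; }

static int popcount(unsigned x) { int n = 0; for (; x; x &= x - 1) n++; return n; }

/* Minimal cut sets: fault combinations that raise the top event while no proper
 * subset does. Enumerates all 2^N_EVENTS combinations (fine for small trees). */
int minimal_cut_sets(bool (*top)(unsigned), unsigned *out, int max_out) {
    int n = 0;
    for (unsigned c = 1; c < (1u << N_EVENTS); c++) {
        if (!top(c)) continue;
        bool minimal = true;
        for (unsigned sub = (c - 1) & c; sub; sub = (sub - 1) & c)
            if (top(sub)) { minimal = false; break; }
        if (minimal && n < max_out) out[n++] = c;
    }
    return n;
}

/* Order of the smallest minimal cut set: how many independent faults are needed
 * to violate the safety goal. 1 means a single point of failure. */
int smallest_cut_set_order(bool (*top)(unsigned)) {
    unsigned cs[1u << N_EVENTS];
    int n = minimal_cut_sets(top, cs, 1 << N_EVENTS), best = N_EVENTS + 1;
    for (int i = 0; i < n; i++) if (popcount(cs[i]) < best) best = popcount(cs[i]);
    return n ? best : 0;
}

int main(void) {
    unsigned cs[1u << N_EVENTS];
    int n = minimal_cut_sets(top_redundant, cs, 1 << N_EVENTS);
    for (int i = 0; i < n; i++) {
        printf("cut set %d:", i + 1);
        for (int e = 0; e < N_EVENTS; e++) if (cs[i] >> e & 1u) printf(" [%s]", EVENT_NAME[e]);
        printf("\n");
    }
    printf("order: redundant=%d single=%d\n", smallest_cut_set_order(top_redundant),
           smallest_cut_set_order(top_single));
    return 0;
}
```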