PUBLIC USE
Philip Pesses, Automotive Technical Marketing
David Lopez, Segment & Application Manager
FTF-SMI-N1805
May 16, 2016
NXP FUNCTIONAL SAFETY PORTFOLIO
AGENDA
• What is NXP SafeAssure™ program
• Functional safety needs
• NXP experience on safety concept
• NXP microcontroller & analog portfolio
• Targeted industry applications
• Certification process
• Enablement
SafeAssure™ Program
• NXP simplifies the process of system compliance for automotive and industrial functional safety standards
• Reduces the time and complexity required to develop safety systems that comply with ISO 26262 and IEC 61508 standards
• Supports the most stringent Safety Integrity Levels (SILs)
• Zero defect methodology from design to manufacturing to help ensure our products meet the stringent demands of safety applications
• Functional safety activities address:
− Safety process (FMEA, FTA, FMEDA) integrated into development process
− Safety hardware (safety manual) BIST, ECC, etc
− Safety software (safety manual) Autosar MCAL, OS, core self tests, etc.
− Safety support – training, documentation and tech support
Robust Safety Systems are Key to Prevent Industrial Impacts
• Deep Water Explosion
• Airline Crashes
• Nuclear Plant Disaster
• Windmill Error Causes Overheating
• Utility Fire
• Factory Robot Injures Operator
Why Does Industrial Need Functional Safety?
• Higher integration and system complexity
− Safety requirements established in non-traditional markets, e.g. solar energy
− Increased use of high-performance sensor systems results in substantially higher MCU performance requirements
• Protect equipment against dangerous random failures or malfunction
• Reduce warranty or litigation costs by aligning to safety standards (IEC 61508 / ISO 26262)
• Need for understanding faults vs. failure modes
Residual Failures on System Level Addressed by Safety Integrity Targets
• Dangerous failures in a safety system come from a combination of the following
− Development bugs, e.g. software or hardware
− Insufficient system safety architecture
− Transient failures in semiconductors, primarily SRAM with very high rate of occurrence
− Permanent failures in hardware
Residual failures on system level: Continuous Mode Safety Targets based on Consequence of Failures (Safety Integrity runs from Low to High)
IEC 61508 SIL | ISO 13849 PL | Probability of a dangerous failure per hour | Consequence of failures
n/a | a | No requirements | n/a
1 | b, c | >= 10^-6 to < 10^-5 | Potential for minor injuries
2 | d | >= 10^-7 to < 10^-6 | Potential for major injuries or one fatality
3 | e | >= 10^-8 to < 10^-7 | Potential for multiple fatalities
4 | n/a | >= 10^-9 to < 10^-8 | Potential for fatalities in the community
ISO 26262 ASIL: n/a in the "No requirements" row; A, B, C and D spread across the SIL 1 to SIL 3 rows; n/a in the SIL 4 row
Typical break down of failures on MCU level
Failure Type | Per Hour | FIT | %
MCU SRAM Transient Failure Rate | 7.00E-07 | 700 | 70
MCU FF Transient Failure Rate | 2.00E-07 | 200 | 20
MCU Package Permanent Failure Rate | 8.00E-08 | 80 | 8
MCU Die Permanent Failure Rate | 2.00E-08 | 20 | 2
MCU Total Failure Rate | 1.00E-06 | 1000 | 100
Truly Different: Automotive Ultra-Reliable MCU vs. Consumer Components
ZVEI work group classified 6 categories for potential 66 differences
Process chain: Technology; Semiconductor & Packaging; Design incl. DFT and DFM*; Validation, Characterization, Qualification; Manufacturing, Production, Test & Support
Standards: IEC 61508, AEC Q100, ISO TS 16949, ...
Automotive Requirements: Reliability, Zero Defects, Supply, Security, ...
The component capability is frozen after technology, packaging & product development and impacts the right slope of the "Bath Tub Curve"
Quality & Reliability in a Typical Automotive 125 °C (Ta) Mission Profile
* Note: DFT = Design for Test; DFM = Design for Manufacturability
Automotive Market Trends
• Connectivity & Security
− Optimize information flow across the car (from LIN to Ethernet)
− Protect data to avoid hacking
− Simplify network design at OEM level
• Drive Train Electrification
− Green trend : EV / HEV vs combustion to reduce emissions
− 48 V electrical network to improve power efficiency
− ISO26262 Functional Safety growth driver and system availability
• Autonomous & Safe Drive
− Highest automotive MCU/MPUs performance for real time decision
− Increased safety & security level to protect lives (fail operational)
− Driverless to develop social mobility & reduce traffic congestion
Zero Accidents: Auto World’s Big Goal
Road Traffic Injuries
Road Traffic Accident will be the 3rd Worldwide
Disability-Adjusted Life Years (DALYs)
NXP Leadership Driving Auto MCU Functional Safety Solutions
Functional Safety Solutions timeline labels: 2004, 2012, Available Now, In planning
Gen 1 Safety - More than 10 years experience of safety development in the area of MCU & SBC
Custom Safety Platform for Braking (Custom IC)
• Safe methodology, architecture, SW and tools
• Started to ship in 2000 first safe MCU prototypes for braking applications
• IEC 61508 / ISO 26262 compliance achieved at system level (top down approach)
• MCU features are a key enabler for SIL3 / ASIL D
Gen 2 Safety - First general market automotive MCU (MPC5643L) certified according to IEC 61508 / ISO26262
MPC5643L - 90 nm
• 32-bit Dual-Core MCU
• Developed according to IEC 61508 / ISO 26262
• Target applications for chassis – ASIL-D
Gen 3 Safety - Multiple MCUs in automotive are being designed and developed according to IEC 61508 / ISO26262
MPC5744P/MPC5777M/C/etc - 55 nm
• 32-bit Dual/Quad-Core MCU
• Developed according to IEC 61508 / ISO 26262
• Target applications for chassis & P/T – ASIL D
Gen 4 Safety - In planning phase
Technology (under investigation)
Integrated dependability approach combining safety & security with availability as well as reliability process requirements
PowerSBC
• Voltage supervision
• Fail-Safe state machine
• Fail-Safe IO
• Advanced watchdog
Safety Certification Achievement
Systematic Integrity:
• ASIL-D The µC MPC5643L is a safety element out of context per ISO DIS 26262-10.
• The development as documented by NXP has met the applicable ISO 26262-4, ISO 26262-5, ISO 26262-8 and ISO 26262-9 design and verification & validation requirements for Automotive Safety Integrity Level (ASIL) D applications as guided by ISO DIS 26262-10 and the functional safety management requirements per ISO 26262-2.
Random Hardware Integrity
• The FMEDAs performed by NXP meet the verification requirements of ISO 26262-5 §8 and the requirements applicable to an IC SEooC of ISO 26262-5 §9.4.2 for ASIL D applications.
• The quantitative input to the FMEDA was based on NXP field experience and statistics. Appropriate scaling factors according to ISO 26262-5 Annex F will have to be agreed with the future user.
NXP Safety MCU Features Using MPC5744P
Block diagram labels: Cross Bar Switch – E2E ECC (Addr+Data); Memory Protection Unit – 32 regions; 2.5 M FLASH (I/D) (A+D ECC); PMU; SWT; MCM; STM; INTC; CACHE; PowerPC™ e200 (VLE, S-FPU); DLMEM; Nexus/Aurora; JTAG; Debug; CACHE; PowerPC™ e200 Safety Checker (VLE, S-FPU); 2 x LINFlex; 4 x DSPI; 4 x ADC; 3 FlexCAN; 3 x eTimer; FCCU; 2 x FlexPWM; 2 x CTU; 2 x TSENS; I/D-cache; 384 KB SRAM (A+D ECC); FlexRay; SIPI; CRC; Safe eDMA; Safety Lake; I/O Bridge; SRAM Ctrl Multi Ported; Flash ctrl; I/O Bridge; I/O System; Crossbar Slaves; Ethernet; CMUs
Sphere of Replication:
• Replicated e200 Core (Delayed) Dual Core Lockstep
• Replicated eDMA
• Redundant INTC, SWT, etc
• Redundant MMU
• RC Units at Gates to non redundant sphere
• Safety Enhancement using VLE
Clock & Power Monitoring
• Detects and mitigates clock disturbances
• PLL
Timer
• eTimer0 channels “isolated”
Analog to Digital Converter
• On Line Assisted Hardware BIST
Crossbar Switch + Memory Protection Unit:
• Redundant, ECC
• RC Units at Gates to non redundant sphere
Fault Collection Unit
• Detects when errors have occurred
• Indicates error to external
• Independent of software operation
Flash
• ECC
Random Access Memory
• ECC
Temperature Sensor
• Redundant
Cyclic Redundancy Checker Unit
• Application Signature
Power Management Unit
• Internal Vreg
• Redundant Vmonitor
More details in MPC5744P Safety Manual
Functional Safety Values
5P’s Functional Safety Pillars & Differentiation
Philosophy, Process, People, Partners, Products
Philosophy – Culture
• « To design systems that work correctly we MUST understand and correct how they can go wrong » Daniel Saul Goldin, NASA Administrator
• SafeAssure : Corporate commitment to support functional Safety
Process – Discipline
• Analog & sensor ISO26262 Development Process Compliance certified by TÜV-SAAR
People – Know how
• Training, Safety Culture & mindset. Expertise on ISO26262 standard, hardware architecture & documentation
Partners – Collaboration
• System solution to fit for ASIL (SBC + MCU + Drv)
• System safety goals (Car OEM)
Products – Value & Differentiation
• 1st ISO26262 SBC to fit for ASIL D systems
• Innovative hardware monitoring architecture
Functional Safety Values
5P’s Functional Safety Pillars & Differentiation
• ISO26262 certified hardware development process for analog and sensor products
• Development rules, processes and tools certified as compliant with ISO 26262 standard part requirements applicable to semiconductor suppliers
ISO 26262-2:2011 – Safety management
ISO 26262-5:2011 – Hardware development
ISO 26262-7:2011 – Production
ISO 26262-8:2011 – Supporting processes
ISO 26262-9:2011 – Safety analysis
First Generation Functional Safety SBC Qualified, Certified Fit for ASIL D, in Production
Architecture integrating supply and MCU monitoring, Hardware redundancy, and tools to fit for ASIL-D at system level
1 – Independent Voltage Supervisor
Independent references and bandgaps
2 – Fail Safe State Machine
Isolation trench for physical isolation
MCU error signal monitoring
Analog error signal handling
Generates system reset, or deactivation signal
3 – Watchdog Challenger
Windowed watchdog (1ms to 1024ms)
4 – Proven Documentation & Tools
Support to design ASIL applications
safety manual & FMEDA
MC33907 & MC33908 block diagram labels:
• Flexible (I/O)
• Wake / INH
• 1 CAN HS
• Vcca (100 / 300mA): 3.3V or 5.0V LDO
• 0 or 1 LIN 2.x, J2602-2
• Secured SPI
• Fail Safe State Machine (RST, FS0)
• AMUX (Battery, I/O, Temp, Vref)
• VPRE DC/DC: 6.5V / 2.0A Buck
• LV124 compliant
• Advanced Low Power Modes (30µA)
• VAUX – tracker (400mA): 5.0V or 3.3V LDO
• VCOM (100mA): 5.0V LDO
• VCORE DC/DC: From 1.2V up to 5.0V, 0.8 / 1.5 A versions
• Boost Driver
• Battery Sense Before RBP
MC33907 & MC33908 PowerSBC
Proven Industry Certifications
Elect. Conformance
• C&S granted
• Velio granted
EMC/ESD Conformance
• IBEE Zwickau granted
• MOOSER J2962 granted
• AN4766 PCB Design & EMC guideline
Safety Assessment
• Positive assessment regarding design capability to be used in a safety application up to ASIL D
Second Generation SBC for Drive Train & ADAS – FS65/45
Samples available
PPAP June 2016
Data sheet
EMC board
Safety Manual
SW Starter Guide
FS65
Samples
FMEDA
eFAST
Maximize re-use vs MC33907/8
• Same package (48 pins LQFP with EP)
• Same Technology (SM8MV)
• Pin to pin compatible
Evolutions vs MC33907/908
Power Management scalability
• FS65: 3 versions with DC/DC (0.8 A, 1.5 A, and 2.2 A NEW)
• FS45: 1 version with LDO (1.2 V to 5.0 V up to 500 mA) – NEW
Advanced Safety Concept providing flexibility and availability
• Configurable Fail Silent Mode with fit for ASIL D
• Second Fail Safe output (FS1b) to secure Safe delay after FS0b
Save BOM System Cost with new hardware solutions
• Long Duration Timer, FS1b, and VKAM Supply
Improve In Vehicle Networking Scalability
• CAN FD 2Mb/s and LIN versions (C or L versions)
• CANless pin to pin compatible versions (N versions)
Support Attach Strategy
• With S32 for Power Train, Drive train and ADAS (MPC57xx, S32R)
• With other MCU suppliers
FS65 & FS45 Family – Extending Functional Safety SBC Solutions
Scalable Power Management
• FS45xx: 1.2 V to 5.0 V / 500 mA
• FS650x: 1.2 V to 5.0 V / 0.8 A
• FS651x: 1.2 V to 5.0 V / 1.5 A
• FS652x: 1.2 V / 2.2 A
Scalable System Management
• Industrial Version: Vcom, No PHY
• Standard: CAN FD & CANless
• e-Safe: CAN FD, FS1b
• PowerTrain: CAN FD, LIN, LDT
• PowerTrain: CAN FD, FS1, LDT
Part numbers shown: 34FS4500C/N, 34FS6500N, 34FS6510N, 34FS6520N, 33FS4500C/N, 33FS6500C/N, 33FS6501C/N, 33FS6511C, 33FS6521C, 33FS6502C/L, 33FS6512C/L, 33FS6522L, 33FS4501C/N, 33FS6503L, 33FS6513L, 33FS6523L
Application labels shown: ADAS, HE EMS; Inverter, EMS; TCU; EPS, HEV; Suspension; EPS, BMS; Elevators; eBike, PLC; Mild Hybrid; Truck; IMM Radars; EPS, HVAC; HE EMS; Gear Box; TCU
Automotive MCU Functional Safety Roadmap
Legend: Hardware Security, Ethernet, USB, Production, Proposal, Planning, Execution, 135-150C Ambient
Timeline: quarters of 2015, 2016 and 2017
Segments:
• ADAS: Vision, Automated/Fusion, Surround, Front/rear Radar
• VDS: Powertrain/hybrid, Chassis/safety
• GATEWAY: Traditional ENET/FR, Displays/Clusters
• GPIS: Body Electronic, Actuator/sensor, FET/relay Motor, CAN/LIN, LCD/Gauge
Applications:
• Vision processing for autonomous
• Surround cameras
• Short/Medium/Long range Radar
• Sensor Data Fusion
• Engine control
• Power steering
• Braking
• High-end Functional Safety and Security
• Vehicle Gateway
• Body Controller
• Audio Gateway
• Multi Display Management and Clusters
• General Purpose MCUs
• Battery Management
• BLDC Motor Control / HVAC
• High Voltage Integration
Products:
• S32K14x: M4F 112Mhz, up to 2M, CAN-FD, ASIL B
• S32K11x: M0+ 48Mhz, up to 256K, CAN-FD, ASIL B
• S32V23xC, S32V23xG, S32V23xK; descriptors shown: 4x A53 1GHz, APEX, ISP, PCIe, SDHC, ASIL B; 2x A53 600MHz, ASIL B
• MPC567xK: 2x 180MHz, up to 2M
• MPC577xK: 2x 266MHz, Lockstep/ASILD, up to 4M, SPT1.0 - 3D FFT
• MPC5643L, MPC5777C/M, MPC574xR, MPC574xP, MPC564xB/C, MPC574xG, MPC5668G, MPC574xB/C, MPC560xP; descriptors shown:
− 2x 200MHz, Lockstep/ASIL D, 2.5M
− Multi-core up to 300MHz, Lockstep/ASIL D, 8M, HSM/CSE, CAN-FD
− Multi-core 264MHz, Lockstep/ASIL D, 4M
− 64MHz, 512K
− 2x 120MHz, lockstep/ASIL D, 1M
− Single-Dual-core, 120MHz, 3M, CSE
− Multi-core, 160MHz, ASIL B, 6M, HSM, MLB, ENET switch, CAN-FD
− Single-Dual-core, 160MHz, ASILB, 3M, HSM, CAN-FD
− Dual-core 116MHz, 2M, MLB
• MAC57D5xx: A5, M4, M0+, ASIL B Dual Display, SMD
• MPC560xB: 32-bit 64Mhz, up to 1.5M
• S12ZVL: MCU w LINPHY + Vreg, ASIL A
• S12ZVMC: MCU w GDU +Vreg +PHY
• S12ZVC: MCU w CANPHY + Vreg, ASIL A
Functional Safety MCUs
Product | Target Applications | Safety Hardware
MPC577xK | Vision/Radar | Targets ASIL D
MPC5748G | Control Module/Gateway | Targets ASIL B
MPC5777M | Engine Control | Targets ASIL D
MPC5744P | Safety Domain Control | Targets ASIL D
MPC564xL | Input/output Control | Targets ASIL D
S32K | General Purpose ARM MCU, Motor Control | Targets ASIL B
S32V | Radar, Sensor fusion, Vision | Targets ASIL B
S12ZVL | LIN Nodes | Targets ASIL A
S12ZVC | CAN Nodes |
NXP Products: Automotive Grade for Challenging Environments
AEC Q100: All NXP Automotive MCU are AEC Q100 certified
125˚C: All NXP Automotive MCU support up to 125˚C ambient temperature
135˚C+: Extended temperature up to 135˚C+ ambient on several product lines (S08SG, S12G, S12ZV, MPC57xx)
Low PPM: Benefit of one of the lowest PPM level in the industry targeting zero defects performance
• Largest portfolio with automotive qualification grade
• High temperature for space constraint applications like fuel, oil, water pumps, sensor and actuators.
Functional Safety Applications Derived from IEC 61508
Generic Functional Safety Standard IEC 61508: Required for all applications where a malfunction may cause physical injury or damage to the health of people!
Application groups: Applications with controlling functionality; Applications with moving parts; Applications for people
Application areas:
• Aerospace Control, e.g. flap drives, ventilation pumps, fuel pumps, brakes
• Motor Control / Drives, e.g. robotics used in industrial automation, DC / AC motor drives
• Industrial Transportation, e.g. conveyor belts, fork lifter, brakes, (unmanned) vehicles
• Robotics, e.g. welding, pick & place, laser/water/plasma cutter, harvester
• Power Generation and management, e.g. power plants, solar inverters, refineries
• Building Control, e.g. automatic doors, access
• Public Transportation, e.g. elevators, escalators, automatic doors, stair lifts, rail switching controls
• Medical, e.g. pumps, injectors, defibrillators, powered patient beds, valves, ventilators
• Automotive, e.g. ADAS, Gateway, Chassis, Body, wireless charging
• Industrial Automation, e.g. process/temperature/smoke control, boilers, chemical
Derived standards:
• EN 50128 – railway
• ISO 26262 – automotive
• IEC 62061 – machinery
• IEC 61511 – process industry
• DO-178B & DO-254 – Aerospace
• IEC 60880 & IEC 61513 – nuclear power stations
• IEC 60601 – medical equipment
• IEC 61131 – controls
• IEC 61800 – powertrain
• IEC 61215 – solar
• ISO 13849 – machinery
NXP Success Stories in Functional Safety
• Construction machines - MPC5777C, 13849-1 and SIL 3 / Motor control, hydraulic pumps, breaking…
• Medical pump - MAC57D5x, SIL 2 / HMI and safe display + characters stored in external QSPI flash.
• 3 phases solar inverter - MPC5675K, dual core w external memory + Ethernet / drives power inverters, data collection, network connection.
• Elevator by TUV Nord - MPC5744P, SIL3 / safety module, system put into safe state in case of fault.
• Fire alarms - MPC5643L, SIL requirement / control panel, decision making.
• Signaling systems - MPC5643L, SIL3 systems w lockstep / measurement, comm and decision making.
• Detection on construction machines - MPC5675K, SIL 2 requirement / radar application.
• Oilrig sensor systems - MPC5675K, SIL and external memory / gas sensor, decision making
Certify Your Safety System According to IEC 61508 / ISO 13849
Best Practices and Expected Support
Phases: Process Mgmt, Technical Workshop, Concept incl. Verification, Design incl. Integration, Test, Certification
Support roles: Customer, Assessor, Distribution FAE, NXP, Partner*
• Create an initial block architecture on system level
• Make sure your company processes are properly documented (ISO 9001)
• Create your safety concept by using safety plan as well as verification & validation plans to document processes and responsibilities along the life time cycle (safety requirements)
• Ensure the implementation of the defined safety requirements
• Execute actions derived from the analysis of safety critical operations
• Review FMEDAs & Safety Manual, determine PFH per safety critical function and specify test cases
• Perform a design review with a qualified safety expert
• Build up first PCB with target SW & verify the HW
• Perform & document tests on system level according to the mission profile
• Prove the efficient control of occurred HW/SW functional failures using fault insertion tests
• Review the full development documentation according to IEC 61508 requirements
• Review the conformity of SW & HW in details based on sampling
* NXP works with a range of partners in making the tools, software, training and engineering services necessary to help bring a solution to life.
** Optional
*** NXP document sharing which includes the Safety Manual, Reference Manual, manufacturing certificates and Data Sheet. FMEDA as well as the Safety Plan addressing the ISO 26262 standard are available upon request (NDA needed).
Broad Portfolio
• ARM® Architecture (32-bit) for industry leading power consumption
• Power Architecture® (32-bit) for industry leading performance
• MagniV (16-bit) for industry leading integration
• S12 (16-bit) for industry leading scalability
Enablement
• S32 Design Studio IDE for ARM
• S32 Design Studio IDE for Power
• S32 Design Studio IDE for Vision
• CodeWarrior IDE for S12/MagniV
• SDK and Bare Metal Drivers, Libraries
• FreeRTOS & MQX support
• Freemaster & AMMCLIB Motor Tools
• Processor Expert (PE)
• SafeAssure for IEC61508 / ISO26262
• AUTOSAR Functional Safety MCAL/OS software for Automotive
• Reference Designs & Demos
• Low cost development kits (FRDM / DEVKIT / TRK)
• 3rd Party Partner Ecosystem
The Value Proposition of NXP MCU/MPUs
Product Longevity, Design Support, Automotive Quality, Platform-Level Solutions, Market Leading IP
SafeAssure Kit – Machinery Safety Certification on System Level
Background
MicroSys & NXP partnership developed a comprehensive SafeAssure kit based on MPC5744P & MC33907 (System Basis Chip)
Latest generic & machinery safety norms have been addressed
IEC 61508 / 62061 up to SIL 2
ISO 13849 up to PL d, Cat. B
SafeAssure kit lowers your cost during the early prototype development and comes with complete SW & HW documentation
Status
An additional concept study addressing highest safety integrity levels is underway (IEC61508/62061: SIL 3 & ISO 13849 PL e, Cat. 3) – planned to be completed in 2016
TÜV assessor currently in review of the safety kit capabilities.
Redundancy concept has been accepted already
Next: Final letter of certification - expected in early Q3 2016
Prototypes available now for your safety project!
Easy to Use Enablement & Tools
Accelerate Design In and Secure Use Case Validation
• Standardize & Simplify HW
• Processor Exp., KDS, SDK
• USB Standard GUI
Universal SBC Enablement
Automated Validation
eFAST – Unique Simulation & Tools
• Accelerate & Secure System CZ
• Non ISO pulse OEM Database
• MCU Attach Strategy
• Simplify design in
• Optimize BOM selection
• Next : Safety Behavior Model
Green Hills Has Achieved The Highest Levels of Safety Certifications
Certifying Authority | Level Achieved | Industry
FAA / EASA | DO-178B, Level A | Avionics
FDA | Class II, III | Medical
TÜV Nord, exida | IEC 61508: 2010 – SIL 4 | Industrial
TÜV Nord, exida | EN 50128: 2011 – SIL 4 | Rail / Transportation
TÜV Nord, exida | ISO 26262-2010 – ASIL D | Automotive
Transdyne Corp. | SEI / CMMI | All
IEEE and Open Group | 1003.1 IEEE POSIX | All
The most highly certified RTOS and IDE in the embedded market segments
• INTEGRITY RTOS
• MULTI Compilers
• “Certified” is much different than “certifiable”
• CMMI Maturity Level 3 rating
exida certificate (GHS 1002005 C001, Revision 1.2, April 30, 2012):
exida hereby confirms that the MULTI Integrated Development Environment (IDE) and Toolchain has been assessed per the relevant requirements of:
• IEC 61508: 2010 Part 3, Section 7.4.4
• EN 50128: 2011, Section 6.7
• ISO 26262: 2011 Part 8, Section 11
and meets requirements providing a level of integrity to: Qualified for SIL 4 and ASIL D
Tool Functions: The MULTI IDE and Toolchain are used to create, edit, compile, link and debug embedded software applications on a variety of different platforms.
Application Restrictions: The tool must be used under the same constraints, operating conditions and environments used in the validation of the tool. These are documented in the referenced Assessment Report.
Reports: GHS 05/10-22 R001 V1 R3 Assessment Report
Validity: This assessment is valid for the MULTI Integrated Development Environment (IDE) and Toolchain. This assessment is valid until April 1, 2015.
Green Hills Software, Inc., Santa Barbara, CA - USA
Functional Safety Experts
Products & Technologies
Safety Team
• Assists customers before, during and after certification process
• Training, analysis, development
Certification Support Services/Data
• Safety Manuals, Safety BSP, Safety Layer
• Prepare customer with safety case strategy
Proven Customer Deployments
• Industrial, Automotive, Medical, Avionics, Financial infrastructure, IT Security, Military
ATTRIBUTION STATEMENT
NXP, the NXP logo, NXP SECURE CONNECTIONS FOR A SMARTER WORLD, CoolFlux, EMBRACE, GREENCHIP, HITAG, I2C BUS, ICODE, JCOP, LIFE VIBES, MIFARE, MIFARE Classic, MIFARE
DESFire, MIFARE Plus, MIFARE FleX, MANTIS, MIFARE ULTRALIGHT, MIFARE4MOBILE, MIGLO, NTAG, ROADLINK, SMARTLX, SMARTMX, STARPLUG, TOPFET, TrenchMOS, UCODE, Freescale,
the Freescale logo, AltiVec, C 5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C Ware, the Energy Efficient Solutions logo, Kinetis, Layerscape, MagniV, mobileGT, PEG, PowerQUICC, Processor Expert,
QorIQ, QorIQ Qonverge, Ready Play, SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid, Airfast, BeeKit, BeeStack, CoreNet, Flexis, MXC, Platform in a Package, QUICC Engine,
SMARTMOS, Tower, TurboLink, and UMEMS are trademarks of NXP B.V. All other product or service names are the property of their respective owners. ARM, AMBA, ARM Powered, Artisan, Cortex,
Jazelle, Keil, SecurCore, Thumb, TrustZone, and μVision are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. ARM7, ARM9, ARM11, big.LITTLE, CoreLink,
CoreSight, DesignStart, Mali, mbed, NEON, POP, Sensinode, Socrates, ULINK and Versatile are trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. Oracle and
Java are registered trademarks of Oracle and/or its affiliates. The Power Architecture and Power.org word marks and the Power and Power.org logos and related marks are trademarks and service marks
licensed by Power.org. © 2015–2016 NXP B.V.