26 and 27 August 2014, Transamérica Expo Center, São Paulo/SP

Safe IoT: Using LTSpice to Model Failsafe Logic in Embedded Systems

Jonny Doin, CEO, GridVortex

Agenda

• Safety: What is Safety?
• Failure: What constitutes Failure?
• Design for Safety: Failsafe Design
• Failure in Embedded Systems
• LT Spice as a system modelling tool
• Modelling the Firmware/Hardware interfaces
• Simulating Software failure at the interface
• Circuit behavior under failure scenarios
• Final thoughts

Safety: What is Safety?

A Safe System is one that exhibits:

• Deterministic responses
• Controlled behaviors for all inputs
• Outputs that are never placed in a hazardous state

Safety: What is Safety? (2)

REALITY: ALL SYSTEMS WILL FAIL

Safety: What is Safety? (3)

In the real world, systems are always connected to other systems.

Hazardous output states must be qualified from the downstream (external) system's point of view.

Failure

Failure is a malfunction of the system, or a deviation from its designed behavior.

In any system, such a deviation in the processing chain can lead to system failure.

Failure (2)

Designs can handle system failures at the critical interfaces, by identifying input failure and ensuring a known output state.

This design pattern is recursive, i.e., it can be applied to subsystems down to the smallest modules, to ensure that the whole system fails in a safe mode.

Failsafe Design

Identifying the failure modes of the inputs and the safe state of the outputs are the main concerns of FailSafe Design.

The hazards must be assessed, e.g., following an FME(C)A methodology and possibly an FTA (fault-tree analysis) for the critical components.

Failsafe Design (2)

Once identified, the Hazardous behaviors can be used to direct system design from the ground up, designing for maximum avoidance of such behaviors.

Failsafe Responses must be triggered by an internal or external failure.

Failsafe Design (3)

Failsafe design can be “costly” in system resources. For example, achieving functional safety in Firmware may lead to fully redundant processors, running in lockstep mode.

Identifying critical system points can lead to safe designs at low cost.

Failure in Embedded Systems

Mixed signal embedded systems are ubiquitous, running from factory automation to car engines.

The interconnected embedded systems, also called IoT devices, need to be designed as critical nodes for functional safety.

Failure in Embedded Systems (2)

Aside from failsafe Firmware design techniques, the Firmware/Hardware interface is one critical design node.

Designing such an interface for safety, and simulating and testing its failure modes, are essential safety-critical design concerns.

LT Spice as a System Tool

LT Spice is a very fast and accurate professional circuit simulation tool.

Used as a circuit simulator, LT Spice can predict actual behavior with high precision.

Modelling the interaction of Firmware and Analog hardware in the design stage is a powerful capability.

LT Spice as a System Tool (2)

LT Spice allows modeling mixed-signal systems, including Firmware behavior interaction with Analog hardware:

• Behavioral sources (B)
• Digital Gate primitives (Axxx)
• Hierarchical subcircuits
• Waveform and data file generators

Modelling system interfaces

Designing the Fw/Hw interface as a failsafe node has a number of advantages:

• Functional decoupling of Firmware and Hardware
• Addresses CPU failure
• Lower cost of implementation

Modelling system interfaces (2)

Examples:

• Failsafe “Passive” drivers
• AC-coupled commands
• Failsafe “ON” actuators

Example: Failsafe “passive”

Output analog drivers can be designed to fail in high-impedance mode.

Example: Failsafe “passive” (2)

The 2 analog outputs are buffered with failsafe drivers that go high impedance when VCC is lost.

Example: Failsafe “passive” (3)

• Each output is buffered and isolated with 2 NPN bipolar transistors.
• When VCC fails, the transistors cut off, with very high impedance.
• A 68 kΩ resistor is seen by the output current source and will drive the output voltage to 6.8 V, bringing the output to 100%.
• This failsafe guarantees the downstream system is ON, even on loss of control.

Example: AC-coupled cmds

On a firmware failure, toggling signals will stop at VCC or GND.

AC-coupled commands can detect such firmware failures.

Example: AC-coupled cmds (2)

Example: Failsafe “ON”

When the failsafe behavior is to keep an actuator ON, the firmware commands are designed to turn it OFF.

A firmware failure will keep the actuator ON.

Example: Failsafe “ON” (2)
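A constructed LTSpice netlist, added here and not taken from the talk's own schematics, that combines the two patterns above: the AC-coupled command from the previous example holds a failsafe-ON actuator OFF only while the firmware keeps toggling its pin, so a pin stuck at VCC or GND releases the actuator into its ON state. The topology, node names, part values and the "firmware stops after 50 cycles" stimulus are all assumptions.

```spice
* Constructed example (not from the talk): AC-coupled command driving a
* failsafe-ON actuator. Run with .tran and plot V(cmd), V(det), V(alive), V(drv).

* Firmware GPIO: 5 V, 1 kHz square wave for 50 cycles, then stuck at GND
* (PULSE Voff Von Tdelay Trise Tfall Ton Tperiod Ncycles). To model a pin
* stuck at VCC instead, swap the first two values: PULSE(5 0 ...).
Vcmd cmd 0 PULSE(0 5 0 10n 10n 500u 1m 50)

* AC coupling: only edges transfer charge, a stuck level transfers none
C1 cmd n1 100n

* Charge pump / peak detector: every rising edge tops up C2,
* R1 bleeds it down with tau = 100k * 100n = 10 ms once edges stop
D2 0 n1 Dsw
D1 n1 det Dsw
C2 det 0 100n
R1 det 0 100k
.model Dsw D(Is=1e-14 Rs=1 N=1)

* Behavioral (B) source: "firmware alive" while the pumped level is above 2 V
Balive alive 0 V=if(V(det)>2, 5, 0)

* Actuator drive node drv is pulled to VCC by R2 (actuator ON by default).
* The alive signal must actively sink it through Q1 to hold the actuator OFF;
* when toggling stops, det decays, Q1 opens and drv returns to VCC (ON).
Vcc vcc 0 5
R2 vcc drv 1k
Rb alive b 10k
Q1 drv b 0 Qnpn
.model Qnpn NPN(Bf=100)

.tran 0 100m 0 20u
.end
```

Expected behavior: det climbs above 2 V within the first few cycles and drv sits near 0 V (actuator OFF); after the last edge at 50 ms, det decays past 2 V within a few ms and drv rises to 5 V (actuator ON).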

Final Thoughts

Embedded Mixed Signal Systems are becoming a major part of infrastructure and control systems.

Using LT Spice for failsafe design and verification on embedded systems can increase safety, even on low-cost IoT devices.

THANK YOU

Jonny Doin

[email protected]