MCUs Integrate Features Targeted at Safety Standards

There are a growing set of applications for microcontrollers (MCUs) that require design teams to meet rigorous safety standards with their system design. For example, applications in transportation – planes, trains, autos, and others – require reliable designs in mission-critical subsystems that must meet applicable safety standards. Likewise, industrial applications require safety elements to protect employees working with equipment and to protect citizens living near industrial complexes. While it’s possible for design teams to use standard MCUs to deliver the required safety levels across a broad range of applications, MCUs that integrate safety features greatly simplify the design process.

To develop MCUs with integrated safety features, manufacturers must follow the international standard of rules as defined in IEC 61508, a standard titled “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems.” The International Electrotechnical Commission (IEC) uses a simple example to explain the requirement for safety features in industrial applications: a tank that contains flammable liquid must have a level switch that automatically closes a valve and prevents an overflow. The IEC refers to such a safeguard as an active safety system as opposed to a passive system, such as a containment vessel that might mitigate an overflow. The IEC asserts that functional safety relies on active systems.

The standard covers the complete safety life cycle, which has 16 phases and can be divided into three groups:

• Phases 1-5 address analysis
• Phases 6-13 address realization
• Phases 14-16 address operation

Moreover, central to the standard are the concepts of risk and safety function. The Safety Integrity Level (SIL) is determined from the probability of failure. For systems that operate continuously the allowable frequency of failure must be determined. For systems that operate intermittently the probability of failure is specified as the probability that the system will fail to respond on demand. The levels go from SIL1 through SIL4, however SIL3 is considered the highest level that can be achieved using programmable systems, including MCU-based systems.

IEC 61508 isn’t new to industrial applications. The IEC lists several examples, such as turbine control, medical device manufacturing, dynamic positioning control, speed control in motors, and even information systems where erroneous results affect safety. The standard has also begun to find use in automotive and other transportation applications. For example, there is an emerging standard – ISO 26262—that was adapted from IEC 61508 specifically for automotive applications and also other safety standards, such as FAA DO-178B, that focus on aviation safety.

Safety-centric MCUs
There are several MCUs with integrated safety features that can enable and simplify the task of achieving compliance. For example, Texas Instruments (TI) offers the TMS570 family of MCUs targeted at transportation safety applications including automotive chassis and stability control, electric power steering, hybrid and electric vehicles, aerospace, railway communications, and off-road vehicle engine control. The MCUs are the industry’s first ARM® Cortex™-R4F based floating point MCUs that meet IEC61508/SIL3 safety standards.

TI’s designers used a few primary techniques to yield an MCU capable of meeting safety requirements, including:

• Redundancy
• Isolation
• Data protection

The TMS570 family of MCUs integrates dual Cortex™-R4F processors in lock-step to concurrently execute the same code with real-time validation that each is producing the same results. These devices provide system-wide protection through seamless support for error detection from the processor, through the bus interconnect, and into the memories.

The design also uses TI’s “time diversity” to prevent a soft error, such as a bit flip from propagating through both cores. One CPU is delayed by a cycle relative to the other although the outputs of each core are resynchronized and compared when the second CPU completes a cycle. The design also protects data in memory and on bus transfers to prevent software errors. Integrated ECC support can correct single-bit errors on the fly, and detect two-bit errors.

TI offers the TMS570 family of products in a variety of configurations with a maximum clock speed of 160 MHz. The product family includes FlexRay, CAN, and LIN interfaces – all of which are used broadly in automotive applications. CAN and LIN are also widely used in industrial applications. Designers can choose from models with 1 to 2 Mbytes of flash, and 128 to 160 Kbytes of SRAM.

To help with design, TI offers two development kits that engineers can use to experiment with safety-centric designs. The TMDX570LS20SMDK Development Kit includes an MCU card and a separate I/O sensor interface card with a color touch-screen display and transceivers for FlexRay, CAN, and LIN. The TMDX570LS20SUSB USB Development Stick is powered by USB, and includes a basic set of sensors. Both kits include safety-focused demonstrations.

Safety on the power architecture
Freescale also has an MCU with integrated capabilities that target IEC 61508 SIL3 applications. The PXS20 Power Architecture Safety MCU operates as fast as 120 MHz and, as the name implies, is based on the Power (formerly PowerPC) RISC core architecture. The MCUs integrate dual e200z4 cores – the core derived from the MPC5xx family and the prior MPC8xx PowerQUICC communications SoCs.

The PXS20 design supports two operating modes – the design team can run the cores in lockstep mode for redundancy or the cores can be decoupled to enable independent operation.

The design includes a dual set of system peripherals as well as an interrupt controller, DMA controller, and memory protection units. The products include 1 Mbyte of flash and 128 Kbytes of SRAM that are both ECC protected. The MCUs are equipped similarly to the TI product with a 12-bit A/D converter and support for FlexRay that offers a fault-tolerant protocol implementation.

Safety software
Finally, design teams that want to deploy one of the MCUs in a safety-critical design will also have to satisfy the software portions of the specification. Both TI and Freescale are partnered with Green Hills Software for IEC 61508-compliant designs. Green Hills’ Integrity real-time operating system has been certified for IEC 61508, as well as for railway standards and the FAA DO-178B aviation standard.

The operating system leverages the hardware memory protection features in the MCU to isolate applications. The architecture protects the operating system code and the safety-critical tasks from errant or malicious code including worms, Trojan horses, and denial-of-service attacks.

Design engineers can expect more safety-centric MCU technology to emerge soon, especially with the automotive safety standard nearing completion. For example, TI has already announced that it is working with safety specialist Yogitech on supporting the ISO 26262 automotive standard with the TMS570 family.