functional safety and safety standards - challenges and ... · phase of creation system boundary...
Post on 31-Aug-2019
5 Views
Preview:
TRANSCRIPT
TM
Freescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008.
Functional Safety and Safety Standards: Challenges and Comparison of SolutionsAA309
June 25th, 2007
Christopher TempleAutomotive Systems Technology Manager
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 2
Overview
►Functional Safety Basics
►Functional Safety Standards
►Functional Safety Measures
186CRGB: 208, 12, 51
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008.
Functional Safety Basics
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 4
Functional Safety Definition
Definitions according to IEC61508►“risk”
• “combination of the probability of occurrence of harm and the severity of that harm”
►“harm”• “physical injury or damage to the health of people either directly or
indirectly as a result of damage to property or to the environment”►“safety”
• “freedom from unacceptable risk”►“functional safety”
• “part of the overall safety relating to the equipment under control (EUC) and the EUC control system which depends on the correct functioning of the electrical/electronic/programmable electronic (E/E/PE) safety-related systems, other technology related safety-related systems and external risk reduction facilities”
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 5
Safety in the Context of Dependability
Dependability
SafetyAvailability
ReliabilitySecurity
Usability, recoverability, maintainability, extendibility,
trustability, etc.
Usability, recoverability, maintainability, extendibility,
trustability, etc.
Secondary attributesProbability that the system will
perform to its specificationthroughout a period of duration t
Percentage of time for which the system
will perform to its specification
Probability that the system will not showa specified dangerous behaviorthroughout a period of duration t
Definitions according to IFIP WG10.4
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 6
Impairments through Faults
Phenom.cause
Phase ofcreation
System boundary Persistence Example
permanentDesign faults man-made development internal
(HW/SW)architecture,algorithmstemporary
permanentManufacturing faults man-made manufacturing internal
(HW/SW)
compiler bugs,test escapes,
SI-faultstemporary
permanent
intermittent timing
permanent noise, short circuitexternal
transient
Interaction faults man-made operational external temporary interface formats
ageinginternal
Physical faults physical operational
a-particles, glitches
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 7
Fault - Error - Failure Model
Failure
Error
Fault
error detectionlatency
fault duration
faultdormacy
faultoccurence
faultactivation
errordetection
erroractivation
error latency
FaultCause of an error
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 8
Fault - Error - Failure Model
Failure
Error
Fault
error detectionlatency
fault duration
faultdormacy
faultoccurence
faultactivation
errordetection
erroractivation
error latency
ErrorManifestation of
the fault in a system
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 9
Fault - Error - Failure Model
Failure
Error
Fault
error detectionlatency
fault duration
faultdormacy
faultoccurence
faultactivation
errordetection
erroractivation
error latency
FailureDeviation of the delivered
service from compliance with the specification
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 10
System / Component Hierarchy
►A system can be viewed as a set of interacting components with each component being a system in itself but on a lower hierarchylevel
System (top hierarchy)
Component Component Component
Component is a new system in itself
Component Component ComponentComponent is a new system in itself
Component Component ComponentComponent is a new system in itself
Component Component Component
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 11
System / Component Hierarchy
System (top hierarchy)
Component Component Component
Component Component ComponentComponent Component Component
Component is a new system in itself
Component Component Component
functional safety developstop down
“safety measures” work towardsfunctional safety objective bottom up
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 12
Addressing Faults in Systems
Means for Addressing Faults
DevelopmentLifecycle
HW Measures
SW Measures
Fault Tolerance(Error Processing,Fault Treatment)
Fault Removal(Verification,Diagnosis, Correction)
Fault Forecasting(Qualitative Evaluation, Quantitative Evaluation)
Means for A
ddressing Faults
Fault Prevention
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008.
Functional Safety Standards
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 14
Safety Challenge
►No established metric and value network to classify safety of measures without top system context
• How to quantify safety of measures?
• How to compare different approaches?
• How to make a good techno-economical decision?
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 15
Role of Standards
►Standards are emerging as a framework to establish metrics
• IEC61508 (existing)• Safety lifecycle defined• Top down• Recommended &
mandatory practices• ISO26262 (emerging)
• Decomposition of safety from system to component level
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 16
The 7 Parts of IEC 61508► 1: General Requirements► 2: Requirements for electrical /
electronic / programmable electronic safety-related systems (means HW)
► 3: Software Requirements► 4: Definitions and abbreviations► 5: Examples of methods for the
determination of safety integrity levels
► 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
► 7: Overview of techniques and measures
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 17
IEC61508 Safety LifecycleConcept
Overall scope definition
Hazard & risk analysis
Overall safety requirements
Safety requirements allocation
Safety-relatedsystems:E/E/PES
Realization
Overall installationand commissioning
Overall safety validation
Overall operation, maintenanceand repair
Decomissioning or disposal
Overall modification and retrofit
Overall planning
Overalloperation andmaintenance
planning
Overall safetyvalidationplanning
Overallinstallation andcommissioning
planning
Safety-relatedsystems:
othertechnology
Realization
External riskreductionfacilities
Realization
Back to appropriateoverall safety lifecycle
phase
Outside of the scope ofIEC61508
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 18
IEC61508 - Towards Functional Safe Systems
Carry out a failure mode and effect analysis to determine the effect of each failure mode of each component or group of components in the subsystem on the behaviour of the E/E/PE safety-related systems
Following is required:
• a detailed block diagram of the E/E/PE safety-related system describing the subsystem together with the interconnections for that part of the E/E/PE safety-related system which will affect the safety function(s) under consideration;
• the hardware schematics of the subsystem describing each component or group of components and the interconnections between components
• the failure modes and rates of each component or group of components and associated percentages of the total failure probability corresponding to safe and dangerous failures.
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 19
Interaction between IEC61508 Part 2 and Part 3
Source: IEC61508-3, “7 Software safety lifecycle requirements”, figure 7
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 20
Target Failure Rates According To IEC61508
Source: IEC61508-2, “2 Requirements for electrical / electronic / programmable electronic safety-related systems ”, table 3
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 21
Diagnostic Coverage & Safe Failure Fraction
►Current definition in IEC61508
„diagnostic coverage“ DC = ∑λdd / ∑ λd„safe failure fraction“ SFF = (∑λs + ∑λdd) / (∑ λs + ∑ λd)
= (∑λs + DC * ∑λd) / (∑λs + ∑λd)
with λs=0: SFF = DC
∑λs : safe failure probability∑λd : dangerous failure probability
∑λdd : detected dangerous failure probability∑λud : undetected dangerous failure probability
∑λd = ∑λdd + ∑λud
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 22
Designing a Safe System
Integrity Requirements
Are the safety functions effective enough?
Safety Integrity Level 1..4
Dangerous failure rate λduDiagnostic Coverage DCSafe Failure Fraction SFF
Refine the system until the remaining risk is below the highest acceptable risk
Risk Analysis
How likely is a hazard?How dangerous is a hazard?
How controllable is the systemin case of a hazard?
Safety Functions
How to mitigate the hazards?
Hazard Analysis
Which unintended situations(hazards) can occur?
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 23
IEC 61508 versus ISO 26262
IEC 61508 ISO 26262
Risk classification SIL1 - SIL4 ASIL A - ASIL D
Development Lifecycle Overall safety lifecycleAutomotive safety
lifecycle (incl. V model)
Recommended & mandatory HW measures & practices
Recommended & mandatory SW measures & practices
Target General safety standard for E/E/PE systems
Adaption of IEC 61508for the automotive
industry
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 24
IEC 61508 SIL versus ISO 26262 ASIL
SIL 1
SIL 2
SIL 3
SIL 4
ASIL A
ASIL B
ASIL C
ASIL D
Safety Integrity Level
IEC61508[today]
Ranking by assessing the probability of a
dangerous failure per hour
Automotive SIL
ISO26262[future]
Ranking by assessing severity of injuries, exposure to hazardous situations and the controllability of the driving situation
low
high► Direct comparison not possible► Assessment of recommended & mandatory HW/SW measures & practices
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008.
Functional Safety Measures
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 26
Impairments through Faults
Phenom.cause
Phase ofcreation
System boundary Persistence Example
permanentDesign faults man-made development internal
(HW/SW)architecture,algorithmstemporary
permanentManufacturing faults man-made manufacturing internal
(HW/SW)
compiler bugs,test escapes,
SI-faultstemporary
permanent
intermittent timing
permanent noise, short circuitexternal
transient
Interaction faults man-made operational external temporary interface formats
ageinginternal
Physical faults physical operational
a-particles, glitches
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 27
Addressing Faults in Systems
Means for Addressing Faults
DevelopmentLifecycle
HW Measures
SW Measures
Fault Tolerance(Error Processing,Fault Treatment)
Fault Removal(Verification,Diagnosis, Correction)
Fault Forecasting(Qualitative Evaluation, Quantitative Evaluation)
Means for A
ddressing Faults
Fault Prevention
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 28
Error Processing versus Fault Treatment
Error Detection( detect latent errors to mitigate effect of error)
Detects error upon activation by ‘normal’ system operation
Duplexing & Comparison, …(Redundancy based techniques)Timing & Execution Checks(Reasonableness based techniques)
Error Diagnosis
‘forces’ activation of fault within test interval
Backward & forward recoveryError RecoveryCompensation (Redundancy based techniques)
Testing & Fault Diagnosis ( detect dormant faults before these create errors)
Online BIST(Redundancy based techniques,Reasonableness based techniques)
Fault IsolationReconfiguration
Fault Treatment
Error P
rocessing
In general error detection ≠ online testing!
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 29
Tradeoffs of Different Redundancy Approaches
Time related approaches
Algorithm relatedapproaches
differentclockcycles
concurrentthreads
one afteranother
float &
integer
different
math/flow
main prg &
plausibility checkchallenge &
response
different FFs
different submodules
different modules
different die areas
different chips
⇒ Tradeoff : Performance
⇒ Tradeoff : SW Complexity
⇒ Tradeoff: HW CostsHW relatedapproaches
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 30
Processing Subsystem Philosophies for Safety
Master / Slave Approach Dual Processor Approach
Single Core Self Test Approach
Dual Core Approach
PeripheralsMemory
MCU #1
Peripherals Memory
MCU #2
ComplexHardwareWatchdog
OutputDrivers
(Valves,pump)
SPIn
n
InputModules
n
Sensors
n
Clo
ck
Mon
COP
LVI
Safety Relay
Safety Relay
CPU
CPU
MCU #2MCU #1
Peripherals Memory
CPU
PeripheralsMemory
ComplexHardwareWatchdog
OutputDrivers
(Valves,pump)
SPIn
n
InputModules
n
Sensors
n
Clo
ck
Mon
COP
LVI
Safety Relay
Safety Relay
CPU
MCU #1
PeripheralsMemory
MemoryValidation
BusValidation
CPU’s
Clo
ck
Mon
COP
LVI
ComplexhardwareWatchdog
OutputDrivers
(Valves,pump)
SPIn
nInput
Modules
n
Sensorsn
Safety Relay
Safety Relay
MCU #1
PeripheralsMemory
Clo
ck M
on
COP
LVI
CPU
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 31
Comparison of different Architectures
Key Parameters
► Desirable System Properties• Low Cost• Low Complexity• High Availability
► Safety Properties• Transient Fault Detection• Early Detection of permanent
Faults• Detection of systematic SW Faults
Architectures
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 32
Desirable SystemProperties
Fault Detection
Metric for Fault Tolerance Mechanisms
early Detection ofpermanent Faults
Availability
LowComplexity
Detection oftransient Faults
Detection ofsystematicSW Faults
LowCost
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 33
Single Core - Fault Tolerance Mechanisms
early Detection ofpermanent Faults
Availability
LowComplexity
Detection oftransient Faults
Detection ofsystematicSW Faults
LowCost
single coreno self test
single corewith self test
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 34
Dual Core - Fault Tolerance Mechanisms
early Detection ofpermanent Faults
Availability
LowComplexity
Detection oftransient Faults
Detection ofsystematicSW Faults
LowCost
dual corelocked
no self test
dual corelocked
with self testdual core“tightly coupled”
with self test
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 35
“Multi” Core/Device - Fault Tolerance Mechanisms
early Detection ofpermanent Faults
Availability
LowComplexity
Detection oftransient Faults
Detection ofsystematicSW Faults
LowCost
dual (identical) core“loosely coupled”
dual devicecore with
coprocessor
TMFreescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008. 36
Summary►Functional Safety Basics
• Functional safety is a system property
• It is impaired by faults►Functional Safety Standards
• IEC61508 / ISO26262• Top down assessment• Safety lifecycle• Recommended & mandatory
HW/SW measures & practices►Functional Safety Measures
• Error detection versus testing• Redundancy• Trade-off depending on fault
assumptions
186CRGB: 208, 12, 51
TM
Freescale™ and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2007-2008.
top related