March 16, 2022
Editor's Note: This content is contributed by Michael Zapke, Marketing Lead Industrial at AMD
Safety features range from rejecting an invalid user input, to an immediate stop under defined conditions, to a visual, acoustic, or tactile warning, to a command sent to an adjacent machine, to name only a few. All of these functions are useful, yet in normal operation you hope never to see any of them. That is exactly the problem: how do you know that a safety function will actually work on the day you are in danger?
Operator safety at work is regulated in many industries and in almost all regions of the world. Some regions require compliance with a specific standard, others are less stringent. The European Union considered the safety of machinery important enough that in 2006 it issued the Machinery Directive 2006/42/EC, a set of legal requirements for manufacturers and distributors placing machines on the EU market, intended to protect operators, maintenance personnel, equipment, and the environment. EN ISO 13849 is a harmonized standard under the Machinery Directive: machinery whose safety-related control parts conform to it is presumed to meet the directive's requirements and can be legally manufactured and sold in the EU.
EN ISO 13849 is the framework for assessing risk in a structured way, which is the basis for measuring a design against safety targets. Targets are defined by two main metrics in ISO 13849. Metric #1 is the Performance Level (PL a to PL e), which describes the ability of the safety-related parts of the control system to perform the safety function and thereby the machine's contribution to risk reduction. Metric #2 is the Structure Category (the standard simply calls it the Category: B, 1, 2, 3, and 4), which describes how robust the architecture is against faults: through test functions in the lower categories (Category 2) and through multiple parallel instances of the safety channel (redundancy with cross-monitoring) in the higher categories (Category 3 and 4). An independent assessor confirms that a machine achieves the targeted Performance Level with the required Structure Category; that confirmation is the certificate.
Figure 1: Risk Levels and Their Relation to ISO 13849 Performance Levels and Structure Categories
Adaptive SoCs from AMD, and in particular Zynq® UltraScale+™ MPSoCs, contain functions that support the developer in creating a safe product. Both the architecture of the device family and the capabilities and process support of the design-flow tools (Vivado® ML tools) are built so that users can create safe systems. Besides offering monitoring features on silicon and the capability to add user-built diagnostic functions in the programmable logic, the architecture provides multiple domains on silicon and the capability to run processor cores side by side as redundant channels, so that appropriate safety targets according to ISO 13849 can be met.
Figure 2: AMD's Contribution to Risk Reduction in Machinery
A new Technical Report from TUEV Sued attests that safe systems for machinery can be built with Zynq UltraScale+ MPSoCs. For example, homogeneous redundancy that uses two Arm® Cortex®-R5F cores inside the same device can reach Performance Level PL d and Category 3, which corresponds approximately to Safety Integrity Level 2 (SIL 2). Heterogeneous architectures that run one safety channel in the Cortex-R5F and the other in programmable logic, the FPGA part of the SoC, can reach Performance Level PL e and Category 4, which is roughly equivalent to SIL 3. Because the scope of ISO 13849 is the machinery and not the individual electronic device, it is up to the Safety Concept of the targeted product to use the chip architecture and functionality in the right way: the report attests that the device supports such architectures, while the Performance Level of the end product must still be demonstrated for the complete safety function, from sensor through logic to actuator, including the standard's requirements on mean time to dangerous failure (MTTFd), diagnostic coverage (DC), and measures against common-cause failures (CCF). The Technical Report from TUEV Sued and AMD's Safety Guidelines for ISO 13849 applications, UG1562, are now available and help users build their products in the best possible way to achieve the safety targets.
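The two-channel structure described in the report and the test functions mentioned for the lower categories, as an added example in plain C that is not AMD's code and is not taken from the TUEV Sued report or UG1562: a hypothetical guard-door safety function ("stop the drive if the guard is open and the speed exceeds the reduced limit") is evaluated by two diversely written channels, a 1oo2 cross-comparison forces the safe state on any disagreement, an injected stuck-at fault shows why the comparison matters, and a known-answer self-test finds that fault before a demand occurs. The sensor frame, the rule, the function names and the fault model are all constructed for illustration; on a real device the channels would run on separate cores or in the PL, and the comparison and the safe-state path would themselves have to be covered by the safety concept.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Command produced by one safety channel. */
typedef enum { CH_RUN = 0, CH_STOP = 1 } channel_cmd_t;

/* Command produced by the cross-comparison of both channels. */
typedef enum { SYS_RUN = 0, SYS_STOP = 1, SYS_SAFE_STATE = 2 } system_cmd_t;

/* Constructed sensor frame for the example: a guard-door switch and a
 * speed reading. The hypothetical safety function is "stop the drive if
 * the guard is open and the speed is above the reduced limit". */
typedef struct {
    bool     guard_closed;
    uint16_t speed_rpm;
    uint16_t speed_limit;   /* permitted speed while the guard is open */
} sensor_frame_t;

typedef channel_cmd_t (*channel_fn_t)(const sensor_frame_t *);

/* Channel A: evaluates the trip condition directly (think: one R5F core). */
channel_cmd_t channel_a(const sensor_frame_t *f)
{
    if (!f->guard_closed && f->speed_rpm > f->speed_limit)
        return CH_STOP;
    return CH_RUN;
}

/* Channel B: diverse formulation of the same rule, evaluating the "safe"
 * condition instead (think: the second core, or logic in the PL). Diversity
 * makes it unlikely that one design slip is mirrored in both channels. */
channel_cmd_t channel_b(const sensor_frame_t *f)
{
    bool safe = f->guard_closed || f->speed_rpm <= f->speed_limit;
    return safe ? CH_RUN : CH_STOP;
}

/* Injected single fault for the demonstration (hypothetical): channel B
 * stuck at RUN, as a failed output stage or a stale register might behave. */
channel_cmd_t channel_b_stuck_at_run(const sensor_frame_t *f)
{
    (void)f;
    return CH_RUN;
}

/* 1oo2 cross-comparison: the output is trusted only if both channels agree.
 * Any disagreement means a channel has failed, and the only acceptable
 * reaction is to drive the machine to its safe state. */
system_cmd_t compare_1oo2(channel_cmd_t a, channel_cmd_t b)
{
    if (a != b)
        return SYS_SAFE_STATE;
    return (a == CH_STOP) ? SYS_STOP : SYS_RUN;
}

system_cmd_t evaluate(channel_fn_t a, channel_fn_t b, const sensor_frame_t *f)
{
    return compare_1oo2(a(f), b(f));
}

/* Test function: feed known-answer vectors to a channel and check its
 * replies. ISO 13849 relies on such tests in Category 2, and Category 4
 * expects a fault to be found at or before the next demand, so a stuck
 * channel is caught here even while the machine is idle. */
bool self_test(channel_fn_t ch)
{
    static const struct { sensor_frame_t in; channel_cmd_t expect; } vec[] = {
        { { true,  3000, 100 }, CH_RUN  },  /* guard closed: any speed */
        { { false,   50, 100 }, CH_RUN  },  /* guard open, below limit */
        { { false,  101, 100 }, CH_STOP },  /* guard open, just over limit */
        { { false, 3000, 100 }, CH_STOP },  /* guard open, far over limit */
    };
    for (size_t i = 0; i < sizeof vec / sizeof vec[0]; i++)
        if (ch(&vec[i].in) != vec[i].expect)
            return false;
    return true;
}

/* Scenario helper: a fixed overspeed reading, with or without an open guard
 * (the demand), and with a healthy or a stuck channel B. */
system_cmd_t scenario(bool b_faulty, bool demand)
{
    sensor_frame_t f = { .guard_closed = !demand, .speed_rpm = 1500, .speed_limit = 100 };
    return evaluate(channel_a, b_faulty ? channel_b_stuck_at_run : channel_b, &f);
}

int main(void)
{
    printf("healthy channels, no demand: %d (0 = RUN)\n", (int)scenario(false, false));
    printf("healthy channels, demand:    %d (1 = STOP)\n", (int)scenario(false, true));
    printf("B stuck at RUN, demand:      %d (2 = SAFE_STATE)\n", (int)scenario(true, true));
    printf("self-test finds stuck B:     %s\n", self_test(channel_b_stuck_at_run) ? "yes" : "no");
    return 0;
}
```

Note what the stuck channel does while the guard is closed: both channels say RUN, the comparison is satisfied, and the fault stays latent until the first demand. That is why Category 3 only requires that a single fault not cause loss of the safety function, while Category 4 additionally requires that the fault be detected at or before the next demand, which the periodic self-test provides here.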
Figure 3: Additional Documentation Supports Field Equipment Manufacturers and Machine Builders
Many applications aim for PL d and Category 3; intelligent sensors, for example, fall into this group. Powerful machines that interact with humans, or whose malfunction might damage or destroy other assets, may require PL e and Category 4. Adaptive SoCs help to achieve both. The chip architecture allows conformance with the standard while integrating both channels in a single SoC, which reduces on-board connectivity. Fewer I/Os, soldered connections, and cables increase reliability and the Mean Time Between Failures (MTBF), which in ISO 13849 terms raises the mean time to dangerous failure (MTTFd) of the channel and so helps with reaching the desired Performance Level. Note that placing both channels on one die does not remove the need for measures against common-cause failures: Category 3 and 4 require them, and ISO 13849-1 scores them in its Annex F, so the safety concept must address them explicitly.
For more than a decade, AMD-Xilinx has invested in safety-related extensions. The design tools have been certified against IEC 61508 since 2015. Safety Manuals, Application Notes, scripts for the calculation of failure rates, advanced features such as System Monitors and Single Event Upset (SEU) Mitigation, and development practices such as the Isolation Design Flow are assets that AMD-Xilinx maintains and evolves. A web-based Safety Lounge is available to purchasers of the Functional Safety Package and contains all documents, certificates, reports, and other material.
Figure 4: Screenshot of the Functional Safety Lounge for Zynq UltraScale+ MPSoC (excerpt)
Figure 5: A Technical Report from TUEV Sued
In early summer 2022, we will offer our next Functional Safety Working Group, a free virtual seminar in which our experts share their know-how with you. The registration page is at https://www.xilinx.com/products/technology/functional-safety.html#functionalSafety. Participation requires a signed NDA. We look forward to meeting you there!