Verification Methods for Designing Secure Industrial Chip Systems

Publisher: Changfeng520 | Latest update time: 2012-07-15 | Source: 电子发烧友
Many industrial fields, such as industrial automation, logistics, and smart grids, require machinery and products to be safe and certified for functional safety. Flexibility and the rising cost of safety are important factors when developing machinery that must comply with safety standards around the world. In these applications, safety requirements have created new machinery development processes and increased the complexity of electronic equipment, which generally leads to significantly higher hardware costs and longer time to market. Industrial chip systems can help engineers save 18 months of design time in obtaining IEC 61508 product certification. With certified devices such as Altera FPGAs, designers can take full advantage of the flexibility of FPGAs without worrying about whether these devices can be used in safety applications.

Design Challenges

Companies planning to sell into countries whose local safety regulations require certification by functional safety assessors, such as the new Machinery Construction Directive (2006/42/EG) that products exported to Europe must meet, must adopt a safety approach throughout the design process in order to compete. Plant operators also need to run machinery safely to improve efficiency: for example, maintenance can be carried out while part of the machinery keeps working, significantly reducing startup and downtime.

When a company decides to develop a safety product, it must treat safety as a core system function. Historically, safety functions have been added to a system through other functions such as redundant controllers or communication modules, combined with circuits that monitor the system. Compared with a safety application designed from the outset to be optimized for safety and cost competitiveness, such bolted-on safety components are an afterthought to the system concept: they add significant cost, are inflexible and cannot be updated.

Design challenges in developing safety applications include:

• Adopting a "safety" design approach and safety concepts.

• Greater engineering investment (time and skills), which delays product launch and raises total cost of ownership.

• Engineering management: collecting data from all system components and documenting the project in accordance with safety regulations.

The key to successful design is to use proven design methodologies, qualified tools and components as part of the product, and consider safety issues from the beginning of product development.

Typical application steps

If safety is not considered, the five typical design steps for developing an application are:

• Architecture development

• Component selection

• Application design and implementation

• Integration and testing

• Release

The first step is the product architecture, as shown in Figure 1. For a typical motor control application such as a drive, the architecture step partitions the system into parts such as system control, communication, and real-time motor control. For example, the architecture may select a software implementation for the control and real-time parts, and a hardware/software approach for the communication part to support real-time industrial Ethernet protocols.

Figure 1. Architecture development

The next step is to select components (Figure 2). Given this partitioning, the control software may run on a standard application processor, the real-time motor control portion may be implemented on a digital signal processor (DSP), and the communication portion may be implemented with an FPGA-based approach. Using FPGAs, the system can flexibly implement various industrial Ethernet standards such as Ethernet/IP, EtherCAT, PROFINET, or SERCOS III on the same interchangeable device. With this flexible communication architecture, the standard hardware platform can be customized to meet the special protocol requirements of the end user.

Figure 2. Component selection

After determining how to partition and selecting components, the design team can start development work for their respective applications. Then, they integrate the components into a complete system, test the system functions, and release the product.

Increased safety

If the product requirements call for a functional safety design, additional engineering stages are needed, shown in yellow in Figure 3.

Figure 3. Additional design steps based on safety steps

The purpose of designing a safety application is to obtain functional safety certification, such as IEC 61508, which makes the engineering increasingly complex. The IEC 61508 specification covers the entire safety lifecycle, from the development of the application to the withdrawal of the product from the market. Following the steps and processes of the safety standard simplifies communication with assessors, ensuring that safety goals, concepts, processes and solutions are clearly understood and that the safety requirements are met.

Project start-up and risk analysis

During project start-up and risk analysis, the safety scope is determined from the general requirements of the application. For the implementation phase, the required and achievable safety integrity level (SIL) of the application is determined, organized and documented as the basis for risk analysis and assessment. Risk analysis is the basis for later measures; it reflects the understanding of the product boundaries and is closely related to the product scope definition. It underpins the required SIL, defines the safety functions in detail, and sets the product documentation framework. This must be done at the component level as well as the system level.

Architecture Development

Designers then develop the architecture to meet the functional and safety requirements. They refine the safety requirements, document certain functions that will be implemented during the operation and maintenance phases, and determine the strategies needed to verify that the safety requirements can be met.

Safety requirements specification

For a safety drive, the engineering scope may include several aspects, such as determining whether drive parameters are within the permitted range or whether a safety I/O signal indicates a critical event. The most basic safety feature of a drive is "safe shutdown" (STO), which disconnects the power supply to the motor in a safe manner. This process may also include notifying the entire automation system that a safety event has occurred and must be evaluated within a certain time period, for example by shutting down the entire application in a sequence of steps.

Verification and certification planning

The validation plan includes controlled failure insertion methods to test the system, additional monitoring, observation of the system, and comparison of current parameters against predetermined values and allowable limits.

Component selection; component, IP and tool qualification

Typical projects already have a component selection step, but for safety applications designers must ensure that the components and IP functions are suitable. The residual error probability is important because it is the basis for calculating the product's total failure probability (FIT) and the final SIL. This is achieved by collecting device and design tool data for widely used products, so that systematic errors are excluded and the data can be relied on (for example, for IP), and by using the error probability reports and reliability information published for semiconductor products such as processors or FPGAs.

Application design and implementation

Complex system functions, such as communication protocols, memory interface IP for FPGAs, or Altera's Nios® II embedded processor IP (which in drive applications typically runs the software stacks for industrial Ethernet protocols), all require safety analysis, testing and certification before use in a safety application.

Functions/diagnostic functions

In addition to the application itself, certain diagnostic features must be built into the design. These include basic parameter monitoring such as clock and power supply, as well as more complex features such as data monitoring and observing the pulse width modulation (PWM) outputs to confirm that the system is working properly. The design also needs features that automatically detect errors and put the system into a safe state. Basic functions include ensuring that memory contents have not been changed by external influences on the design, monitoring the system clock to ensure that the design is driven within the set system parameters (or detecting errors due to failure of external components), and checking that the power supply is working properly.
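
To make the clock and power-supply monitoring described above concrete, here is an added example in C, not code from the article or from Altera's diagnostic IP, written the way a monitor task on a soft-core processor might be: it counts the system clock over one window of an independent reference clock, checks the sampled supply voltage against a window, and forces a sticky safe state on any failure. The nominal frequency, tolerance, window length and voltage band are constructed values for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Thresholds constructed for this example; real values come from the product's
   safety requirements specification, not from Altera. */
#define CLK_EXPECTED_HZ 100000000u   /* nominal 100 MHz system clock */
#define CLK_TOL_PERCENT 2u           /* accept +/- 2 % frequency deviation */
#define VCC_MIN_MV      1140u        /* constructed core-supply window in mV */
#define VCC_MAX_MV      1260u

typedef enum { STATE_RUN, STATE_SAFE } sys_state_t;

/* Clock check: the system clock is counted for one window of a slow, independent
   reference clock. A missing clock yields about 0 ticks; a drifting or wrong
   clock yields a count outside the tolerance band. */
bool clock_ok(uint32_t ticks_in_window, uint32_t ref_window_ms) {
    uint64_t expected = (uint64_t)CLK_EXPECTED_HZ * ref_window_ms / 1000u;
    uint64_t tol = expected * CLK_TOL_PERCENT / 100u;
    return ticks_in_window >= expected - tol && ticks_in_window <= expected + tol;
}

/* Power check: the supply voltage sampled by an ADC must stay inside the window. */
bool power_ok(uint32_t vcc_mv) {
    return vcc_mv >= VCC_MIN_MV && vcc_mv <= VCC_MAX_MV;
}

/* One diagnostic cycle: any failed monitor forces the safe state, and the safe
   state is sticky so a momentary recovery cannot silently resume operation. */
sys_state_t diagnostic_cycle(sys_state_t current, uint32_t ticks,
                             uint32_t window_ms, uint32_t vcc_mv) {
    if (current == STATE_SAFE) return STATE_SAFE;
    if (!clock_ok(ticks, window_ms) || !power_ok(vcc_mv)) return STATE_SAFE;
    return STATE_RUN;
}

int main(void) {
    sys_state_t s = STATE_RUN;
    s = diagnostic_cycle(s, 1000000u, 10u, 1200u);  /* nominal: stays RUN */
    printf("nominal sample: %s\n", s == STATE_RUN ? "RUN" : "SAFE");
    s = diagnostic_cycle(s, 950000u, 10u, 1200u);   /* clock 5 % slow: SAFE */
    printf("slow clock sample: %s\n", s == STATE_RUN ? "RUN" : "SAFE");
    return 0;
}
```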

Integration and testing

Each component is integrated into the safety drive solution and tested to confirm that the system delivers the expected functions and the specified safety functions. Safety verification ensures that the required safety features operate during operation, for example that external factors have no adverse effects on the designed safety functions and that accidental disabling cannot affect the system.

Safety verification, certification and release

Throughout the process, close cooperation with the assessors is required to ensure that the assessments conducted during development are sound and that appropriate safety functions are provided. Finally, the assessors certify the product's safety functions and the product can be launched on the market.

Adding pre-certified safety features

Semiconductor suppliers such as Altera provide certain steps that help with this process, reducing the investment needed for safety application development. For example, using functional-safety pre-certified semiconductor data, IP, development processes and design tools off the shelf can significantly shorten the entire product development process, as shown in Figure 4.

Figure 4. Design steps with pre-certified safety steps

Altera invested nearly two years to achieve product certification. Altera's SIL 3 functional safety data package includes certification of Altera tools, IP and device data by the assessment agency TÜV Rheinland, which shortens and simplifies the development of IEC 61508 compliant safety applications. Pre-certified design flows and tools, together with pre-certified embedded system and diagnostic intellectual property (IP), reduce certification risk for safety-critical industrial applications such as servo and inverter drives, safety I/O and PLCs, and automation controllers.

The test and application data for the IP and design tools, together with device reliability data, are compiled and organized to simplify functional safety verification. Altera adopts a design methodology (V-Flow), approved by TÜV Rheinland, tailored to the special needs of FPGA design. The functional safety package includes the necessary diagnostic functions, implemented as FPGA IP. Users of the package benefit from Altera's early investment with TÜV and save the corresponding engineering time.

Safety drive example

This example of a drive with safety I/O uses Altera's certified FPGA design tool, Quartus II software 9.0 SP2, and the recommended design methodology. As shown in Figure 5, the application uses two FPGAs instead of an external processor and DSP. It is partitioned across several Nios II soft-core processors: the first provides the communication stack, the second handles system control, and the third is integrated into the motor control module. The motor control algorithm is split so that its software portion runs on the Nios II processor while a hardware module developed specifically for this application accelerates the motor control loop. An external safety controller provides the redundancy required for SIL 3 applications.

Figure 5. Two-chip FPGA implementation of a safety drive

The solution combines a safety controller and a fieldbus controller in one FPGA, using Altera's SOPC Builder system integration tool to integrate a Nios II soft-core processor, other communication IP blocks, as well as encoder interfaces and memory interfaces.

For the low-level monitoring functions of critical and common diagnostic tasks in the FPGA, this example uses Altera's safety-certified diagnostic IP modules. These diagnostic IPs are designed to meet the requirements of IEC 61508 and perform the following common diagnostic functions:

• Cyclic Redundancy Check (CRC) calculation – used in many systems, especially in fieldbus applications.

• Clock Check – this core checks whether a system clock is present and verifies its frequency.

• SEU Check Controller – this block uses the device's built-in soft-error checking hardware to detect changes caused by soft errors.
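
As an added example, not code from the article or from Altera's diagnostic IP, the following C shows the CRC-based memory-integrity diagnostic the text describes (ensuring memory contents have not changed) together with the controlled failure insertion mentioned in the validation plan: a single bit flip, of the kind a soft error would cause, is injected into a constructed parameter region and must be caught by the next CRC check. The region contents, the golden-CRC handling and all function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), bitwise and
   table-free so it fits a small diagnostic core or a soft-core monitor task. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for a protected memory region (e.g. safety parameters). */
static uint8_t param_region[16] = {
    0x01, 0x00, 0x10, 0x27, 0x03, 0xE8, 0x00, 0x64,
    0xFF, 0x7F, 0x00, 0x00, 0x55, 0xAA, 0x0F, 0xF0
};

/* Golden CRC captured once at commissioning, before the region is trusted. */
static uint32_t golden_crc;

void memory_diag_init(void) { golden_crc = crc32_ieee(param_region, sizeof param_region); }

/* Periodic check: true while the region still matches the golden value. */
bool memory_diag_check(void) { return crc32_ieee(param_region, sizeof param_region) == golden_crc; }

/* Controlled failure insertion for the validation plan: flip one bit, as an SEU would. */
void inject_bit_flip(size_t byte_index, unsigned bit) { param_region[byte_index] ^= (uint8_t)(1u << bit); }

/* Runs the sequence intact -> upset -> restored and reports whether the upset was caught. */
bool demo_detects_seu(void) {
    memory_diag_init();
    bool before = memory_diag_check();   /* intact region: check passes */
    inject_bit_flip(9, 3);
    bool after = memory_diag_check();    /* one flipped bit: check fails */
    inject_bit_flip(9, 3);               /* undo the injection */
    return before && !after && memory_diag_check();
}

int main(void) {
    printf("single-bit upset detected: %s\n", demo_detects_seu() ? "yes" : "no");
    return 0;
}
```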

Because these IP cores are implemented in the FPGA logic fabric, the system processor no longer has to carry out these tasks. For the certification approach, Altera analyzed the FPGA design methodology and its related requirements against the IEC specification, and from this analysis produced a tool flow document. Its central theme is the description of the FPGA V-Flow developed by Altera, shown in Figure 6.

Figure 6. Tool flow

V-Flow and its related documents map all the steps of Altera FPGA safety application design to the IEC specification to meet its requirements. In addition, it explains which design steps use which Altera tools. It refers to certain chapters in the IEC specification to guide users to develop safety applications according to the appropriate development steps.

The package also includes the certification documents and data the assessor requires, in a format that fully complies with IEC 61508, so the assessor can process them easily. Providing these documents in the correct format saves a great deal of safety engineering documentation work. In the included reliability report, Altera has performed extensive analysis of the reliability statistics of Altera FPGAs, including all the information needed to calculate the FIT rate.

By reusing a drive system concept that follows the pre-certified two-chip approach, the typical application development process can be accelerated through the certified design methodology, design flow, tools and IP. The certification process is faster because the component reliability data are available immediately and are provided in a format that is easily integrated into the documents for safety certification. In both safety design and system design, designers can take full advantage of the FPGA's flexible integration capabilities. Since safety has become one of the key requirements of the application, it is included in the entire concept and achieved while meeting cost and time-to-market targets.
