
Safety design on FPGAs

Elmer Chiang,

BD Director, AP Sales & Marketing


TUV R. Certified Functional Safety Engineer

Folie 1
Who is NewTec?
A Brief Profile

Folie 2
Vision & Mission

We make the world safer!

Folie 3
Story of Initiation

Timeline:

1986: NewTec GmbH engineering office is founded
1995: Complete system provider
2007: NewTec continues to expand
2017: Global and cross-sectoral experts for Functional Safety and Embedded Security

F900_0717 Folie 4
Toward a successful future

In the near future, interconnected and automated systems will dictate the
market. Their reliability will be the basis for the success of your business.

Folie 5
How does NewTec work?
Customer Benefits

Folie 6
NewTec Service Portfolio

Portfolio areas: Services, Training & Consultation, Products.

Customer benefits:

• Strengthening your market position by availing of the innovation and technology impulses from NewTec
• Faster product launch and reduced development costs thanks to the wide range of expertise that NewTec offers
• Risk minimization thanks to maximum transparency, integration in your processes and successful project management
• High level of safety and security expertise with respect to development processes and global safety standards
• Ensuring competitiveness by reliably protecting your sensitive data

Folie 7
NTSafetySolutions

Safe Products – fast and efficient: risk management, ensuring safety, managing SIL

Portfolio areas: Services, Training & Consultation, Products.

F900_0717 Folie 8
NTSafetySolutions

Training & Consultation

• Varied range of seminars for functional safety in practice
• Safety workshops for individual customers

Products, e.g.

• SafeFlex – Reference platform for safety development
• NTSafeDrive – Safety module for drives
• NTSafePLC – Safe PLC basis-platform for industry applications

Expert services to do with all aspects of product development

• Safety management assessment
• Safety risk assessment
• Safety requirement analysis
• Licensing strategy
• Safety planning
• Safety concept
• Concept examination
• Functional safety management

Managed Services in Product Lifecycle

• Safety system development
• Safety engineering
• Safety software development
• Safety hardware development
• Integration, verification & validation
• Documentation & traceability

F900_0717 Folie 9
NTSecuritySolutions

Embedded Security:
Protection against sabotage attacks and
external manipulation

Services

Training &
Consultation

Products

F900_0717 Folie 10
NTSecuritySolutions

Training & Consultation

• Varied range of seminars relating to embedded security
• Security workshops for individual customers

Products, e.g.

• NTSecureCloudSolution
• NTSecurePOS

Expert services to do with all aspects of product development

• Security risk assessment
• Security requirement analysis
• Security concepts
• Penetration tests
• Security robustness tests
• Statistical code analysis
• Incident management

Managed services in product lifecycle

• Continuous examination of weak points due to new threats
• Continuous examination of conformity with current safety standards
• Continuous maintenance of the safety requirement wanted
• Obsolescence management for safety-relevant system parts

F900_0717 Folie 11
NewTec Product and System Development

Complete Lifecycle of the Product Engineering

• Requirements
• Design
• System development
• Software development
• Hardware development
• Mechanics
• Testing

F900_0717 Folie 12
Why Smart Watchdog/Challenge

• Processor suppliers deliver systems with lockstep processor and system basis chip
• Intel PSG to provide SIL3/SIL4 ready systems with MAX 10 system basis chip

F900_0717 Folie 13
Example of Motor Control System

Block diagram of the motor control system:

• Control algorithm implemented on NIOS II softcore processor
• Low level motor control implemented in FPGA logic
• Industrial Ethernet communication implemented on NIOS II softcore processor
• Blocks: IE Stack, Industrial Ethernet MAC, Encoder Interface, Drive Control, PWM, Power Stage, Motor, Encoder

F900_0717 Folie 14
Example of Motor Control System with Safety

Block diagram of the motor control system with safety:

• Safety encoder considered
• Safety critical software: safety processing, emergency shut off
• Safety processing communication
• Industrial Ethernet considered as black channel communication
• Blocks: Safety Encoder, Encoder Interface, Drive Control, PWM, STO, Power Stage, IE Stack, Industrial Ethernet MAC, Motor, Encoder

F900_0717 Folie 15
Different ways to implement safety

• 1 standard MCU is used for drive controls
• 2 “safe” MCUs are used for safe communication and safe stop functionality

F900_0717 Folie 16
Different ways to implement safety

• Safety designs require diagnostics to be run periodically to ensure the safety function is functioning correctly. For a processor this generally requires Software Test Libraries (STLs)
• STLs are used to test processor functionality in addition to the rest of the system

F900_0717 Folie 17
Different ways to implement safety

• Disadvantages of STLs
  • Running STLs consumes essential processing MIPS
  • STLs are often destructive and require the system context to be saved before running and restored after running
• Alternative: provide hardware realtime diagnostics via a lockstep processor implementation or a two-channel solution

F900_0717 Folie 18
Different ways to implement safety

• Provide hardware realtime diagnostics via lockstep processor implementation
• Provide hardware realtime diagnostics via Smart Watchdog (two-channel redundancy)

F900_0717 Folie 19
What is a lockstep processor….

(Figure label: HFT 1)

• It is not a 1oo2 system
• It is a processor with hardware diagnostics
• Diagnostics are provided by a 2nd slave processor and a comparator

F900_0717 Folie 20
What is a lockstep processor….

Maximum SIL by Safe Failure Fraction (SFF) and Hardware Fault Tolerance (HFT):

SFF (Safe Failure Fraction) | HFT 0       | HFT 1 | HFT 2
<60%                        | Not allowed | SIL1  | SIL2
60% – <90%                  | SIL1        | SIL2  | SIL3
90% – <99%                  | SIL2        | SIL3  | SIL4
≥99%                        | SIL3        | SIL4  | SIL4

• STL may achieve 70% DC
  • Limits safety capability to SIL1/2
• Lockstep is capable of achieving >99% DC
  • Enables SIL3/4 capability
F900_0717 Folie 21
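As an added illustration (not from the slides), the C code below computes diagnostic coverage and safe failure fraction from a component's failure-rate split and applies the SFF/HFT table above to bound the achievable SIL for the 70% (STL) and 99% (lockstep) coverage figures; the failure rates and the 50/50 safe/dangerous split are constructed assumptions.

```c
#include <stdio.h>

/* Failure-rate split of a component (per hour) in the IEC 61508 sense:
   safe, dangerous-detected and dangerous-undetected failures.
   All rates used below are constructed for the illustration. */
typedef struct {
    double lambda_s;   /* safe failures */
    double lambda_dd;  /* dangerous failures detected by diagnostics */
    double lambda_du;  /* dangerous failures not detected */
} failure_rates;

/* Diagnostic coverage: share of dangerous failures the diagnostics catch. */
double diagnostic_coverage(failure_rates r) {
    return r.lambda_dd / (r.lambda_dd + r.lambda_du);
}

/* Safe failure fraction: share of all failures that are safe or detected. */
double safe_failure_fraction(failure_rates r) {
    return (r.lambda_s + r.lambda_dd) / (r.lambda_s + r.lambda_dd + r.lambda_du);
}

/* Maximum SIL from the SFF/HFT table on the slide; 0 means "not allowed". */
int max_sil(double sff, int hft) {
    int row = sff < 0.60 ? 0 : sff < 0.90 ? 1 : sff < 0.99 ? 2 : 3;
    if (hft < 0) hft = 0;
    if (hft > 2) hft = 2;
    int sil = row + hft;       /* each HFT step moves one column to the right */
    return sil > 4 ? 4 : sil;  /* the table saturates at SIL4 */
}

/* Split a total dangerous rate lambda_d according to the coverage dc of the
   diagnostics: dc of it becomes detected, the rest stays undetected. */
failure_rates with_coverage(double lambda_s, double lambda_d, double dc) {
    failure_rates r = { lambda_s, dc * lambda_d, (1.0 - dc) * lambda_d };
    return r;
}

int main(void) {
    /* assumption: half of all processor failures are safe, half dangerous */
    failure_rates stl = with_coverage(5e-7, 5e-7, 0.70);  /* STL: 70% DC */
    failure_rates ls  = with_coverage(5e-7, 5e-7, 0.99);  /* lockstep: 99% DC */
    failure_rates *cases[] = { &stl, &ls };
    const char *names[] = { "STL", "lockstep" };
    for (int i = 0; i < 2; i++) {
        double sff = safe_failure_fraction(*cases[i]);
        printf("%-8s DC=%.2f SFF=%.3f  max SIL: HFT0=%d HFT1=%d\n", names[i],
               diagnostic_coverage(*cases[i]), sff, max_sil(sff, 0), max_sil(sff, 1));
    }
    return 0;
}
```

With these inputs the STL case lands in the 60–90% row (SIL1 at HFT 0, SIL2 at HFT 1) and the lockstep case in the ≥99% row (SIL3/SIL4), matching the slide's claim.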
Safe Processor Architecture

Block diagram: two NIOS II cores with a Comparator; CRC Calculator; Program RAM; Data RAM; Timers; Mailbox; IP Safety Protocol
F900_0717 Folie 22
Different ways to implement safety

Safe processor & peripherals are safety critical

• Implement using lockstep processor
  • >99% DC
  • Reduces need for STL -> more performance for safety application
• ECC for program/data RAM
  • 90% DC

F900_0717 Folie 23
Different ways to implement safety

• STL (limited) for
  • Timers
  • Interrupts
  • Bus infrastructure
• CRC Calculation
  • Accelerate CRC calculations for Safe IE
• Clock Checker
  • Check clock network/PLL

F900_0717 Folie 24
Smart Watchdog vs Lockstep

• Lockstep processor >99% DC
  • For all other components a DC >99% must be proven
• Single chip needs an additional “system basis chip”
  • To detect common cause failures of the single chip
  • Monitoring and test of power monitoring
  • Clock watchdog

F900_0717 Folie 25
Smart Watchdog Concept

Smart Watchdog as Monitor

• Pre-configured NIOS II processor to supervise program flow and correct data
• Power supply
  • Design guideline for discrete design of power monitor
  • IP core to test power supply monitor
• Window watchdog
  • Enhanced safety block associated with fail-safe output
• SPI interface
• Flexible safe I/O

F900_0717 Folie 26
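As an added illustration of the monitor side of this concept (constructed code, not NewTec's IP cores), the C model below combines a window watchdog with program-flow supervision and a challenge/response check on the application's data, latching a fail-safe state on any of the three faults; the tick units, window bounds, checkpoint count and challenge function are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Monitor-channel state. Ticks, window bounds and the challenge function are
   constructed for this illustration, not NewTec's IP. */
typedef struct {
    uint32_t t_min, t_max;   /* accepted service interval (window) in ticks */
    uint32_t last_service;   /* tick of the last accepted service */
    uint8_t  expected_step;  /* next program-flow checkpoint the monitor expects */
    uint8_t  n_steps;        /* checkpoints per control cycle */
    uint32_t challenge;      /* value the application must answer correctly */
    bool     fail_safe;      /* latched; drives the fail-safe output (e.g. STO) */
} smart_wd;

/* xorshift32 as a simple challenge generator (constructed). */
static uint32_t next_challenge(uint32_t c) {
    c ^= c << 13; c ^= c >> 17; c ^= c << 5;
    return c;
}
/* Stand-in for the diagnostic computation the application must perform. */
static uint32_t expected_answer(uint32_t c) { return (c * 0x9E3779B1u) ^ 0xA5A5A5A5u; }

void wd_init(smart_wd *w, uint32_t t_min, uint32_t t_max, uint8_t n_steps, uint32_t now) {
    w->t_min = t_min; w->t_max = t_max; w->last_service = now;
    w->expected_step = 0; w->n_steps = n_steps;
    w->challenge = 0x2545F491u; w->fail_safe = false;
}

/* Application reports checkpoint `step` with its answer at tick `now`. Wrong
   order, a service outside the window or a wrong answer latches the fail-safe
   state; once latched, only a reset clears it. */
bool wd_service(smart_wd *w, uint8_t step, uint32_t answer, uint32_t now) {
    uint32_t dt = now - w->last_service;
    if (w->fail_safe) return false;
    bool ok = step == w->expected_step                 /* program flow in order */
           && dt >= w->t_min && dt <= w->t_max         /* inside the time window */
           && answer == expected_answer(w->challenge); /* correct data */
    if (!ok) { w->fail_safe = true; return false; }
    w->last_service = now;
    w->expected_step = (uint8_t)((step + 1) % w->n_steps);
    w->challenge = next_challenge(w->challenge);
    return true;
}

/* Driven by the monitor's own timer: a missing service is a fault too. */
bool wd_poll(smart_wd *w, uint32_t now) {
    if (now - w->last_service > w->t_max) w->fail_safe = true;
    return !w->fail_safe;
}
```

A service that arrives too early is rejected just like a late one, which is what distinguishes a window watchdog from a plain timeout and catches an application stuck in a tight loop that still kicks the watchdog.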
Challenge

• SIL3 with least possible effort on customer side
• “safetify” existing systems
• Pre-integrate diagnostics

F900_0717 Folie 27
Smart Watchdog Concept

Diagram: Input → Processing → Output, with a parallel Processing channel for monitoring

F900_0717 Folie 28
Solution Smart Watchdog Concept

F900_0717 Folie 29
Smart Watchdog Concept

• Intel FPGA as Customer-Application-FPGA
• MAX10 FPGA as Smart-Watchdog
• Power supply design including power supply monitoring

F900_0717 Folie 30
Smart Watchdog Concept

• Integrated IP-Cores for
  • Safe RAM
  • Safe ROM
  • Safe Clock
  • Diagnostic Communication
• IP-Cores on demand for
  • Safe Digital Inputs
  • Safe Digital Outputs
  • Safe Ethernet Communication

F900_0717 Folie 31
Smart Watchdog Concept

• Integrate safety in existing systems
• Pre-configured diagnostics with IP-Cores
• Simple safety application in Smart Watchdog FPGA
• Less effort in engineering
• Very short time-to-market
• Safe I/O, communication, memory just by using the concept
• Safety manual

F900_0717 Folie 32
Demonstration

STO: Realisation of Safe Torque Off according to DIN EN 61800-5-2 with SafeFlex

F900_0717 Folie 33
Safety Concept

HW System Architecture: Sensor – Logic – Actuator

Introduction

• SAFEFLEX: Hardware Architecture

Demonstration System Architecture

SafeFlex + diagnostic measures (block diagram):

• Power Supply with Power Supply Monitor
• Cyclone 5 SoC SOM
• MAX10 SOM with watchdog
• DSI 1–6, DSO 1–4, TSO 1–2
• RAM for Blackchannel
• Ethernet (two blocks)

F900_0717 Folie 37
NTSafeDrive

The NTSafeDrive is an add-on safety module. It enables existing drives to be used in environments where functional safety is required. It supports encoder and encoderless operation.
The safety module is based on a 1oo2 architecture with two FPGAs. It is certifiable up to SIL3/SILCL3 according to IEC 61508/IEC 62061 and PL e, Cat. 4 according to ISO 13849.

F900_0717 Folie 38
NTSafeDrive

NTSafeDrive block diagram:

• Power Supply with Power Monitor
• Five Safe Inputs and five Safe Outputs
• Control Main and Control Child, connected via EMIF
• SPI, PWM, FB and Encoder Interface to the customer servo drive
• Customer Servo Drive: Control, STO, Power Stage, Motor, Encoder

F900_0717 Folie 39
Typical applications

• Servomotors
• Inverters

F900_0717 Folie 40
Safe drive functions IEC61800-5-2/ IEC60204-1:

Advanced stop functions:

• Safe Torque Off (STO)
• Safe Stop 1 (SS1)
• Safe Operating Stop (SOS)
• Safe Stop 2 (SS2)

Advanced position functions:

• Safe Direction (SDI)
• Safely-Limited Increment (SLI)
• Safely-Limited Position (SLP)

F900_0717 Folie 41
Safe drive functions IEC61800-5-2/ IEC60204-1:

Brake Functions
• Safe Brake Control
• Safe Brake Test
• Safe Monitored Temperature

F900_0717 Folie 42
Supported Encoder Interfaces

• EnDat
• Hiperface DSL
• SinCos
• SSI
• BISS
• BISS Safety

F900_0717 Folie 43
Safety Protocol

• FSoE
• ProfiSafe
• CipSafety
• Safety for TSN ??
• OpenSafety

F900_0717 Folie 44
Customer benefits

With the NTSafeDrive module you can focus on your core competence; functional safety is achieved by using the module and the support of NewTec.

F900_0717 Folie 45
