Embedded basics Part 1: IEC 61508 functional safety for MCUs

Functional safety is becoming one of the most important features in embedded systems, especially in the automotive and industrial markets, where safety and reliability are critical design attributes. It encompasses the development of a Safety Integrity Level (SIL) according to IEC 61508 functional safety standard for the general industry and an Automotive Safety Integrity Level (ASIL) according to ISO 26262 standard for the automotive industry.

The functional safety-enabled MCUs reduce design complexity and component count by putting critical functional safety features on a single chip. That saves developers from technological problems such as interpretation of difficult standards, acquiring methods for constructing dual-structure MCUs, and selection of third-party software support.

This article will focus on the IEC 61508 functional safety standard for aviation anti-skid, programmable logic controllers (PLCs), motors and drives, and medical equipment. Subsequently, the second part will provide a detailed treatment of MCUs that support the ISO 26262 standard for road vehicles.

IEC 61508 basics

IEC 61508, the umbrella functional safety standard for industrial applications, is based on two fundamental concepts: safety lifecycle and SILs. The safety life cycle embodies the engineering process that includes all steps to accomplish functional safety. It develops and documents a safety plan and then executes that plan.

On the other hand, SILs, quantifying the magnitude of risk reduction, have four levels, with SIL 1 being the lowest and SIL 4 being the highest level of risk reduction. The SIL certification identifies process hazards, eliminates the risk of failure, and determines if a product will fail safely. Here, it’s worth mentioning that SIL 4 isn’t related to machinery and factory automation applications, and is usually reserved for nuclear and railway transport designs.

Chipmakers are now offering MCUs with SIL 2 and SIL 3 certifications. The functional safety block in these MCUs monitors all the peripheral blocks: CPU, memory, and buses. And having an MCU incorporating functional safety block saves costs and minimizes development risks as compared to using a second MCU with dedicated on-chip diagnostic circuitry.

Figure 2: An IEC 61508-enabled MCU carrying out systematic and random failures using a reference kit. (Image: Renesas Electronics Corp.)

Two basic considerations

For MCUs claiming IEC 61508 functional safety certification, embedded developers need to examine a couple of things. First and foremost, the functional safety documentation along with safety manuals is a crucial requirement; it provides developers with implementation guidelines and helps them efficiently and quickly certify their designs with SIL 2 or SIL 3 according to IEC 61508.

Second, the software tools or IP libraries that are certified and enable designers to detect faults in a microcontroller. Other software tools can help developers evaluate functional safety platforms on a PC.

The more popular industrial applications served by the IEC 61508 standard include systems facilitating machine-operator protection and robot safety. Notably, the use of IEC 61508-compliant MCUs is expected to grow in robotic designs serving manufacturing, logistic, and service markets.