Functional safety with netX

Q: What is Functional safety?

Functional safety is part of the overall safety of a system or piece of equipment and generally focuses on electronics and related software.

It looks at aspects of safety that relate to the function of a device or system and ensures that it works correctly in response to commands it receives.

Taking a systematic approach, functional safety identifies potentially dangerous conditions, situations or events that could result in an accident harming somebody or destroying something.

It enables corrective or preventive actions to avoid or reduce the impact of an accident.

Q: What is the aim of Functional safety?

The aim of functional safety is to bring risk down to a tolerable level and to reduce its negative impact; however, there is no such thing as zero risk.

Functional safety measures risk by how likely it is that a given event will occur and how severe it would be; in other words: how much harm it could cause.

Depending on the hazard potential, the system is classified into a safety integrity level (SIL1 to SIL4). SIL1 corresponds to the lowest risk and SIL4 to the highest risk, with catastrophic consequences.

Q: Which type of failures can arise?
  • random or systematic failures of hardware or software
  • human error
  • environmental circumstances such as for example temperature, weather, electro-magnetic interference or mechanical phenomena
  • loss of electricity supply or other disturbances
  • incorrect specifications of the system, whether hardware or software
  • omissions in the specifications of safety requirements (e.g. failure to put in place all relevant safety functions in line with the different modes of operation)

Q: What are E/E/PE systems?

So called electrical, electronic or programmable safety-related systems (E/E/PE) cover all the parts of a device or system that carry out automated safety functions.

This includes everything from sensors, through control logic and communication systems, to final actuators, including any critical actions of a human operator as well as environmental conditions.

Q: Which are the common safety circuits?
  • 1oo1 (One out of One): The failure of a channel leads to the loss of the safety function.
  • 1oo2 (One out of Two): The failure of a channel leads to shutdown. But only the failure of both channels leads to the loss of the safety function.
  • 2oo2 (Two out of Two): If one channel fails, the system remains functional. Only the failure of the 2nd channel leads to the loss of the safety function.
  • 2oo3 (Two out of Three): At least three failures must occur simultaneously to cause a loss of the safety function.

Q: What is the black box principle?

The black box principle describes the netX-specific part of a safety-critical application.

Hilscher's core competence is the data transfer through different types of standard protocols.

In a safety-critical application, the standard protocol is extended by a safety layer, which is implemented by one or more separate fail-safe CPU(s) (F-CPU).

Thus, the process data are transferred by the netX SoC to the F-CPU. For the safety application, the netX behaves like a black box.

Hilscher's expertise covers only the black channel part; the safety-related part must be implemented by the customer or a third party.
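
The black channel principle above, as an added illustration that is not Hilscher's or netX code: a simplified safety layer (an assumption for this example, not any specific safety protocol) wraps the process data in a consecutive number and a CRC, the black channel forwards the frame unchecked, and only the receiving F-CPU verifies it and goes to its safe state on any error.

```python
from typing import Optional, Tuple
import struct
import zlib

def pack_safety_frame(seq: int, payload: bytes) -> bytes:
    """Sending F-CPU: 16-bit consecutive number + process data, protected by CRC-32."""
    body = struct.pack(">H", seq & 0xFFFF) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def black_channel(frame: bytes, fault: Optional[str] = None) -> Optional[bytes]:
    """The netX part: forwards the frame without inspecting it. The optional fault
    (constructed for the demo) models a transport error: a flipped bit or a lost frame."""
    if fault == "corrupt":
        damaged = bytearray(frame)
        damaged[2] ^= 0x01            # flip one bit inside the CRC-protected frame
        return bytes(damaged)
    if fault == "drop":
        return None                   # nothing arrives before the receiver's watchdog expires
    return frame

class SafetyReceiver:
    """Receiving F-CPU: the only place where the safety layer is checked."""
    def __init__(self) -> None:
        self.expected_seq = 0
        self.safe_state = False       # set once any check fails; process data no longer trusted

    def receive(self, frame: Optional[bytes]) -> Tuple[Optional[bytes], str]:
        if frame is None or len(frame) < 6:
            return self._fail("timeout")
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return self._fail("crc")       # bit error introduced in the black channel
        seq = struct.unpack(">H", body[:2])[0]
        if seq != self.expected_seq:
            return self._fail("sequence")  # replayed, reordered or skipped frame
        self.expected_seq = (seq + 1) & 0xFFFF
        return body[2:], "ok"

    def _fail(self, reason: str) -> Tuple[None, str]:
        self.safe_state = True
        return None, reason
```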

Q: Is it possible to use the netX in a safety critical application?

Yes, the netX can be used in safety critical applications!

The netX SoC handles the transfer of the process data to the fail-safe CPU(s). These functional-safety-relevant CPUs are connected to the netX SoC, e.g. via UART or SPI.

The application example below of a 1oo2 circuit shows the netX SoC part and Hilscher's area of expertise (black outline) in a safety-critical application.

The part with the red outline illustrates the safety-specific part of the design, for which we recommend contacting one of our functional safety partners.

Q: Who are Hilscher's partners in the field of Functional safety?