Safety is achieved when we can prevent dangers and minimize the risk of injury. Unfortunately, industry is full of machinery that can threaten human safety without proper precautions, like personal protective equipment. When electricity comes into play, the risks multiply with hot temperatures and electric shock hazards, to name a few. As the world advances with more and more electronics, including automation and other intelligent technology, safety measures get even more complicated.
The functional safety of a system therefore becomes paramount for organizations. According to the International Electrotechnical Commission (IEC), functional safety “focuses on electronics and related software and activates built-in safety mechanisms to reduce potential risks that could harm somebody or destroy something to a tolerable level.”[1] This condition of functional safety means we trust the system to perform as designed.[2] Risks not only to humans but also to the machinery and the environment are actively minimized.
The need for functional safety is becoming ubiquitous. As a basic example, precautions must be taken in case the software within a smoke detector fails.[3] As artificial intelligence comes into play, robots need to navigate through physical space; we can equip them with motor control devices so that their motors shut off when a hazard is detected.[4] With the rise in automation, organizations strive to establish adequate functional safety solutions throughout their intelligent workplaces. This article discusses the foundations of functional safety with a focus on Renesas products in achieving it.
Whether required by an insurer, customer, union, or regulator, a functional safety certification, such as IEC61508, for your product or operation shows that you have systems in place to mitigate dangers in the case of equipment failure. With more humans and machines working side by side in high-speed operations, safety in automation is crucial. This is evidenced by the compound annual growth rate of functional safety certifications surpassing 8%, similar to that of industrial automation.[5]
The EtherCAT (Ethernet for Control Automation Technology) protocol, introduced in 2003, is seeing increased use in automation as we move through the latest industrial revolution, Industry 4.0.[6] This phase demands the fast transmission and processing that EtherCAT provides for industrial automation and safety-critical control data. Hence, functional safety over EtherCAT (FSoE), the safety protocol specified by the EtherCAT Technology Group (ETG) and layered on top of standard EtherCAT communication, can enhance machine safety and ultimately improve production capacity.
Image 1: Understanding and achieving Functional Safety increases as automation in industry expands.
Functional safety, along with the adoption of IEC61508, is expanding to many applications. Robotics, in particular, is receiving more attention along with the medical and building management industries. Geographic trends show technology leaders in China, Germany, Japan, and the United States continuing to seek these certifications. Recently, developers in Eastern Europe have been showing an increased interest in functional safety. These movements align with the global emphasis on releasing safe products to the market.
Achieving an IEC61508 or similar certification from an organization such as TÜV can be overwhelming, especially since most applicants have little exposure to the process. In addition to the extensive work involved in not only complying with the standard but also obtaining a certification, many developers have questions:[7]
Where to begin? A first concern is whether to connect with a certification body, contract a designer, or contact a vendor. Unfamiliarity with functional safety standards often forces developers to rely on experts. Collaborating with an organization that has a solid understanding and vast experience in functional safety certifications
Must we redesign the hardware/software according to the standard? Developing safety solutions from scratch often delays a product launch. The certification process is already time-consuming, so a project timeline can rarely accommodate additional software and hardware development. Off-the-shelf hardware, including microcontroller units (MCUs), and software that already comply with the functional safety standard can reduce both time and effort. MCUs are small single-chip computers that perform specific, limited actions based on inputs within a larger system,[8] such as stopping the robot's motor.
How can we incorporate adequate functional safety from the start? Ideally, a product or system is designed with functional safety in mind from the outset, and knowing what software and hardware to implement is fundamental to successful certification. Moreover, you can adopt a solution that is already certified to a high safety integrity level (SIL) and an appropriate hardware fault tolerance (HFT). By their definitions, the SIL bounds the probability of a dangerous failure of the safety function, and the HFT states how many hardware faults the function can tolerate without being lost; together they document a low risk of failure.[9] [10]
What is the overall certification process, and what documents are needed? So many unknowns arise with the fast pace of automation implementation and associated functional safety requirements. Guidelines are necessary for applicants to navigate the whole process.
These challenges are compounded when installing FSoE, which requires significant network development. As complications arise, developers must consult various suppliers and experts to solve them, further delaying the finished product.
So, where exactly should you begin to achieve functional safety in your automation projects? The semiconductor manufacturer Renesas specializes in MCUs for intelligent equipment. The company has designed solutions for functional safety in automation, establishing a one-stop shop for those needing this certification. This approach, built on 32-bit MCUs, can cut the development and pre-certification process from two or three years to one, allowing customers to launch their products sooner.
Renesas's solution has two basic building blocks: SIL3-certified software for its MCUs and reference hardware to facilitate development. Of the four SILs, SIL3 is the second-highest and corresponds to a low probability of dangerous failure. The reference hardware board includes the diagnosis and monitoring circuit required by the standard and can be applied to your own network. Coupled with an HFT of one (i.e., one hardware fault can be tolerated without losing the safety function), this yields a dual-redundant MCU safety system.
In the system example below, the yellow safety area monitors the non-safety portion, which is controlled by the network MCU or microprocessor unit (MPU) and the motor control MCU. The two safety-area MCUs also monitor each other (i.e., HFT = 1). With this hardware in place, integrating Renesas's SIL3-certified software is straightforward.
Figure 1: System example with an installed functional safety network. Image credit: Renesas
As an MCU/MPU supplier, Renesas also provides FSoE software solutions certified by TÜV. For example, the FSoE Application, SIL3 System, and Self-test Software Kits enable easier and faster development than conventional processes.
The FSoE Application Software Kit includes an FSoE slave stack that is ETG-compliant and IEC61508 SIL3-certified. Its network communication interface connects the safety and non-safety inputs and outputs and simplifies the interface to Renesas's EtherCAT slave MCU. The certified Self-test and SIL3 System Software Kits let the MCU perform all the safety monitoring tasks, leaving developers free to focus on their actual product.
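To make the cross-monitoring in the safety area concrete, here is an added example (not Renesas code, and not taken from the page) of the two-channel logic that an HFT = 1 architecture implements: each channel samples the safety input independently, the channels exchange heartbeats and compare readings, and the motor is enabled only when both channels agree that the input is safe. A stuck heartbeat or persistent disagreement latches the safe state until an explicit reset. The names, the DISCREPANCY_LIMIT value and the single-process simulation are assumptions; in a real system the two channels run on separate MCUs with their own clocks and a hardware watchdog.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Consecutive cycles the two channels may disagree before the disagreement is
 * treated as a channel fault. Assumed value for this example; a real design
 * derives it from the input filter time and the required response time. */
#define DISCREPANCY_LIMIT 3

typedef struct {
    bool    input_safe;  /* this channel's own reading of the safety input */
    uint8_t heartbeat;   /* advanced every cycle and read by the peer channel */
    bool    hb_stuck;    /* fault injection for the demo: heartbeat stops advancing */
} channel_t;

typedef struct {
    channel_t ch[2];
    uint8_t   peer_hb_seen[2];  /* last heartbeat value channel i saw from its peer */
    uint8_t   discrepancy;      /* consecutive cycles of disagreement */
    bool      fault_latched;    /* safe state held until safety_reset() */
    bool      motor_enabled;    /* the controlled output */
} safety_system_t;

void safety_init(safety_system_t *s) {
    memset(s, 0, sizeof *s);
}

/* One control cycle: returns the new state of the motor enable output.
 * 1oo2 voting: any channel demanding a stop, any channel fault, or a latched
 * fault forces the output off. */
bool safety_cycle(safety_system_t *s, bool in0, bool in1) {
    s->ch[0].input_safe = in0;
    s->ch[1].input_safe = in1;

    for (int i = 0; i < 2; i++)
        if (!s->ch[i].hb_stuck)
            s->ch[i].heartbeat++;

    /* Cross-monitoring: a peer whose heartbeat did not advance is considered dead. */
    for (int i = 0; i < 2; i++) {
        int peer = 1 - i;
        if (s->ch[peer].heartbeat == s->peer_hb_seen[i])
            s->fault_latched = true;
        s->peer_hb_seen[i] = s->ch[peer].heartbeat;
    }

    /* Discrepancy check: brief disagreement is tolerated (input edge, filter
     * skew); persistent disagreement means one channel cannot be trusted. */
    if (s->ch[0].input_safe != s->ch[1].input_safe) {
        if (++s->discrepancy >= DISCREPANCY_LIMIT)
            s->fault_latched = true;
    } else {
        s->discrepancy = 0;
    }

    s->motor_enabled = !s->fault_latched &&
                       s->ch[0].input_safe && s->ch[1].input_safe;
    return s->motor_enabled;
}

/* Manual reset: only permitted while both channels currently read a safe input,
 * so the system never restarts on its own when the fault disappears. */
bool safety_reset(safety_system_t *s) {
    if (!(s->ch[0].input_safe && s->ch[1].input_safe))
        return false;
    s->fault_latched = false;
    s->discrepancy = 0;
    return true;
}

int main(void) {
    safety_system_t s;
    safety_init(&s);
    printf("both safe      -> motor %d\n", safety_cycle(&s, true, true));
    printf("ch1 demands stop -> motor %d\n", safety_cycle(&s, true, false));
    printf("agree again    -> motor %d\n", safety_cycle(&s, true, true));
    s.ch[0].hb_stuck = true;  /* simulate channel 0 hanging */
    printf("ch0 hb stuck   -> motor %d, fault %d\n",
           safety_cycle(&s, true, true), s.fault_latched);
    return 0;
}
```

The point of the structure is that the output depends on both channels and on their mutual health checks, so a single failed MCU can neither keep the motor running nor hide its own failure; that is what the HFT = 1 claim of the dual-MCU safety area amounts to.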
Figure 2: Renesas solution to functional safety over EtherCAT. Image credit: Renesas
Functional safety is a significant undertaking, and the certification portion is no exception. Renesas's IEC61508 certification guidebook (reference document) directs you through this process. It also includes guidance for motor drive (IEC61800-5-2) and machinery (ISO13849) safety certification as needed.
Even better, the certification paperwork for the functional safety solution (software and MCU) is already complete and TÜV-certified. For the concept-phase requirements, a template document is provided that you can customize with your product specification. The key to a smooth certification process is knowing which deliverables to submit and when. Along with the guidebook, technical support on the 32-bit MCUs is available from product development through release.
[1] [Online]. Available: https://www.iec.ch/functional-safety.
[2] [Online]. Available: https://www.ivtinternational.com/opinion/opinion-why-functional-safety-and-what-is-it.html.
[3] [Online]. Available: https://www.dekra-product-safety.com/en/everything-you-need-know-about-iec-62368-and-where-functional-safety-comes.
[4] [Online]. Available: https://www.renesas.com/us/en/document/whp/functional-safety-industrial-automation.
[5] [Online]. Available: https://www.renesas.com/us/en/blogs/iec61508-functional-safety-solution-who-will-you-rely.
[6] [Online]. Available: https://www.motioncontroltips.com/is-ethercat-on-the-rise-for-motion-applications/.
[7] [Online]. Available: https://www.renesas.com/us/en/blogs/iec61508-functional-safety-solution-who-will-you-rely.
[8] [Online]. Available: https://www.techtarget.com/iotagenda/definition/microcontroller.
[9] [Online]. Available: https://www.safeopedia.com/definition/4881/safety-integrity-level-sil.
[10] [Online]. Available: https://efunctionalsafety.com/what-is-hardware-fault-tolerance-hft/.
Wevolver 2023