Congatec
Functionally safe with x86 multicore
Power-hungry sensor technology in applications with functional safety (FuSi) means that embedded computing platforms must also deliver more performance. Multicore processors are therefore increasingly coming into focus.
Sensors for situational awareness are probably the most important performance drivers in functional safety applications. In cobot environments, FuSi-qualified sensors and switching devices that bring the robot to a standstill when someone enters the production cage are no longer enough; every movement must be detected. Where robots and autonomous logistics vehicles work collaboratively in production, camera, lidar and laser data must therefore be processed and analyzed, increasingly with the help of artificial intelligence. In some cases this data must also be fused with geopositioning sensor data so that evasive maneuvers can be carried out according to predefined decision patterns.
All of this has to happen in real time and in a functionally safe manner. It does not always have to be as complex as in autonomous vehicles, however. Even the digital rear-view mirror of an industrial truck that is still driven by an employee is a complex "sensor". If it is to be functionally safe, it must be constantly checked to confirm that it is still working: a frozen image could ultimately lead the driver to make completely wrong assessments.
Power-hungry sensors
Such performance-hungry function modules used in functional safety applications do not necessarily have to be functionally safe themselves. For example, there is discussion of how environmental perception in vehicles can be implemented without the burden of ISO 26262. What is certain, however, is that, in combination with functionally safe solutions, they require significantly more performance than the functionally safe elements of a system would ever need to fall back to the safe side.
More performance is therefore required in applications that now also need sensors for situation recognition in combination with AI. The real-time connectivity of such systems adds to the need for high data throughput with low latency, for instance when higher-level control logic is used for autonomously guided systems connected via private 5G networks.
Mixed-critical systems on the rise
In addition to conventional FuSi controllers, application processors are also required, which ideally host the system's GUI as well as situation recognition and artificial intelligence; in mobile machines, for example, these are driver assistance systems. x86 technology is therefore highly interesting for such mixed-critical systems, above all because a homogeneous further development of this generic multicore processor technology can be expected, and not least because the first processors of this type integrate controllers that fulfill FuSi functions. Intel Atom x6000E processor technology is already qualified so that it supports applications that must be certified to IEC 61508 safety integrity level SIL 2.
Areas of application for SIL 2 can be found in industrial machines, collaborative robots and Industry 4.0 products such as IoT gateways and edge servers. Further markets arise from the requirements of automated intralogistics with autonomous logistics vehicles and range from factory mobility to all the new markets of autonomous driving, from agricultural and construction machinery to smart city vehicles, AUVs and UAVs. Last but not least, medical devices as well as hardware for train and route control or avionics are also target markets. Safety certification is required in these areas, for example to avoid the risk of electric shock, fire and explosion, crushing and impact, or even being run over. Redundancy and the ability to implement fail-safe processes are therefore required.
Functionally safe Computer-on-Modules
Manufacturers of embedded computer technology are therefore increasingly qualifying their products for functional safety. For example, the vendor-independent standardization body PICMG, which is responsible for embedded computer form factors such as COM-HPC and COM Express, announced a corresponding extension to the COM-HPC hardware specification at embedded world 2022. It defines signal pinouts to support FuSi applications. This is necessary in order to support the FuSi-qualified safety islands of modern chipsets or systems-on-chip (SoCs): a dedicated part of the hardware that, together with supporting firmware and software, is separated from the main part of the chipset or SoC. The safety island monitors the health and status of the main chipset or SoC and reports all results via dedicated FuSi GPIOs and a dedicated FuSi SPI slave interface to a FuSi system safe state agent or safety controller. This agent is implemented as a FuSi SPI master on the carrier board and processes the safety and status information for further use. The final specification is expected before the end of this year, or early 2023 at the latest.
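To make the reporting path just described concrete, and to show how the "frozen sensor" concern from the rear-view mirror example is handled on the receiving side, here is an added example of a minimal safe-state agent for the carrier-board safety controller. It is not Congatec, Intel or PICMG code: the status frame layout (sequence counter, health byte, CRC-16), the timing values and the function names are assumptions for illustration, and the real pinout and protocol are defined by the COM-HPC specification and the SoC vendor. The agent latches the safe state on a CRC mismatch, a skipped sequence number, a fault code from the island, or silence longer than the configured timeout.

```c
/* Added example, not Congatec/Intel/PICMG code. Frame layout, CRC choice and
 * timing values are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed status frame as clocked in over the FuSi SPI slave interface. */
typedef struct {
    uint8_t  seq;     /* rolling counter, must increase by exactly 1 per frame */
    uint8_t  health;  /* 0 = main SoC healthy, non-zero = fault code from the island */
    uint16_t crc;     /* CRC-16/CCITT-FALSE over seq and health */
} StatusFrame;

typedef enum { STATE_OPERATIONAL = 0, STATE_SAFE = 1 } SystemState;

typedef struct {
    SystemState state;          /* STATE_SAFE is latched until a controlled restart */
    bool        have_seq;       /* false until the first valid frame has been seen */
    uint8_t     last_seq;
    uint32_t    last_frame_ms;  /* timestamp of the last valid frame */
    uint32_t    timeout_ms;     /* maximum tolerated silence from the island */
    const char *reason;         /* why the safe state was entered, for logging */
} SafeStateAgent;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, MSB first), used here purely
 * as an integrity check on the short frame. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

static uint16_t frame_crc(const StatusFrame *f)
{
    uint8_t payload[2] = { f->seq, f->health };
    return crc16_ccitt(payload, sizeof payload);
}

/* Stand-in for the island's firmware: builds a well-formed frame. */
StatusFrame make_frame(uint8_t seq, uint8_t health)
{
    StatusFrame f = { seq, health, 0 };
    f.crc = frame_crc(&f);
    return f;
}

void agent_init(SafeStateAgent *a, uint32_t now_ms, uint32_t timeout_ms)
{
    memset(a, 0, sizeof *a);
    a->state = STATE_OPERATIONAL;
    a->last_frame_ms = now_ms;
    a->timeout_ms = timeout_ms;
    a->reason = "none";
}

static SystemState enter_safe_state(SafeStateAgent *a, const char *reason)
{
    a->state = STATE_SAFE;
    a->reason = reason;
    return a->state;
}

/* Called by the SPI master driver for every received frame. Any integrity,
 * ordering or health problem is treated as a failure: the controller must
 * fail towards the safe side rather than assume the best. */
SystemState agent_on_frame(SafeStateAgent *a, const StatusFrame *f, uint32_t now_ms)
{
    if (a->state == STATE_SAFE)
        return STATE_SAFE;
    if (frame_crc(f) != f->crc)
        return enter_safe_state(a, "crc mismatch");
    if (a->have_seq && (uint8_t)(a->last_seq + 1) != f->seq)
        return enter_safe_state(a, "sequence error");
    if (f->health != 0)
        return enter_safe_state(a, "island fault");
    a->have_seq = true;
    a->last_seq = f->seq;
    a->last_frame_ms = now_ms;
    return a->state;
}

/* Called from a periodic timer regardless of SPI traffic: a silent island
 * (or a frozen pipeline behind it) must not look like a healthy one. */
SystemState agent_on_tick(SafeStateAgent *a, uint32_t now_ms)
{
    if (a->state == STATE_OPERATIONAL && now_ms - a->last_frame_ms > a->timeout_ms)
        return enter_safe_state(a, "heartbeat timeout");
    return a->state;
}

/* Level to drive on the safe-state GPIO towards the machine (1 = demand safe state). */
int safe_state_gpio(const SafeStateAgent *a)
{
    return a->state == STATE_SAFE ? 1 : 0;
}

int main(void)
{
    SafeStateAgent a;
    agent_init(&a, 0, 50);                 /* tolerate at most 50 ms of silence */
    StatusFrame f0 = make_frame(0, 0), f1 = make_frame(1, 0);
    agent_on_frame(&a, &f0, 10);
    agent_on_frame(&a, &f1, 20);
    agent_on_tick(&a, 60);                 /* 40 ms since last frame: still OK */
    agent_on_tick(&a, 80);                 /* 60 ms of silence: safe state latched */
    printf("state=%d gpio=%d reason=%s\n", a.state, safe_state_gpio(&a), a.reason);
    return 0;
}
```

Two design points matter here. The safe state is latched and only a controlled restart clears it, so a single corrupted or late frame cannot be "healed" by the next good one. And the timeout is evaluated from a timer, not from incoming frames, because the failure mode that most needs catching is the one in which nothing arrives at all.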
Functionally safe virtual machines
Thanks to its Safety Island controller, Intel Atom multicore processor technology enables the creation of mixed-critical systems that host safe applications in real-time capable virtual machines. They can even host sophisticated sensor technology for situation recognition.
Real-Time Systems also announced at embedded world that it will address the topic of FuSi comprehensively and provide an operating-system-independent type 1 hypervisor certified for functional safety on x86 processor technology, the 'RTS Safe Hypervisor'. It targets mixed-critical workloads on x86 multicore processor technology and will be available worldwide. It is delivered as a complete OEM package that bundles the certified real-time hypervisor with functionally safe and non-safe virtual machines and a certified safe operating system such as the Linux-based Zephyr or QNX. This package is aimed at any commercially available or customer-specific embedded computing platform equipped with functional-safety-capable x86 processors. The first implementations will be based on Intel Atom processors of the x6000E series with integrated Intel Safety Island. An extension to products based on eleventh-generation Intel Core processors is a further option for the future.
The goal of RTS is to give developers the most efficient path to fully functional, safety-compliant applications by providing pre-certified platforms. Safe real-time hypervisor technology is the key to connecting everything from safe hardware, safe type 1 virtual machines and safe operating systems to non-safe domains running general-purpose operating systems. Ultimately, application developers only need to concern themselves with the safety-critical part of their application in order to obtain functional safety certification.
OEMs using such hardware platforms for mixed-critical application designs benefit from cost savings due to a reduced number of systems, which in turn improves the mean time between failures (MTBF) compared to multi-system installations. Another benefit is that developers can manage critical and non-critical applications on a single chip or piece of hardware, which simplifies application development and testing as well as data exchange between these applications. And despite the single-system approach, such a hypervisor implementation allows all non-safety-related applications to be continuously updated and modified without recertifying the safety-related components. This is extremely important not only for innovation but also for improving cyber security.
Real-time operating systems for safety and security
Congatec also announced that it will invest heavily in the functional safety market. The company had already announced a strategic partnership with Sysgo, Europe's leading provider of real-time operating systems for safety and cybersecurity applications, at the end of 2021. The aim of the cooperation is to provide solution platforms specifically tailored to the requirements of functional safety and cybersecurity, not only for x86 but also for Arm processors. The first implementations, which can be certified in corresponding designs up to ASIL B or SIL 2, will be available on x86 and Arm Cortex-based Computer-on-Modules. A typical use case is a Safety Element out of Context (SEooC) as defined in ISO 26262.
The full-service offering provided under the new partnership agreement is designed to simplify and shorten the development process for safety-critical systems. It includes comprehensive certification support for the various safety standards analogous to IEC 61508, the standard for functional safety of electronic systems. Support for the Sysgo PikeOS RTOS and hypervisor-based platforms ranges from railway applications (EN 50129 / EN 50657) to commercial and agricultural vehicles (ISO 26262), civil aviation technology (DO 254) and PLCs in automation and process control (IEC 61508) through to medical applications (IEC 62304).
Atom x6000E processor technology on COMs
The combination of functionally safe processor technology and OS/hypervisors is particularly attractive when it can be provided ready to use on Computer-on-Modules. Congatec presented such FuSi building blocks in a live demo at embedded world. It is based on the conga-MA7 COM Express Mini module prepared for functional safety, which integrates the FuSi-qualified Intel Atom x6427FE with Safety Island support. The demo showed a FuSi application running on the RTS hypervisor with an integrated real-time Linux. OEMs can now start integrating Congatec's functional-safety-qualified modules and BSPs, together with their own software components, into their application platforms.
Certifiable solution modules
In order to qualify Computer-on-Modules for safe operation, all components and the entire BSP must be prepared for FuSi certification, including the safety manuals and all other necessary documentation. All organizational processes and documents created during development and testing, such as the FMEDA (Failure Modes, Effects and Diagnostic Analysis) and the verification and validation (V&V) process, must also be aligned with the certification requirements and reviewed by external experts. All of this is available from Congatec, so customers can start their FuSi projects immediately and benefit from faster time to market, lower costs and reduced implementation risk.
x86-based embedded multicore platforms thus offer a solid ecosystem for functional safety, which is particularly attractive because of homogeneous processor roadmaps that are not tied to a single processor manufacturer. Standardized Computer-on-Modules also provide the foundation for scaling the required performance across all processor sockets and manufacturers. OEMs that use a Computer-on-Module as an application-ready building block, including all relevant software components such as boot loader, hypervisor and BSP, that is already certifiable for functional safety also save a great deal of time and money: they only need to qualify the customer-specific carrier board and the corresponding adaptations for certification.