Breaking Down the Complexity of Functional Safety Design

July 19, 2018

Editor’s Note: This content is contributed by Paul S. Levy, Xilinx Sr. Staff Functional Safety Systems Engineer


Functional Safety is the study of methods and measures to reduce risk of harm to people and equipment when machines malfunction or when their operating environment is interrupted. Thinking of the 2018 FIFA World Cup that just ended, if we apply this to a game of football, referees have the ability and power to halt a game when they feel a violation occurs, but don’t always see everything and don’t always make the right call.

In the parlance of Functional Safety, these errors are called random hardware or systematic faults. These errors could make or break a game depending on which side of the field you’re on, so in an ideal sporting world, we could anticipate these erroneous calls and avoid them altogether. Functional Safety seeks to address a similar issue in systems design, where the cost of error could be catastrophic or fatal, such as a machine failing to detect an open panel and causing injury to the human operator or a railroad crossing gate failing and the training hitting a bus. Essentially, Functional Safety design tries to anticipate ways that systems can fail, and when they do, implement Plan B.


Increasing Demand for Functional Safety Systems

As one might expect, Functional Safety system design is subject to standards, issued either by official governing bodies or widely accepted authorities. Well known authorities are UL, ISO, and IEC. They exist to create and promote safety specifications such as Safety Integrity Level (SIL), which defines a target level of risk reduction. The work of these authorities is what drives state-of-the-art design and evolves Functional Safety across many different industries. Aircraft and automobiles, unsurprisingly, follow very strict government mandated safety standards; examples are air bags and rear-view cameras in cars. In housing construction, home remodels must abide by building codes and complete new builds must have UL-approved electrical distribution. As technology evolves, and systems become more complex, the list of industries and end applications that will be subject to Functional Safety standards will also grow. The era of self-driving cars and cobots is here, and these systems must demonstrate that they cannot (and will not) do harm to people.


Functional Safety Is Complex

Functional Safety design is largely based on the understanding of how systems fail and what to do when these systems do fail. This is a highly complex undertaking and widely considered the pinnacle of systems engineering involving techniques such as formal design methodologies. One approach used is the application of redundancy, where critical system components are duplicated as a fail-safe and to increase reliability. A software program, for example, can be executed on two separate processors to check if the outcomes are the same. If one processor produces a non-expected result, the system knows that there is an error. Multiple components, however, usually introduces challenges in power efficiency and performance while driving up cost. Don’t worry, Xilinx system engineers and architects will help you demystify the complexity of these approaches.


Xilinx Simplifies Functional Safety Design and Certification

Xilinx offers packaged solutions around device portfolios to help overcome the complexity of Functional Safety system design and meet certification requirements outlined by standards such as IEC 61508, DO-254 or ISO 26262. These pre-architected and validated solutions can dramatically shorten development timeframes for companies and eliminate the cost/risk associated with trying to implement a functional safety on their own.

What it comes down to for an OEM, then, is which device option to go with. When it comes to performance and power efficiency, general purpose CPUs and GPUs really cannot compete with ASICs or FPGAs, especially for real time, low latency tasks. Programmable System-on-Chips (SoCs) like Xilinx Zynq UltraScale+ MPSoCs offer the best overall cost-to-performance effectiveness, with ability to integrate several Arm CPUs on a single device while offering flexibility and scalability to size up/down according to the task at hand.


Xilinx Devices and Toolflows Enable Fault-Tolerant Design

Xilinx devices also feature hardware isolation, which allows both safety and non-safety functions to run on the same chip at the same time and make design updates without disturbing or touching already certified parts. The ability to control system failure modes through fault-tolerant design requires an implementation methodology that ensures fault propagation can be controlled. The Xilinx Isolation Design Flow (figure below) provides fault containment at the FPGA module level, enabling single-chip fault tolerance.


Learn More about Functional Safety

Last month, Xilinx just wrapped up the annual Functional Safety Working Group (FSWG) sessions in Europe and North America. If you missed these no charge events, you can learn more by reaching out to your local Xilinx technical sales contact and be sure to register next year or attend the upcoming events in China on September 25-26 in Shanghai and September 27-28 in Shenzhen.

Because there is no safety without security, you can save the date for a number of Xilinx Secure Working Groups (XSWG) across North America (Colorado: October 16-17, Washington DC: November 6-7) and Europe (Munich: December 18-19) and also the first Xilinx Security Design Workshop (XSDW) being held concurrently with the Xilinx Developers Forum on October 1-2 in San Jose, California.


Visit Xilinx's Functional Safety page at: