1. An overview of functional safety standards and easing certification exida / Texas Instruments Chris O’Brien – exida, CFSE Hoiman Low – TI Safety MCU June / 2014
Compliance to Functional Safety standards is becoming a requirement for automotive and many industrial equipment's. Today’s webinar hosted by exida and TI will cover the overview of functional safety standards, the certification steps and the Hercules MCU family support to various functional safety standards. 
We will have about 50 minutes presentation followed by 10 minutes Q&A. Please send your questions through the chat panel.

2. Topics
exida
Overview of functional safety standards for industrial and automotive systems
Steps to certification
Services provided by exida
Texas Instruments
Hercules MCU family and safety features overview
Hercules MCU for IEC 61508, ISO and other functional safety standards
Chris O’Brien is a principle partner from exida and a Certified Functional Safety Engineer. Chris, I will let you get started.

3. exida Capabilities Copyright exida 2000-2014 Assessment and
Certification
Lifecycle Services
Knowledge Base
Copyright exida

4. The origins of IEC 61508: 1988 Piper Alpha 167 dead $3.4B
Piper Alpha offshore rig fire/explosion in 1988 killed 187 people, cost 3.4 B$, triggered invesitgation into industrial safety.
The purpose of this slide in this location is to help define what is functional safety. At its highest level functional safety is a practice whose goal is to prevent industrial accidents and to save lives! This particualar accident pictured above essentially drove the creation of IEC
Piper Alpha dead $3.4B
Copyright exida

5. Industrial Accident Causes: 1995
Specification
44%
Design &
Changes after
Implementation
Commissioning
15%
21%
Operation &
Installation & Commissioning
Piper Alpha offshore rig fire/explosion in 1988 killed 187 people, cost 3.4 B$, triggered invesitgation into industrial safety.
The purpose of this slide in this location is to help define what is functional safety. At its highest level functional safety is a practice whose goal is to prevent industrial accidents and to save lives! This particualar accident pictured above essentially drove the creation of IEC
Maintenance 6%
15%
“Out of Control: Why Control Systems go Wrong and How to Prevent Failure,” U.K.: Sheffield, Heath and Safety Executive
Copyright exida

6. IEC/EN 61508 Functional Safety: 1998/2000
Specification
44%
Design &
Implementation
15%
Installation & Commissioning 6%
Operation &
Maintenance
Changes after
Commissioning
21%
DINV VDE0801
DIN V 19250
ISA
S84
HSE
PES
EWICS
IEC61508
Piper Alpha offshore rig fire/explosion in 1988 killed 187 people, cost 3.4 B$, triggered invesitgation into industrial safety.
The purpose of this slide in this location is to help define what is functional safety. At its highest level functional safety is a practice whose goal is to prevent industrial accidents and to save lives! This particualar accident pictured above essentially drove the creation of IEC
Copyright exida

7. The continuing need today . . .
Copyright exida

8. Functional Safety
Functional Safety Goal – The automatic safety function will perform the intended function correctly or the system will fail in a predictable (safe) manner.
Perform the intended function correctly – Reliability Engineering
Fail in a predictable manner – Safety Engineering
Working groups and national standards bodies from around the globe have been involved in the process of bringing together the IEC61508 standard.
DINV19250 : Fundamental Safety Aspects to be Considered for Measurement and Control Equipment. A 1989 German draft national standard for safety related systems, and formerly the basis for all TUV risk assessment.
DINV VDE0801 : Principles for Computers in Safety Related Systems. German draft national standard, 1990.
S.84 : Application of Safety Instrumented Systems for the Process Industry, ISA (Instrument Society of America).
EWICS : European Workshop on Industrial Computer Safety
HSE PES : UK Health & Safety Executive guidelines on Programmable Electronic Systems.
Copyright exida

9. How do you keep it doing what it should?
IEC Safety Lifecycle 1
Concept
ANALYSIS Phase
What should it do? 2
Overall Scope Definition 3
Hazard & Risk Analysis 4
Overall Safety Requirements 5
Safety Requirements Allocation
Overall Planning 9
Safety-related systems : E/E/PES 10
Safety-related systems : other Technology 11
External Risk Reduction Facilities
REALIZATION Phase
How will it do it? 6
Operation & Maintenance Planning 7
Validation Planning 8
Installation & Commissioning Planning
Realization
Realization
Realization
The IEC safety lifecycle is one of the more comprehensive guidlines for how to effecively achieve functional safety through the use of safety instrumented systems. 12
Overall Installation & Commissioning 13
Overall Safety Validation 14
Overall Operation & Maintenance 15
Overall Modification & Retrofit
OPERATION Phase
How do you keep it doing what it should? 16
Decommissioning
Copyright exida

10. IEC 61508 – Fundamental Concepts
IEC61508 Safety Life Cycle – detailed engineering process
Probabilistic performance based system design
Random Failures
A key objective of of IEC61508 was to address accident causes by creating a system to manage safety, to assure proper technical requirements and to assure competant personnel.
Users will require certification bodies to use IEC61508 to certify equipment per technical requirements, processes (Functional Safety Managment), and personnel - certified safety engineer.
Systematic Faults
– Design Mistakes
SOFTWARE RELIABILITY
HARDWARE RELIABILITY
Copyright exida

11. The Functional Safety Standards Can be Applied at Many Levels
Components
Process assessment, failure analysis/data and documentation to help product development
Elements
Process assessment, hardware failure analysis / data and documentation showing usage in system design
Systems
Risk based framework for
SIL level, process assessment
and system failure analysis
Conceptual design begins with identification of the equipment to be used in the SIS. The criteria used to select equipment for process control (such as the materials, accuracy, environmental conditions, etc.) also completely apply to safety applications. In addition, failure rate data should be available to assist in the design.
For equipment certified to a particular SIL level, obtain the equipment’s Safety Manual. That manual includes essential information for proper application of the equipment. For equipment not safety certified, the user is responsible for proper application.
Instructor’s Note: For application assistance on particular equipment, contact the process safety engineer.
Copyright exida

12. Safety Functions (Safety Goals)
Specific single set of actions and the corresponding equipment needed to identify a single hazardous event and act to bring the system to a safe state.
Examples:
Open drain valve when tank level is too high
Sound an alarm when explosive gas concentration exceeds a certain level
Thus an individual Safety Instrumented Function (SIF) is designed to first identify the need and then act to bring the system to a safe state for each hazard scenario. The effectiveness of the SIF is measured by the its risk reduction factor (often expressed as a Safety Integrity Level). The required risk reduction is the difference between the process risk before a SIF and the “tolerable level” of risk to be achieved for that process or piece of equipment.
It is important to note that a SIF is an individual function and a SIS can include multiple functions, so the SIL refers to each SIF rather than to the entire safety instrumented system.
Copyright exida

13. Element
Sensor
Logic solver
Final Element
element - part of a subsystem comprising a single component or any group of components that performs one or more element safety functions.
[IEC 62061, definition 3.2.6, modified]
NOTE 1: An element may comprise hardware and/or software.
NOTE 2 : A typical element is a sensor, programmable controller or final element
Copyright exida

14. System Architecture Drawing
The system architecture drawing(s) document the relevant sub-systems and their relationship. The function(s) of each sub-system is fully described.
Chapter 8, “Functional Safety, An IEC Compliant Development Process,” exida, 2010.
Copyright exida

15. Project Milestones Product and process review
Product reliability and failure mode analysis
Requirements fulfillment and traceability
Final audit and assessment report
Copyright exida

16. Project Flowchart
Copyright exida

17. Certification Process
New product with no field history:
The new design must have a full hardware failure analysis.
The new design must follow the design process requirements of IEC for the target SIL level.
A Safety Manual must be created to explain how to use the product at the system level.
Random
Systematic
Systematic
Copyright exida

18. FMEDA
Product l
Failure Modes l
Diagnostic Coverage
Useful Life
Using a component database, failure rates and failure modes for a product (transmitter, I/O module, solenoid, actuator, valve) can be determined far more accurately than with only field warranty failure data
Copyright exida

19. Software Development V-model
Copyright exida

20. Why would the IEC 61508 committee care about tools?
Tool Justification
Why would the IEC committee care about tools?
During the final certification audit of a transmitter, the assessor asked to witness the RAM test. After injecting a bad bit, nothing happened.
The software engineer had “simply set the optimization up one level”. The optimizer concluded the diagnostic code (save a byte to a temporary location, set all bits, clear all bits, return the original value) could be eliminated. And it did exactly that. This had a major impact on cost and release schedule.
Those using a tool must know how the tool works. Sometimes tools can be dangerous.
Those using a tool must understand how all settings impact operation of the tool.
Section number?
Copyright exida

21. Offline Tool Qualification Requirements
Documented selection criteria and justification
Document tool version and release date
Document results of any tool validation performed
For T2 and T3 only:
Evidence that Tool Specification/Documentation is provided to users
Determine level of reliance on tools (T2 / T3)
Identify and mitigate tool failures that could affect executable software (e.g., Tool HAZOP)
Selection of Tool part of process
Selection Justification
Copyright exida

22. exida SafetyCase Database
Requirements
Arguments – Assessment
Audit Lists
Evidence
Copyright exida

23. Accreditation
Each Certification Body (CB) operates per a “scheme” and gets accredited by an Accreditation Body (AB). In the USA, ANSI is the AB.
Functional Cyber-Security
Achilles Level 1-2
ISA Secure Levels 1 – 3
Functional Safety Certification
IEC 61508
IEC 61511
IEC / ISO 13849
IEC / ISO 26262
EN 50271
Other Functional Safety
Exida is accredited by ANSI, the US accreditation body.
Copyright exida

24. exida Products and Services
Company Business Units
exida Products and Services
Consulting
Process Safety (IEC 61511, IEC 62061, ISO 26262)
Alarm Management
Control System Security (ISA S99)
Product Certification
Functional Safety (IEC 61508)
Control System Cyber- Security
Network Robustness (Achilles)
Professional Certification
CFSE
CFSP
Control System Security Expert (CSSE)
Training
Process Safety
Control System Security
Onsite
Offsite
Web
Security Development
Engineering Tools
exSILentia
(PHA Import,
SIL Selection
LOPA
SRS
SIL Verification)
Safety Case
FMEDA
SCA
Reference Materials
Databases
Tutorials
Textbooks
Reference Books
Market Studies
Copyright exida

25. excellence in Dependable Automation
Copyright exida

26. Topics
exida
Overview of functional safety standards for industrial and automotive systems
Steps to certification
Services provided by exida
Texas Instruments
Hercules MCU family and safety features overview
Hercules MCU for IEC 61508, ISO and other functional safety standards
My name is Hoiman Low of Texas Instruments. I am working in the Safety MCU marketing. Today I would like to give you an introduction of Hercules MCU family, and why it is suitable for use in functional safety applications.

27. Hercules™ MCU: End Equipment
Aerospace & Railway
Industrial
Flight Control
Communications Gateway
Industrial Motor
Control
Manufacturing /
Robotics
Avionics / Autopilot
Elevator
Escalator
Anti-Skid Control
Wind Power
Motor Control
Automotive
Industrial
Automation / PLC
Sensor & Communications
Gateway
Airbag
Braking / Stability Control
Radar / Collision Avoidance
(ADAS)
Hybrid & Electric Vehicles
Infusion Pumps
Solar Power
TI MCU has a long history in supporting automotive safety applications. We are well known in automotive braking such as ABS and stability control systems. If you are driving a car with an ABS or ESP system, the chances are high that it is powered by a Hercules MCU.
Because of its well known hardware based architecture, robust development process and automotive grade quality, Hercules MCU is also widely used in transportation, industrial and medical applications that functional safety is a requirement.
Active Suspension
Electric Power Steering
Oxygen
Concentrators
Anesthesia
Chassis / Domain Control
Respirators
Medical 27 27

28. TI HerculesTM MCU Platform ARM® Cortex™ Based Microcontrollers
100MHz to 330MHz
384KB to 4MB Flash
-40 to 105°C Operation
ENET, USB, CAN & UART
Developed to Safety Standards
IEC SIL-3
Cortex-R – up to 550 DMIPs
Industrial and Medical Safety MCUs
Hercules™ MCU Platform
TMS570
80MHz to 300MHz
256KB to 4MB Flash
Automotive Q100 Qualification
-40 to 125°C Operation
FlexRay, ENET, CAN, LIN/UART
Developed to Safety Standards
ISO ASIL-D
IEC SIL-3
Cortex-R – up to 500 DMIPs
Transportation and Automotive Safety MCUs
The Hercules MCU product line includes the RM4x and TMS570 families.
The RM family is targeted at safety critical industrial and medical applications and features TI’s highest performance floating point ARM based MCU core running at 330MHz and providing more than 550 Dhrystone MIPS of performance. This family is also well suited for rugged industrial applications that require negative 40 to positive 105 deg C temperature operation. Ethernet, USB, CAN, SPI, I2C and UART connectivity also make the RM MCUs fit well into several industrial and medical applications. It has been developed to IEC SIL-3 safety standards
The TMS570 family is targeted at high performance transportation applications that require Automotive/AEC Q100 (Grade 1) qualification and negative 40 to 125C temperature operation. This family also features Ethernet, FlexRay, CAN, LIN, SPI, I2C and UART connectivity The Cortex R in the TMS570 components also provide over 480 DMIPs of performance with core clock rates up to 300MHz. . It has been developed to both the ISO ASIL-D and IEC SIL-3 safety standards.
Lockstep MCUs for
functional Safety 28 28 28 28

29. Applying Functional Safety Standards
SafeTI™ design packages help meet functional safety requirements while managing both systematic and random failures.
Risk reduction
Safety Life Cycle
SIL - 1/2/3/4
Development Process
Systematic Failures
Process Certification
Software CSP
Compiler Qual. Kit
Safety Plan
Software
Documentation
Tools
Config Management
Random Failures
Diagnostics
Architectural Metric
Failure Rate
For customers who are new to functional safety standards, it is pretty challenging to understand what it takes to apply the functional safety standard to its end equipment.
From a very high level, functional safety is about risk reduction, reducing risk from an unacceptable level to a tolerable level.
There are systematic failures and random failures that need to be taken care of.
Systematic failures are caused by weak development and manufacture process, inadequate supporting process such as documentation, configuration management, as well as tools and software. Random failures are failures occurring at random time causing degradation in the hardware, for example a single bit flip of Flash due to data retention issue.
For a system to be certified for functional safety compliance, evidence of compliance of the system, elements and components will need to be made available to the assessor. This is resource intensive and time consuming. The validity of the evidence will need to be proven. MCU being a key component in an electronic programmable system, TI makes available the SafeTI design packages to ease the certification effort.
I will explain the steps taken by TI on Hercules MCU to protect against the random and systematic failures, and packages made available to our customers, and how they can be used to facilitate the certification.
Change Management
V&V
Hercules
Architecture
(FMEDA)
Personnel Competence
Certification
CSP = Compliance Support Package

30. Hercules MCU safety features
Random
Safe Island Hardware diagnostics Blended HW diagnostics Non Safety Critical Functions
Lockstep CPU & Lockstep Interrupt Fault Detection
ECC for flash / RAM evaluated inside the Cortex R
ECC or Parity on select Peripheral, DMA and Interrupt controller RAMS
Memory BIST on all RAMS for fast memory test
CPU Self Test Controller requires little S/W overhead
IO Loop Back, ADC Self Test, …
Error Signaling Module w/ External Error Pin
On-Chip Clock and Voltage Monitoring
Physical design optimized to reduce probability of common cause failure
PBIST/LBIST
OSC PLL
POR
CRC
RTI/DWWD
ESM
Enhanced System Bus and lockstep Vectored Interrupt Module
DMA
Memory
Flash
w/ ECC
Embedded Trace
RAM
Power, Clock, & Safety
Memory Interface
JTAG Debug
Calibration
Serial Interfaces
Network Interfaces
Dual ADC
Cores
Available
Dual High-end Timers
GIO
EEPROM w/ ECC
Compare Module for Fault Detection
Parity or CRC in Serial and Network
Communication Peripherals
Dual ADC Cores with shared channels
External Memory
ARM® Cortex™R
w/ MPU
Memory Protection
Unit
Protected Bus and lockstep Interrupt Manager
Lockstep
CPU
Let me start with the Hercules MCU architecture and how it deals with the random failures.
Safe island – safety around power, CPU, flash and RAM that you can trust the execution unit in the MCU will provide the correct result and will alert you in case it doesn’t (either correct with ECC, or flag so you can take corrective action)
Blended – Some safety features (some built in checks, but not everything, so you may have to use some software if you are using in a safety application)
Developed with a functional safety management plan
TI approach is to heavily protect critical regions of logic with HW diagnostics. This provides a “safe island” of known good logic.
The “safe island” can then detect failures in the remaining device through a cost effective blend of HW, SW, and system diagnostics.
Safe Island Hardware diagnostics (RED)
CPU incorporates a lockstep checker solution for cycle by cycle fault detection.
The second ARM Cortex-R CPU is physically flipped and rotated on the die to reduce the probability of a common cause failure.
SECDED ECC for flash and SRAM detects faults on each memory access
Hardware BIST engines for CPU and SRAM enable factory grade tests in final application
Power, clock, and reset have internal and external HW diagnostic hooks
All these HW based diagnostics provides enhanced and KNOWN coverage versus SW based diagnostics.
Blended HW diagnostics (BLUE)
There are ECC or Parity on peripheral memories
Analog and digital I/O loopback testing
ADC self test and calibration
Shared channels on dual ADCs
All hardware diagnostics include mechanisms to enable test of latent faults in the checker mechanisms
Bold items are introduced with the new Cortex-R5 devices

31. Hercules TMS570LS and RM4x Architecture Concept Assessment
Random
The Hercules MCU Safety features and its architecture shown in the last slide has been assessed by TÜV Süd. The assessment result is that the safety features specified are appropriate diagnostic measures to reach IEC SIL3 and ISO ASIL-D.
This assessment report can be re-used by our customers as one of the evidences that the Hercules MCU is suitable to be used in a safety system where IEC SIL3 or ISO compliance is required.

32. TPS65381 Power Supply & Safety Monitor ControlCard Interface
SafeTI™ Hitex Safety Kit
Random
Hitex Safety Kit Software
SAFETI-HSK-RM48
SAFETI-HSK-570LS31
TPS65381 Power Supply & Safety Monitor
On Board Display
Kit Overview
Fault injection and reaction monitoring via GUI
MCU Diagnostic features profiling
SafeTI Software Framework + SafeRTOS included
The Hitex Safety Kit enables developer to evaluate the SafeTI components such as Hercules MCU together with Powe Supply & Safety Monitor TPS It supports hardware fault injection and system response monitoring in real-time. It also provide capabilities of run time profiling of various Hercules MCU diagnostic features.
ControlCard Interface
Hercules™ MCU 32

33. Hercules Safety Documents
Random
Documents provided by TI some under NDA to assist in the safety certification process:
Hercules component Safety Manual (SM)
Details product safety architecture and recommended usage
NDA
Safety Analysis Report Summary (SAR1)
Summary of FIT rate and FMEDA at component level for IEC and ISO 26262
NDA
Detailed Safety Analysis Report (SAR2)
Full details of all safety analysis executed down to MODULE level for IEC and ISO 26262
Software tool for customizing analysis results to customer use case
TI’s SafeTI technical documentation helps decrease development and certification time. The are four types of documents available for select SafeTI products: Safety Manual, Safety Analysis Report Summary, Detailed Safety Analysis Report, and Safety Report. 
The Safety Manual summarizes the product safety architecture and recommended usage.
The Safety Analysis Report Summary provides summary safety analysis data including safety metrics calculated at the component level for targeted functional safety standards.
The Detailed Safety Analysis Report provides detailed safety analysis data including safety metrics calculated at the sub-component level for targeted functional safety standards. This report also includes tools to calculate safety metrics tailored for a customer's specific implementation of the SafeTI product.
The Safety Report includes a summary of compliance to the relevant requirements of targeted functional safety standards as well as the results of any completed assessment or certification activities.
NDA
Safety Report
Summary of compliance to IEC and/or ISO 26262

34. Hercules Safety Documents
Random
Safety Manual
Detailed Safety Analysis Report
NDA
This Safety Manual provides information needed by system developers to assist in the creation of a safety critical system using a supported Hercules microcontroller. This document contains:
• An overview of the safety architecture for management of random failures
• The details of architecture partitions, implemented safety mechanisms, and recommended usage
The Detailed Safety Analysis Report contains results of safety analysis according to the targeted functional safety standards. The Detailed Safety Analysis Report contains:
• Assumptions of use applied in calculation of safety metrics
• Summary of IEC or ISO standard safety metrics at the MCU component level
• A fault model used to estimate device failure rates and an example of customizing this model for use with the example application.
• FMEDA with details to the sub-module level of the MCU, that enables calculation of safety metrics based on customized application of diagnostics

35. SafeTI™ Hardware Development Process Certification
Systematic
TI’s hardware functional safety development process has been certified for:
IEC SIL-3
ISO ASIL-D
The certification demonstrates TI’s commitment to have a process suitable for developing hardware components that are compliant to ISO and IEC
We talked about how Hercules MCU deals with the random failures. Let’s switch to the systematic failures.
The systematic failures are addressed primarily by having a robust development process with supporting processes such as documentation system, change management and configuration management etc. TI components developed for functional safety applications follow the SafeTI Hardware Development Process. This development process has been certified by TÜV Sud for IEC SIL3 and ISO ASIL-D
Our customers can use this certificate as evidence that the key component (MCU) in their programmable electronic systems was developed using a development process in compliance to IEC and ISO

36. HerculesTM and SafeTITM Software and Tool Packages
Systematic
Hercules Software and Tools
Production quality software to easily use Hercules MCU
Includes GUI configurator (where relevant)
Includes User Guide and Release Notes
SafeTI Compliance Support Package
Provide evidence to safety standards
Includes Test Reports, Quality Metrics, Safety Manual, etc.
Software developed to IEC & ISO requirements
TI provides HalCoGen which is a GUI based configurator to generate drivers. We also provide SafeTI diagnostic library which provides a simple C-callable software API for enabling the safety diagnostics and features prescribed by the Hercules Safety Manual.
These drivers and libraries will be integrated into the application software by our customers. Obviously it is our customers’ responsibility to certify their application SW to the appropriate safety standard. TI can ease the certification effort by providing the Compliance Support Package (CSP) that consists of documentation that the TI software are developed to IEC and ISO requirements.
Chris told about the criticality of the compiler tool in the embedded system development. Tool qualification is a critical step in functional safety development. TI has partnered with Validas and made available the SafeTI compiler qualification kit.
SafeTI Tool Qualification Kit
Assists in qualifying the TI ARM Compiler to functional safety standards
Model-based tool qualification methodology
Assessed to comply with both IEC and ISO 26262 36 36 36 36

37. SafeTI™ Compiler Qualification Kit
Systematic
Assists in qualifying the TI ARM C/C++ Compiler to functional safety standards
Qualification of customer specific use case can be less restrictive than certified compilers
Application of kit assessed by TÜV Nord to comply with both IEC and ISO 26262
Includes:
Qualification Support Tool (model-based)
Process specific documentation:
Tool Classification Report
Tool Qualification Plan
Tool Qualification Report
Tool Safety Manual
ACE SuperTestTM qualification suite
TI compiler validation test cases
Test Automation Unit (TAU)
24hrs of Validas consulting services
TÜV Nord assessment report
TI ARM Compiler
The SafeTI Compiler Qualification Kit was developed to assist customers in qualifying their use of the TI ARM Compiler to functional safety standards such as IEC and ISO This process can be much less restrictive than certified compilers by qualifying the customer’s specific use case and has been assessed by TÜV Nord to comply with both IEC and ISO
The SafeTI Compiler Qualification Kit includes the Qualification Support Tool which assists in tool classification and determining the tests and mitigation measures required, based on the user selected features for the compiler. It also generates the required safety documents such as the Tool Classification Report, Tool Qualification Plan, Tool Qualification Report and the Tool Safety Manual. The kit also comes with the ACE SuperTest Qualification Suite which provides a high level of test coverage by identifying potential issues in compiler features and ANSI C conformance. Test coverage is further enhanced by TI developed compiler validation test cases. All tests can be executed using the Test Automation Unit which can be run in the user’s environment on Hercules target hardware. To further support the user through the qualification process 24hrs of Validas consulting is also included.
The SafeTI Compiler Qualification Kit is one more way TI is making it easier for customers to develop functional safety applications. For more details and ordering information please go to
Approved by
IEC 61508
ISO 26262

38. Typical Usage of Hercules MCU per Functional Safety Standard*
Typical Hercules MCU Usage
Specific Diagnostic Requirements per Standard
IEC 61508
Single MCU for SIL1 - SIL 3, Dual MCU for SIL 4 No
ISO 26262
Automotive
Single Hercules MCU ASIL A to D
EN 50129
Railway
Examples provided, not requirements
ISO 22201
Elevator
Single MCU for SIL1 - SIL 2, Dual MCU for SIL 3
Yes
IEC 61511
Process Safety
IEC 61800
Motor Drive
Single Hercules MCU for SIL1 - SIL 3
IEC 62061
Machine Safety
Single Hercules MCU for SIL1 -SIL 3
ISO 13849
Single MCU for Cat B, 1, 2 from PL a to PLe
Single MCU + Safety Companion for PL d/e CAT3/4
IEC 60730
White Goods
Single MCU for Class A – C, Dual MCU for some Class C
I have talked about the Hercules safety architecture, its diagnostic features, safety manual and the flexible FMEDA worksheet to protect against random failures, as well as our development process, software and its compliance support package, as well as the compiler qualification kit to protect against systematic failures for IEC and ISO standards.
Since all the other application related functional safety standards are referenced to IEC 61508, this means that Hercules MCU and its supporting SafeTI design packages are also well suited to be used in machinery ISO 13849/IEC 62061, process safety IEC 61511, Railway EN 50128/9 and elevator…
The table shows a summary of the various safety standards, and hpw Hercules MCU could be used to achieve to desired safety integrity level.
* Items shown are typical examples. Achieved safety integrity level is the responsibility of the system developer.

39. Project Flowchart ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
HerculesTM MCU data available through SafeTITM design package
Copyright exida

40. Stay tuned for future webinars!
Thank You Contact Information: Chris Hoiman Low:
Stay tuned for future webinars!
In-depth discussion of functional safety development and certification flow
How HerculesTM SafeTITM documentation facilitates the end equipment certification process?