Best Practices when Designing Safety-Critical Applications Using Microcontrollers

Introduction

While we all care about the safety of the electronically controlled systems we surround ourselves with, most people do not realize the effort required to develop safety-critical products. Any electronically controlled product that may potentially cause harm to people, the environment, or property is likely to have a set of safety functions intended to protect you and me. What is less obvious is that safety-critical systems go one step further: the international safety standards, such as IEC 61508, require that the system verifies that the safety features are operating as intended and remains safe even if the safety features fail. Well, the truth is that faults can never be avoided 100%, so what safety engineers and safety managers actually do is reduce the risk of dangerous faults in such systems to an acceptable level. This is done by following rigorous safety-compliant specification, design, and verification processes in which all possible (and impossible) faults of the system are assessed and mitigated.

Professional safety engineers or safety managers understand the top-level safety requirements of the system they design and are the undisputed experts in their field. Their expertise may, however, fall short as the safety requirements are broken down to the component level, and it may not be obvious how to use a given electronic component (for example, a microcontroller) in the safest possible way. This is where the support of the component vendor is instrumental to ensure that the system is as safe as possible while keeping the cost of the product within the budget to remain competitive.

Best practices are beyond the datasheet

When evaluating the safe use of an IC—let’s stay with a microcontroller, as these are widely used in safety-critical systems—you can no longer just use the datasheet of the microcontroller. You need documentation about how the microcontroller can fail at the hardware level, whether this is a temporary fault caused by an electromagnetic disturbance or a permanent hardware fault caused by background radiation, for example. What you need are the device Failure Mode, Effect, and Diagnostic Analysis (FMEDA) report and the safety manual! Microchip distributes such documentation in what is referred to as safety packages.

The FMEDA is a document that describes all the identified failure modes of each function in the microcontroller and the effect (symptom) of each of these faults, so that it is possible to diagnose (detect) them. Here it is important to understand that a diagnosed fault is normally considered safe, as the system can take appropriate action when the fault is detected. The FMEDA even provides the statistical probability of the faults, based on recognized statistical models, so that it is possible to determine the failure rate of the product, taking the applied diagnostic measures into account. This is the information needed to assess whether the safety-critical system is safe – that is, whether the risk is sufficiently mitigated.
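As an added worked example (not from the original post or from any Microchip safety package), the script below shows how the per-failure-mode rates an FMEDA provides are combined with the diagnostic coverage of the applied measures to obtain the residual dangerous-undetected failure rate and the safe failure fraction (SFF) as defined in IEC 61508-2. Every row and number in it is constructed for illustration; the FIT values and coverage figures are assumptions, not data from a real FMEDA.

```python
# Added example: combining FMEDA failure-mode rates with diagnostic coverage.
# All rows below are constructed for illustration; they are not from a real FMEDA.
from dataclasses import dataclass

FIT = 1e-9  # failures per hour (1 FIT = one failure in 1e9 device-hours)

@dataclass(frozen=True)
class FailureMode:
    function: str
    mode: str
    rate_fit: float   # base failure rate of this mode, in FIT
    dangerous: bool   # True if the effect can violate the safety function
    coverage: float   # diagnostic coverage of the applied measure, 0.0 .. 1.0

# Constructed FMEDA-style rows: one failure mode of one MCU function per row.
SAMPLE_FMEDA = [
    FailureMode("CPU core", "register stuck-at", 40.0, True, 0.90),  # core self-test
    FailureMode("SRAM", "single-bit flip", 120.0, True, 0.99),       # ECC + march test
    FailureMode("Flash", "bit corruption", 60.0, True, 0.99),        # CRC over image
    FailureMode("Clock", "frequency drift", 20.0, True, 0.60),       # clock monitor
    FailureMode("GPIO", "output stuck low", 30.0, False, 0.0),       # falls to safe state
]

def classify(rows):
    """Split the total rate into safe, dangerous-detected, dangerous-undetected (FIT)."""
    lam_s = lam_dd = lam_du = 0.0
    for r in rows:
        if not 0.0 <= r.coverage <= 1.0:
            raise ValueError(f"coverage out of range for {r.function}/{r.mode}")
        if r.dangerous:
            lam_dd += r.rate_fit * r.coverage          # caught by a diagnostic -> safe
            lam_du += r.rate_fit * (1.0 - r.coverage)  # escapes diagnostics -> residual
        else:
            lam_s += r.rate_fit
    return lam_s, lam_dd, lam_du

def safe_failure_fraction(rows):
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU), IEC 61508-2."""
    lam_s, lam_dd, lam_du = classify(rows)
    total = lam_s + lam_dd + lam_du
    return (lam_s + lam_dd) / total if total else 1.0

def dangerous_undetected_per_hour(rows):
    """Residual dangerous-undetected failure rate (lambda_DU) in failures per hour."""
    return classify(rows)[2] * FIT

if __name__ == "__main__":
    lam_s, lam_dd, lam_du = classify(SAMPLE_FMEDA)
    print(f"lambda_S={lam_s:.1f} FIT  lambda_DD={lam_dd:.1f} FIT  lambda_DU={lam_du:.1f} FIT")
    print(f"SFF={safe_failure_fraction(SAMPLE_FMEDA):.4f}")
```

Raising the coverage of a single poorly covered row (the clock monitor here) is what moves the SFF most, which is exactly the trade-off the FMEDA lets you quantify before committing to a diagnostic measure.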

The other critical document that you need to develop a safe embedded system is the safety manual. The safety manual describes, from an implementation perspective, how to detect the faults described in the FMEDA. It also provides a comprehensive description of the “dos and don’ts” when using the microcontroller, the strictest of which are the Assumptions of Use (AoU), which you must follow to reach the level of safety claimed in the documentation.

Both the FMEDAs and the safety manuals contain information that is virtually impossible to produce for anyone but the vendor of the microcontroller. Auditors of the safety-critical systems understand this and applaud the use of such documentation as it helps ensure that all aspects of the safe use of the microcontroller are covered.

Best practices are beyond the standard development tools

While the FMEDA and safety manual can help mitigate the risk of hardware faults in the microcontroller of the embedded system, you must also consider faults in the software. Such faults are classified as systematic faults, because software, unlike hardware, cannot have random faults. Obviously, the software may fail if the hardware fails, but this is classified as a hardware fault. Systematic faults can be controlled by strict and thorough processes, specifications, and verification. Many industries use well-developed software processes to reduce software faults, but in safety-critical systems there is an extra layer: you need to assess whether a development tool can cause errors in the end product, and if so, what impact they may have on safety and whether they are detectable.

A tool classification analysis will reveal whether a tool can cause errors, and if so, the tool must be qualified for use when developing safety-critical systems. As you can imagine, a compiler is a tool that can potentially cause errors in the software running on the microcontroller in the embedded system, and such errors may be difficult to detect unless you have extremely high test coverage. This is where vendor-driven tool qualification is helpful: Microchip has development tools for PIC and AVR microcontrollers that are qualified for use in safety-critical systems. This is a formal process in which an independent third party assesses whether the product is designed, verified, and documented well enough to qualify it for use in safety-critical systems. As with the microcontrollers, this means that such development tools come with additional documentation: for example, a safety manual.

The MPLAB development tools support both common best practices, such as static code analysis and code coverage reports, and the more specialized safety requirements.

For more information

The webinar “Best Practices when Designing Safety-critical Applications using Microcontrollers” provides a brief overview of both functional safety and the processes used when developing products according to the IEC 61508 safety standard. It also provides information about the safety collateral and development tools you can get for Microchip PIC and AVR microcontrollers.

Sign up for the webinar here: https://event.on24.com/wcc/r/3846286/B1FA21901DA6E9FA3A288BD9AF167C21?partnerref=blog

You can also learn more about functional safety from the Microchip University on-demand class “Introduction to Functional Safety” or find information about products recommended for safety-critical designs on the dedicated functional safety web pages of DigiKey and Microchip.

About this author


Jacob Lunn Lassen is Functional Safety Manager on Functional Safety in Microchip Technology Inc. and has more than 20 years of experience in the semiconductor industry. He has wide experience working with safety-critical applications ranging from white goods to automotive applications.
