Home    Bloggers    Messages    Webinars    Resources   
Tw  |  Fb  |  In  |  Rss
William Murray

FPGA Design: Cost vs. Safety Level

William Murray

Possibly the most detailed prescription for design cost vs. safety level comes out of the Aviation Industry. There, the DO-254 standard for FPGA and programmable electronic hardware development spells out in great detail what is to be performed for each level of required safety. Other industries spell this out for software and then treat programmable logic as software, although new guidance in this area is coming.

When software is involved in a system, the development and design assurance of that software is often governed by the DO-178B document titled "Software Considerations in Airborne Systems and Equipment Certification." The severity of consequence identified by the hazard analysis establishes the criticality level of the software. Software criticality levels range from A to E, corresponding to severities of Catastrophic to No Safety Effect. Higher levels of rigor are required for level A and B software, and corresponding functional tasks and work products in the system safety domain are used as objective evidence of meeting safety criteria and requirements.

The following safety-related severity definitions are compiled from Wikipedia and the DO178/DO254 standards:

Severity = Catastrophic
Results in multiple fatalities and/or loss of the system.

Severity = Hazardous
Reduces the capability of the system or the operator ability to cope with adverse conditions to the extent that there would be:

  • Large reduction in safety margin or functional capability
  • Crew physical distress/excessive workload such that operators cannot be relied upon to perform required tasks accurately or completely
  • Serious or fatal injury to small number of occupants of aircraft (except operators)
  • Fatal injury to ground personnel and/or general public

Severity = Major
Reduces the capability of the system or the operator ability to cope with adverse conditions to the extent that there would be:

  • Significant reduction in safety margin or functional capability
  • Significant increase in operator workload
  • Conditions impairing operator efficiency or creating significant discomfort
  • Physical distress to occupants of aircraft (except operator) including injuries
  • Major occupational illness and/or major environmental damage, and/or major property damage

Severity = Minor
Does not significantly reduce system safety. Actions required by operators are well within their capabilities. This category includes:

  • Slight reduction in safety margin or functional capabilities
  • Slight increase in workload such as routine flight plan changes
  • Some physical discomfort to occupants or aircraft (except operators)
  • Minor occupational illness and/or minor environmental damage, and/or minor property damage

Severity = No Safety Effect
Has no effect on safety.

The DO-254 standard also uses this approach for FPGA's in aviation (commercial and some military). The IEC 61508 standard, which is employed in industrial automation, also uses a multi-level approach to certification and safety (SIL 1-3).

Data from Hi-Rely shows that the development cost of a Level A project can be 240 percent more than that of a Level E project, while a Level D project can cost 160 percent more to develop than a level E project. However, the lifecycle costs of a Level A project are often lower due to fewer field related issues, because once such a product is fielded, it remains "as-is" and under the same configuration.

The policies and procedures at the aircraft level are developed to cover equipment failure conditions. Some items -- such as DSP and Math -- are quite difficult to realize at a Level A standard. Thus, systems are designed with redundancy to allow them to be implemented at, say, a Level C or D and to be completed economically. Other items -- such as radios, which are subject to interference, sun spot activity, and lightning -- simply cannot be made reliable enough to be Level A or B, and as such are left at Level C or D. If an FPGA is just used for a data-bus, for example, it is left at Level C or D.

At Level A, every item in the assurance chain is ratcheted up to full. Code coverage is performed for all conditions of each conditional statement -- low-level requirements are generated and traced to code and tests -- and all items are kept under configuration management control. At Level D, requirements are only traced to test results, and only a minimum of items are maintained under configuration management.

Given that we all enjoy the benefits of safe, low-cost air travel, how is safety vs. cost managed for FPGAs in your industry?

Page 1 / 3   >   >>
JezmoSSL
JezmoSSL
7/27/2012 2:09:42 AM
User Rank Blogger
Re: Automotive Safety Applications
Pretending ???pah I just had the batteries in the wrong way round.

50%
50%
Myplanet
Myplanet
7/24/2012 12:43:20 PM
User Rank Guru
Re: Automotive Safety Applications
@Max, thanks for the clarrification. I thought its a different language, which you peoples are using (Spanish, French etc)

50%
50%
Max Maxfield
Max Maxfield
7/24/2012 10:47:05 AM
User Rank Blogger
Re: Automotive Safety Applications
@Myplanet: Brian just emailed me to explain that you were talking about the strange messages that were posted in this thread.

This came about because JezmoSSL said "I dunno what with this and my day job i'll never get my time machine working"

And I responded that he could borrow mt time machine if he wanted, and he replied "!!!! gnikrow enihcam emit ym tog yllanif i !! ooHooW"

This is just English written backwards from right-to-left ... he's pretending that he is in a time machine when he's writing this (well, I'm assuming he's pretending -- when I responded back to him I really did use *my* time machine :-)

 

50%
50%
Max Maxfield
Max Maxfield
7/24/2012 9:27:53 AM
User Rank Blogger
Re: Automotive Safety Applications
@Myplanet: What do you mean -- are you talking about the pseudo language I used in my Verilog and VHDL blog(s)?

50%
50%
Myplanet
Myplanet
7/23/2012 11:54:12 PM
User Rank Guru
Re: Automotive Safety Applications
Max, which languages you are using, it resembles like some new scripts.

50%
50%
William Murray
William Murray
7/23/2012 8:12:52 PM
User Rank Blogger
Re: Safety Critical Systems
There are other industries such as the petroleum industry where IEC61508 is used in some of the equipment, but in other equipment it still has to be implemented in practice.

50%
50%
ab6vu
ab6vu
7/23/2012 4:44:13 PM
User Rank Guru
Safety Critical Systems
William,


Earlier this year, we hosted the first ever industry workshop on safety critical systems (using programmable logic and systems).  Look for next years announcement of the workshop date (or contact your Xilinx FAE).


We had attendees from around the world, and papers on 61508 (general), and 26262 (automotive) as well as all of the other markets now covered by this set of standards.  The FAA was there, along with private companies who provide the necessary flight certification (the entire airplane is certified:  it can not be done in pieces!!!! Thank Goodness.)


What was nice to see is that people had been using our devices in these applications for a long while, there was now some standardization on HOW such systems should be designed, tested, and accepted for these uses.

As someone who goes ot a dcoctor's office (when unwell), flies in airplanes, drives a car, takes a train (when in Europe, mostly) and uses electricity in my home, I am very concerned about safety, and I work with, and have worked with many companies in advising them how to proceed (if they are new to the business).


For those in the business (all the auto-makers, civil aero, medical, industrial controls), they already know what they have to do, as they all came to San Jose to re-assure us they had a handle on the new standards.

 

 

50%
50%
Max Maxfield
Max Maxfield
7/23/2012 11:58:59 AM
User Rank Blogger
Re: Automotive Safety Applications
!nirG

50%
50%
Brian
Brian
7/23/2012 11:54:04 AM
User Rank Guru
Re: Automotive Safety Applications
 

!(daer dna) tuo erugif ot setunim wef a koot taht ,woW

 

50%
50%
Max Maxfield
Max Maxfield
7/23/2012 10:18:31 AM
User Rank Blogger
Re: Automotive Safety Applications
!nwod edispu ti ni gnittis tsuj era uoy ebyaM ?erus uoy erA

50%
50%
Page 1 / 3   >   >>
More Blogs from William Murray
Today's FPGAs already integrate a substantial amount of "stuff" (MCU cores, programmable fabric, on-chip memory, etc.), so what's left to integrate and why is this being left for the future?
When extreme thermal cycling causes circuit boards and chip packages and the silicon die in the packages to expand and contract at different rates, problems may ensue.
In order to simulate a design we need models that represent the functionality and timing characteristics of our design elements, but the timing aspects of these models may be based on uncertain data.
A large amount of skill is required to write custom test code for custom hardware. Even more skill is required to test a CPU, RAM, or ROM.
Designing high-temperature electronics can present many challenges for "down-hole" petroleum equipment, ovens and micro-waves, automotive, medical, aerospace, and other applications.
flash poll
information resources
sponsored content by Xilinx
All resources
follow us on twitter
follow Xilinx on twitter
like us on facebook
like Xilinx on facebook
All Programmable Planet     About Us     Contact Us     Help     Register     Twitter     Facebook     RSS