In this talk I explore the concepts of Failsafe Design and an example of implementing failsafe at the firmware/hardware interface, using LTSpice as a system tool to model and verify the failsafe approach. This has been applied to real systems that really exhibit the modeled failsafe behavior.
1. 26 and 27 August 2014
Transamérica Expo Center, São Paulo/SP
Safe IoT:
Using LTSpice
to Model Failsafe Logic in
Embedded Systems
Jonny Doin, CEO, GridVortex
2. Agenda
• Safety: What is Safety?
• Failure: What constitutes Failure?
• Design for Safety: Failsafe Design
• Failure in Embedded Systems
• LT Spice as a system modelling tool
• Modelling the Firmware/Hardware interfaces
• Simulating Software failure at the interface
• Circuit behavior under failure scenarios
• Final thoughts
3. Safety: What is Safety?
A safe system is one that exhibits:
• Deterministic responses
• Controlled behavior for all inputs
• Outputs that are never placed in a
hazardous state
5. Safety: What is Safety? (3)
In the real world, systems are always
connected to other systems.
Which output states are hazardous must
be judged from the point of view of the
downstream (external) systems.
6. Failure
Failure is a malfunction of the system, or
a deviation from its designed behavior.
In any system, such a deviation anywhere
in the processing chain can lead to
system failure.
7. Failure (2)
Designs can handle system failures at the
critical interfaces by detecting failure of
the inputs and ensuring a known output
state.
This design pattern is recursive: it can
be applied to subsystems down to the
smallest modules, so that the whole
system fails in a safe mode.
8. Failsafe Design
Identifying the failure modes of the inputs
and the safe state of the outputs is the
main concern of failsafe design.
The hazards must be assessed, e.g.
following an FME(C)A methodology and
possibly an FTA (fault tree analysis) for
the critical components.
9. Failsafe Design (2)
Once identified, the hazardous behaviors
can direct system design from the ground
up, designing for maximum avoidance of
such behaviors.
A failsafe response must be triggered by
any internal or external failure.
10. Failsafe Design (3)
Failsafe design can be “costly” in system
resources. For example, achieving
functional safety in firmware may require
fully redundant processors running in
lockstep.
Identifying the critical points of the system
can instead lead to safe designs at low cost.
11. Failure in Embedded Systems
Mixed-signal embedded systems are
ubiquitous, ranging from factory
automation to car engines.
Interconnected embedded systems, also
called IoT devices, need to be designed
as critical nodes for functional safety.
12. Failure in Embedded Systems (2)
Aside from failsafe firmware design
techniques, the firmware/hardware
interface is one critical design node.
Designing that interface for safety, and
simulating and testing its failure modes,
are essential safety-critical design
concerns.
13. LT Spice as a System Tool
LT Spice is a very fast and accurate
professional circuit simulation tool.
Used as a circuit simulator, LT Spice
predicts the actual circuit behavior with
high precision.
Modelling the interaction of firmware with
analog hardware at the design stage is a
powerful capability.
14. LT Spice as a System Tool (2)
LT Spice allows modeling of mixed-signal
systems, including the interaction of
firmware behavior with analog hardware:
• Behavioral sources (B)
• Digital Gate primitives (Axxx)
• Hierarchical subcircuits
• Waveform and data file generators
15. Modelling system interfaces
Designing the Fw/Hw interface as a
failsafe node has a number of
advantages:
• Functional decoupling of firmware and
hardware
• Covers CPU failure, not only firmware
bugs
• Lower cost of implementation
16. Modelling system interfaces (2)
Examples:
• Failsafe “Passive” drivers
• AC coupled commands
• Failsafe “ON” actuators
18. Example: Failsafe “passive” (2)
The 2 analog outputs are buffered with failsafe
drivers that go high-impedance when VCC is
lost.
19. Example: Failsafe “passive” (3)
• Each output is buffered and isolated with
2 NPN bipolar transistors.
• When VCC fails, the transistors cut off,
presenting a very high impedance.
• The output current source then sees a
68K resistor, which drives the output
voltage to 6.8V (100 µA across 68 kΩ),
bringing the output to 100%.
• This failsafe guarantees the downstream
system is ON, even on loss of control.
20. Example: AC-coupled cmds
On a firmware failure, a toggling signal stops and sticks at VCC or GND.
AC-coupled commands detect such firmware failures: only edges pass through
the coupling, so a stuck level, high or low, reads as “no command”.
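As an added example (not part of the talk; the heartbeat rate, the hang time and all component values are assumptions), the following LTspice netlist models the pattern end to end: a firmware heartbeat on a GPIO, a behavioral source that injects the failure by freezing the pin at a stuck level, an AC-coupled charge pump that only responds to edges, and a Schmitt gate that withdraws the actuator drive once the edges stop. The stuck level is stepped over GND and VCC, so both failure modes are simulated in one run.

```spice
* Added example, not from the talk: AC-coupled "firmware alive" detector.
* Heartbeat rate, hang time and component values are all assumptions.

* Level the GPIO freezes at once the firmware hangs; both cases are run
.step param Vstuck list 0 3.3

* Firmware heartbeat: 1 kHz square wave on a GPIO while the firmware runs
Vhb hb 0 PULSE(0 3.3 0 10n 10n 0.5m 1m)

* Fault injection: after t=12ms the firmware hangs and the pin freezes at Vstuck
Bgpio gpio 0 V = if(time < 12m, V(hb), Vstuck)

* AC coupling: only edges carry charge, a DC level (stuck pin) passes nothing
C1 gpio ac 10n
D1 0  ac   Dsig    ; clamps the negative excursion after each falling edge
D2 ac hold Dsig    ; pumps each rising edge into the hold capacitor
Chold  hold 0 47n
Rbleed hold 0 220k ; hold decays with tau = Rbleed*Chold ~ 10 ms once edges stop
.model Dsig D(Is=1e-14 N=1)

* Schmitt trigger: "alive" is high while the hold cap stays above threshold
A1 hold 0 0 0 0 0 alive 0 SCHMITT Vt=1.0 Vh=0.2 Vhigh=3.3 Vlow=0

* Firmware "actuator ON" command, assumed held high the whole time; the drive
* is gated by alive, so a hung firmware de-energizes the actuator regardless
Vcmd cmd 0 3.3
Bdrv drive 0 V = if(V(alive) > 1.65 & V(cmd) > 1.65, 3.3, 0)

.tran 0 30m 0 10u
.meas tran hold_running FIND V(hold) AT=11.9m
.meas tran hold_hung    FIND V(hold) AT=29.9m
.meas tran t_trip       FIND time WHEN V(drive)=1.65 FALL=1
.end
```

Save it as a .cir file, open it in LTspice and run; the .meas results appear in the SPICE error log. Plotting V(gpio), V(hold) and V(drive) shows the drive dropping a few milliseconds after the 12 ms hang in both steps, with the delay set by Rbleed*Chold and the Schmitt trip point. Two things to check when adapting it: the decay time must be longer than the worst-case gap between heartbeat edges of the real firmware, or jitter will trip the failsafe; and a firmware that hangs in a loop that still toggles the pin is not detected, so the heartbeat should be produced by the main control loop itself, not by a timer interrupt that keeps running while the application is dead.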
22. Example: Failsafe “ON”
When the failsafe behavior is to keep an actuator ON, the
firmware command is designed to turn it OFF.
A firmware failure then leaves the actuator ON.
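An added example (not from the talk; the load, the transistor model, the pull-up and the timing are assumptions) of the same inversion in LTspice: the actuator is held ON by a pull-up on the driver's gate, the firmware's open-drain pin has to pull the gate low to turn it OFF, and the firmware's death at 8 ms is modelled as that pin releasing to high impedance.

```spice
* Added example, not from the talk: failsafe "ON" actuator with an inverted
* OFF command. Load, transistor model, pull-up and timing are assumptions.

Vsup vsup 0 12
* Actuator: a 12 V relay coil (assumed 120 ohm) on a low-side NMOS driver
Rcoil vsup sw 120
M1 sw gate 0 0 NMOD
.model NMOD NMOS(Vto=2 Kp=0.5)

* Default state is ON: the gate is pulled up from the actuator supply, not from
* the MCU rail, so the actuator stays ON even when the MCU loses its own VCC
Rpull vsup gate 10k

* Firmware OFF command: an open-drain GPIO modelled as a switch to ground that
* closes while the firmware drives the pin; releasing the pin lets Rpull win
S1 gate 0 cmd 0 SWOD
.model SWOD SW(Ron=10 Roff=10Meg Vt=1.65 Vh=0.2)

* Constructed scenario: actuator ON, firmware commands OFF at 3 ms, then the
* firmware dies at 8 ms (hang, reset or brown-out) and the pin goes high-Z
Vcmd cmd 0 PWL(0 0 3m 0 3.01m 3.3 8m 3.3 8.01m 0)

.tran 0 12m 0 10u
.meas tran vsw_on        FIND V(sw) AT=2m    ; near 0 V: coil energized
.meas tran vsw_cmd_off   FIND V(sw) AT=6m    ; near 12 V: released by firmware
.meas tran vsw_after_die FIND V(sw) AT=11m   ; near 0 V: back ON, no firmware
.end
```

The switch model ignores the GPIO's ESD clamps: a real 3.3 V pin tied to a node pulled towards 12 V would clamp it through its protection diode, so the pin must be high-voltage tolerant or drive the gate through a small transistor. Note also what this pattern does not cover: a firmware that hangs while actively holding the pin low keeps the actuator OFF. That case needs the AC-coupled command pattern, where only a toggling signal counts as a command.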
24. Final Thoughts
Embedded mixed-signal systems are
becoming a major part of infrastructure and
control systems.
Using LT Spice for failsafe design and
verification of embedded systems can increase
safety, even on low-cost IoT devices.