Simplify the Industry 4.0 Design Process with Sitara Processors

1. An embedded processor requires multiple layers of security. (Source: TI: “Building your application with security in mind: Guide to embedded security” PDF)

TI has authored a guide to embedded security that discusses each element in more detail.

Industry 4.0 Requirements: Functional Safety

The definition of functional safety goes beyond the traditional assumption of the equipment operating correctly in response to its inputs. It includes the “safe management of likely operator errors, hardware and software failures, and environmental failures,” according to German safety agency TUV.

Functional safety concepts have been adopted in numerous fields, including automotive and rail transportation, industrial processes, medical equipment, and aviation. Figure 2 shows some of the applicable standards.

2. A variety of specifications define functionally safe operation in different industries. (Source: TI “The state of functional safety in Industry 4.0” PDF)

Clearly, not every failure has a disastrous result. In industrial operations, IEC 61508 measures the confidence of safety implementation in a system via safety integrity levels (SILs), which indicate the relative level of risk reduction provided by a safety function.

There are four levels defined by the standard, ranked as SIL-1 to SIL-4 (lowest to highest). Smart factory systems typically conform to SIL-2 or SIL-3. Systems with potentially catastrophic, large-scale failure consequences (such as nuclear reactors) conform to SIL-4. Figure 3 shows the IEC61508 functional safety standards.

3. An Industry 4.0 design must meet IEC61508 SIL-2 or SIL-3 standards. (Source: TI “Designing industrial control for Industry 4.0 with Sitara AM6x processors” PDF, p. 8)

To meet these standards, a product manufacturer must design hardware and software that doesn’t pose an unacceptable risk if it malfunctions. The product must include features such as redundancy, diversity, internal self-testing, etc., that increase its robustness against both random and systematic failures.

Sitara AM6x—Designed for Industry 4.0

The Sitara family of microcontrollers from Texas Instruments is designed for industrial applications. It’s a scalable portfolio of single-chip solutions based around Arm Cortex-A cores and co-processors with flexible peripherals for real-time communications, as well as optional graphics accelerators and display functions for user interfaces. Sitara also includes software support for popular fieldbuses such as EtherCAT, Ethernet/IP and PROFINET.

4. The Sitara family accommodates a range of industrial applications. (Source: TI Sitara Processors Overview)

Figure 4 provides an overview of the Sitara processor portfolio. Sitara devices are optimized for a range of applications, but the high-end AM6x is designed specifically for Industry 4.0. Depending on the model, the five AM6x family members feature:

• Dual or quad Cortex-A53 cores running at up to 1.1 GHz
• A microcontroller subsystem (MCUSS) with two Cortex-R5F cores designed for real-time and safety-critical applications
• Up to 3X Programmable Realtime Unit – Industrial Communication Subsystem (PRU-ICSS) blocks with gigabit capability. PRU-ICSS is a specialized co-processor for interfacing to industrial communication networks.
• Security enabler: cryptographic acceleration, device identity, secure boot, debug security, external memory protection, trusted execution environment, networking security, secure storage, software IP protection, initial secure programming, secure FW and SW update
• 3D graphics accelerator
• Camera interfaces: MIPI, CSI-2, parallel interface
• Error-correcting-code (ECC) memory
• Support for many industrial protocols: TSN, EtherCAT, EtherNet/IP, HSR, PRP, POWERLINK, PROFIBUS, PROFINET RT/IRT, Sercos III

Figure 5 shows the block diagram of the Sitara AM6x. The part includes features that support the specialized Industry 4.0 requirements discussed above.

5. The Sitara AM6x is a complex SoC device with support for Industry 4.0 functions. (Source: TI “Designing industrial control for Industry 4.0 with Sitara AM6x processors” PDF, p. 3)

Functional Safety

The AM6x architecture integrates features to help designers meet functional-safety requirements up to IEC61508 SIL-3 for industrial control applications.

For example, the AM6x processor includes Cortex-R5F MCU technology from the TI Hercules product family. For functional safety-enabled AM6x devices, the Cortex-R5F can be configured to run in lock-step mode instead of dual-core mode. The MCUSS can be isolated by internal SPI interfaces to create a chip-within-a-chip architecture for freedom from interference just as if the safety MCU was external to the SoC.

Designing a functionally safe system requires adherence to a rigorous set of guidelines, for example:

• The AM6x hardware and software follow independently certified development processes, including requirements for tracking, documentation, and validation.
• TI provides a software-compliance package and compiler qualification kit to manage systematic failures.
• TI also provides a configurable “failure mode effects and diagnostics analysis” (FMEDA) tool for the AM6x. This details random failure modes and metrics from the device design, plus diagnostic coverage.
• The SafeTI-61508 functional-safety package includes a safety analysis report—a certification summary from a third-party assessment of the AM6x as a safety element out of context (SEooC).
• The AM6x Safety Manual details the hardware, software, and combined hardware/software diagnostics available with the AM6x processor.

Security

The AM8x manages security via its device management security controller (DMSC). The DMSC controls device management, boot sequence, reset, power management, and security. It also controls all isolation via on-chip firewalls, fulfilling access requests and managing secure authentication requests.  

In addition, the DMSC stores securely all critical assets such as keys and configuration data to reduce the opportunity for attacks. The DMSC ensures that all secure resources are working in harmony and that a security hack in one part of the device doesn’t lead to the collapse of the entire SoC. The secure portion of the DMSC firmware is only available in binary form.

The AM6x design supports an enhanced firewall architecture that permits dynamic access control to all SoC resources, such as memories, peripherals, and cores. The DMSC provides the ability to promote or demote firewall access to resources. DMSC resources are accessible through defined application programming interfaces (APIs).

The AM6x cryptographic subsystem meets the latest cryptographic requirements and includes hardware support for: 

• The National Institute of Standards and Technology’s (NIST) Elliptic Curve Digital Signature Algorithm (ECDSA)
• Deterministic random bit generator (DRBG)
• Advanced Encryption Standard (AES)
• Triple Data Encryption Algorithm (3DES)
• Secure Hash Algorithm-1 and -2 (SHA-1, SHA-2)
• Message Digest 5 (MD5)

Enhanced control available with the AM6x device allows for security-aware debugging. For example, the SoC provides the ability to lock the secure world while debugging in the public world. Other security features include run-time security and secure boot with programmable keys.

Networking

The AM6x includes multiple blocks to enhance connectivity. There are three next-generation industrial communication systems (ICSSs), each containing four programmable real-time units (PRUs) running at up to 250 MHz. PRUs are reduced instruction-set computer (RISC) cores with no cache and no pipeline to enable deterministic, single-cycle processing. Each PRU-ICSSG has two Reduced Gigabit Media Independent Interface (RGMII)- based Ethernet ports to support TSN up to gigabit speeds, as well as other popular industrial Ethernet protocols. An additional Ethernet media access controller (MAC) supports RGMII. A single AM6x can communicate up to seven Ethernet ports concurrently.

Sitara Example: Servo-Motor Drive

Servo motors have been a staple in manufacturing and automation for many years. Now, though, with the rise of Industry 4.0 and smart factories, demand is increasing for smarter servo drives that can control a greater number of axes.

Historically, high-end microcontrollers and large field-programmable gate arrays (FPGAs) performed the low-level control algorithms. They also included peripherals to drive the output block and read motor feedback.

However, the requirements for a servo-drive controller are rapidly changing. To reduce overall size and cost, control boards are increasingly including general-purpose programmable-logic-controller (PLC) functionality and networked communications, in addition to Industry 4.0 requirements such as functional safety and predictive maintenance.

A servo-motor control system typically contains several control-loop layers arranged in a cascade; each loop has its own real-time processing requirements. Figure 6 shows a typical cascaded control topology.

6. A standard servo-motor system with three cascaded loops. (Image Source: TI “Utilizing Sitara processors for Industry 4.0 servo drives” PDF, p. 3)

The inner torque/current loop uses a field-oriented-control (FOC) algorithm to drive the phase windings via three half-bridge power blocks. This loop is the tightest, with the highest update rate; upstream are the speed loop, the position loop, and a higher-level motion-control loop. Each loop runs at a multiple of the loop before it and provides the input reference to its downstream loop.

The blocks in Figure 6 lend themselves well to logical partitioning across cores within a heterogeneous processor, or between a processor and microcontroller. Spreading the various loops among the different cores in a multicore processor maximizes the processing bandwidth dedicated to each loop. When a processor core receives its control-loop input data, it can run the algorithm to completion as quickly as possible, provide the reference value for the downstream loop, and then continue providing other services until the next set of input data is ready.

Processors with higher raw performance can finish the control processing faster and have more bandwidth available to provide additional services and features. Fast processing is especially crucial when cycle times approach 31.25 µs in a 32-kHz control loop or when inputs from multiple axes must be processed practically simultaneously.

7. Several TI processing solutions are suitable for servo-drive applications, including Sitara, Hercules, and C2000 controllers. (Source: TI “Utilizing Sitara processors for Industry 4.0 servo drives” PDF, p. 6, fig. 5)

Several TI processors can support the servo-drive application (Fig. 7), but the AM65x also will accommodate Industry 4.0 functional safety, security, networking, and communication requirements.  Figure 8 shows a Sitara AM65x processor configured for a servo-processing application. The servo loops are split between two ARM cores: one Cortex R5F in the MCUSS handles the fast current loop and a Cortex-A53 processes the speed and position loops.

8. A servo processor with integrated Industry 4.0 features using the AM65x. (Source: TI “Utilizing Sitara processors for Industry 4.0 servo drives” PDF, p. 6, fig. 6)

The other Cortex R5F is devoted to functional safety, while the other Cortex A53 manages communication and other Industry 4.0 services. The ICSSG0 block implements several gigabit industrial Ethernet ports. The remaining ICSSG blocks provide the PWM drive signals to the servo-motor power board; read the digitized voltage and current signals from the stator phases; handle fault and diagnostic inputs; and read the outputs from the precision encoders.

 Sponsored Resources: 

• Utilizing Sitara™ processors for Industry 4.0 servo drives
• The state of functional safety in Industry 4.0
• Designing industrial controls for Industry 4.0 with Sitara™ AM6x processors