Safety Computer-on-Modules: More Performance for Functional Safety

By Zeljko Loncaric

Marketing Engineer

congatec Inc.

October 24, 2022


Collaborative robots need high computing performance for situational awareness.

Applications with functional safety (FuSa) require more powerful embedded computing platforms because of the increasingly performance-hungry integrated sensor technology. This is why multicore processors such as the FuSa-qualified Intel Atom processors are so attractive today. They can also be used to consolidate non-critical functions on a single mixed-critical system, which is a major advantage. If there are then also Computer-on-Modules (COMs) that support the FuSa functions of these processors, OEMs benefit from application-ready building blocks that are already fully qualified for the safety certification of their customer applications, and that can be scaled to the required performance. congatec is one of the first companies to manufacture such COMs.

Situational awareness sensors are arguably the biggest drivers behind the growing demand for more performance in functional safety applications. Take cobot environments, for example. Here, FuSa-qualified sensors and switches are not only needed to bring robots to a halt when they enter the manufacturing cage. Rather, any movement must be detected. Consequently, the use of collaborative robots and autonomous logistics vehicles in manufacturing also requires the processing and analysis of camera, lidar and laser data. This increasingly involves the use of artificial intelligence. Sometimes, this data needs to be compared with geoposition data from other sensors to enable evasive maneuvers when certain predefined parameters are met.

All of this must take place in real time and, above all, in a functionally safe manner. And not all examples are as elaborate as autonomous vehicles. Even a digital rearview mirror, installed on an industrial truck operated by a human driver, is a complex sensor. To be functionally safe, it must be constantly checked to verify that it is operating correctly. After all, a frozen image could cause the driver to completely misjudge the situation.

Increasingly performance-hungry sensor technology

Admittedly, the performance-hungry function blocks that are being used in functional safety environments do not always have to be functionally safe. For example, there is discussion of how to implement environmental detection in vehicles without the burden of ISO 26262 [1]. However, there is no doubt that they require significantly more performance to interact with functionally safe solutions than the functionally safe elements of a system ever needed to fall back to the safe side.

Today, more performance is primarily required in applications that need situational awareness with artificial intelligence. The real-time connectivity of such systems also adds to the need for fast, low-latency data throughput, for example when higher-level control logic is used for autonomously guided systems that are connected via private 5G networks.

Mixed-critical systems on the rise

Unlike the previously common FuSa controllers, today’s application processors must ideally be able to also host the system GUI, in addition to situational awareness and artificial intelligence. In mobile machines, for example, this would be driver assistance systems. This is what makes x86 technology highly interesting for such mixed-critical systems: primarily because there is an expectation that this generic multicore processor technology will see further homogeneous development, and not least because the first processors of this type today integrate controllers with FuSa functions. For instance, the Intel Atom x6000E processor technology is already qualified to support applications that require certification analogous to IEC 61508 Safety Integrity Level 2 (SIL2).

Application areas for SIL2 are found in industrial machines, collaborative robots and Industry 4.0 products such as IoT gateways and edge servers. Other markets arise from the requirements of automated intralogistics for autonomous logistics vehicles and range from factory mobility to all new markets found within autonomous driving, from agricultural and construction machinery to smart city vehicles, AUVs and UAVs. Last but not least, target markets also include medical devices as well as hardware for train and track control or avionics. Safety certification is required in these areas, for example, to prevent hazards or injuries from electric shock, fire and explosions, or crushing, collision or being run over. This makes redundancy and the ability to implement fail-safe processes a must.

Functionally safe Computer-on-Modules

Manufacturers of embedded computer technology are therefore increasingly qualifying their offering for functional safety. For example, the vendor-independent standardization body PICMG – which is responsible for embedded computer form factors such as COM-HPC and COM Express – announced a FuSa extension to the COM-HPC hardware specification at embedded world 2022. It defines signal pinouts to support FuSa applications. These pinouts are required to support the FuSa-qualified Safety Islands of modern chipsets or System-on-Chips (SoCs). A Safety Island is a special part of the hardware that is separated from the main chipset or SoC together with supporting firmware and software.

The Safety Island monitors the state and status of the main chipset or SoC and reports results, for instance, via dedicated FuSa GPIOs and a dedicated FuSa SPI slave interface, to a FuSa system safe-state agent or safety controller. This controller is implemented as a FuSa SPI master on the carrier board and prepares safety and status information for further use. The final specification is expected before the end of the year, or in early 2023 at the latest.

(Thanks to its Safety Island controller, Intel Atom multicore processor technology enables the design of mixed-critical systems that host secure applications in real-time virtual machines. They can even host sophisticated sensor technology for situational awareness.)

Functionally safe virtual machines

Real-Time Systems (RTS) also pledged to address FuSa at embedded world with its RTS Safe Hypervisor, an operating-system-independent Type 1 hypervisor for x86 processor technology that will be certified for functional safety. It targets mixed-critical workloads based on x86 multicore processor technology and will be available worldwide. Bundling the certified real-time hypervisor with functionally safe and non-secure virtual machines and a certified secure operating system such as Linux-based Zephyr or QNX, it will be delivered as a complete OEM package. This package addresses any commercial or custom embedded computing platform equipped with FuSa-enabled x86 processors. Initial implementations will be based on Intel Atom x6000E series processors with integrated Intel Safety Island. An expansion to products based on 11th generation Intel Core processors is another option for the future.

The goal of RTS is to provide developers with the most efficient route to fully functional safety-compliant applications by providing pre-certified platforms. Secure real-time hypervisor technology is key to this, connecting everything from secure hardware, secure Type 1 virtual machines and secure operating systems to non-secure domains running multi-purpose operating systems. Ultimately, application developers only need to worry about the safety-critical part of their application to obtain functional safety certification.

OEMs leveraging such hardware platforms for mixed-critical application designs save costs as there are fewer systems to deploy, which leads to an improved mean time between failures (MTBF) compared to installations with multiple systems. Another benefit is that developers can manage critical and non-critical applications on a single chip or hardware, which facilitates application development and testing, as well as data exchange between these applications. And despite the single-system approach, such a hypervisor implementation allows all non-safety-critical applications to be continuously updated and modified without the need to recertify safety-critical components. This is absolutely critical – not only for innovation, but also for enhanced cybersecurity.

Real-time operating systems for safety and cybersecurity

congatec also confirmed its intent to invest significantly in the functional safety market. In an earlier step, at the end of 2021, the company had already announced a strategic partnership with SYSGO, Europe's leading provider of secure real-time operating systems. The aim of the cooperation is to provide not only solution platforms for x86 but also for Arm processors that are specifically tailored to functional safety and cybersecurity requirements. First implementations, which depending on the design can be certified up to ASIL B or SIL 2, will be made available on x86 and Arm Cortex-based Computer-on-Modules. A typical use case is Safety Element out of Context (SEooC) as defined by ISO 26262.

The full-service offering provided under the new partnership agreement is designed to simplify and shorten the development process for safety-critical systems. It includes comprehensive certification support for the various safety standards analogous to IEC 61508 for functionally safe electronic systems. SYSGO PikeOS RTOS- and hypervisor-based platforms are supported for railroad applications (EN 50129 / EN 50657), commercial and agricultural vehicles (ISO 26262), civil aviation technology (DO 254), as well as PLCs in automation and process control (IEC 61508) and medical applications (IEC 62304).

Intel Atom x6000E processor technology on COMs

The combination of functionally safe processor technology and OS/hypervisors becomes particularly attractive when provided on application-ready Computer-on-Modules. congatec showed an example of such FuSa building blocks at embedded world in a live demo. This FuSa demo application featured the functional-safety-ready COM Express Mini module conga-MA7 with FuSa-qualified Intel CPU x6427FE with Safety Island support in combination with the RTS Hypervisor and integrated real-time Linux.

This FuSa demo was an impressive proof of how far congatec has already advanced in the qualification process of the first Computer-on-Modules based on Intel Atom x6000E processor technology (formerly codenamed Elkhart Lake). OEMs can already begin to implement congatec's functional-safety-qualified modules and BSPs into their application platforms, along with their own software components. congatec is also ready to assist OEM customers with any customization that may be required to meet specific certification demands – from component selection and implementation on carrier boards, to OS and hypervisor support, or I/O driver implementation.

Reaching the goal faster with pre-certified solution modules

To qualify Computer-on-Modules for safe operation, all components as well as the entire BSP must be readied for FuSa certification – including the safety manuals and all other necessary documentation. All organizational processes and documents created during development and testing – such as FMEDA (Failure Modes, Effects and Diagnostic Analysis) and the Verification and Validation (V&V) process – must also be brought into line with the certification requirements and reviewed by external assessors. congatec provides all this out of the box, so that customers can start their FuSa projects immediately to get to market quicker, save costs, and lower their implementation risk.

x86-based embedded multicore platforms thus offer a solid ecosystem for functional safety. What makes this ecosystem stand out in particular are the homogeneous processor roadmaps that are not tied to just one processor manufacturer. Standardized Computer-on-Modules also provide the foundation to scale the performance across all processor sockets and manufacturers. OEMs deploying Computer-on-Modules that are pre-certified for functional safety as application-ready building blocks – including all relevant software components such as bootloader, hypervisor and BSP – can also save a lot of time and money. All they have to do is qualify the customer-specific carrier board and adaptations for certification.

[1] Source:, Roland Rathmann, May 5, 2021, retrieved June 12, 2022