This document defines Class B Safety Software Library intended for PIC MCUs and dsPIC DSCs. The Software Library routines identify the occurrence of Faults in a single channel CPU. These routines have been developed by complying with IEC 60730 standard that supports the Class B certification process. These routines can be incorporated immediately with the end user’s application to test and verify the critical functionalities of a controller without affecting the end user’s application.
This application note also describes the Application Programming Interface (API) functions that are available in the Class B Safety Software Library.
The Class B safety software routines can be called periodically at start-up or run time to test the following components:
- CPU Registers
- CPU Program Counter
- Invariable Memory
- Variable Memory
- Interrupt Handling and Execution
This application note also outlines various techniques, which are not part of the Class B Safety Software Library, to test components such as external communication, timing, I/O periphery, analog I/O and analog multiplexer.
Overview of the IEC 60730 Standard
The IEC 60730 standard defines the test and diagnostic methods that ensure the safe operation of the controlled equipment used in household appliances. Annex H of the IEC 60730 standard classifies the software into the following categories.
- Class A
- Class B
- Class C
The Class B Safety Software Library implements the important test and diagnostic methods that fall into the Class B category. These methods use various measures to detect and respond to the software-related Faults and errors.
According to the IEC 60730 standard, the controls with functions that fall into the Class B category should have one of the following structures:
- Single Channel with Functional Test - In this structure, the Functional test is executed prior to the application firmware execution.
- Single Channel with Periodic Self-Test - In this structure, the Periodic tests are embedded within the firmware, and the self-test occurs periodically while the firmware is in Execution mode.
- Dual Channel without Comparison - In this structure, two independent methods execute the specified operations.
The following system requirements are recommended to run the Class B Safety Software Library:
- For the tests that require independent time slot monitoring, the system hardware must provide at least two independent clock sources (e.g., a crystal oscillator and the line frequency).
The user application determines whether the interrupts need to be enabled or disabled during the execution of the Class B Safety Software Library.
If an interrupt occurs during the execution of the Class B Safety Software Library routine, an unexpected change may occur in any of the registers. Therefore, when the Interrupt Service Routine (ISR) executes, the contents of the register will not match the expected content, and the ISR will return an incorrect result.
Class B Safety Software Library
The Class B Safety Software Library, which applies to 8-bit, 16-bit, and 32-bit devices, includes several APIs that are intended to maximize application reliability through Fault detection. These APIs help meet IEC 60730 standard compliance. The following tests can be implemented using this library:
- CPU Register Test
- Program Counter Test
- Variable Memory Test
- Invariable Memory (Flash/EEPROM) Test
- Interrupt Test
- Clock Test
In the following sections, the test description and the implementation details are discussed for each test. In addition, each section also lists the APIs that are required to execute the corresponding test for supported architectures.
Invariable Memory (Flash/EEPROM) Test
The Invariable Memory (Flash/EEPROM) test implements the periodic modified checksum measure H.2.19.3.1 defined in Annex H of the IEC 60730 standard. It detects single-bit Faults in the invariable memory. The invariable memory in a system, such as Flash and EEPROM memory, contains data that is not intended to vary during program execution. The Flash/EEPROM Invariable Memory test computes the periodic checksum using a Cyclic Redundancy Check (CRC). Several standards are used today for the CRC calculation. The width of the CRC divisor varies from 8 to 32 bits depending on the polynomial that is used, and the width of the divisor determines its ability to detect errors. Some commonly used CRC divisors are as follows:
- CRC-16 = 1 1000 0000 0000 0101 = 8005 (hex)
- CRC-CCITT = 1 0001 0000 0010 0001 = 1021 (hex)
- CRC-32 = 1 0000 0100 1100 0001 0001 1101 1011 0111 = 04C11DB7 (hex)
Figure 1 illustrates the flowchart for the Invariable Memory test.
The CRC16 calculation function returns the final CRC value, which is used in the following sequence:
1. At system start-up, if the CRC flag is 0x00, the computed CRC checksum is taken as the reference checksum.
2. The reference checksum is stored in the Flash or EEPROM memory and the CRC flag is set to 0xFF.
3. While the CRC flag is 0xFF, the CRC16 calculation function can be called periodically.
4. The checksum calculated in step 3 is compared with the reference checksum.
5. If both values match, a status bit can be set by the user application to indicate that the invariable memory has passed the test and no errors were found.
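The flag-driven sequence above, written out as an added example in C (not the library's own code): a bit-serial CRC-16 using the CRC-CCITT divisor 0x1021 from the list above, run over a constructed 64-byte array that stands in for the invariable memory region, with the reference checksum and the CRC flag held in variables that stand in for their Flash/EEPROM locations. The function names, the 0xFFFF initial value, and the return codes are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>

#define CRC_POLY_CCITT 0x1021u   /* x^16 + x^12 + x^5 + 1, the CRC-CCITT divisor listed above */

/* Bit-serial CRC-16, MSB first, no bit reflection, no final XOR. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len, uint16_t init)
{
    uint16_t crc = init;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ CRC_POLY_CCITT) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Constructed stand-in for the invariable memory region; on a real part this is read from Flash. */
static uint8_t g_flash_image[64];
/* Stand-ins for the reference checksum and the CRC flag that the text stores in Flash/EEPROM. */
static uint16_t g_ref_crc;
static uint8_t  g_crc_flag = 0x00;   /* 0x00 = no reference yet, 0xFF = reference stored */

enum { INV_MEM_REF_STORED = 0, INV_MEM_PASS = 1, INV_MEM_FAIL = 2 };

/* One pass of the test: with the flag at 0x00 the result becomes the reference (steps 1-2);
 * with the flag at 0xFF the fresh CRC is compared against the reference (steps 3-5). */
int invariable_memory_test(void)
{
    uint16_t crc = crc16_ccitt(g_flash_image, sizeof g_flash_image, 0xFFFFu);
    if (g_crc_flag == 0x00) {
        g_ref_crc  = crc;
        g_crc_flag = 0xFF;
        return INV_MEM_REF_STORED;
    }
    return (crc == g_ref_crc) ? INV_MEM_PASS : INV_MEM_FAIL;
}

/* Fill the image, store the reference, re-check, then inject a single-bit fault and re-check.
 * Returns 1 when the sequence behaves as the text describes (pass before the fault, fail after). */
int run_demo(void)
{
    for (size_t i = 0; i < sizeof g_flash_image; i++)
        g_flash_image[i] = (uint8_t)(i * 7u + 3u);        /* constructed sample contents */
    g_crc_flag = 0x00;
    int first  = invariable_memory_test();                /* stores the reference checksum */
    int second = invariable_memory_test();                /* unchanged memory: must pass */
    g_flash_image[17] ^= 0x04;                            /* simulate a single-bit Fault */
    int third  = invariable_memory_test();                /* any single-bit change alters a CRC: must fail */
    g_flash_image[17] ^= 0x04;                            /* restore the image */
    return (first == INV_MEM_REF_STORED && second == INV_MEM_PASS && third == INV_MEM_FAIL) ? 1 : 0;
}
```

The ASCII string "123456789" is the conventional check input for this CRC variant; with the 0xFFFF initial value it yields 0x29B1.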