ARM Community: Motor Control Design for Functional Safety - ARM Community

Designing a differentiated motor drive is a complex task. Often these drives are single-processor that combine constraints of real-time embedded designs such as limited memory size and processing time, with the complications that motors bring - electrical noise and faults. When you add functional safety and certification requirements - the new design, test, and documentation deliverables require a significant amount of additional effort.

Today’s systems are also more complex and more dependent on the electronic control of motoring operations that need to meet strict industry functional safety standards. Whether it is the motor in control of the power steering assist in a car, controlling the lift and doors of an elevator, or a directly connected to the drum of a front load washing machine without belts or gears, functional safety in motor operation is fundamentally important. A motor system designed with functional safety will have a lower level of risk from improper operation. When a failure does occur, whether it is a random or systematic fault, the functionally safe design will detect this fault and respond to minimize impact.

International functional safety standards are defined to ensure that functional safety techniques are detailed for a specific industry sector and that these techniques are consistently applied. IEC 61508 is a basic safety standard which is the basis of all IEC and some ISO functional safety standards. It is used as a basis for sector-specific standards but where these do not yet exist, it is also intended for direct use. Some standards that refer to IEC 61508 include: EN 50128 – railway, IEC 60601 – medical equipment, IEC 61511 – process industry, ISO13849/ IEC 62061 – industrial machinery, IEC 60880 – nuclear power industry and IEC 50156 – furnaces.

Automotive designers must comply to ISO 26262 safety requirements to support quality-managed (QM) and ASIL-A to ASIL-D for applications such as steering, braking, transmission, electric vehicle battery management, and advanced driver-assistance systems (ADAS). TI is a member of U.S. and international working groups for ISO 26262.

Designers for household appliances strive to meet IEC 60730, and/or related standards UL 1998 and IEC 60335, supporting Class A to Class C.

A typical motor control system block diagram consists of processing feedback from motor rotor sensors as well as measuring voltages and currents from the inverter (strategically and deterministically), and then processing this data to be used as inputs to regulate compensation of torque, speed and position control loops to finally generate an appropriate pulse-width modulator (PWM) output to the inverter (Figure 1). These closed loops are standard and depend on a great number of components, both hardware and software. TI offers SafeTI™ design packages to help designers more easily design functional safety compliant products. These packages include hardware (analog and embedded processors), tools, software and documentation. TI’s embedded processors in the SafeTI-61508 design package (in this case, microcontrollers) support functional safety throughout these processes.


When measuring the inverter voltages and currents, designers must know if the analog-to-digital converter (ADC) is both functional and producing correct results. A common technique connects a PWM output to an ADC input through a filter. The full-scale ADC range can then be tested. Some TI microcontrollers even integrate a digital-to-analog converter (DAC) to serve this purpose. One method to gain safety coverage is to have multiple ADCs converting the same control signals. This allows a comparison to occur on the actual signal used in the control process. Because many SafeTI MCUs provide multiple ADCs, the same sensor signal can be converted with two separate ADCs, thus reducing common cause failures.

Knowing the motor’s exact rotor position is critical to most motor systems. For safety-critical systems using a resolver, encoder, or hall sensor, TI provides software that estimates the rotor angle to compare to the angle measured by the electro-mechanical sensor. Microcontrollers in SafeTI design packages provide the performance headroom to easily include these “self-sensing” angle-estimation routines. This capability, having two separate and diverse channels to obtain the motor’s rotor angle, can help enable the designer the option to reduce system costs by replacing a more expensive SIL-3 resolver or encoder with a standard version.


The next step is processing these signals. As the leader of commercial lock-step microcontroller architectures, SafeTI microcontrollers provide cycle-by-cycle diagnostics for the CPU. While two CPUs execute the same code, comparison logic guarantees that each software instruction is executed exactly the same for both CPUs and notifies the system immediately if they do not match. Also, every local Flash and RAM access by these CPUs is checked by a single-bit error correcting and double bit error detecting (SECDED) error code correction controller (ECC). To extend coverage further, both the CPU and memory have hardware BIST (built-in self test) to verify functionality at start up. Embedded diagnostics also include self test capability to ensure proper operation before start of safety critical operation.

With the processing now complete, the next step is to output appropriate PWMs to the inverter. These outputs can be verified by connecting them to input captures. SafeTI microcontrollers provide extra input captures for this purpose with eCAP and high-end timer modules. To get more system coverage, a designer can connect the motor phases to the input captures, using appropriate signal conditioning, to verify that the transitions are within expectations.

The latest microcontrollers introduced as new SafeTI-61508 design packages are optimized for motor control in safety-critical designs. They include the Hercules™ RM46x and RM42x ARM® Cortex™-R4 safety microcontrollers and TPS65381-Q1 power supply and are designed for motor control in industrial automation, medical monitoring, and energy applications.

What do you think? Would a “design package” such as this help you with your safety-certified motor control designs?

Guest Partner Blogger:

Jeff Stafford is responsible for worldwide business development of Texas Instruments MCU motor control solutions, with a focus on strategic growth markets that require motors to be controlled smarter, safer, and more efficiently. Jeff joined TI in 1996, supporting motor control designs as a field applications engineer for transportation and industrial customers in the central United States. He holds a bachelor of science in electrical engineering from Western Michigan University.

ARM welcomes its wealth of Partners in the ARM Connected Community (CC) to submit guest blogs to be published on our multiple community blogs. If interested in participating please submit email inquiries to Tell.Us@arm.com.

The ARM Connected Community (CC) is an extensive ecosystem covering all aspects of ARM processor-based design, from chip implementation through to system and device design. The CC provides a platform for collaborative innovation, with multiple types of forums for members to work with one another, and with customers, to solve industry challenges, all with the purpose of enabling designers to focus on differentiating features and an accelerated time-to-market for ARM powered solutions.