The Safety MCU directly controls the power and recovery pins of Orin and provides access to the BMC Module.
The following list provides the functions and features for the Safety MCU.
Has the connections necessary to implement a functional safety solution with the IGX Module.
Has a Target SPI connection to the IGX Module FSI SPI interface.
Access to the IGX Module VRs to monitor temperature, voltages, and currents.
Access to the SMBus connections of all PCIe endpoints, allowing status monitoring and safety control of PCIe peripherals. This includes PCIe slot cards and the SMART status of M.2 NVMe drives.
Access to monitor system temperature and relevant voltages and currents on the motherboard.
Directly controls the PSU enable pins.
Capable of authenticating with the BMC Module on boot.
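As an added illustration (not NVIDIA's code) of the M.2 NVMe SMART monitoring listed above, the following decodes the leading fields of the NVMe SMART/Health Information log page and combines the drive's own Critical Warning bits with independent platform limits, so a drive that never raises its own flag still trips a fault. The temperature limit, fault codes and sample log bytes are assumptions for the example; how the MCU obtains the log bytes (via the host or NVMe-MI over SMBus) is outside its scope.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Leading fields of the NVMe SMART / Health Information log page (Log ID 02h).
 * Offsets and the Critical Warning bitfield follow the NVMe base specification. */
typedef struct {
    uint8_t  critical_warning;      /* byte 0: bitfield, nonzero means the drive itself flags trouble */
    uint16_t composite_temp_kelvin; /* bytes 1-2: little-endian, Kelvin */
    uint8_t  available_spare;       /* byte 3: percent of spare capacity remaining */
    uint8_t  spare_threshold;       /* byte 4: percent, set by the drive */
} nvme_smart_summary_t;

/* Fault reasons the safety MCU would report upstream (values are example policy). */
enum { FAULT_NONE = 0, FAULT_DRIVE_WARNING = 1, FAULT_OVERTEMP = 2, FAULT_SPARE_LOW = 4 };
#define SAFETY_TEMP_LIMIT_KELVIN 343u /* 70 degC: assumed platform limit for this example */
/* Decode the summary fields; returns false if the buffer is too short. */
bool nvme_smart_parse(const uint8_t *log, size_t len, nvme_smart_summary_t *out)
{
    if (log == NULL || out == NULL || len < 5) return false;
    out->critical_warning      = log[0];
    out->composite_temp_kelvin = (uint16_t)(log[1] | ((uint16_t)log[2] << 8));
    out->available_spare       = log[3];
    out->spare_threshold       = log[4];
    return true;
}
/* Combine the drive's own warning bits with independent MCU-side checks, so a
 * drive that never sets its warning bit still trips the platform limits. */
int nvme_smart_fault(const nvme_smart_summary_t *s)
{
    int faults = FAULT_NONE;
    if (s->critical_warning != 0)                             faults |= FAULT_DRIVE_WARNING;
    if (s->composite_temp_kelvin >= SAFETY_TEMP_LIMIT_KELVIN) faults |= FAULT_OVERTEMP;
    if (s->available_spare < s->spare_threshold)              faults |= FAULT_SPARE_LOW;
    return faults;
}

/* Convenience entry point for a raw log buffer: -1 on parse failure, else fault mask. */
int nvme_smart_check(const uint8_t *log, size_t len)
{
    nvme_smart_summary_t s;
    return nvme_smart_parse(log, len, &s) ? nvme_smart_fault(&s) : -1;
}

/* Constructed samples: a healthy drive (322 K = 49 degC, 100% spare, 10% threshold)
 * and one quietly overheating (350 K = 77 degC) without setting any warning bit. */
const uint8_t sample_healthy[512] = { 0x00, 0x42, 0x01, 100, 10 };
const uint8_t sample_hot[512]     = { 0x00, 0x5E, 0x01, 100, 10 };
```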
Functional Safety Background
Functional safety refers to the practice of implementing automatic functions to minimize health and safety risks to people interacting with machines. Functional safety is emerging as a primary concern in the fields of robotics, manufacturing, medicine, avionics, and autonomous vehicles.
There are many standards that govern functional safety certification. Some deal with general principles while others deal with implementation specifics. IEC 61508 and ISO 13849 are two notable safety standards.
IEC 61508 is a basic functional safety standard applicable to all types of industries. It addresses system hardware and software through all aspects of a safety function life cycle:
Concept and scope definition,
End of life
IEC 61508 uses a probabilistic failure approach and defines safety metrics.
ISO 13849 applies to the parts of machine control systems that are assigned to providing safety functions. This standard is not technology-specific. It defines “Performance Levels” (a to e) along with predefined architectures, called “Categories,” that target different performance levels. For example, a Category 2 architecture is characterized by safety through periodic safety checks using test equipment. A Category 3 architecture is characterized by the fact that a single fault in any part of the function does not lead to a fault in the safety function.
In an industrial context, functional safety is implemented in layers, as shown in Figure 1‑2.
Figure 1‑2. Functional Safety Layers
Safety at the thing (Layer A) has the most stringent requirements for safety certification and is therefore the costliest. There is typically a one-to-one mapping between safety controls and things (for example, one safety control system on each robotic arm in the factory) and the safety controls have failsafe measures such as redundant control paths. Safety at Layer A is also more costly because engaging these safety mechanisms can result in lost productivity. For example, cutting power to a robotic arm halts the assembly line.
Safety at the platform (Layer B and Layer C) has less stringent requirements for safety certification and is therefore less costly. There is typically a one-to-many mapping between a safety platform and the things that it supervises. For example, one platform running a vision analytics application can supervise several robotic arms in a factory. Safety functions implemented at Layer B and Layer C are concerned with pre-empting costly shutdowns by preventing or warning of hazards before they require a response from the thing. For example, a safety platform can sound an alarm warning the human about wandering into the robot arm’s path.
The NVIDIA technology portfolio addresses a range of Industry 4.0 functional safety use cases, from simulation to robotic control. The primary use case for the IGX Orin is proactive safety, which means identifying safety events before they happen. In addition to monitoring safety conditions, the IGX Orin can aggregate sensor data from devices in the factory. AI inference and training play a critical role in proactive safety. Models trained in virtual worlds can be used to predict systematic failures and to create probability distributions for component failures.
Figure 1‑3. IGX Orin Board Positioned for Proactive Safety
Functional Safety Use Case
The initial use case for the IGX Orin Board is to supervise preventative and proactive safety functions using AI functions such as vision analytics.
In a complex functional safety use case, the IGX Orin Board complements the safety functions implemented at the thing level to improve functional safety. Figure 1‑4 shows an example of a complex functional safety use case with the IGX Orin Board. The yellow boxes represent the IGX Orin Board.
Figure 1‑4. Complex Functional Safety with IGX Orin Board
The figure represents a typical system architecture:
One type of machinery (for example, a robotic arm) is equipped with local sensors, a PLC, and a control system including a reactive safety device that runs the safety functions responsible for detecting and controlling faults (such as ESTOP and PSTOP).
Another type of machinery (for example, a conveyor belt) is equipped with a PLC and a control system but relies on the IGX platform to execute reactive safety functions.
On IGX, data from cameras and other sensors are used for proactive safety supervision; for example, detected potential safety violations generate protective stops for the machinery (through the PLC) and trigger alarms.
Safety-related data (for example, fault detection and control alarms) are exchanged over a safe industrial protocol (for example, PROFIsafe) between IGX and the devices connected to the machinery (for example, to tell the machinery to stop, move, change function to replace a faulty device, and so on).
Safety-related data are aggregated, pre-processed, and stored in the cloud for predictive safety (accident recording, safety analytics, and confidence view). They can be used for retraining and OTA transfer back to the devices.