An ISO 13849 compatible emergency stop system on a high-performance systemon- chip hardware platform

Abstract

This thesis presents the design, implementation, and evaluation of a heterogeneous dual-channel Emergency Stop safety function on a Xilinx ZCU104 evaluation board. Channel A is deployed on the Cortex-R5 in the Processing System and Channel B on a MicroBlaze soft processor in the Programmable Logic, introducing diversity through processor architecture, memory organisation, and timing model. Both channels independently sample the E-Stop inputs, execute a four-state safety state machine, and exchange safety words over a mailbox for bidirectional cross monitoring. Diagnostic coverage is estimated using the simplified ISO 13849-1 Annex E method. Each channel implements the three measures required for the logic subsystem: dualcopy variable memory with per-tick byte comparison, periodic CRC signature verification of invariable memory, and processing-unit self tests. Independent watchdog supervision is provided on each channel. A UART fault injection interface enables deterministic validation of all diagnostic fault paths. The overall diagnostic coverage is 96% for Channel A and 93% for Channel B, both in the medium range. The common cause failure score is estimated at 80, exceeding the Annex F minimum required for Category 3. An MTTFD analysis yields a capped value of 100 years (High tier). With Category 3 architecture, high MTTFD, medium DCavg, and a passing CCF score, both channels achieve Performance Level d.