8/8/2019 06 11 14 Semiconductor Aspects Regarding Safety
1/26
Freescale and the Freescale logo are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. Freescale Semiconductor, Inc. 2006.
Aspects of Functional Safety for Microcontrollers
Florian Bogenberger
Safetronic 2006
Nov. 14th, 2006
Overview
Observations from the Automotive Industry
  Safety Relevant Applications
  Consequences of Integration
Standards
  IEC61508 applied for Micro Electronics
Basics
  Influences on Safe Operation
  Considering the Environment
  Improve Safety with new Technology
Safety relevant Automotive Applications
Today's Cars: Electronic Parking Brake (EPB), Electro Hydraulic Brake (EHB), Electro Magnetic Brake (EMB), Electronic Stability Control (ESC), Electronic Power Steering (EPS), Active Front Steering (AFS), Steering Wheel Angle Sensor, Electronic Throttle Control, Electronic Steering Wheel Lock, Chassis Management, etc.
Tomorrow's Cars: Hybrid Brake, Emergency Braking through Automatic Distance Control (ADC), Steer-by-Wire, Brake-by-Wire, etc.
Ultimately: Autonomous driving
Already starting: Cost optimization drives the merge of safety-related processes with non-safety processes
Components become Systems
In the past: strong separation of systems and components.
More recently, however, complete systems are being condensed to single components.
Characteristics
System-level: lower robustness on PCB; higher cost; easier for end-user to inspect
Component-level: higher robustness on chip; lower cost; harder for end-user to inspect
Consequences
Automotive industry needs to specify testable requirements on component level
Semiconductor industry needs to characterize component abilities and limits
HW functions and SW functions need to be closely harmonized
Processing Subsystem Philosophies for Safety
[Figure: four block diagrams, one per approach: Master / Slave Approach; Dual Processor Approach; Single Core Self Test Approach; Dual Core Approach. Elements shown: MCU #1 (and MCU #2 where present) with CPU, peripherals and memory; clock monitor, COP and LVI; complex hardware watchdog; SPI link; n input modules and n sensors; output drivers (valves, pump); safety relays. The dual core diagram additionally shows memory validation and bus validation between the CPUs.]
System Integration of Safety Functions
[Figure: plot of (nr of safety functions) / (nr of ICs per system) versus time. Labels: Discrete Solution; General Purpose ICs; ASIC / ASSP.]
In future, more safety functions will be performed by fewer devices.
System Integration and Functional Safety
[Figure: Integration of Electronics. Two curves over time: (nr of safety functions) / (nr of ICs per system), and % of IEC61508 requirements that can be applied, the latter as a max/min band (max and min with safety guidelines for ICs). Labels: Discrete Solution; General Purpose ICs; ASIC / ASSP. Annotation: gap opens.]
Target Failure Rates According To IEC61508
Target Failure Rates according to IEC61508
Safety budgeting: 1% for the microcontroller. Microcontroller target dangerous failure rate 10^-9 /h (1 FIT) for SIL3 systems.
What FIT means...
Failure rate $\lambda$: failures per time unit, measured in FIT; 1 FIT = 1 failure / 10^9 h
Mean time to failure (MTTF): $MTTF = 1/\lambda$
1 year MTTF: $\lambda = 1/(24\,\mathrm{h} \cdot 365) \approx 114 \cdot 10^{-6}/\mathrm{h} = 114{,}000$ FIT
1 FIT $\approx$ 114,000 years MTTF
FIT is a unit for failure rates.
It does not tell, though, whether we are talking about dangerous or non-dangerous failures.
Measurement of Diagnostic Coverage
Current definition in IEC61508:
diagnostic coverage $DC = \lambda_{dd} / \lambda_d$
safe failure fraction $SFF = (\lambda_s + \lambda_{dd}) / (\lambda_s + \lambda_d) = (\lambda_s + DC \cdot \lambda_d) / (\lambda_s + \lambda_d)$
with $\lambda_s = 0$: $SFF = DC$
$\lambda_s$: safe failure rate
$\lambda_d$: dangerous failure rate
$\lambda_{dd}$: detected dangerous failure rate
$\lambda_{ud}$: undetected dangerous failure rate
$\lambda_d = \lambda_{dd} + \lambda_{ud}$
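The FIT/MTTF conversions and the DC/SFF definitions from the three slides above, carried through in code. This is an added worked example, not code from the deck or from Freescale; the failure rates in the demo are constructed, and the system-level SIL3 target of 10^-7 /h fed into the budgeting function is an assumption consistent with the slide's "1% gives 1 FIT" arithmetic.

```python
"""Failure-rate arithmetic from slides 11 to 13 (added worked example; not part of
the original deck).  Rates are in failures per hour unless a name says *_fit."""

FIT = 1e-9                    # 1 FIT = 1 failure per 10^9 h
HOURS_PER_YEAR = 24 * 365     # 8760 h, the figure the slide uses


def fit_to_rate(fit):
    """Convert a failure rate in FIT to failures per hour."""
    return fit * FIT


def rate_to_fit(rate):
    """Convert failures per hour to FIT."""
    return rate / FIT


def mttf_hours(rate):
    """Mean time to failure for a constant failure rate: MTTF = 1 / lambda."""
    return 1.0 / rate


def mttf_years_for_fit(fit):
    """MTTF in years for a rate given in FIT (1 FIT -> about 114,000 years)."""
    return mttf_hours(fit_to_rate(fit)) / HOURS_PER_YEAR


def fit_for_mttf_years(years):
    """Failure rate in FIT corresponding to a given MTTF in years."""
    return rate_to_fit(1.0 / (years * HOURS_PER_YEAR))


def diagnostic_coverage(lam_dd, lam_ud):
    """DC = lambda_dd / lambda_d, with lambda_d = lambda_dd + lambda_ud."""
    lam_d = lam_dd + lam_ud
    return lam_dd / lam_d


def safe_failure_fraction(lam_s, lam_dd, lam_ud):
    """SFF = (lambda_s + lambda_dd) / (lambda_s + lambda_d)."""
    lam_d = lam_dd + lam_ud
    return (lam_s + lam_dd) / (lam_s + lam_d)


def sff_from_dc(lam_s, lam_d, dc):
    """The slide's second form: SFF = (lambda_s + DC * lambda_d) / (lambda_s + lambda_d)."""
    return (lam_s + dc * lam_d) / (lam_s + lam_d)


def mcu_dangerous_budget_fit(system_target_rate, share=0.01):
    """Slide 11's budgeting: the microcontroller gets `share` (1 %) of the
    system's dangerous-failure target.  The system target is an input assumed
    by the caller (1e-7/h for SIL3 reproduces the slide's 1 FIT)."""
    return rate_to_fit(system_target_rate * share)


if __name__ == "__main__":
    print(f"1 year MTTF = {fit_for_mttf_years(1):,.0f} FIT")       # ~114,000 FIT
    print(f"1 FIT = {mttf_years_for_fit(1):,.0f} years MTTF")      # ~114,000 years
    print(f"MCU budget at 1 % of 1e-7/h = {mcu_dangerous_budget_fit(1e-7):.1f} FIT")
    # Constructed rates in FIT: 500 safe, 90 detected dangerous, 10 undetected dangerous.
    dc = diagnostic_coverage(90, 10)
    print(f"DC = {dc:.2f}")
    print(f"SFF = {safe_failure_fraction(500, 90, 10):.3f}")
    print(f"SFF with lambda_s = 0 -> {safe_failure_fraction(0, 90, 10):.2f} (equals DC)")
```

Because DC and SFF are ratios, the same functions accept rates in FIT or in failures per hour as long as all arguments use one unit; the conversion helpers are only needed when a rate is turned into a time or compared against a budget.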
Diagnostic Coverage versus Test Coverage
$DC = (\lambda_{dd,int} + \lambda_{dd,systematic} + \lambda_{dd,ext}) / (\lambda_{d,int} + \lambda_{d,systematic} + \lambda_{d,ext})$
Counting faults is not sufficient: DC is not the same as test coverage = (nr of detected faults) / (nr of all faults).
Differences in probabilities of different faults cannot be neglected.
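A small constructed fault list that makes the slide's point concrete: a count-based test coverage of 80% corresponds to a rate-weighted diagnostic coverage of only 70% when the two undetected faults happen to be the frequent ones. This is an added example, not data or code from the deck; the fault names, their int/systematic/ext classification and all rates are invented for illustration.

```python
"""Diagnostic coverage versus test coverage (slide 14), as an added worked
example over a constructed fault list; none of the rates are measured data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Fault:
    name: str
    origin: str       # "int", "systematic" or "ext": the three terms on slide 14
    rate_fit: float   # dangerous failure rate attributed to this fault, in FIT (constructed)
    detected: bool    # True if the diagnostic measure catches it


# Constructed sample fault list for one hypothetical microcontroller.
FAULTS = [
    Fault("ram_single_bit_upset",    "int",        40.0, True),   # caught by ECC
    Fault("ram_multi_bit_upset",     "int",         4.0, False),  # beyond single-bit ECC
    Fault("flash_bit_error",         "int",         6.0, True),
    Fault("cpu_alu_stuck_at",        "int",         2.0, True),
    Fault("cpu_register_bit_flip",   "int",         3.0, True),
    Fault("bus_address_corruption",  "int",         5.0, True),
    Fault("clock_drift",             "ext",        10.0, True),   # clock monitor
    Fault("supply_brownout",         "ext",        32.0, False),  # not caught by the LVI in this set
    Fault("emc_transient_on_input",  "ext",        17.0, True),
    Fault("compiler_codegen_defect", "systematic",  1.0, True),
]


def fault_count_coverage(faults):
    """Test coverage: fraction of faults detected, every fault counted once,
    which is what a fault-injection campaign that only counts hits reports."""
    return sum(1 for f in faults if f.detected) / len(faults)


def diagnostic_coverage(faults):
    """DC = sum(lambda_dd) / sum(lambda_d): every fault weighted by its rate."""
    lam_d = sum(f.rate_fit for f in faults)
    lam_dd = sum(f.rate_fit for f in faults if f.detected)
    return lam_dd / lam_d


def coverage_by_origin(faults):
    """DC per origin (int / systematic / ext), i.e. the three groups whose
    rate-weighted combination gives the overall DC on slide 14."""
    out = {}
    for origin in ("int", "systematic", "ext"):
        group = [f for f in faults if f.origin == origin]
        if group:
            out[origin] = diagnostic_coverage(group)
    return out


def undetected_dangerous_rate_fit(faults):
    """lambda_ud: what is left after diagnostics, the number a safety case needs."""
    return sum(f.rate_fit for f in faults if not f.detected)


if __name__ == "__main__":
    print(f"test coverage       = {fault_count_coverage(FAULTS):.2f}")   # 0.80
    print(f"diagnostic coverage = {diagnostic_coverage(FAULTS):.2f}")    # 0.70
    for origin, dc in coverage_by_origin(FAULTS).items():
        print(f"  DC[{origin}] = {dc:.3f}")
    print(f"lambda_ud = {undetected_dangerous_rate_fit(FAULTS):.0f} FIT")
```

The per-origin breakdown is where the mission profile enters: the `ext` rates depend on the environment the device is used in, so the same fault list with different external rates yields a different overall DC even though the count-based coverage is unchanged.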
Assumption & Presumption
Today's assumption: $\lambda_{ext} > \lambda_{int} + \lambda_{systematic}$
$\lambda_{ext}$: EMC, disturbances of power supply & ground, EOS, etc.
Today: do environmental influences dominate the internal failure rate?
Zero Defect Initiatives: < 1 ppm realistic for well established technologies (physical defects). What about the environmental influence? Failures caused by the environment are considered as random hardware failures.
Experience: a different IC environment can result in completely different failure rates for the same IC; the environment cannot be abstracted to be a property of the IC.
Past: low reliability of silicon technology dominated the failure rate; difficulties to achieve high test coverage for production test; dominating failure root cause: physical defects.
IEC61508 considers the environment to be well under control and within the IC's limits (derating concept).
Failure Rate depends on Mission Profile
[Figure: data flow for a safety assessment. Inputs from OEM/Tier: Mission Profile; Application Architecture; Monitoring Concept. Inputs from the IC manufacturer: IC Failure Rate Table; IC Environment Sensitivity. Derived quantities: impact of environment; impact of application architecture; monitoring effectiveness. Outputs as data for the safety assessment: dangerous failure rate; controlled dangerous failure rate (DFC).]
Fault Error Failure Chain (1)
Impairments to dependability:
Fault: root cause of an error (e.g. neutron hitting a RAM cell). Can cause an error.
Error: manifestation of the fault in a system (e.g. RAM bit value toggles). Can cause a failure.
Failure: deviation of the delivered service from compliance with the specification (transition from correct to incorrect output) (e.g. calculate wrong value). Can cause a fault on the next system level.
Fault Error Failure Chain (2)
Fault propagation can:
be very fast: t < 1 ns
be very slow: t > n * hours
stop without harming the system (resulting in a dormant fault)
Fault propagation stops when:
a fault does not lead to an error (e.g. faulty bit that is never read)
an error does not lead to a failure (e.g. faulty bit corrected by ECC)
[Figure: timeline with t1, t2, t3]
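The two stopping cases on this slide and the fault/error/failure chain of the previous one, simulated on a single RAM word. This is an added example, not code from the deck or from Freescale; a single-error-correcting Hamming code stands in for RAM ECC, and the word value and flipped bit positions are constructed. It also shows the limit of the ECC case: with plain single-error correction, two flipped bits in one word are not masked and the read returns a wrong value, so the error does become a failure.

```python
"""Fault -> error -> failure chain on a RAM word (slides 18 and 19), as an added
simulation; not code from the original deck.  A single-error-correcting Hamming
code stands in for RAM ECC; values, positions and flips are constructed."""

WORD_BITS = 8


def _parity_bit_count(k):
    """Smallest r with 2**r >= k + r + 1 (r = 4 for 8 data bits)."""
    r = 0
    while (1 << r) < k + r + 1:
        r += 1
    return r


def encode(value, k=WORD_BITS):
    """Return the Hamming codeword (list of bits, 0-based) for a k-bit value.
    1-based positions that are powers of two hold parity, the rest hold data."""
    r = _parity_bit_count(k)
    n = k + r
    bits = [0] * (n + 1)                       # index 0 unused
    data = [(value >> i) & 1 for i in range(k)]
    d = 0
    for pos in range(1, n + 1):
        if pos & (pos - 1):                    # not a power of two -> data bit
            bits[pos] = data[d]
            d += 1
    for p in range(r):                         # parity bit 2**p covers positions with bit p set
        pb = 1 << p
        parity = 0
        for pos in range(1, n + 1):
            if pos != pb and pos & pb:
                parity ^= bits[pos]
        bits[pb] = parity
    return bits[1:]


def decode(code):
    """Correct at most one flipped bit and return (value, syndrome).
    The syndrome is the 1-based position that was corrected, or 0 if none.
    Two or more flips give a syndrome that points at the wrong bit (or at no
    bit at all), so the data comes back wrong: SEC cannot mask them."""
    n = len(code)
    bits = [0] + list(code)
    syndrome = 0
    for pos in range(1, n + 1):
        if bits[pos]:
            syndrome ^= pos
    if 0 < syndrome <= n:
        bits[syndrome] ^= 1                    # single-bit correction
    data = [bits[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return sum(b << i for i, b in enumerate(data)), syndrome


def ram_word_lifecycle(value, flipped_positions, is_read):
    """Classify what a set of bit flips (faults) in one stored word leads to:
    'dormant'   - the word is never read, so the fault never becomes an error
    'corrected' - the error is masked by ECC and no failure is delivered
    'failure'   - the read returns a wrong value (service deviates from spec)"""
    code = encode(value)
    for pos in flipped_positions:              # fault: RAM bit value toggles
        code[pos] ^= 1
    if not is_read:
        return "dormant"
    read_value, _ = decode(code)
    if read_value == value:
        return "corrected" if flipped_positions else "no fault"
    return "failure"


if __name__ == "__main__":
    word = 0xA5                                # constructed stored value
    print("never read, one flip :", ram_word_lifecycle(word, [5], False))    # dormant
    print("read, one flip       :", ram_word_lifecycle(word, [5], True))     # corrected
    print("read, two flips      :", ram_word_lifecycle(word, [5, 9], True))  # failure
```

The `is_read` flag is the "faulty bit that is never read" case: the flipped cell exists in the array (the fault), but until something reads the word there is no erroneous value in the system, which is why a fault can stay dormant for hours.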
Fault Propagation in Microcontrollers
[Figure: nested block diagram of a System inside its Environment. The System contains SubSystem A (SubSystem A1 with A1a, A1b, A1c; SubSys A2 with A2a, A2b; SubSystem A3), SubSystem B (B1 to B4) and SubSystem C. Annotations: undetected fault; undetected fault propagation; undetected external fault induced; fault affecting environment; undetected external fault causing faults in the system that affect the environment; development of a common cause fault. Each subsystem may contain HW and/or SW.]
Important Observation
Development of common cause failures takes a time t_crit > 0 s before a microcontroller reaches an uncontrollable state.
Opportunities of today's Microelectronics ...
Observation: there is a fault-specific t_crit,int for device-internal faults:
t < t_crit,int: propagation
t >= t_crit,int: common cause failure
There is a fault-specific t_crit,ext for device-external faults:
t < t_crit,ext: different impact on different parts of the device
t >= t_crit,ext: common cause failure
Needed: detection, indication & mitigation of faults with t < t_crit
Monitors in microelectronics: very fast, achievable error detection time can be < 1s; high observability of internal states & signals; multiple instances of monitors possible; can detect internal faults & environmental influences causing faults
... & Constraints of today's Microelectronics
Required properties of monitors: detection time t_det < t_crit; duration of correct operation in presence of a fault t_op > t_det; hence t_det < t_op < t_crit
Fault detection & fault mitigation approach suitable for fail-silent behavior
Single-chip fail-operational exceeds today's technology
External saving needed to guarantee a safe state for common cause failures that cannot be mitigated
What will be the future Trend?
[Figure: three System / ECU / PCB diagrams. First: microcontroller with an external Monitor & Saving block. Second: microcontroller with several on-chip monitors (Mon), labelled "Trend?". Third: microcontroller with several on-chip monitors and on-chip Mon & Saving. Caption: More Safety: use technology to improve safety.]
Conclusions
Impact of new Standards: need clear requirements for general purpose microcontrollers; leverage the innovation potential to improve safety
Considering the Environment is Key: today's standards assume a clean environment, which can hardly be proven, though; the mission profile is essential for the calculation of failure rates
Relevance of On-chip Monitoring increasing: huge innovation potential that can enable early fault detection; indicate and/or mitigate faults before they result in common cause failures; detects internal & external faults