06 11 14 semiconductor aspects regarding safety

8/8/2019 06 11 14 Semiconductor Aspects Regarding Safety

1/26

TM

Freescale and the Freescale logo are trademarks

of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. Freescale Semiconductor, Inc. 2006.

Nov.14th, 2006

Florian Bogenberger

Aspects of Functional Safetyfor Microcontrollers

Safetronic 2006


2/26

TMFreescale and the Freescale logo are trademarks

of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. Freescale Semiconductor, Inc. 2006. 1

Overview

Observations from the Automotive Industry Safety Relevant Applications

Consequences of Integration

Standards

IEC61508 applied for Micro Electronics Basics

Influences on Safe Operation

Considering the Environment

Improve Safety with new Technology


3/26



Safety relevant Automotive Applications

Todays Cars Electronic Parking Brake (EPB) Electro Hydraulic Brake (EHB) Electro Magnetic Brake (EMB) Electronic Stability Control (ESC) Electronic Power Steering (EPS)

Active Front Steering (AFS) Steering Wheel Angle Sensor Electronic Throttle Control Electronic Steering Wheel Lock Chassis Management ... etc.

Tomorrows Cars Hybrid Brake Emergency Braking through Automatic

Distance Control (ADC) Steer-by-Wire, Brake-by-Wire ... etc.

Ultimately: Autonomous driving

Already starting:

Cost optimizationdrivesmerge

of safety-relatedprocesses with

non-safetyprocesses


4/26



Components become Systems

In the past strong separation of

systems and components.

More recently, however, completesystems are being condensed tosingle components.


5/26



Characteristics

System-level

Lower robustness on PCB

Higher cost

Easier for end-user to inspect

Component-level

Higher robustness on chip

Lower cost

Harder for end-user to inspect

Consequences

Automotive industry needs to specify testable requirements on component levelSemiconductor industry needs to characterize component abilities and limits

HW functions and SW functions need to be closely harmonized


6/26



Processing Subsystem Philosophies for Safety

Master / Slave Approach Dual Processor Approach

Single Core Self Test

Approach

Dual Core Approach

PeripheralsMemory

MCU #1

Peripherals Memory

MCU #2

ComplexHardware

Watchdog

OutputDrivers

(Valves,pump)

SPIn

n

InputModules

n

Sensors

n

Clock

Mon

COP

LVI

Safety Relay

Safety Relay

CPU

CPU

MCU #2MCU #1

Peripherals Memory

CPU

PeripheralsMemory

Complex

HardwareWatchdog

OutputDrivers

(Valves,pump)

SPIn

n

InputModules

n

Sensors

n

Clock

Mon

COP

LVI

Safety Relay

Safety Relay

CPU

MCU #1

PeripheralsMemory

Memory

Validation

BusValidation

CPUs

Clock

Mon

COP

LVI

Complexhardware

Watchdog

OutputDrivers

(Valves,pump)

SPIn

n

InputModules

n

Sensorsn

Safety Relay

Safety Relay

MCU #1

PeripheralsMemory

ClockMon

COP

LVI

CPU


7/26



System Integration of Safety Functions

Discrete

Solution

ASIC ASSP

General

Purpose

ICs

(nrofsafetyfunctions)/

(nrofICspersystem)

time

In future more safety functionswill be performed by less devices.


8/26



System Integration and Functional Safety

Integration of Electronic

Discrete

Solution

ASIC ASSP

General

Purpose

ICs

%o

fIEC61508requirements

that

canbeapplied

nrofsa

fetyfunction

s/

(nrofICspersystem

)

maxmin

max with safety guidelines for ICsmin with safety guidelines for ICs

gapopens


9/26



Overview



Standards






10/26



Target Failure Rates According To IEC61508


11/26



Target Failure Rates according to IEC61508

Safety Budgeting 1% for MicrocontrollerMicrocontroller target dangerous failure rate 10-9/h (1 FIT) for SIL3 systems


12/26

TMFreescale and the Freescale logo are trademarksof Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. Freescale Semiconductor, Inc. 2006. 11

What FIT means...

Failure rate () failure/time unit

measured in FIT 1 FIT = 1 failure / 109h

Mean time to failure (MTTF) MTTF = 1/ 1 year MTTF = 1/(24h*365) 114*10-6/h = 114000 FIT 1 FIT 114000 years MTTF

FIT is a unit for failure rates

It does not tell, though, if we talk aboutdangerous or non-dangerous failures


13/26


Measurement of Diagnostic Coverage

Current definition in IEC61508

diagnostic coverage DC = dd/ dsafe failure fraction SFF = (s + dd) / ( s + d)

= (s + DC * d) / (s + d)

with s=0: SFF = DC

s : safe failure rate

d : dangerous failure rate

dd : detected dangerous failure rate

ud : undetected dangerous failure rate

d = dd + ud


14/26


Diagnostic Coverage versus Test Coverage

dd,int + dd,systematic + dd,extDC =

d,int + d,systematic + d,ext

Counting faults is not sufficient:

nr of det. faultsDC = test coveragenr of all faults

Differences in probabilities of different faults cannot be neglected.


15/26


Assumption & Presumption

Todays assumption: ext > int + systematic

ext : EMC, disturbances of power supply & ground, EOS, ... etc.

Today: Environmental influences dominate internal failure rate?

Zero Defect Initiatives < 1ppm realistic for well established technologies

physical defects - what about the environmental influence? failures caused by the environment are considered as random hardware failures

experience: different IC environment can result in completely different failure ratesfor the same IC

environmental cannot be abstracted to be a property of IC

Past: Low reliability of silicon technology dominates failure rate difficulties to achieve high test coverage for production test

dominating failure root cause: physical defects

IEC61508 considers environment to be well under control and within the ICslimits (derating concept)


16/26


Failure Rate depends on Mission Profile

IC FailureRate Table

Mission

Profile

IC EnvironmentSensitivity

Application

Architecture

Monitoring

Concept

Impact ofenvironment

Monitoring

effectiveness

Impact ofapp. arch

Dangerous

failure rate

Controlled

dangerousfailure rate

DFC

data from OEM/Tier

data from IC manufacturer

data for safety assessment


17/26


Overview



Standards






18/26


Fault Error Failure Chain (1)

Impairments to

dependability

Impairments to

dependability

FaultFault

FailureFailureErrorError

Root cause of an error

(e.g. neutron hitting a RAM cell)

Root cause of an error

(e.g. neutron hitting a RAM cell)

Deviation of the delivered servicefrom compliance with the specification

(Transition from correct to incorrect output)

(e.g. calculate wrong value)

Deviation of the delivered service

from compliance with the specification(Transition from correct to incorrect output)

(e.g. calculate wrong value)

Canca

use

on

nextsyste

m

leve

l

Can cause

Can

cau

se

Manifestation ofthe fault in a system

(e.g. RAM bit value toggles)

Manifestation ofthe fault in a system

(e.g. RAM bit value toggles)


19/26


Fault Error Failure Chain (2)

Fault propagation can Be very fast : t < 1ns

Be very slow : t > n*hours

Stop without harming the system (resulting in a dormant fault)

Fault propagation stops when

A fault does not lead to an error (e.g. faulty bit that is never read)

An error does not lead to a failure (e.g. faulty bit corrected by ECC)

t1 t2 t3


20/26


Environment

Fault Propagation in Microcontrollers

System

SubSystem A SubSystem B

SubSystem C

SubSystem A1 SubSys A2

SubSys A2a

SubSys A2b

SubSystem A3

A1a A1b A1c

B1 B2 B3 B4

UndetectedFault

UndetectedFault

Propagation

Undetectedexternal fault

induced

Fault affectingenvironment

Undetectedexternal fault

causingfaults in the

systemthat affect

the environment

Development ofa commoncause fault

Each subsystem

may containHW and/or SW


21/26


Important Observation

Development of common cause failures

takes a time tcrit > 0s

before a microcontroller reachesan uncontrollable state.


22/26

TM

Freescale and the Freescale logo are trademarksof Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. Freescale Semiconductor, Inc. 2006. 21

Opportunities of todays Microelectronics ...

Observation: there is a fault specific tcrit,int for device-internal faults

t < tcrit,int : propagation

t >= tcrit,int : common cause failure

there is a fault specific tcrit,ext for device-external faultst < tcrit,ext : different impact on different parts of the devicet >= tcrit,ext : common cause failure

needed: detection, indication & mitigation of faults with t < tcrit

monitors in microelectronics very fast, achievable error detection time can be < 1s high observability of internal states & signals

multiple instances of monitors possible

can detect internal faults & environmental influences causing faults


23/26

TM


... & Constraints of todays Microelectronics

required properties of monitors detection time tdet < tcrit duration of correct operational in presence of a fault top > tdet

tdet < top < tcrit

fault detection fault mitigationapproach suitable for fail silent behavior

single-chip fail operational exceeds todays technology

external saving needed to guarantee safe state for commoncause failures that cannot be mitigated


24/26

TM


What will be the future Trend?

System / ECU / PCB

Monitor& Saving

C

System / ECU / PCB

C

Mon

Mon

Mon

Mon

Trend?

System / ECU / PCB

C

Mon

Mon

Mon

Mon

Mon &Saving

More SafetyUse Technology to improve Safety


25/26

TM


Conclusions

Impact of new Standards need clear requirements for general purpose microcontrollers

leverage innovation potential to improve safety

Considering the Environment is Key todays standards assume clean environment can be hardly

proven, though

mission profile is essential for calculation of failure rates

Relevance of On-chip Monitoring increasing huge innovation potential that can enable early fault detection

indicate and/or mitigate faults before they result in common

cause failures detects internal & external faults


26/26

TM

06 11 14 semiconductor aspects regarding safety

Documents