06 11 14 Semiconductor Aspects Regarding Safety

Aspects of Functional Safety
for Microcontrollers
Safetronic 2006
Nov.14th, 2006
Florian Bogenberger
TM
Freescale™ and the Freescale logo are trademarks

of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2006.
Overview
Observations from the Automotive Industry

• Safety Relevant Applications
• Consequences of Integration
• Standards
IEC61508 applied for Micro Electronics

• Basics
• Influences on “Safe Operation”
• Considering the Environment
Improve Safety with new Technology
TM
of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © Freescale Semiconductor, Inc. 2006. 1
Safety relevant Automotive Applications
Today’s Cars
• Electronic Parking Brake (EPB)
• Electro Hydraulic Brake (EHB)
• Electro Magnetic Brake (EMB)
• Electronic Stability Control (ESC) Already starting:
• Electronic Power Steering (EPS)
• Active Front Steering (AFS)
• Steering Wheel Angle Sensor Cost optimization
• Electronic Throttle Control
• Electronic Steering Wheel Lock drives
• Chassis Management
• ... etc. merge
Tomorrow’s Cars of safety-related
•
•
Hybrid Brake
Emergency Braking through Automatic
processes with
Distance Control (ADC) non-safety
• Steer-by-Wire, Brake-by-Wire
• ... etc. processes
Ultimately: Autonomous driving
TM
Components become Systems
In the past strong separation of

systems and components.
More recently, however, complete

systems are being condensed to
single components.
TM
Characteristics
System-level Component-level
Lower robustness on PCB Higher robustness on chip
Higher cost Lower cost
Easier for end-user to inspect Harder for end-user to inspect
Consequences
Automotive industry needs to specify testable requirements on component level
Semiconductor industry needs to characterize component abilities and limits
HW functions and SW functions need to be closely harmonized
TM
Processing Subsystem Philosophies for Safety
Master / Slave Approach Dual Processor Approach
MCU #1 MCU #2
MCU #1 CPU CPU
CPU
MCU #2 LVI
Clock
Mon
Clock
LVI
CPU
Mon
COP
COP
Memory Peripherals Peripherals Memory

Memory Peripherals
Peripherals Memory
Safety Relay Safety Relay

Output SPI Output n
SPI n
n Drivers n Drivers
(Valves,pump) (Valves,pump)
Complex n Complex n
Hardware Hardware
Input Input
Watchdog
Modules n Sensor
Watchdog
Modules n Senso
Safety Relay s Safety Relay
rs
Single Core Self Test Dual Core Approach

Approach
MCU #1
MCU #1 CPU’s
Bus
Validation
CPU
COP
Clock
Mon
Memory
LVI
Validation
Clock Mon
LVI
Memory Peripherals
Safety Relay
COP
Output
SPI
Drivers
n
n
(Valves,pump)
Memory n
Peripherals Complex
hardware Input
Watchdog Modules n Sensors
Safety Relay
TM
System Integration of Safety Functions
(nr of safety functions) /

(nr of ICs per system) ASIC ASSP
Discrete General
Solution Purpose
ICs
time
In future more safety functions

will be performed by less devices.
TM
System Integration and Functional Safety
% of IEC61508 requirements
ASIC ASSP
nr of safety functions /
that can be applied
(nr of ICs per system)

gap opens
Discrete General
Solution Purpose
ICs
Integration of Electronic
max max with safety guidelines for ICs

min min with safety guidelines for ICs
TM
Overview

• Standards

• Basics
TM
Target Failure Rates According To IEC61508
TM
Target Failure Rates according to IEC61508
Safety Budgeting 1% for Microcontroller ⇒

Microcontroller target dangerous failure rate ≤ 10-9/h (1 FIT) for SIL3 systems
TM
What “FIT” means...
“Failure rate” (λ)

• failure/time unit
• measured in “FIT” – 1 FIT = 1 failure / 109h
“Mean time to failure” (MTTF)

• MTTF = 1/ λ
• 1 year MTTF ⇒ λ = 1/(24h*365) ≈ 114*10-6/h = 114000 FIT
• 1 FIT ⇒ 114000 years MTTF
FIT is a unit for failure rates
It does not tell, though, if we talk about

dangerous or non-dangerous failures
TM
Measurement of Diagnostic Coverage
Current definition in IEC61508
„diagnostic coverage“ DC = ∑λdd / ∑ λd

„safe failure fraction“ SFF = (∑λs + ∑λdd) / (∑ λs + ∑ λd)
= (∑λs + DC * ∑λd) / (∑λs + ∑λd)
with λs=0: SFF = DC
∑λs : safe failure rate

∑λd : dangerous failure rate
∑λdd : detected dangerous failure rate

∑λud : undetected dangerous failure rate
∑λd = ∑λdd + ∑λud
TM
Diagnostic Coverage versus Test Coverage
∑λdd,int + ∑λdd,systematic + ∑λdd,ext

DC = ——————————————————
∑λd,int + ∑λd,systematic + ∑λd,ext
“Counting” faults is not sufficient:
nr of det. faults
DC ≠ —————————— = test coverage
nr of all faults
Differences in probabilities of different faults cannot be neglected.
TM
Assumption & Presumption
Past: Low reliability of silicon technology dominates failure rate
• difficulties to achieve high test coverage for production test
• dominating failure root cause: physical defects
• IEC61508 considers environment to be well under control and within the ICs
limits (derating concept)
Today‘s assumption: ∑λext << ∑λint + ∑λsystematic
Presumption: ∑λext >> ∑λint + ∑λsystematic
Today: Environmental influences dominate internal failure rate?

• “Zero” Defect Initiatives ⇒ < 1ppm realistic for well established technologies
• physical defects ↓↓ - what about the environmental influence?
• failures caused by the environment are considered as “random hardware failures”
• experience: different IC environment can result in completely different failure rates
for the same IC
⇒ environmental cannot be “abstracted” to be a property of IC
∑λext : EMC, disturbances of power supply & ground, EOS, ... etc.
TM
Failure Rate depends on Mission Profile
data from OEM/Tier
Architecture
Application
Monitoring
Concept
Mission
Profile
data from IC manufacturer
data for safety assessment
Monitoring
DFC
effectiveness
Dangerous
IC Failure Impact of failure rate
Rate Table app. arch
Controlled
dangerous
IC Environment Impact of failure rate
Sensitivity environment
TM
Overview

• Standards

• Basics
TM
Fault – Error – Failure Chain (1)
Root
Root cause
cause ofof an
an error
error
(e.g.
(e.g. neutron
neutron hitting
hitting aa RAM
RAM cell)
cell)
Fault
Fault
Ca ext s el
se
n
au
n c yst
nc
au em
Ca Impairments to
lev
se
on
dependability
Error
Error Failure
Failure
Can cause
Manifestation Deviation
Deviation of
of the
the delivered
delivered service
service
Manifestation of of
the from compliance with the specification
from compliance with the specification
the fault
fault in
in aa system
system
(e.g. (Transition
(Transition from
from correct
correct to
to incorrect
incorrect output)
output)
(e.g. RAM
RAM bitbit value
value toggles)
toggles)
(e.g.
(e.g. calculate
calculate wrong
wrong value)
value)
TM
Fault – Error – Failure Chain (2)
∆t1 ∆t2 ∆t3

Fault propagation can
• Be very fast : ∆t < 1ns
• Be very slow : ∆t > n*hours
• Stop without harming the system (resulting in a dormant fault)
Fault propagation stops when

• A fault does not lead to an error (e.g. faulty bit that is never read)
• An error does not lead to a failure (e.g. faulty bit corrected by ECC)
TM
Fault Propagation in Microcontrollers
Undetected
Environment external fault
induced
Development of
System
a common
Undetected
cause fault
external fault
SubSystem A SubSystem
causing B
faults in the
Undetected system B2
B1 B3 B4
Fault
SubSystem A1 SubSys A2
that affect
Propagation the environment
A1a A1b A1c SubSys A2a
Undetected
Fault
SubSys A2b Each subsystem
SubSystem A3 may contain
SubSystem C
HW and/or SW
Fault affecting
environment
TM
Important Observation
Development of common cause failures

takes a time ∆tcrit > 0s
before a microcontroller reaches
an uncontrollable state.
TM
Opportunities of today’s Microelectronics ...
Observation:
• there is a fault specific tcrit,int for device-internal faults
t < tcrit,int : propagation
t >= tcrit,int : common cause failure
• there is a fault specific tcrit,ext for device-external faults

t < tcrit,ext : different impact on different parts of the device
t >= tcrit,ext : common cause failure
⇒ needed: detection, indication & mitigation of faults with ∆t < tcrit
⇒ monitors in microelectronics
• very fast, achievable error detection time can be < 1µs
• high observability of internal states & signals
• multiple instances of monitors possible
⇒ can detect internal faults & environmental influences causing faults
TM
... & Constraints of today’s Microelectronics
• required properties of monitors

• detection time tdet < tcrit
• duration of correct operational in presence of a fault top > tdet
tdet < top < tcrit
• fault detection ≠ fault mitigation

⇒ approach suitable for “fail silent” behavior
⇒ single-chip “fail operational” exceeds today’s technology
• external saving needed to guarantee safe state for common

cause failures that cannot be mitigated
TM
What will be the future Trend?
Monitor Mon Mon

& Saving
µC Trend? µC
Mon Mon
System / ECU / PCB System / ECU / PCB
Mon &
Saving
Mon Mon
µC
Use Technology to improve Safety
Mon
More Safety Mon
System / ECU / PCB
TM
Conclusions
Impact of new Standards

• need clear requirements for general purpose microcontrollers
• leverage innovation potential to improve safety
Considering the Environment is Key

• today’s standards assume “clean” environment – can be hardly
proven, though
• mission profile is essential for calculation of failure rates
Relevance of On-chip Monitoring increasing

• huge innovation potential that can enable early fault detection
• indicate and/or mitigate faults before they result in common
cause failures
• detects internal & external faults
TM
TM

06 11 14 Semiconductor Aspects Regarding Safety

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

06 11 14 Semiconductor Aspects Regarding Safety

Hochgeladen von

Copyright:

Verfügbare Formate

Aspects of Functional Safety

Freescale™ and the Freescale logo are trademarks

Observations from the Automotive Industry

IEC61508 applied for Micro Electronics

Improve Safety with new Technology

In the past strong separation of

More recently, however, complete

Memory Peripherals Peripherals Memory

Safety Relay Safety Relay

Single Core Self Test Dual Core Approach

(nr of safety functions) /

In future more safety functions

(nr of ICs per system)

max max with safety guidelines for ICs

Observations from the Automotive Industry

IEC61508 applied for Micro Electronics

Improve Safety with new Technology

Safety Budgeting 1% for Microcontroller ⇒

“Failure rate” (λ)

“Mean time to failure” (MTTF)

FIT is a unit for failure rates

It does not tell, though, if we talk about

„diagnostic coverage“ DC = ∑λdd / ∑ λd

with λs=0: SFF = DC

∑λs : safe failure rate

∑λdd : detected dangerous failure rate

∑λd = ∑λdd + ∑λud

∑λdd,int + ∑λdd,systematic + ∑λdd,ext

“Counting” faults is not sufficient:

Differences in probabilities of different faults cannot be neglected.

Today‘s assumption: ∑λext << ∑λint + ∑λsystematic

Presumption: ∑λext >> ∑λint + ∑λsystematic

Today: Environmental influences dominate internal failure rate?

data from OEM/Tier

data for safety assessment

Observations from the Automotive Industry

IEC61508 applied for Micro Electronics

Improve Safety with new Technology

∆t1 ∆t2 ∆t3

Fault propagation stops when

Development of common cause failures

• there is a fault specific tcrit,ext for device-external faults

⇒ needed: detection, indication & mitigation of faults with ∆t < tcrit

⇒ can detect internal faults & environmental influences causing faults

• required properties of monitors

tdet < top < tcrit

• fault detection ≠ fault mitigation

• external saving needed to guarantee safe state for common

Monitor Mon Mon

System / ECU / PCB System / ECU / PCB

System / ECU / PCB

Impact of new Standards

Considering the Environment is Key

Relevance of On-chip Monitoring increasing

Das könnte Ihnen auch gefallen