Functional safety poses challenges for semiconductor design

Karl Greb and Riccardo Mariani

May 2, 2011

Performing safety analysis at the device level introduces a problem of failure rate allocation. Given only a single probability of failure for a die, how can you determine the failure rate of an individual design element, such as a CPU? Lacking more detailed information, a typical method is to assume that failure rates are equally distributed per unit area on the die.

This can be a valid approach if you consider gate oxide breakdown as the primary failure mode. It falls short, however, when you consider the variety of failure modes recognized in modern semiconductor reliability standards, such as the recently updated JEDEC JEP122F standard. For many failure modes, such as a single event upset (SEU) that affects memories or sequential logic, this problem can be solved by applying the failure rates per design element observed in accelerated reliability tests (such as neutron beam bombardment).

Another challenge is to determine safe vs. dangerous failures. In general, those that do not cause a failure of the safety function are labeled safe and have little or no impact on safety metrics. Dangerous failures, by contrast, cause a violation of a safety goal.

For most black-box analysis, the detailed information necessary to make a safe-vs.-dangerous determination is not available. Standard practice here is to estimate a ratio of 50 percent safe and 50 percent dangerous faults.

Detailed white-box analysis of a design provides intriguing possibilities for a more thorough quantification of this ratio. For example, analysis of signal propagation and fanout can determine an architectural lower bound for the safe-vs.-dangerous ratio that is independent of application usage. If additional system-level data flow information or system software is available, a further quantification of the ratio is possible.

Confirmation of the diagnostic effectiveness of implemented safety mechanisms is another challenge.

Fault insertion is already used at the system level to verify safety mechanism implementation. Many IC faults, however, such as the failure of an on-chip memory controller, cannot be injected at the system level. Fault insertion using design models, such as gate-level netlists, can be used to inject faults and determine whether the safety mechanisms detect them within the expected time.

Challenges include the quality of the fault insertion models, setup of the simulation environment, and selection of test benches and faults to be injected to get representative results. For example, you can’t inject all possible bridging faults in all possible locations, so you must direct that verification process by ranking failure criticality. 
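The two white-box analyses described above, classifying faults as safe or dangerous from signal propagation and checking a safety mechanism by fault insertion on a gate-level model, combined in one added example that is not from the article or its authors. It assumes a constructed 2-bit adder netlist, a lockstep-style redundant copy whose comparator covers only the sum bits (so the carry out is a deliberate coverage gap), and an application constraint that the second operand is always below 2.

```python
from itertools import product

# Constructed 2-bit ripple-carry adder netlist: net -> (gate, inputs), in topological order.
ADDER = {
    "x0": ("xor", ("a0", "b0")),  # sum bit 0
    "c1": ("and", ("a0", "b0")),  # carry into bit 1
    "x1": ("xor", ("a1", "b1")),
    "s1": ("xor", ("x1", "c1")),  # sum bit 1
    "g1": ("and", ("a1", "b1")),  # carry generate
    "p1": ("and", ("x1", "c1")),  # carry propagate
    "c2": ("or", ("g1", "p1")),   # carry out
}
OUTPUTS = ("x0", "s1", "c2")
COMPARED = ("x0", "s1")  # assumed comparator checks sum bits only; carry out is an uncovered gap
GATES = {"and": lambda a, b: a & b, "or": lambda a, b: a | b, "xor": lambda a, b: a ^ b}

def simulate(inputs, fault=None):
    """Evaluate ADDER for one input vector; fault=(net, value) forces that net stuck-at value."""
    nets = dict(inputs)
    for net, (gate, (i, j)) in ADDER.items():
        nets[net] = fault[1] if fault and fault[0] == net else GATES[gate](nets[i], nets[j])
    return nets

def classify(fault, vectors):
    """safe: never reaches an output; dangerous_detected: comparator flags every deviation."""
    deviates = False
    for vec in vectors:
        golden = simulate(vec)  # stands in for the fault-free redundant copy (single-fault model)
        faulty = simulate(vec, fault)
        if any(golden[o] != faulty[o] for o in OUTPUTS):
            deviates = True
            if all(golden[o] == faulty[o] for o in COMPARED):
                return "dangerous_undetected"  # output wrong, comparator silent
    return "dangerous_detected" if deviates else "safe"

def fault_census(vectors):
    """Count stuck-at-0/1 faults on every internal net by class."""
    census = {"safe": 0, "dangerous_detected": 0, "dangerous_undetected": 0}
    for net, stuck in product(ADDER, (0, 1)):
        census[classify((net, stuck), vectors)] += 1
    return census

def vectors(allowed=lambda v: True):
    """All 16 input vectors, optionally restricted to those the application can produce."""
    names = ("a0", "a1", "b0", "b1")
    return [v for v in (dict(zip(names, b)) for b in product((0, 1), repeat=4)) if allowed(v)]

if __name__ == "__main__":
    print("architectural:", fault_census(vectors()))  # no application knowledge
    print("application b<2:", fault_census(vectors(lambda v: v["b1"] == 0)))
```

Running it shows every fault downstream of the compared sum bits (g1, p1, c2) landing in the dangerous undetected class, which is exactly the coverage hole a netlist-level campaign is meant to expose, and the application constraint turning the g1 stuck-at-0 fault from dangerous into safe because the constrained inputs can never exercise it.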

The combined gaps and potential solutions noted reveal the need for a deep integration of functional safety techniques in the development of semiconductor products. Figure 2 shows a simplified example of how functional safety can be incorporated with the IC design flow.

Figure 2. A simplified example of how functional safety can be integrated with the IC design flow.

Qualitative safety analysis, concurrent to a specification of functional requirements, identifies potential failure modes, flags early safety gaps and defines the safety requirements. Next, quantitative safety analysis predicts failure rates and allows safety-oriented design exploration, or the identification of design safety trade-offs and selection of optimized safety mechanisms.

The end result is a “safety manual” of the IC that clearly lists all the assumptions of use, instructs the system integrator how to use the product in safety systems and provides safety metrics for use in system-level analysis.

About the authors

Karl Greb is functional safety technologist for the Texas Instruments TMS570 line of microcontrollers.

Riccardo Mariani is co-founder and chief technical officer of Yogitech SpA.
