How flash memory can support functional safety requirements
With the increased reliance of automotive and industrial systems on electronic control, failure of the underlying computing systems can have serious consequences for people and property. Consequently, these systems are typically designed with many safety-related features in hardware and software so that a single malfunction is not hazardous. For these mission-critical systems, designs trace those features to requirements specified in ISO 26262 for the automotive industry and IEC 61508 for industrial control systems.
ISO 26262 defines functional safety as “The absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems.” In electronic systems, the failures that lead to system malfunctions can be systematic faults in the design or random faults due to soft errors or probabilistic reliability failures over time. ISO 26262 and IEC 61508 define safety integrity levels (e.g., ASIL A to ASIL D for automotive and SIL 1 to SIL 4 for industrial systems), each successive level denoting more stringent requirements and a lower tolerable probability of failure.
Although meeting functional safety requirements is an expansive undertaking, safety critical system design can benefit significantly from the ability of individual components to support those requirements (Figure 1). For example, safety features implemented in a typical design's Flash components free up the MPU/MCU and the SPI bus from reading Flash contents periodically to ascertain integrity of its contents.
Figure 1: Safety implementation in automotive systems. (Source: Cypress)
Like many semiconductor products, NOR Flash has evolved from the narrow scope of its original purpose. In fact, advanced NOR Flash architectures integrate a processor core with additional logic IP and firmware that provide advanced functionality to system designers (Figure 2). For functional safety applications, devices such as the Cypress Semper NOR Flash family extend this architecture with features designed to meet the automotive industry’s ISO 26262 functional safety standard.
Figure 2: Embedded processor core in Cypress Semiconductor's advanced Semper NOR Flash architecture. (Source: Cypress)
NOR Flash uses a larger memory cell than NAND Flash, which gives it high endurance and long data retention. Combined with a byte-addressable architecture, this makes NOR Flash well suited to boot code, including execute-in-place systems, and to transaction data. Applications such as factory automation demand Flash memories optimized for performance, reliability and fail-safe operation.
Here's a list of the most impactful functional safety features found in today’s NOR Flash devices designed for safety critical applications.
Error Correction Code (ECC)
Memories may encounter soft errors or hard errors. Hard errors are permanent once they manifest; they are caused by defects in the silicon, a disturbed bit, or degradation of the die or package metallization through aging, vibration, or environmental stress. Soft errors are transient and are caused by charged particles, radiation, or cosmic rays. When a Flash memory cell is affected by such an error, the read data is corrupted and may impact the application’s functionality. NOR Flash devices designed for functional safety support Single Error Correction and Double Error Detection (SECDED) by generating an embedded ECC when the memory array is programmed. On read, this ECC is used to correct any single-bit error in a protected word and to detect, but not correct, a double-bit error. A detected double-bit error has to be made visible to the host (typically through a status or error indication), because the data returned for that word cannot be trusted.
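To make the SECDED behaviour concrete, here is an added example (not code from the article or from Cypress) of an extended Hamming code over one 8-bit word: four check bits give single-error correction and one overall parity bit adds double-error detection. The 13-bit layout, the `ECC_*` result codes and the `secded_inject` fault-injection helper are assumptions chosen for the demonstration; real devices protect wider words, but the decision logic on the syndrome and the overall parity is the same.

```c
#include <stdint.h>
#include <stdio.h>

/* Extended Hamming SECDED over one 8-bit data word (13-bit codeword).
 * Codeword bit index == Hamming position (layout is an assumption for this demo):
 *   bit 0                   : overall (even) parity bit, gives double-error detection
 *   bits 1, 2, 4, 8         : Hamming check bits
 *   bits 3,5,6,7,9,10,11,12 : data bits d0..d7                                       */
static const uint8_t DATA_POS[8] = {3, 5, 6, 7, 9, 10, 11, 12};

enum ecc_result { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 };

/* 1 if x has an odd number of set bits */
static int odd_parity(uint16_t x)
{
    x ^= x >> 8; x ^= x >> 4; x ^= x >> 2; x ^= x >> 1;
    return x & 1;
}

/* Generate the codeword the way a device would at program time. */
uint16_t secded_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (int i = 0; i < 8; i++)
        if (data & (1u << i))
            cw |= (uint16_t)(1u << DATA_POS[i]);
    /* Check bit p covers every position whose index has bit p set (including p
       itself), so setting it when the group is odd makes the group even. */
    for (int p = 1; p <= 8; p <<= 1) {
        uint16_t group = 0;
        for (int pos = 1; pos <= 12; pos++)
            if ((pos & p) && (cw & (1u << pos)))
                group ^= 1;
        if (group)
            cw |= (uint16_t)(1u << p);
    }
    /* Overall parity over positions 1..12 (bit 0 is still clear here). */
    if (odd_parity(cw))
        cw |= 1u;
    return cw;
}

/* Check/correct on read. Returns what a device would report to the host. */
enum ecc_result secded_decode(uint16_t cw, uint8_t *data_out)
{
    int syndrome = 0;             /* XOR of the positions of all set bits */
    for (int pos = 1; pos <= 12; pos++)
        if (cw & (1u << pos))
            syndrome ^= pos;
    int overall_odd = odd_parity(cw);

    enum ecc_result r;
    if (syndrome == 0 && !overall_odd) {
        r = ECC_OK;
    } else if (overall_odd) {
        /* Odd number of flipped bits: treat as a single error at position
           'syndrome' (0 = the overall parity bit itself) and fix it. */
        cw ^= (uint16_t)(1u << syndrome);
        r = ECC_CORRECTED;
    } else {
        /* Even number of flips (two): detected but not correctable; the data
           returned below must not be trusted by the caller. */
        r = ECC_UNCORRECTABLE;
    }
    uint8_t d = 0;
    for (int i = 0; i < 8; i++)
        if (cw & (1u << DATA_POS[i]))
            d |= (uint8_t)(1u << i);
    *data_out = d;
    return r;
}

/* Encode, flip the bits in flip_mask (a simulated soft error), decode.
   Returns (result << 8) | decoded byte, so one value captures both. */
int secded_inject(uint8_t data, uint16_t flip_mask)
{
    uint8_t out;
    enum ecc_result r = secded_decode(secded_encode(data) ^ flip_mask, &out);
    return ((int)r << 8) | out;
}

int main(void)
{
    const char *names[] = {"OK", "CORRECTED", "UNCORRECTABLE"};
    uint16_t cases[] = {0, 1u << 6, (1u << 6) | (1u << 9), 1u << 0};
    for (int i = 0; i < 4; i++) {
        int v = secded_inject(0xA5, cases[i]);
        printf("flips=0x%04x -> %s, data=0x%02x\n", cases[i], names[v >> 8], v & 0xFF);
    }
    return 0;
}
```

The interesting case is the two-bit flip: the syndrome is non-zero, so a plain Hamming decoder would "correct" a third bit and silently hand back wrong data; the overall parity bit is what turns that into a reported uncorrectable error instead.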
NOR Flash designed for Functional Safety applications also implement Data CRC functions. These perform a Cyclic Redundancy Check (CRC) calculation over a user-defined address range. The CRC process calculates the check value on the data contained at the starting address through the ending address to detect any faults during system boot or per user command.
Modern NOR Flash devices are high-frequency memories supporting double-data-rate speeds of up to 200 MHz. Raw data may be corrupted by a noisy channel or by errors introduced in the transmitter, the receiver, or both. To keep the system running safely, one of the most critical aspects of communication between a host and a slave device is ensuring the integrity of the information transferred. NOR Flash designed for functional safety applications therefore has an Interface CRC, an error-detecting check value carried with each transfer so that accidental faults in the data transmitted between host and memory are detected.
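The following added example (not code from the article or from Cypress) shows both CRC uses just described: a Data CRC computed over a user-defined start-through-end address range of a simulated flash array and compared against a stored check value at boot, and an Interface CRC appended to a host-to-memory command frame and verified on the receiving side. The 64-byte array, the trailer location, the frame layout and the opcode are assumptions made for the demonstration; the CRC itself is the standard CRC-32 (IEEE 802.3) polynomial, which a practitioner can cross-check against the well-known value for the string "123456789".

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), bitwise, no table. */
uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* ---- Data CRC over a user-defined address range ------------------------ */

#define FLASH_SIZE 64u
#define CRC_SLOT   (FLASH_SIZE - 4u)   /* hypothetical location of the stored check value */
static uint8_t flash[FLASH_SIZE];      /* constructed, tiny stand-in for the memory array */

/* Check value on the bytes from start through end inclusive. */
uint32_t data_crc(uint32_t start, uint32_t end)
{
    return crc32_ieee(flash + start, (size_t)(end - start + 1));
}

/* Program a deterministic image, store its CRC, optionally flip one bit at
   corrupt_offset (-1 = none), then run the boot-time check. 1 = intact, 0 = fault. */
int demo_data_crc(int corrupt_offset)
{
    for (uint32_t i = 0; i < CRC_SLOT; i++)
        flash[i] = (uint8_t)(i * 37u + 11u);       /* constructed "code" contents */
    store_le32(flash + CRC_SLOT, data_crc(0, CRC_SLOT - 1));
    if (corrupt_offset >= 0)
        flash[corrupt_offset] ^= 0x01;              /* simulated single-bit fault in the array */
    return data_crc(0, CRC_SLOT - 1) == load_le32(flash + CRC_SLOT);
}

/* ---- Interface CRC on a host -> memory command frame -------------------- */

/* Hypothetical frame: [opcode][addr 23:0, 3 bytes][len][payload..][crc32, little-endian]. */
size_t build_frame(uint8_t *out, uint8_t opcode, uint32_t addr, const uint8_t *payload, uint8_t n)
{
    size_t len = 0;
    out[len++] = opcode;
    out[len++] = (uint8_t)(addr >> 16);
    out[len++] = (uint8_t)(addr >> 8);
    out[len++] = (uint8_t)addr;
    out[len++] = n;
    memcpy(out + len, payload, n);
    len += n;
    store_le32(out + len, crc32_ieee(out, len));  /* CRC covers everything before it */
    return len + 4;
}

/* Receiver side: recompute over all but the last 4 bytes and compare. */
int check_frame(const uint8_t *frame, size_t len)
{
    if (len < 5 + 4) return 0;
    return crc32_ieee(frame, len - 4) == load_le32(frame + len - 4);
}

/* Build a frame, flip bit flip_bit of the frame (-1 = none), verify it. */
int demo_interface_crc(int flip_bit)
{
    const uint8_t payload[4] = {0xDE, 0xAD, 0xBE, 0xEF};   /* constructed */
    uint8_t frame[32];
    size_t len = build_frame(frame, 0x02, 0x001000u, payload, sizeof payload);
    if (flip_bit >= 0)
        frame[flip_bit / 8] ^= (uint8_t)(1u << (flip_bit % 8));   /* noisy channel */
    return check_frame(frame, len);
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08X (expect 0xCBF43926)\n",
           crc32_ieee((const uint8_t *)"123456789", 9));
    printf("data CRC, intact: %d  corrupted byte 17: %d\n", demo_data_crc(-1), demo_data_crc(17));
    printf("interface CRC, clean frame: %d  address bit flipped: %d\n",
           demo_interface_crc(-1), demo_interface_crc(3 * 8 + 4));
    return 0;
}
```

Note what the two checks do and do not buy you: a CRC detects any single-bit error and any burst shorter than the CRC width with certainty, but it only detects. The Data CRC tells the host that the range is bad; the ECC described above is what can actually repair a single bad bit. And a flipped bit in the address field of the frame is caught by the Interface CRC before the device acts on the wrong address, which is the failure the sector protection feature below also guards against.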
SafeBoot – Bootup Failure Recovery
Many industrial applications use NOR Flash to store the code executed during boot-up. If the NOR Flash device itself does not boot up correctly, the application that depends on it may not initialize correctly, and without some indication the host cannot distinguish a failed device from a slow one. To make the failure visible, a NOR Flash designed for functional safety either stays in the busy state or reports a boot failure through its status register, so the host can react rather than execute from a device that is not ready.
Configuration Data Corruption
If a power brownout or a hardware reset occurs while the nonvolatile configuration registers are being updated, the nonvolatile configuration data used to configure the device may be left corrupted. A NOR Flash designed for functional safety can detect a corrupted configuration and enter a default mode in which the device remains accessible, so the host can repair the configuration instead of losing contact with the device.
Advanced Sector Protection (ASP)
If bits in a Program/Erase command sent by the host change because of a noisy channel or a random failure, the Flash device may perform the operation on the wrong sectors, which can cause a system failure. NOR Flash implements sector protection features that protect designated sectors, such as those holding boot code, from inadvertent program and erase operations.
Sector Erase Power Loss Detection
In conventional Flash devices, if a power failure occurs while a sector erase is in progress, the system has no record of whether that erase completed, and a partially erased sector cannot be trusted. This is problematic in applications requiring functional safety. NOR Flash optimized for these applications implements an erase power loss indicator for every sector that tags brownout events during sector erase, so the host can identify the affected sectors after the next power-up and recover them, for example by erasing them again.
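As an added example covering both the sector protection and the erase power loss paragraphs above (this is not code from the article or from Cypress), the following C model simulates a small device with a per-sector protection bit and a per-sector erase power loss indicator, together with the host-side boot recovery that the indicator makes possible. The sector count and size, the field names, the `OP_*` result codes and the way a brownout is injected are all assumptions for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NSECTORS     8
#define SECTOR_BYTES 16      /* constructed, tiny sectors */

/* Per-sector state of the simulated device. Field names are hypothetical. */
struct sector {
    uint8_t data[SECTOR_BYTES];
    uint8_t asp_locked;      /* Advanced Sector Protection: program/erase refused when set */
    uint8_t erase_pl;        /* erase power-loss indicator: set at erase start, cleared at completion */
};
static struct sector dev[NSECTORS];

enum { OP_OK = 0, OP_PROTECTED = 1, OP_INTERRUPTED = 2, OP_BAD_SECTOR = 3 };

/* Reset the model to a fresh, programmed device. Returns the sector count. */
int flash_init(void)
{
    memset(dev, 0, sizeof dev);
    for (int s = 0; s < NSECTORS; s++)
        memset(dev[s].data, 0x5A, SECTOR_BYTES);   /* constructed contents */
    return NSECTORS;
}

/* Lock or unlock a sector against program/erase. Returns 1 on success. */
int flash_protect(int s, int on)
{
    if (s < 0 || s >= NSECTORS) return 0;
    dev[s].asp_locked = (uint8_t)(on != 0);
    return 1;
}

/* Erase one sector. brownout_after >= 0 simulates power loss after that many
   bytes were erased: the sector is left half-erased and the indicator stays set. */
int flash_sector_erase(int s, int brownout_after)
{
    if (s < 0 || s >= NSECTORS) return OP_BAD_SECTOR;
    if (dev[s].asp_locked) return OP_PROTECTED;   /* ASP stops a mis-addressed erase */
    dev[s].erase_pl = 1;
    for (int i = 0; i < SECTOR_BYTES; i++) {
        if (brownout_after >= 0 && i == brownout_after)
            return OP_INTERRUPTED;                 /* power gone; indicator is not cleared */
        dev[s].data[i] = 0xFF;
    }
    dev[s].erase_pl = 0;                           /* only a completed erase clears it */
    return OP_OK;
}

int sector_is_blank(int s)
{
    if (s < 0 || s >= NSECTORS) return 0;
    for (int i = 0; i < SECTOR_BYTES; i++)
        if (dev[s].data[i] != 0xFF) return 0;
    return 1;
}

int sector_erase_pl(int s)
{
    return (s >= 0 && s < NSECTORS) ? dev[s].erase_pl : 0;
}

/* Host boot-time recovery: any sector still tagged is re-erased before use.
   Returns a bitmask of the sectors that were recovered. */
uint32_t boot_recover_sectors(void)
{
    uint32_t recovered = 0;
    for (int s = 0; s < NSECTORS; s++)
        if (dev[s].erase_pl && flash_sector_erase(s, -1) == OP_OK)
            recovered |= 1u << s;
    return recovered;
}

int main(void)
{
    flash_init();
    flash_protect(1, 1);                          /* boot sector: locked */
    printf("erase of locked sector 1 -> %d (1 = refused)\n", flash_sector_erase(1, -1));
    printf("erase of sector 3 with brownout -> %d, blank=%d, indicator=%d\n",
           flash_sector_erase(3, 5), sector_is_blank(3), sector_erase_pl(3));
    printf("boot recovery mask 0x%02x, sector 3 now blank=%d\n",
           boot_recover_sectors(), sector_is_blank(3));
    return 0;
}
```

The model leaves the un-erased bytes at their old values so the half-erased state is obvious; on real silicon an interrupted erase can leave cells that happen to read as 0xFF but hold marginal charge, which is exactly why the host should drive recovery from the per-sector indicator rather than from a blank check alone.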
Safe Reset
In situations where the Flash device stops responding to the host, the Safe Reset feature can initiate a hardware reset of the SPI Flash regardless of the device’s operating state, using only existing SPI signals: Chip Select (CS#), Serial Clock (CK), and Serial Input (SI/DQ0), that is, without a dedicated reset pin.
Endurance/Retention Partitioning
All Flash memory is subject to physical degradation that can eventually lead to device failure. Some industrial functions require high endurance while others need long retention, and insufficient retention or endurance can affect system functionality. With endurance/retention partitioning, such as is implemented in Cypress’ EnduraFlex architecture, a single NOR Flash can be divided into multiple partitions, each independently configured for either high endurance or long retention. For frequent data writes, a partition can be configured to deliver up to 1.28 million program-erase cycles for 512 Mb density parts and 2.56 million cycles for 1 Gb parts. For code and configuration storage, a partition can be configured to retain data for 25 years.
NOR Flash is favored over NAND Flash for storing boot and application code as well as application data. Although designers can find a wide range of NOR Flash products, choosing a NOR Flash designed for functional safety applications provides architectural benefits and helps speed up system-level functional safety implementation.
Manish Garg works with the Memory Products Division at Cypress Semiconductor in Product Marketing. Previously, he has worked in different roles in Product Planning and Marketing at Altera (now Intel PSG) and Lattice Semiconductor. He holds a MS in Electrical Engineering from the University of Wisconsin and an MBA from Santa Clara University.