Source: 2017.eurospi.net/images/EuroSPI2017/PPTs/ISO26262-Part-11.pdf

Page 1

Improvements in Functional Safety of Automotive Semiconductors and IP through ISO 26262:2018

Part 11

Alison Young & Alastair Walker, Lorit Consultancy, Scotland

EuroAsiaSPI 2017, Ostrava

Page 2

ISO 26262 Part 11

• What’s New in Part 11?
• How Part 11 Supports Part 5 (Hardware)
• IP Issues
• Failure Rates
• Diagnostic Coverage
• Dependent Failures Analysis
• Semiconductor Use Cases

© Lorit Consultancy EuroAsiaSPI 2017 2

Page 3

ISO 26262 Part 11 - What’s New?

• Introduction of the IP topic
• Detailed information on failure rates
• Detailed information on transient faults
• Detailed information on diagnostic coverage
• Good examples of DFA and diagnostic coverage
• Coverage of different semiconductor technologies and use cases
• Introduction of multi-processor topics
• Repetition of work products, but focussed on semiconductors


Page 4

ISO 26262 Part 11 Support for Part 5

How does ISO 26262 Part 11 support teams that have previously used Part 5?
• A lot more information on the usage of failure rate standards, e.g. IEC TR 62380, SN 29500 & FIDES
• Honesty! Information on how conservative the estimates of the above reliability standards are
• More information on transient faults and their implications
• Enhanced information on dependent failures analysis
• Many practical examples of component types and their failure modes


Page 5

Intellectual Property

Intellectual property (IP) refers to a reusable unit of logical design or physical design intended to be integrated into a design as a part of a component.

Table 1, section 4.5.1 in ISO26262:11 2nd Edition


Page 6

Intellectual Property

Enhancements introduced in Part 11:
• Definition of IP lifecycle types
• Definition of how other sections of ISO 26262 have been adapted to support IP
• List of typical IP work products


Page 7

Base Failure Rate Considerations


Figure 11, Section 4.6, ISO26262:11 2nd Edition

Page 8

Base Failure Rate Considerations

Highlighting problems of mixing base failure rates with diagnostics:
• Reliability standards define diagnostics which can be used to enhance availability.
• Mixing the base failure rate with diagnostics can skew the safety evaluation.
• ISO 26262 requires the two to be kept separate for the metrics computation.

EXAMPLE: SEC-DED ECC (single-error-correct, double-error-detect) is a common error detection and correction scheme in state-of-the-art automotive functional safety electronics. A reported MTTF for an SRAM protected by SEC-DED ECC cannot count a fault that results in a correctable error; such a figure therefore mixes the effect of the base failure rate with the effect of the diagnostic, whereas the two are separated when the ISO 26262 metrics are calculated.


Page 9

Permanent Base Failure Rate


IEC TR 62380, SN 29500 & FIDES are referenced as suitable failure rate standards.

IEC TR 62380 automotive mission profile:
• Several working phases are considered:
  – The working rates consider three different internal working temperatures for the equipment, and take into account the annual working hours for each of these temperatures. The overall working time is estimated to be 500 h.
  – Two thermal cycles are considered:
    • Phase 1: 2 night starts;
    • Phase 2: 4 daylight starts.
  – Phase 3: non-used vehicle, dormant mode 30 days per year

Table 11, Section 5.8.3 in TR 62380 ©IEC: 2004

Page 10

Permanent Base Failure Rate

• CMOS digital circuits of the 74 ACT family from IEC TR 62380
• Good coverage of how to calculate base failure rates – die, package & stress
• EOS – systematic failure??
• Could benefit from more information on transistor numbers, substrate types and semiconductor technology considerations
• Tools to support, with IEC TR 62380, SN29500 & FIDES modules:
  – Item Toolkit
  – Isograph Reliability Workbench

Section 7.3.1 in TR 62380 ©IEC: 2004


Page 11

Permanent Base Failure Rate

When calculating the base failure rate, the supplier provides documentation describing the assumptions made and the supporting rationale.
• For example, assumptions can be:
  – the selected method to calculate the failure rate (e.g. industry source or field data)
  – how the non-operating time and solder joints were taken into account
  – which model has been used for a failure rate derived from field data (Weibull or exponential models)
• Functional safety ≠ reliability


[Figure: bathtub curve of FIT rate against time. Highly Accelerated Stress Screening precedes delivery to the customer; during the warranty period the failure rate is almost constant (continuing to decrease slightly); it takes a constant value during the useful life of the product (exponential model); it then increases due to wear-out failures.]

Page 12

Transient Faults

Transient faults can appear due to electromagnetic interference, which can lead to bit-flips.
• Susceptibility to transients – Analogue << Digital
• Single Event Upset (SEU)
• Single Event Transient (SET)
• Analogue Single Event Transients (ASETs)
• JESD89A base failure rate for transient faults
• Neutron particle flux, altitude, temperature and supply voltage are relevant to the transient failure rate (soft errors)
• Transient faults causing soft errors initiated by α, β, neutron or γ radiation sources are random hardware failures that can be quantified with a probabilistic method supported by measured data.


Nicolaidis M. Soft Errors in Modern Electronic Systems Chapter 5

Nicolaidis M. Soft Errors in Modern Electronic Systems Chapter 1

Page 13

Transient Fault Qualification

More information could be useful on the scaling and consideration of transient metrics; there was little information in Edition 1.
• The analysis for transient faults and for permanent faults is done separately.

EXAMPLE: ASIL D microcontroller FIT rates

Type        Part      FIT rate
Permanent   Die       <10 FIT
Permanent   Package   <70 FIT
Transient   Die       ≈2200 FIT

Page 14

Transient Fault Qualification

ISO 26262-5:2018, 8.4.7: transient faults can be addressed via a single-point fault metric.
• No failure mode coverage for latent faults is computed for transients, because the root cause rapidly disappears.
• They can be addressed either by specifying and verifying a dedicated target “single-point fault metric” value for them, or by a qualitative rationale.
• The number of safe faults can be particularly relevant.
• The rationale can be derived from fault injection.

EXAMPLE: The base failure rate for alpha particles can be influenced by the type of package, e.g. low alpha (LA) or ultra-low alpha (ULA) emitting semiconductor assembly materials.


Page 15

Transient Fault Qualification

The typical value of the coverage of a RAM march test is rated HIGH. However, these types of tests are not effective for soft error detection. Therefore, for example, the coverage of a RAM march test with respect to transient faults is zero.


VLSI Test Principles and Architecture Ch 8.
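The separation the last three slides describe (permanent faults feed SPFM and LFM, transient faults get their own single-point fault metric, and a march test counts for nothing against soft errors) can be made concrete in a small FMEDA-style calculation. The Python below is an added example, not code from the presentation or from the standard: the failure-mode rows, the safety mechanisms and every FIT and diagnostic-coverage value are assumptions chosen to mirror the ASIL D microcontroller figures above, and the SPFM/LFM formulas are the usual ISO 26262-5 definitions.

```python
"""Hardware architectural metrics with permanent and transient faults evaluated separately.

Added example, not code from the presentation or from ISO 26262. Every failure
rate, safety mechanism and diagnostic coverage (DC) below is an assumption chosen
to mirror the slide's ASIL D microcontroller figures (die <10 FIT permanent,
package <70 FIT permanent, die ~2200 FIT transient). 1 FIT = 1 failure in 1e9 h.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FailureMode:
    name: str
    fault_class: str        # "permanent" or "transient"
    fit: float              # base failure rate in FIT, with no diagnostic effect netted out
    safety_related: float   # share of the rate that can violate the safety goal; rest is safe
    dc: float               # coverage against single-point / residual faults (0..1)
    dc_latent: float = 0.0  # coverage of the covered faults' latent remainder (0..1)


def combine_coverage(dcs: Iterable[float]) -> float:
    """Coverage of independent mechanisms on one failure mode: 1 - prod(1 - dc_i).
    A mechanism blind to the fault class contributes dc = 0 (a RAM march test
    against soft errors, as the slide notes) and therefore adds nothing."""
    miss = 1.0
    for dc in dcs:
        miss *= 1.0 - dc
    return 1.0 - miss


def _require_class(modes: List[FailureMode], fault_class: str) -> None:
    """Refuse to mix fault classes inside one metric; the analyses are done separately."""
    wrong = [m.name for m in modes if m.fault_class != fault_class]
    if wrong:
        raise ValueError(f"expected only {fault_class} failure modes, got {wrong}")


def residual_fit(m: FailureMode) -> float:
    """lambda_SPF + lambda_RF: safety-related faults the mechanism does not cover."""
    return m.fit * m.safety_related * (1.0 - m.dc)


def spfm(modes: List[FailureMode], fault_class: str) -> float:
    """Single-point fault metric: 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)."""
    _require_class(modes, fault_class)
    total = sum(m.fit for m in modes)
    return 1.0 - sum(residual_fit(m) for m in modes) / total


def lfm(modes: List[FailureMode]) -> float:
    """Latent-fault metric: 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF).
    Defined for permanent faults only: a transient's root cause disappears, so no
    latent-fault coverage is computed for it."""
    _require_class(modes, "permanent")
    latent = sum(m.fit * m.safety_related * m.dc * (1.0 - m.dc_latent) for m in modes)
    not_residual = sum(m.fit - residual_fit(m) for m in modes)
    return 1.0 - latent / not_residual


# Assumed permanent-fault rows (hypothetical FIT and DC values).
PERMANENT = [
    FailureMode("CPU logic stuck-at (die)", "permanent", fit=4.0, safety_related=0.9,
                dc=0.95, dc_latent=0.9),                            # SW-based self-test
    FailureMode("SRAM cell stuck-at (die)", "permanent", fit=3.0, safety_related=1.0,
                dc=combine_coverage([0.99, 0.99]), dc_latent=0.9),  # march test + SEC-DED ECC
    FailureMode("Package / pin open", "permanent", fit=60.0, safety_related=0.1,
                dc=0.95, dc_latent=0.6),                            # plausibility checks
]

# Assumed transient-fault rows. The march test enters with dc = 0: it cannot see a soft error.
TRANSIENT = [
    FailureMode("SRAM SEU (die)", "transient", fit=2000.0, safety_related=1.0,
                dc=combine_coverage([0.0, 0.99])),                  # march test + SEC-DED ECC
    FailureMode("Flip-flop SEU (die)", "transient", fit=200.0, safety_related=0.8,
                dc=0.9),                                            # lockstep compare
]


def evaluate() -> dict:
    """Permanent faults give SPFM and LFM; transient faults give their own SPFM,
    to be judged against a dedicated transient target (or a qualitative rationale)."""
    return {
        "spfm_permanent": spfm(PERMANENT, "permanent"),
        "lfm_permanent": lfm(PERMANENT),
        "spfm_transient": spfm(TRANSIENT, "transient"),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.4%}")
```

Calling `lfm(TRANSIENT)` raises, which is the point of the check: the latent-fault metric is only defined for permanent faults, and the transient single-point fault metric is compared against its own dedicated target rather than folded into the permanent figure. The SRAM row also shows why the march test's HIGH rating is irrelevant for soft errors: its zero contribution leaves the ECC as the only transient coverage.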

Page 16

Component Package Failure Rate

In the estimation of a hardware component failure rate, the semiconductor providers consider the following:
• Failures relating to the silicon die
• The enclosure/encapsulation (e.g. case)
• The connection points (e.g. pins)
• The connections between the connection points and the board (e.g. solder joints) are considered as board failures and are typically considered by the system integrator during the safety analysis at the system or element level.


Page 17

Dependent Failures Analysis


The description of dependent failure analysis is much more detailed in the 2nd Edition of ISO 26262.
- Part 9 describes how to identify, analyse and mitigate or reduce dependent failures.
- Dependent failure initiators are defined in Annex C.

Part 11 builds on this, including:
- Examples of dependent failures to consider
- An example workflow
- A microcontroller and analogue example in Annex B

The information in part 11 should be useful to everyone performing dependent failure analysis.

Page 18

Dependent Failures Analysis


Design stages and levels
• DFA considers architectural features:
  – Similar and dissimilar redundant elements
  – Different functions implemented with identical software or hardware elements
  – Functions and their respective safety mechanisms
  – Partitions of functions or software elements
  – Physical distance between hardware elements, with or without a barrier
  – Common external resources

• Independence can be threatened by common cause failures and cascading failures, while freedom from interference can only be threatened by cascading failures.

Page 19

Dependent Failures Analysis


Dependent Failure Initiators

Page 20

Dependent Failures Analysis


Random hardware faults of shared resources: ISO26262:11 Table 20
DFI examples: failures in common clock elements; failures in power supply element
Measures to prevent violation of the safety goal / measures to prevent occurrence of the dependent failure (excerpts): dedicated independent monitoring…; self-tests at start-up…; functional redundancies…; fault diagnosis and isolation…

Page 21

Dependent Failures Analysis


Random single physical root causes: ISO26262:11 Table 21
DFI examples: short circuits; latch-up
Measures to prevent violation of the safety goal / measures to prevent occurrence of the dependent failure (excerpts): selective hardening…; diversification of impact…; dedicated production tests…; physical separation…

Page 22

Dependent Failures Analysis


Systematic environmental faults: ISO26262:11 Table 22
DFI examples: temperature; vibration
Measures to prevent violation of the safety goal / measures to prevent occurrence of the dependent failure (excerpts): diversification of impact…; direct monitoring…; fault avoidance measures…; physical separation…

Page 23

Dependent Failures Analysis


Systematic development faults: ISO26262:11 Table 23
DFI examples: requirement errors; specification errors
Measures to prevent violation of the safety goal / measures to prevent occurrence of the dependent failure (excerpts): monitors (e.g. protocol checkers); ISO26262-compliant design process…; diversity…

Page 24

Dependent Failures Analysis


Systematic manufacturing faults: ISO26262:11 Table 24
DFI examples: faults related to SW flashing…; faults related to end-of-line trimming…
Measures to prevent violation of the safety goal / measures to prevent occurrence of the dependent failure (excerpts): ISO26262-compliant design process…; dedicated production test…

Page 25

Dependent Failures Analysis


Systematic installation faults: ISO26262:11 Table 25
DFI examples: faults related to wiring harness routing…; faults related to interchangeability of parts…
Measures to prevent violation of the safety goal / measures to prevent occurrence of the dependent failure (excerpts): ISO26262-compliant design process…; dedicated installation test…

Page 26

Dependent Failures Analysis Workflow


[Figure: dependent failures analysis workflow. Start → Identify HW and SW elements (1) → Identify dependent failure initiators, using as inputs the list of typical dependent failure initiators and exemplary measures, the input information and the link to the quantitative analyses → Insight sufficient? If NO, improve the information and repeat; if YES, consolidate the list of relevant dependent failure initiators → Identify the necessary safety measures (2) to control or mitigate the dependent failure initiators, and include the quantifiable dependent failure initiators that originate from random hardware faults in the estimation of the metrics (SPFM, LFM, PMHF) according to ISO 26262-5:2018 → Insight sufficient? If NO, improve the information; if YES, consolidate the list of safety measures → Evaluate effectiveness to control or to avoid the dependent failure → Sufficient risk reduction? If NO, improve the safety measures; if YES, include the safety mechanism in the estimation of the metrics (SPFM, LFM, PMHF) according to ISO 26262-5:2018 → End.]

Figure 15, Section 4.7.6, ISO26262:11 2nd Edition

Page 27

Fault Injection

• Not mandated
• Supports the evaluation of hardware architectural metrics:
  – Use in estimating the diagnostic coverage of a safety mechanism
  – Evaluating the diagnostic time interval and the fault reaction time interval
  – Confirming the fault effect, e.g. does the fault cause an observable effect?
• Supports the functional verification of safety mechanisms
• Carried out to support dependent failures analysis of digital, analogue and programmable logic
• Results of fault injection can be used to verify the safety concept and the underlying assumptions.

EXAMPLE: The evaluation of the diagnostic coverage for stuck-at faults of a CPU software-based hardware test by fault injection at gate level has a high confidence level.


Page 28

Semiconductor Use Cases


• Digital components & memories
• Analogue / mixed signal components
• Programmable logic devices
• Multi-core components
• Sensors and transducers

Page 29

Digital components & Memories


Complements the tables in ISO26262:5 Annex D
- Details fault models for each type of technology, including more detail of the aspects to be considered.
- Describes how techniques that feature in earlier parts of the standard can be applied to digital logic and memory, e.g.:
  - Information needed to perform qualitative and quantitative analysis
  - Techniques to detect or prevent systematic failures
  - Appropriate verification techniques
  - Applicable safety documentation
  - Example safety mechanisms, including an overview of techniques and the diagnostic coverage considered achievable

Page 30


Failure mode abstraction

The choice of failure modes of an IP block depends on the level of abstraction that is useful. Failure modes should be selected that:
- Allow the mapping of underlying technology faults to failure modes.
- Facilitate the rationale for diagnostic coverage of applied safety measures.
- Are ideally disjunctive, i.e. each of the originating faults ideally leads to only one particular failure mode.

Failure mode classification of digital components:
― Function omission: function not delivered when needed (FM1);
― Function commission: function executed when not needed (FM2);
― Function timing: function delivered with incorrect timing (FM3);
― Function value: function provides incorrect output (FM4).

Digital components & Memories

Page 31


Example of evaluation of a DMA safety mechanism – Annex A

4 safety mechanisms defined:
- SafMech_01_DMA_MPU
- SafMech_02_E2E_Protection
- SafMech_03_Timeout_Mon
- SafMech_04_IR_Source_Mon

Based on the use case and safety mechanisms, the following failure modes are defined:

Failure mode                                   Safety mechanism             DC
DMA_FM1: no requested data transfer            SafMech_03_Timeout_Mon       100%
DMA_FM2: data transfer without a request
  - previous message (DMA_FM2.1)               SafMech_02_E2E_Protection    100%
  - random value (DMA_FM2.2)                   SafMech_02_E2E_Protection    99.98%
DMA_FM3: data transfer too early/too late      (further elaborated…)
DMA_FM4: incorrect output                      (further elaborated…)

Digital components & Memories

Page 32


DMA Safety Mechanism Example
• SafMech_02_E2E_Protection: the DMA transfers messages which are end-to-end protected by:

Digital components & Memories

Page 33


DMA Safety Mechanism Example

DMA_FM2.1: data transfer without a request. The previous message will be detected via the message counter or the message ID of the E2E protection. The DC for DMA_FM2.1 is estimated as 100 %.

DMA_FM2.2: In the case of a random value:
― The probability p_CRC-legal of randomly matching a legal CRC value is 1/2^8;
― The probability p_ID-legal of randomly matching a legal ID is 12/16;
― The probability p_Counter-legal of randomly matching the correct counter value is 1/2^4 (since only one of the 16 values is the correct one);
― The overall probability p_RF that no error is triggered is p_RF = p_CRC-legal × p_ID-legal × p_Counter-legal = 0.000183; and
― The DC for DMA_FM2.2 is estimated as 1 - p_RF, so equal to 99.98 %.

Digital components & Memories
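The Annex A arithmetic above can be checked, and the receiver-side logic it presupposes exercised, with the following Python. It is an added example, not code from the presentation or from ISO 26262-11: the field widths (8-bit CRC, 4-bit ID of which 12 values are legal, 4-bit alive counter) reproduce the slide's parameters, while the CRC polynomial, the byte layout of the frame, the `E2EReceiver` class and the constructed sample frames are assumptions of this example. The probability function is written for arbitrary field widths, so it also covers E2E profiles other than the one on the slide.

```python
"""Diagnostic coverage of an E2E-protected DMA transfer against a random-value failure.

Added example, not code from the presentation or from ISO 26262-11 Annex A. The field
widths (8-bit CRC, 4-bit ID with 12 legal values, 4-bit alive counter) reproduce the
slide's parameters; the CRC polynomial, the frame layout, the receiver logic and the
sample frames are assumptions of this example.
"""
from fractions import Fraction
from typing import Optional


def p_random_frame_accepted(crc_bits: int, legal_ids: int, id_bits: int,
                            counter_bits: int) -> Fraction:
    """Probability that a frame of uniformly random bits passes all three checks:
    one CRC value, legal_ids of the 2**id_bits IDs and one counter value are accepted."""
    return (Fraction(1, 2 ** crc_bits)
            * Fraction(legal_ids, 2 ** id_bits)
            * Fraction(1, 2 ** counter_bits))


def diagnostic_coverage(crc_bits: int = 8, legal_ids: int = 12, id_bits: int = 4,
                        counter_bits: int = 4) -> float:
    """DC for DMA_FM2.2 = 1 - p_RF; with the slide's parameters p_RF = 3/16384 = 0.000183."""
    return 1.0 - float(p_random_frame_accepted(crc_bits, legal_ids, id_bits, counter_bits))


def crc8(data: bytes, poly: int = 0x1D) -> int:
    """Bitwise CRC-8, polynomial 0x1D, init 0, no final XOR (polynomial assumed)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


LEGAL_IDS = frozenset(range(12))   # 12 of the 16 possible 4-bit IDs are in use (assumed)


def build_frame(msg_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header byte (ID in the high nibble, counter in the low nibble),
    payload, then a CRC over header and payload."""
    body = bytes([((msg_id & 0xF) << 4) | (counter & 0xF)]) + payload
    return body + bytes([crc8(body)])


class E2EReceiver:
    """Receiver side: a frame passes only with a valid CRC, a legal ID and the expected counter."""

    def __init__(self) -> None:
        self.expected_counter = 0

    def accept(self, frame: bytes) -> Optional[str]:
        """Return None when the frame is accepted, otherwise the name of the failed check."""
        if len(frame) < 2:
            return "length"
        body, crc = frame[:-1], frame[-1]
        if crc8(body) != crc:
            return "crc"
        msg_id, counter = body[0] >> 4, body[0] & 0xF
        if msg_id not in LEGAL_IDS:
            return "id"
        if counter != self.expected_counter:
            return "counter"      # a repeated previous message (DMA_FM2.1) fails here
        self.expected_counter = (counter + 1) & 0xF
        return None


def demo() -> dict:
    """Constructed frames: one valid transfer, its replay, a wrong ID, and a random-looking
    block of bytes standing in for a DMA transfer of a random value (DMA_FM2.2)."""
    rx = E2EReceiver()
    good = build_frame(msg_id=3, counter=0, payload=b"\x10\x20\x30")
    results = {
        "valid": rx.accept(good),                              # None: accepted, counter -> 1
        "replay": rx.accept(good),                             # "counter": same frame again
        "illegal_id": rx.accept(build_frame(15, 1, b"\x01")),  # "id": CRC fine, ID not assigned
        "random": rx.accept(bytes([0xA5, 0x5A, 0xFF, 0x00, 0x13])),  # "crc": random bytes
    }
    results["dc_random_value"] = diagnostic_coverage()         # 0.99982 -> 99.98 %
    return results
```

The analytic figure is the coverage against a uniformly random frame; it says nothing about structured corruptions (a single flipped bit in the payload, say), which is where the CRC polynomial's own detection properties, not the 1/2^8 term, decide the outcome.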

Page 34


Analogue & Mixed Signal Components

Describes how to divide up an analogue device to aid safety analysis.

Shows how techniques that feature in earlier parts of the standard can be applied to analogue and mixed signal components:
- Possible failure modes
- Information needed to perform qualitative and quantitative analysis
- Techniques to detect or prevent systematic failures
- Appropriate verification techniques
- Applicable safety documentation

Tables 36–39 describe example safety mechanisms, however:
- No “typical diagnostic coverage achievable” is included.
- Diagnostic coverage strongly depends on the specific technology, type of circuit, use case, etc.

[Figure: decomposition of analogue and mixed-signal components for safety analysis. A mixed-signal component (e.g. driver) is divided into parts: analogue parts (e.g. reference and bias), a digital part (e.g. state machine) and a mixed part (e.g. ADC), the latter further divided into analogue and digital sub-parts. An analogue component (e.g. amplifier) is divided into analogue parts (e.g. reference and bias, buffer).]

Page 35

Analogue & Mixed Signal Components


Safe Faults
• ISO 26262-10:2018, 8.1.7 states that safe faults can be faults of one of two categories:
  – all n-point faults with n > 2, unless the safety concept shows them to be a relevant contributor to a safety requirement, or
  – faults that will not contribute to the violation of a safety requirement.

Analogue components have an inherent capability to tolerate faults. These faults are safe faults.

EXAMPLE: A resistor is used to limit the current flowing through a specific branch. A failure in the accuracy of the resistor that increases its value (e.g. by 50 %) but does not prevent the current limiting function would be a safe fault.

Page 36


Additional analogue examples are very helpful, e.g. Annex D.

However, it could benefit from further rationale for the diagnostic coverage values.

Figure D.1, Annex D, ISO26262:11 2nd Edition

Analogue & Mixed Signal Components

Page 37

Programmable Logic Devices (PLD)


• Key failure modes are highlighted
• An example metric calculation is included in Annex E
• Describes how techniques described in the rest of the standard can be adapted to apply to PLDs, including:
  – Verification techniques
  – Dependent failure analysis
  – Example safety mechanisms
  – Example documentation
  – Avoidance of systematic faults

• Modularisation
• Design description in HDL
• Restricted use of asynchronous constructs
• Functional test at all levels
• Code checker
• Simulation & timing verification

[Figure: generic PLD layout. A ring of I/O cells surrounds repeated rows of fixed function IP, logic blocks and user memory, with the configuration technology alongside.]

Figure 17, Section 5.3.1.1 ISO26262:11 2nd Edition

Page 38

Multi-core Components
• Primarily offers clarification of safety requirements assigned to multiple cores within a system, which were previously assigned to separate HW components.
• Focuses only on:
  – ASIL decomposition
  – Freedom from interference


[Figure 19, ISO26262:11 2nd Edition: generic diagram of a dual-core system. Two blocks of “CPU core and L1 caches” share a “Bus interface and L2 cache”.]

[Figure 20, ISO26262:11 2nd Edition: ASIL decomposition in the context of multi-core. An initial safety requirement is decomposed into redundant safety requirement 1, allocated to SW 1 (PE1), and redundant safety requirement 2, allocated to SW 2 (PE2).]

Page 39

Summary


• ISO26262:11 2nd Edition offers a significant amount of useful information over the content of the first edition.
  – Includes additional detail on possible safety mechanisms over the 1st Edition.
  – Unfortunately, less information is now available on the typical diagnostic coverage achievable for analogue safety mechanisms.
• Information on how to apply areas of the standard to semiconductors is very useful.
• Some areas, e.g. PLDs and sensors/transducers, are covered in detail for the first time.
• Detailed examples are helpful; however, details on how diagnostic coverage values are reached remain unclear in many cases.

Page 40

Contact & Connect


DE +49 (0)3056 795165
UK +44 (0)7708 360023

www.lorit-consultancy.com

[email protected]@lorit-consultancy.com
