How Flash Memory ICs can support the requirements of Automotive functional safety

In ADAS, as well as in the instrument cluster and elsewhere, Flash memories are nowadays a component in Automotive systems which are safety-critical.  Therefore OEMs are starting to demand a new breed of Flash ICs which can support the requirements of functional safety design at the system level better than previous generations of devices.

By Anil Gupta, Technical Executive, Winbond,

NOR Flash has been a dependable technology in vehicles for many years, and today is used in various automotive systems, including the instrument cluster and in infotainment and telematics systems (see Figure 1). In these applications, this non-volatile memory provides storage capacity for application code, offering the advantages of reliable operation and Read speed fast enough to support Execute-in-Place (XiP), in which a host processor runs code directly from Flash, bypassing external DRAM.

NOR Flash is also playing an important role in emerging implementations of the ADAS (Advanced Driver Assistance Systems) concept, which in cars available today is already performing semi-autonomous highway-driving functions such as adaptive cruise control and lane-keeping. The pace of development in autonomous driving technology is extremely fast, and so in the next few years more and more of a vehicle’s activity will be controlled by electronics systems containing Flash.

In ADAS, as well as in the instrument cluster and elsewhere, Flash is a component in systems which are safety-critical: any uncontrolled failure of such a system would have the potential to render the vehicle unsafe or uncontrollable. To manage and minimise the risk of systems failing to operate as specified, the automotive industry has implemented the ISO 26262 Functional Safety standard, which:

  • imposes a requirement at the design stage to perform rigorous analysis of the ways in which a system’s designed functions can fail
  • specifies very low maximum failure rates for complete systems
  • requires systems to have the ability to detect functional failures reliably and quickly
  • requires systems to put in place robust means to survive safely, and recover from, any foreseeable functional failure

Fig. 1: the virtual instrument cluster in a 2014 Audi TT. NOR Flash is widely used to enable instant display of essential cluster information at start-up. (Image credit: Robert Basic under Creative Commons licence.)

Automotive systems OEMs are therefore starting to demand a new breed of Flash ICs which can support the requirements of functional safety design at the system level better than previous generations of devices. This article studies the mode of operation of conventional NOR Flash ICs, and explains the features that new automotive serial Flash products will need to offer if they are to fully support system designers’ efforts to comply with the ISO 26262 standard.

These functional safety features will likely be seen both in serial NOR Flash – the Flash memory type most often used today in embedded systems for boot code storage – and in Single Level Cell (SLC) NAND Flash. Serial NAND is in fact a valid alternative to NOR Flash for code storage in applications that do not require a high number of Program/Erase cycles, and that do not need to implement XiP. Winbond’s SLC NAND technology is built in a 46nm process, which offers proven high quality and is preferable in functional safety applications to serial NAND products fabricated at new, smaller geometries. It also offers data retention periods comparable to those of 55-65nm NOR Flash.

The advantage of serial NAND is its inherently lower cost – a NAND Flash bit cell is four times smaller than that of a NOR Flash cell. Supplied by Winbond with an on-board Error Correcting Code (ECC) engine and supporting high-speed continuous/sequential Read capability across page and block boundaries, serial NAND is now being seriously considered by designers of automotive functional safety applications alongside the NOR Flash which is the subject of this article.

Exposing diagnostic data to view

It’s important to state that NOR Flash memory technology is very reliable, and devices’ operating lifetime is highly predictable. NOR Flash ICs have proved their qualities in the field, and automotive OEMs’ preference for the technology is based on experience of its use in millions of vehicles on the road today. For perspective, the ISO 26262 standard specifies reliability and other parameters in four ‘ASIL’ grades (Automotive Safety Integrity Level). The most stringent grade, ASIL-D for the most safety-critical systems such as steering or brakes, sets a maximum system-level failure rate of <10 FIT (Failure In Time) – a measure of the failure rate per billion device-hours (see Figure 2). At the level of individual components such as a NOR Flash IC, this calls for a maximum failure rate of far below 10 FIT.






SPF (Single Point fault) Metric

Not Applicable

> 90%

 > 97%

 > 99%

LF (Latent Fault) Metric

Not Applicable

 > 60%

 > 80%

 > 90%

Failure rate





FIT (failure in time)

< 1,000 FIT

< 100 FIT

< 100FIT

< 10 FIT

Fig. 2: minimum detection rates for single-point and latent faults, and maximum failure rates as specified by the ISO 26262 standard

Nevertheless, automotive manufacturers’ ISO 26262 compliance efforts call for a way to identify any fault that could theoretically still occur in a NOR Flash IC. And at the time of writing (May 2017), NOR Flash ICs are supplied to automotive OEMs as a memory ‘black box’. Functions which maintain data integrity and data retention are, in conventional devices, inaccessible to the user. This closed operation is in conflict with the principles of functional safety, which require the host system to monitor component parts for faults, or for irregular behaviour that indicates a fault is likely to occur, and to implement counter-measures aimed at maintaining proper functioning.

This means that NOR Flash ICs intended for use in ISO 26262-compliant systems must make diagnostic data available to the host controller, and provide ways in which the host can modify the IC’s operation in response to a heightened risk of failure indicated by the data.

Two main features of a NOR Flash IC provide these data:

  • the ECC engine, which maintains data integrity by detecting and correcting bit errors in Read operations
  • a User Mode which enables periodic testing of the ECC engine’s operation

How ECC data support functional safety operations

In conventional NOR Flash ICs, the ECC engine operates in the background, detecting and correcting bit errors with multi-byte granularity silently, without alerting the host controller. in fact, however, these ECC data may be used to facilitate functional safety compliance in various ways. An ECC engine is capable of correcting single-bit errors (when there is only a single bit variance between the main data bit and the parity bits); and of detecting (but not correcting) double-bit errors.

By providing a status register to the host controller, a NOR Flash device can indicate whether the most recent Read operation had one of three possible outcomes:

  • good data with no error correction required
  • good data after error correction
  • bad data that were not able to be corrected

This ‘after the fact’ information can be used to help maintain long-term data integrity, as we shall see. But ISO 26262 requires automotive systems to detect faults when they occur, and to deploy counter-measures immediately. In new automotive NOR Flash ICs from Winbond, real-time error information may be provided via a dedicated Error pin. This pin may be asserted to indicate the exact location of uncorrectable data. There is also an option for the user to select whether the Error pin will indicate corrected single-bit errors, or detected and uncorrectable double-bit errors.

The host may then use the information from the status register, from the Error pin, or from both, to build an error register – effectively a ‘map’ of the NOR Flash array, logging the locations of bit errors. The host may then set a threshold, so that when the number of errors occurring at any one location, such as a particular block, exceeds the threshold, that location is ‘retired’ from the memory. This is a sensible precautionary measure: the repeated occurrence of corrected single-bit errors in a particular block of memory cells might indicate that the block is weak, and at risk of premature failure.

Measures to identify a latent failure

So far, the measures described are concerned with the handling of single-point faults, for which the ISO 26262 standard specifies minimum detection rates for each ASIL grade. But the standard also requires automotive systems to detect ‘latent faults’. A latent fault is a fault which does not violate functional safety requirements on its own, but which can violate them in conjunction with a second fault.

In a NOR Flash IC, there is potential for such a latent fault – a malfunctioning ECC engine is an example. In normal operation, NOR Flash technology is highly reliable and rarely requires error correction. So as long as an ECC engine failure does not cause it to wrongly correct good bits, the failure would normally go unnoticed. But when a single bad bit goes uncorrected because of the failed ECC engine (a latent fault), the two faults in combination pose a risk to functional safety.

To enable detection of a latent ECC engine fault, Winbond’s automotive NOR Flash ICs provide special User Mode and ECC Encoder Read commands: this enables the user to inject a main data pattern into the memory, and to read back from the ECC engine the main data and the parity data that it generates. If the parity data are incorrect, the ECC engine can be flagged as faulty.

Likewise, the User Mode may be used to check ECC decode operation: in User Mode, the user loads main data and parity data into the ECC engine, and with a special ECC Decoder Read command the main data may be read back. Single-bit and double-bit errors may be introduced into the main data and parity data to check whether the ECC engine performs single-bit error correction and double-bit error detection properly. Winbond’s recommendation is that this ECC engine check should be performed every time the system powers up.

New functional safety features available in production parts

In response to demand from manufacturers of ADAS products and other automotive systems, Winbond is now integrating the functional safety features described above into a new family of automotive NOR Flash products. The Quad 3V family, featuring a maximum 80MB/s data transfer rate, is available for sampling in a density of 256Mbits as of May 2017. A 512Mbit part (two stacked 256Mbit dies) will be available in the second half of 2017. In 2018, Winbond will release a 512Mbit part with a monolithic die, and a 1Gbit part made from two 512Mbit stacked dies.

Winbond’s Octal 1.8V family, featuring a data rate of more than 300MB/s, will be available in densities from 256Mbits, with samples planned for late 2018. Proliferation into other densities will follow later. Winbond also offers Serial NAND products with functional safety features: as of May 2017, products are available for sampling at densities of 512Mbits, 1Gbit and 2Gbits (made of two stacked 1Gbit dies).

Winbond Serial NAND products, such as the 1Gbit W25N01GV, support functional safety compliance by providing information to a status register showing whether data read out were good without ECC, good with ECC, or uncorrectable. The Serial NAND page size is 2kbytes and 1-bit embedded ECC is offered at the sector level (512 bytes). This means that up to 4-bit correction can be performed on a 2kbyte page. Winbond Serial NAND also offers the ability to read the location of a failed page when prompted by an additional user command.

Fig. 3: the error log in Winbond Serial NAND helps identify potential weak cells or blocks

By providing both SPI NOR and Serial NAND solutions for functional safety applications, Winbond offers the user the freedom to select the appropriate Flash memory type for the requirements of their design.

For more product information, please visit Winbond Code Storage Flash Memory


PCAP Touch displays - what does the future hold?

In this article the author compares three different touch technologies and examines their suitability for industrial applications. Figure 1. Example of a touch panel with Force Touch in a medic...


Dialog Semi walks through their latest IC solutions for battery chargers

In this video an engineer from Dialog Semiconductor walks us through their latest ICs for battery chargers at APEC 2018. Dialog's Qualcomm Quick Charge adapter solutions offer high efficiency to e...

Steve Allen of pSemi explains their latest LED driver solution

Steve Allen of pSemi explains their latest LED boost product based on Arctic Sand's two-stage architecture. Their PE23300 has a charge-pump, switched-capacitor architecture that offloads most of t...

Teledyne describes their latest 12-bit Wavepro HD oscilloscope

In this video Teledyne LeCroy describes their latest Wavepro HD oscilloscope to Alix Paultre of Power Electronics News at the company's launch event. The WavePro HD high-definition oscilloscope de...

Dialog Semi walks through their latest IC solutions for battery chargers

In this video an engineer from Dialog Semiconductor walks us through their latest ICs for battery chargers at APEC 2018. Dialog's Qualcomm Quick Charge adapter solutions offer high efficiency to e...

ROHM explains their latest wireless battery charger solution kit

In this video an engineer from ROHM goes over their latest wireless power development kit, co-developed with Würth for embedded development. The kit provides a complete wireless power transfer sy...

Tektronix describes their latest mixed-signal oscilloscope

In this video Tektronix explains the features in their latest 5 Series MSO Mixed Signal Oscilloscope. Features include an innovative pinch-swipe-zoom touchscreen user interface, a large high-definitio...

AVX shows a supercapacitor demonstrator at APEC

In this video Eric from AVX explains their supercapacitor demonstrator box at APEC 2018 in San Antonio, Texas. The box shows how a 5V 2.5-farad supercapacitor can quickly charge up using harvested ene...

OnSemi explains their latest passive smart wireless sensor for industrial applications

In this video On Semiconductor explains their latest wireless sensor for hazardous environments at APEC in San Antonio, Texas. Intended for applications like high-voltage power cabinets and other plac...

TI demonstrates an improved gaming power system at Embedded World

In this video Texas Instruments' explains Significant reduction in ripple, which results in improved reliability and increased design margins, among other advantages. Another benefit that improve...

Infineon explains their latest motor drive technology at APEC 2018

In this video Infineon demonstrates new gate drivers using their LS-SOI technology at APEC 2018. In the demo Victorus, an Infineon application engineer, shows in real time how much better thermal the ...

STMicro goes over their latest wireless-enabled microcontroller for the IoT

In this video STMicroelectronics goes over their latest wireless-enabled STM32WB microcontroller for the IoT and intelligent devices in several live connectivity demonstrations at Embedded World 2018....

Infineon explains their latest wireless charging solution at Embedded World

In this video Infineon goes over their latest wireless charging solutions at the Embedded World show in Nuremberg, Germany. The spokesperson explains the difference between their Qi-compatible solutio...

Grammatech talks about the importance of software in engineering

In this video Mark Hermeling of Grammatech talks to Alix Paultre after the Embedded World show in Nuremberg about the importance of software verification for security and safety in electronic design. ...

Lattice Semi walks through their booth demos at Embedded World

In this video Lattice Semiconductor walks us through their booth demonstrations at Embedded World 2018. The live demonstrations include an operating IoT remote vehicle, a low-power network used for vi...

Maxim describes their latest security solution at Embedded World 2018

In this video Scott from Maxim Integrated describes their latest security solution at Embedded World 2018. In the live demo he shows the DS28E38 DeepCover Secure ECDSA Authenticator, an ECDSA public k...

Garz & Fricke at Embedded World 2018 - Embedded HMIs and SBCs “Made in Germany”

You are looking for a HMI-system or single components as touches, displays and ARM-based SBCs? Welcome at Garz & Fricke – the Embedded HMI Company! Our offering ranges from typical single co...

ECRIN Systems myOPALE: Remote Embedded Modular Computers

myOPALE™ offers disruptive technology to multiply capabilities of your next Embedded Computers in a smaller foot print thanks to PCI Express® over Cable interconnect, standard 5.25’&rs...

TechNexion rolls out embedded systems, modules, Android Things kits at Embedded World 2018

In this video John Weber of TechNexion talks to Alix Paultre about how the company helps its customers getting products to market faster. By choosing to work with TechNexion, developers can take advan...

Mike Barr talks cybersecurity

In this video Mike Barr, CEO of the Barr Group, talks to Alix Paultre about cybersecurity at the Embedded World conference in Nuremberg, Germany. Too many designers, even in critical spaces like milit...