How Flash Memory ICs can support the requirements of Automotive functional safety

In ADAS, as well as in the instrument cluster and elsewhere, Flash memories are nowadays a component in Automotive systems which are safety-critical.  Therefore OEMs are starting to demand a new breed of Flash ICs which can support the requirements of functional safety design at the system level better than previous generations of devices.

By Anil Gupta, Technical Executive, Winbond, www.winbond.com


NOR Flash has been a dependable technology in vehicles for many years, and today is used in various automotive systems, including the instrument cluster and in infotainment and telematics systems (see Figure 1). In these applications, this non-volatile memory provides storage capacity for application code, offering the advantages of reliable operation and Read speed fast enough to support Execute-in-Place (XiP), in which a host processor runs code directly from Flash, bypassing external DRAM.

NOR Flash is also playing an important role in emerging implementations of the ADAS (Advanced Driver Assistance Systems) concept, which in cars available today is already performing semi-autonomous highway-driving functions such as adaptive cruise control and lane-keeping. The pace of development in autonomous driving technology is extremely fast, and so in the next few years more and more of a vehicle’s activity will be controlled by electronics systems containing Flash.

In ADAS, as well as in the instrument cluster and elsewhere, Flash is a component in systems which are safety-critical: any uncontrolled failure of such a system would have the potential to render the vehicle unsafe or uncontrollable. To manage and minimise the risk of systems failing to operate as specified, the automotive industry has implemented the ISO 26262 Functional Safety standard, which:

  • imposes a requirement at the design stage to perform rigorous analysis of the ways in which a system’s designed functions can fail
  • specifies very low maximum failure rates for complete systems
  • requires systems to have the ability to detect functional failures reliably and quickly
  • requires systems to put in place robust means to survive safely, and recover from, any foreseeable functional failure

Fig. 1: the virtual instrument cluster in a 2014 Audi TT. NOR Flash is widely used to enable instant display of essential cluster information at start-up. (Image credit: Robert Basic under Creative Commons licence.)

Automotive systems OEMs are therefore starting to demand a new breed of Flash ICs which can support the requirements of functional safety design at the system level better than previous generations of devices. This article studies the mode of operation of conventional NOR Flash ICs, and explains the features that new automotive serial Flash products will need to offer if they are to fully support system designers’ efforts to comply with the ISO 26262 standard.

These functional safety features will likely be seen both in serial NOR Flash – the Flash memory type most often used today in embedded systems for boot code storage – and in Single Level Cell (SLC) NAND Flash. Serial NAND is in fact a valid alternative to NOR Flash for code storage in applications that do not require a high number of Program/Erase cycles, and that do not need to implement XiP. Winbond’s SLC NAND technology is built in a 46nm process, which offers proven high quality and is preferable in functional safety applications to serial NAND products fabricated at new, smaller geometries. It also offers data retention periods comparable to those of 55-65nm NOR Flash.

The advantage of serial NAND is its inherently lower cost – a NAND Flash bit cell is four times smaller than that of a NOR Flash cell. Supplied by Winbond with an on-board Error Correcting Code (ECC) engine and supporting high-speed continuous/sequential Read capability across page and block boundaries, serial NAND is now being seriously considered by designers of automotive functional safety applications alongside the NOR Flash which is the subject of this article.

Exposing diagnostic data to view

It’s important to state that NOR Flash memory technology is very reliable, and devices’ operating lifetime is highly predictable. NOR Flash ICs have proved their qualities in the field, and automotive OEMs’ preference for the technology is based on experience of its use in millions of vehicles on the road today. For perspective, the ISO 26262 standard specifies reliability and other parameters in four ‘ASIL’ grades (Automotive Safety Integrity Level). The most stringent grade, ASIL-D for the most safety-critical systems such as steering or brakes, sets a maximum system-level failure rate of <10 FIT (Failure In Time) – a measure of the failure rate per billion device-hours (see Figure 2). At the level of individual components such as a NOR Flash IC, this calls for a maximum failure rate of far below 10 FIT.

 

ASIL-A

ASIL-B

ASIL-C

ASIL-D

SPF (Single Point fault) Metric

Not Applicable

> 90%

 > 97%

 > 99%

LF (Latent Fault) Metric

Not Applicable

 > 60%

 > 80%

 > 90%

Failure rate

10-6/hour

10-7/hour

10-7/hour

10-8/hour

FIT (failure in time)

< 1,000 FIT

< 100 FIT

< 100FIT

< 10 FIT

Fig. 2: minimum detection rates for single-point and latent faults, and maximum failure rates as specified by the ISO 26262 standard

Nevertheless, automotive manufacturers’ ISO 26262 compliance efforts call for a way to identify any fault that could theoretically still occur in a NOR Flash IC. And at the time of writing (May 2017), NOR Flash ICs are supplied to automotive OEMs as a memory ‘black box’. Functions which maintain data integrity and data retention are, in conventional devices, inaccessible to the user. This closed operation is in conflict with the principles of functional safety, which require the host system to monitor component parts for faults, or for irregular behaviour that indicates a fault is likely to occur, and to implement counter-measures aimed at maintaining proper functioning.

This means that NOR Flash ICs intended for use in ISO 26262-compliant systems must make diagnostic data available to the host controller, and provide ways in which the host can modify the IC’s operation in response to a heightened risk of failure indicated by the data.

Two main features of a NOR Flash IC provide these data:

  • the ECC engine, which maintains data integrity by detecting and correcting bit errors in Read operations
  • a User Mode which enables periodic testing of the ECC engine’s operation

How ECC data support functional safety operations

In conventional NOR Flash ICs, the ECC engine operates in the background, detecting and correcting bit errors with multi-byte granularity silently, without alerting the host controller. in fact, however, these ECC data may be used to facilitate functional safety compliance in various ways. An ECC engine is capable of correcting single-bit errors (when there is only a single bit variance between the main data bit and the parity bits); and of detecting (but not correcting) double-bit errors.

By providing a status register to the host controller, a NOR Flash device can indicate whether the most recent Read operation had one of three possible outcomes:

  • good data with no error correction required
  • good data after error correction
  • bad data that were not able to be corrected

This ‘after the fact’ information can be used to help maintain long-term data integrity, as we shall see. But ISO 26262 requires automotive systems to detect faults when they occur, and to deploy counter-measures immediately. In new automotive NOR Flash ICs from Winbond, real-time error information may be provided via a dedicated Error pin. This pin may be asserted to indicate the exact location of uncorrectable data. There is also an option for the user to select whether the Error pin will indicate corrected single-bit errors, or detected and uncorrectable double-bit errors.

The host may then use the information from the status register, from the Error pin, or from both, to build an error register – effectively a ‘map’ of the NOR Flash array, logging the locations of bit errors. The host may then set a threshold, so that when the number of errors occurring at any one location, such as a particular block, exceeds the threshold, that location is ‘retired’ from the memory. This is a sensible precautionary measure: the repeated occurrence of corrected single-bit errors in a particular block of memory cells might indicate that the block is weak, and at risk of premature failure.

Measures to identify a latent failure

So far, the measures described are concerned with the handling of single-point faults, for which the ISO 26262 standard specifies minimum detection rates for each ASIL grade. But the standard also requires automotive systems to detect ‘latent faults’. A latent fault is a fault which does not violate functional safety requirements on its own, but which can violate them in conjunction with a second fault.

In a NOR Flash IC, there is potential for such a latent fault – a malfunctioning ECC engine is an example. In normal operation, NOR Flash technology is highly reliable and rarely requires error correction. So as long as an ECC engine failure does not cause it to wrongly correct good bits, the failure would normally go unnoticed. But when a single bad bit goes uncorrected because of the failed ECC engine (a latent fault), the two faults in combination pose a risk to functional safety.

To enable detection of a latent ECC engine fault, Winbond’s automotive NOR Flash ICs provide special User Mode and ECC Encoder Read commands: this enables the user to inject a main data pattern into the memory, and to read back from the ECC engine the main data and the parity data that it generates. If the parity data are incorrect, the ECC engine can be flagged as faulty.

Likewise, the User Mode may be used to check ECC decode operation: in User Mode, the user loads main data and parity data into the ECC engine, and with a special ECC Decoder Read command the main data may be read back. Single-bit and double-bit errors may be introduced into the main data and parity data to check whether the ECC engine performs single-bit error correction and double-bit error detection properly. Winbond’s recommendation is that this ECC engine check should be performed every time the system powers up.

New functional safety features available in production parts

In response to demand from manufacturers of ADAS products and other automotive systems, Winbond is now integrating the functional safety features described above into a new family of automotive NOR Flash products. The Quad 3V family, featuring a maximum 80MB/s data transfer rate, is available for sampling in a density of 256Mbits as of May 2017. A 512Mbit part (two stacked 256Mbit dies) will be available in the second half of 2017. In 2018, Winbond will release a 512Mbit part with a monolithic die, and a 1Gbit part made from two 512Mbit stacked dies.

Winbond’s Octal 1.8V family, featuring a data rate of more than 300MB/s, will be available in densities from 256Mbits, with samples planned for late 2018. Proliferation into other densities will follow later. Winbond also offers Serial NAND products with functional safety features: as of May 2017, products are available for sampling at densities of 512Mbits, 1Gbit and 2Gbits (made of two stacked 1Gbit dies).

Winbond Serial NAND products, such as the 1Gbit W25N01GV, support functional safety compliance by providing information to a status register showing whether data read out were good without ECC, good with ECC, or uncorrectable. The Serial NAND page size is 2kbytes and 1-bit embedded ECC is offered at the sector level (512 bytes). This means that up to 4-bit correction can be performed on a 2kbyte page. Winbond Serial NAND also offers the ability to read the location of a failed page when prompted by an additional user command.

Fig. 3: the error log in Winbond Serial NAND helps identify potential weak cells or blocks

By providing both SPI NOR and Serial NAND solutions for functional safety applications, Winbond offers the user the freedom to select the appropriate Flash memory type for the requirements of their design.

For more product information, please visit Winbond Code Storage Flash Memory


Related



In Search of the Best Op Amp for Remote Devices

Portable and remote devices are integral to medical, home, and business systems that manage the collection of analog data. The trend today is to create smaller, more energy efficient devices to shrink...

 


Bs&T at PCIM2018

powerlosstester presenting BsT-pulse 3 phase version and BsT-SQ for powerloss measurement of inductive components new findings of tester, the highest Bs ferrite material D9B for SiC application GaN fe...


Würth and AnDAPT describe their new programmable power solution

In this video an engineer from AnDAPT describes their new programmable power solution and their partnership with Würth at the APEC exhibition  in San Antonio, Texas. Drawing from Würth&...


MAGMENT: Magnetizable concretes, sole enablers for dynamic inductive wireless charging.

MAGMENT is a patented material technology, engineered from cement and magnetic particles from recycled electronic waste. We are the inventors and sole company worldwide to offer both the concrete mate...


A look at Analog Devices' wireless power demonstration at APEC 2018

In this video Steve from Analog Devices walks us through a wireless power transmission demonstration at APEC 2018 in San Antonio, Texas. The LTC4120 is a constant-current/constant-voltage wireless rec...


Analog Devices talks about their Power over Ethernet solutions at APEC

In this video Analog Devices talks about their Power over Ethernet solutions at APEC 2018 in San Antonio, Texas. Their LTC4291 provides four PSE Ports with two power channels per port, and is fully co...


Silicon Labs demonstrates their latest PoE solutions at APEC 2018

In this video John Wilson of Silicon Labs demonstrates their latest Power over Ethernet solutions at APEC 2018 in San Antonio, Texas. The live demonstration shows how a remote device can effectively p...


Vitrek explains their advanced testing solutions at APEC 2018

In this video Vitrek explains their advanced testing solutions at APEC 2018 in San Antonio, Texas. The devices displayed includes their 4700 high-voltage meter, which can measure up to 10kV and can pe...


Dirk Giesen describes the Parasoft tool suite for Embedded Software Development

Are you responsible for embedded software development in your organization? Your goal should be to create safe, secure, and reliable software. To make sure your device will work properly, deploy Paras...


Ross Sabolik of Silicon Labs talks about advanced Power over Ethernet

In this video Ross Sabolik of Silicon Labs talks about smart  Power over Ethernet systems with Alix Paultre at their APEC exhibit in San ANtonio, Texas. As PoE migrates to higher power levels and...


Dialog Semi walks through their latest IC solutions for battery chargers

In this video an engineer from Dialog Semiconductor walks us through their latest ICs for battery chargers at APEC 2018. Dialog's Qualcomm Quick Charge adapter solutions offer high efficiency to e...


Steve Allen of pSemi explains their latest LED driver solution

Steve Allen of pSemi explains their latest LED boost product based on Arctic Sand's two-stage architecture. Their PE23300 has a charge-pump, switched-capacitor architecture that offloads most of t...


Teledyne describes their latest 12-bit Wavepro HD oscilloscope

In this video Teledyne LeCroy describes their latest Wavepro HD oscilloscope to Alix Paultre of Power Electronics News at the company's launch event. The WavePro HD high-definition oscilloscope de...