Functional safety of integrated circuits

Integrated circuits (ICs) are fundamental to all modern safety systems. ICs provide the logic, control the sensors and, to a large extent, are the sensors themselves. They drive the final elements that bring the system to a safe state, and they are the platform on which the software runs. The high level of integration within the semiconductor simplifies system-level implementation at the expense of increased internal complexity of the IC. This integration reduces the number of components, improves system reliability, and creates opportunities for improved diagnostic coverage and reduced diagnostic test intervals, all at a moderate cost to security. One might think that this high level of integration is a bad thing because of the increased complexity. However, while the complexity inside the IC increases, the module and system levels are greatly simplified. Surprisingly, process control, machinery, elevators, variable speed drives and toxic gas sensors all have functional safety standards, but there is no specific functional safety standard for integrated circuits. Instead, the relevant requirements and knowledge are scattered across IEC 61508 and other Class B and Class C standards. This article provides guidance on interpreting the existing functional safety standards for semiconductors.

Introduction

Typically, integrated circuits are developed in accordance with IEC 61508 or ISO 26262. In addition, there are sometimes further requirements in the secondary and tertiary standards. Only by developing and assessing in accordance with functional safety standards can you be confident that these complex integrated circuits are safe enough. When IEC 61508 was written, it was aimed at custom systems, not at integrated circuits mass-produced for the open market. This article reviews and comments on the known functional safety requirements for integrated circuits. Although it focuses on IEC 61508 and its application in the industrial sector, much of it is also relevant to automotive, avionics and medical applications.

Functional safety

Functional safety is a part of overall safety and concerns the confidence that a system will perform its safety-related tasks when required. Functional safety is different from other, passive forms of safety, such as electrical, mechanical or intrinsic safety.

Functional safety is an active form of safety. For example, it ensures that a motor is turned off fast enough to prevent injury to an operator opening a guard door, or that a robot slows its movement when someone is nearby.

Standards

The main functional safety standard is IEC 61508. The first edition was published in 1998 and the second in 2010; work on the third edition started in 2017, with a possible completion date of 2022. Since the first edition of IEC 61508 in 1998, the basic standard has been adapted for different fields, such as automotive (ISO 26262), process control (IEC 61511), PLCs (IEC 61131-6), machinery (IEC 62061), variable speed drives (IEC 61800-5-2) and many others. Such standards help to interpret the very broad IEC 61508 for use in these more restricted areas.

Some functional safety standards, such as ISO 13849 and DO-178/DO-254, are not derived from IEC 61508. Nonetheless, anyone familiar with IEC 61508 who reads these standards will not be too surprised by their content.

Within a safety system, it is the safety function that performs the critical functional safety activity while the system is running. A safety function defines the actions that must be performed to achieve or maintain safety. A typical safety function comprises an input subsystem, a logic subsystem and an output subsystem. Typically, this means detecting a potentially unsafe condition, making a decision based on the detected value and, if a hazard is judged to be present, instructing the output subsystem to place the system in a defined safe state.

Figure 1. Example of a functional safety standard.

The time taken to reach the safe state once an unsafe condition exists is critical. For example, a safety function may include the following devices: a sensor to detect whether the guard on a machine is open, a PLC to process the data, and a variable speed drive with a safe torque off input, which turns off the motor before anyone reaching into the machine can approach the moving parts.

Safety integrity level

SIL stands for Safety Integrity Level and is a measure of the risk reduction required to reach an acceptable level of risk. IEC 61508 defines levels SIL 1, 2, 3 and 4. From one level to the next, safety increases by an order of magnitude. SIL 4 is not seen in machinery and factory automation, because generally no more than one person is at risk. SIL 4 targets applications such as nuclear power and railways, where hundreds or even thousands of people may be harmed. Other functional safety standards use different scales: automotive uses ASIL (Automotive Safety Integrity Level) A, B, C and D, and ISO 13849 uses performance levels a, b, c, d and e, which correspond roughly to the SIL 1 to SIL 3 scale.

Table 1. Rough correspondence of security levels in each application area


I do not believe that a single IC can claim a safety level above SIL 3. It is worth noting, however, that the table in Appendix F of IEC 61508-2:2010 does include a SIL 4 column.

Three key requirements

Functional safety poses three key requirements for IC development. Let's examine these requirements.

Requirement 1 - follow a rigorous development process

IEC 61508 is a full lifecycle model covering all phases from the safety concept through requirements capture and maintenance to final disposal. Not all of these phases apply to an integrated circuit, and deciding which do requires training and experience. IEC 61508 provides a V model for ASICs, together with reviews, audits and other requirements. It represents a regime which, while no guarantee, has been shown to produce safe systems and ICs.

Because of the high cost of fixing a faulty integrated circuit, most IC manufacturers already have strict new product development standards. For small-geometry processes, the cost of a single mask set can exceed $500,000. This, combined with long lead times, has forced IC designers to adopt a rigorous development process with an extensive review and verification phase. One of the major differences with functional safety is that safety must not only be achieved but also demonstrated. Even the best IC manufacturers need to add safety processes on top of their normal development process to ensure that appropriate evidence of compliance is created and archived.

A failure introduced by the development process is called a systematic failure. Such failures can only be resolved through design changes. Failures associated with requirements capture, insufficient EMC robustness and inadequate testing are systematic failures.

Appendix F of IEC 61508-2:2010 lists a set of measures that the IEC committee experts consider suitable for integrated circuit development. Table F.2 applies to FPGAs and CPLDs, and Table F.1 applies to digital ASICs. The measures are classified as R (recommended) or HR (highly recommended) depending on the SIL, and in some cases alternative techniques are allowed. For an IC vendor with a good development process, the requirements hold few surprises, but the 99% fault coverage requirement for SIL 3 is challenging, especially for small digital or mixed-signal devices, where much of the circuitry lies at the periphery of the module. The requirements in the second edition of the standard apply only to digital ICs, but many of them can also be applied to analog or mixed-signal ICs (the next version of ISO 26262 will contain similar tables, with versions for analog and mixed-signal integrated circuits).

In addition to Tables F.1 and F.2, there is some introductory text that provides useful insights. For example, it states that a tool which has been used for 18 months on a project of similar complexity can be regarded as a validated tool. This means that it is not necessary to apply all of the tool requirements of IEC 61508-3.

If a module/system designer has successfully used an IC in the past and knows its application and field failure rate, he can claim it as "proven in use". It is much harder for an IC designer or manufacturer to make such a claim, because they generally know little about the final application or about what percentage of field failures are returned to them for analysis.

Software

All software failures are systematic, because software does not wear out. Any on-chip software must consider the requirements of IEC 61508-3. Typically, on-chip software is the boot code of a microcontroller/DSP. In some cases, however, an IC may include a small microcontroller pre-programmed by the IC manufacturer to implement a logic block instead of using a state machine, and the software of that pre-programmed microcontroller also needs to comply with IEC 61508-3. Application-level software is usually the responsibility of the module/system designer rather than the IC manufacturer, but the IC vendor may need to provide tools such as compilers or low-level drivers. If these tools are used to develop safety-related applications, the IC manufacturer needs to give the end user sufficient information to meet the tool requirements of IEC 61508-3:2010, Section 7.4.4.

I have programmed in C and many other programming languages, and have also done a small amount of Verilog. Verilog and its sister language VHDL are the two main hardware description languages (HDLs) for designing digital integrated circuits. An interesting question is whether HDL is software, but for now it is sufficient to follow Appendix F of IEC 61508-2:2010. In practice, the author has found that if Appendix F is followed, in combination with the other requirements of IEC 61508 (lifecycle phases and so on), it does not matter whether HDL counts as software, because the developer ends up having to complete all the necessary tasks anyway. A notable related standard is IEC 62566, which deals with nuclear industry safety functions developed using HDL.

Requirement 2 - inherent reliability

IEC 61508 expresses its reliability requirements as PFH (average frequency of dangerous failure per hour) or PFD (probability of failure on demand). These limits are related to the risk of an adult dying of natural causes, and the view that going to work or about one's daily business should not significantly increase that risk. The maximum PFH for a SIL 3 safety function is 10^-7/h, or approximately one dangerous failure per 1000 years. Expressed in FIT (failures per billion hours of operation), this is 100 FIT.

Since a typical safety function has an input module, a logic module and an actuator module, and the PFH budget must be shared among all three, the PFH allowed for an IC may be in single digits (<10 FIT). Redundant architectures can be used to relax these numbers: two 100 FIT channels, each providing the same confidence, can give a module figure of 10 FIT, limited by common cause failure (CCF). However, redundancy consumes a lot of area and power and increases cost.

Such data are sometimes dismissed because the reliability assessment is done in the laboratory under artificial conditions. Instead, industry standards such as SN 29500 or IEC 62380 are recommended, but these standards have some problems:

  • They predict reliability at 99% confidence, whereas IEC 61508 only requires data at 70% confidence, so these standards are pessimistic.

  • They mix random failure modes with systematic failure modes, which IEC 61508 requires to be handled differently.

  • They are not updated frequently.

  • They do not consider quality differences between different suppliers.

Standards such as SN 29500 give the reliability of an IC as a function of its transistor count. If two ICs, each with 500,000 transistors, are used to implement a safety function and each has a FIT of 70, the whole has a FIT of 140. However, if the two ICs are replaced by a single IC with 1 million transistors, that IC has a FIT of only 80, a reduction of more than 40%.

Soft errors inside the IC are often ignored. Soft errors differ from traditional reliability predictions because they disappear when the power is cycled. They are caused by cosmic neutrons, or by alpha particles from the packaging material, striking on-chip RAM cells or flip-flops (FFs) and changing the values stored there. ECC (single-bit error correction with double-bit error detection) can be used to detect and seamlessly correct errors in RAM, at the expense of reduced speed and increased on-chip area. Parity adds less overhead, but then the system designer has to address error recovery. Without parity or ECC, the soft error rate can be up to 1000 times higher than the traditional hard error rate (IEC 61508 gives a figure of 1000 FIT/MB for RAM). Techniques for dealing with soft errors in the flip-flops that implement logic are less satisfactory, but watchdog timers, time redundancy in computation and other techniques can help.
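The following Python, added here as an example and not code from the article or from Analog Devices, works the reliability arithmetic of this section: the PFH limits converted to FIT, a budget split over the three subsystems of a safety function, the beta-factor common cause floor behind the two-channel figure above, and the soft-error rate of bare RAM at the 1000 FIT/MB figure the text quotes. The budget shares, the IC's share of the logic subsystem and the RAM size are constructed assumptions for the example.

```python
"""Reliability budget arithmetic for an IC inside a safety function.

Added example, not code from the article or from Analog Devices. Converts the
IEC 61508 PFH limits to FIT, splits the budget over the subsystems of a safety
function, applies the beta-factor common cause floor, and sizes the soft-error
contribution of on-chip RAM from the 1000 FIT/MB figure the article quotes.
"""
HOURS_PER_YEAR = 24 * 365

# Upper PFH bound per SIL, high-demand/continuous mode (IEC 61508-1 Table 3).
SIL_PFH_LIMIT = {1: 1e-5, 2: 1e-6, 3: 1e-7, 4: 1e-8}


def pfh_to_fit(pfh):
    """FIT is failures per 1e9 device-hours, so 1e-7/h is 100 FIT."""
    return pfh * 1e9


def mean_years_between_dangerous_failures(pfh):
    """1/PFH in hours, converted to years (the article's 'about 1000 years')."""
    return 1.0 / (pfh * HOURS_PER_YEAR)


def allocate_budget(total_fit, shares):
    """Split a safety-function FIT budget over its subsystems.

    shares maps subsystem name -> fraction of the budget; the fractions must
    sum to 1. The split itself is a design decision, not fixed by the standard.
    """
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1")
    return {name: total_fit * frac for name, frac in shares.items()}


def pfh_1oo2_ccf_floor_fit(channel_fit, beta):
    """Common cause floor of two redundant channels (beta-factor model).

    Only the beta * lambda term is kept; the independent double-failure term
    is far smaller at these rates and is dropped here (a simplification made
    for this example). With beta = 0.10, two 100 FIT channels give 10 FIT.
    """
    return beta * channel_fit


def ram_soft_error_fit(ram_megabytes, fit_per_mb=1000.0):
    """Raw soft-error rate of unprotected on-chip RAM at the IEC 61508 figure
    the article quotes (1000 FIT/MB), before any parity or ECC."""
    return ram_megabytes * fit_per_mb


def ic_budget_report(sil, shares, ic_share_of_logic):
    """Work a SIL budget down to one IC inside the logic subsystem.

    The shares and the IC's share of the logic subsystem are assumptions
    chosen for this example.
    """
    total_fit = pfh_to_fit(SIL_PFH_LIMIT[sil])
    per_subsystem = allocate_budget(total_fit, shares)
    ic_fit = per_subsystem["logic"] * ic_share_of_logic
    return {"total_fit": total_fit, "subsystems": per_subsystem, "ic_fit": ic_fit}


if __name__ == "__main__":
    # Constructed split: input 35 %, logic 15 %, output 50 %; IC is half of the logic subsystem.
    rep = ic_budget_report(3, {"input": 0.35, "logic": 0.15, "output": 0.5}, 0.5)
    print(rep["ic_fit"])                                 # 7.5 FIT: single digit, as the text says
    print(mean_years_between_dangerous_failures(1e-7))   # about 1141 years
    print(pfh_1oo2_ccf_floor_fit(100, 0.10))             # 10 FIT
    print(ram_soft_error_fit(0.25))                      # 250 FIT for 256 KB of bare RAM
```

Note that 256 KB of unprotected RAM alone (250 FIT) would exceed the whole 7.5 FIT budget worked out for the IC, which is the point the text makes about parity and ECC.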

Requirement 3 - Fault tolerance

No matter how reliable a product is, failures will sometimes occur. Fault tolerance recognizes this reality and addresses it. Fault tolerance has two main aspects: redundancy and diagnostics. Both recognize that, however good the reliability of the IC or its development process, failures will inevitably happen.

Redundancy can be identical or diverse, and on-chip or off-chip. Appendix E of IEC 61508-2:2010 provides a set of techniques for demonstrating that adequate measures have been taken to support a claim of on-chip redundancy for digital circuits using identical redundancy. Appendix E appears to be written for dual lock-step microcontrollers and gives no guidance on on-chip independence for:

  • Analog and mixed-signal integrated circuits

  • A module and its on-chip diagnostics

  • Diverse redundant digital circuits

However, in some cases Appendix E can be interpreted flexibly to cover these situations. An interesting part of Appendix E is the βIC calculation, a measure of common cause failure on the chip. It can be used to decide whether the separation is sufficient, provided the common cause contribution is below 25%, which is higher than the 1%, 5% or 10% in the tables of IEC 61508-6:2010.

Diagnostics is an area where integrated circuits can really shine. On-chip diagnostics can:

  • Be designed around the expected failure modes of the on-chip block

  • Add no PCB area, because the demand on external pins is limited

  • Run at high speed (an extremely short diagnostic test interval)

  • Avoid the need for a redundant device for diagnosis by comparison

This means that on-chip diagnostics minimize system cost and area. In general, the diagnostics are diverse (implemented differently) from the on-chip items they monitor, so they are unlikely to fail in the same way and at the same time as the monitored item. Where a common failure does occur, it is most likely due to a shared problem (often EMC, power supply or over-temperature) that would affect the diagnostics even if they were implemented on a separate chip. Although the standard contains no such requirement, the use of on-chip power monitors and watchdog circuits is contentious because these are the diagnostics of last resort, and some external assessors will insist that they be placed off-chip.

For simpler integrated circuits, diagnostics are generally controlled by an external microcontroller/DSP: the measurements are made on-chip, but the results are sent off-chip for processing.

IEC 61508 requires a minimum level of diagnostic coverage, given as the SFF (safe failure fraction), which counts both safe and dangerous failures; it is related to but different from DC (diagnostic coverage), which ignores safe failures. How well the implemented diagnostics cover the failures can be measured with a quantitative FMEA or FMEDA. The diagnostics implemented in the IC may also cover devices external to the IC, and items inside the IC may be covered by system-level diagnostics. When an IC developer performs an FMEDA, assumptions have to be made, because the IC developer is generally unaware of the details of the final application. In ISO 26262 terminology this is a SEooC (safety element out of context). End users who want to take advantage of an IC-level FMEDA must satisfy themselves that those assumptions hold for their system.

Table A.1 of IEC 61508-2:2010 (and in fact Tables A.2 to A.14) provides useful guidance on the IC failure modes to consider when analyzing an IC, but Appendix H of IEC 60730:2010 provides a better discussion of the subject.

Integrated circuit development options

There are several options for developing integrated circuits for functional safety systems. The standard does not require that only ICs developed to the standard be used; rather, it requires the module or system designer to be confident that the chosen IC is suitable for the target system.

Available options include:

  • Option 1: Developed in full compliance with IEC 61508, with external assessment and a safety manual

  • Option 2: Developed in accordance with IEC 61508, with a safety manual but no external assessment

  • Option 3: Developed to the semiconductor company's standard development process, but with a safety data sheet issued

  • Option 4: Developed to the semiconductor company's standard development process only

Note: For devices not developed in accordance with IEC 61508, the term safety data sheet or similar should be used, to avoid confusion with the safety manual of a device that was developed to the standard.

For the semiconductor manufacturer, Option 1 is the most costly, but it is probably the most beneficial to the module or system designer. If the application assumed in the IC's safety concept matches the application of the system, the risk of problems during external assessment of the module or system is reduced. The additional design effort for a SIL 2 safety function may be 20% or more. Even without functional safety, semiconductor manufacturers often already have rigorous development processes, and the functional safety work comes on top of that.

Option 2 saves the cost of the external assessment, but is otherwise the same. This option is appropriate if the customer has to have the module/system externally assessed anyway and the integrated circuit is an important part of that system.

Option 3 is best suited to integrated circuits that have already been released. Providing a safety data sheet gives the module or system designer the additional information needed for a safe design at the next level up. This includes details of the actual development process used, FIT data for the integrated circuit, details of any diagnostics, and ISO 9001 certification of the manufacturing site.

However, Option 4 is still the most common way of developing integrated circuits. Developing a safety module or system with such a device adds components and expense to the module/system design, because these devices lack sufficient diagnostics and therefore require a dual-channel architecture with comparison rather than a single-channel architecture. Without a safety data sheet, the module/system designer has to make conservative assumptions and treat the integrated circuit as a black box.

In addition, semiconductor companies need to develop their own interpretation of the standard; the author's own company has developed the internal documents ADI61508 and ADI26262. ADI61508 takes the seven parts of IEC 61508:2010 and interprets their requirements in terms of integrated circuit development.

SIL 2/3 development

Sometimes an integrated circuit can be developed in accordance with all the systematic requirements of SIL 3. This means that all the items relevant to SIL 3 in Table F.1 of IEC 61508-2:2010 are followed, and all design reviews and other analyses are performed to SIL 3. However, the hardware metrics may only be good enough for SIL 2. Such a circuit can be labelled SIL 2/3 or, more generally, SIL M/N, where M is the highest SIL that can be claimed on hardware metrics and N the highest SIL that can be claimed on systematic requirements. Two SIL 2/3 integrated circuits can be used to implement a SIL 3 module or system, because on hardware metrics two SIL 2 items in parallel raise the combination to SIL 3, while on systematic requirements each item is already SIL 3. If the integrated circuit is only SIL 2/2, connecting two of them in parallel does not give SIL 3, because the result is at best SIL 3/2.

Applying hardware metrics to integrated circuits

Even though almost all safety functions are implemented with integrated circuits, it is difficult to specify SFF, DC or PFH limits for a semiconductor on its own. Taking SFF as an example, SIL 3 requires an SFF greater than 99%, but that applies to the complete safety function, not just the integrated circuit. If the integrated circuit achieves 98%, it can still be used to implement a SIL 3 safety function, provided other parts of the system achieve higher coverage to compensate. The safety manual or safety data sheet for an integrated circuit should therefore publish λDD, λDU and λ for use in the system-level FMEDA.

Ideally, the IC requirements are derived from a system-level analysis, but this is usually not the case. Development is in practice a SEooC (safety element out of context; see ISO 26262). With a SEooC, the IC developer has to assume how the IC will be used in the system. The system or module designer must then compare these assumptions with the actual system to determine whether the functional safety of the IC is sufficient for the system. These assumptions can determine whether a given diagnostic is implemented on the IC or at system level, and thus affect IC-level features and functions.
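As an added example (not code from the article or from Analog Devices), the following Python computes the hardware metrics discussed in this section and the previous one from an FMEDA-style table: λS, λDD and λDU, the resulting SFF and DC (showing why the two differ), the single-channel PFH, the case of a 98% SFF IC that still fits inside a SIL 3 function once the rest of the function compensates, and the SIL M/N parallel-combination rule from the SIL 2/3 section. All failure-mode rows and rates are constructed sample values.

```python
"""FMEDA hardware metrics for an IC and for the safety function around it.

Added example, not code from the article or from Analog Devices. Rates are
in FIT; every failure-mode row below is a constructed sample value.
"""
from dataclasses import dataclass

SIL3_SFF_MIN = 0.99        # SFF the article quotes for a SIL 3 function
SIL3_PFH_MAX_FIT = 100.0   # 1e-7/h expressed in FIT


@dataclass(frozen=True)
class FailureMode:
    name: str
    fit: float        # failure rate of this mode, in FIT
    dangerous: bool   # True if the mode can defeat the safety function
    detected: bool    # True if a diagnostic reveals it (matters only when dangerous)


def split_lambda(modes):
    """Return (lambda_S, lambda_DD, lambda_DU); safe failures are pooled
    because neither SFF nor DC separates safe-detected from safe-undetected."""
    lam_s = lam_dd = lam_du = 0.0
    for m in modes:
        if not m.dangerous:
            lam_s += m.fit
        elif m.detected:
            lam_dd += m.fit
        else:
            lam_du += m.fit
    return lam_s, lam_dd, lam_du


def sff(lam_s, lam_dd, lam_du):
    """Safe failure fraction: everything that is not dangerous-undetected."""
    return (lam_s + lam_dd) / (lam_s + lam_dd + lam_du)


def dc(lam_dd, lam_du):
    """Diagnostic coverage: detected share of dangerous failures only, which
    is why it differs from SFF (safe failures are ignored here)."""
    return lam_dd / (lam_dd + lam_du)


def metrics(modes):
    """SFF, DC and single-channel PFH (high demand: PFH is about lambda_DU)."""
    lam_s, lam_dd, lam_du = split_lambda(modes)
    return {"lambda_S": lam_s, "lambda_DD": lam_dd, "lambda_DU": lam_du,
            "SFF": sff(lam_s, lam_dd, lam_du), "DC": dc(lam_dd, lam_du),
            "PFH_FIT": lam_du}


def meets_sil3_limits(m):
    """Check one channel against the SFF and PFH limits quoted in the article."""
    return m["SFF"] >= SIL3_SFF_MIN and m["PFH_FIT"] <= SIL3_PFH_MAX_FIT


def parallel_sil(a, b):
    """Combine two SIL M/N elements in parallel using the article's rule.

    a, b are (M, N): M from hardware metrics, N from systematic requirements.
    Redundancy lifts the hardware metric by one level; the systematic level
    stays at the weaker N. Returns ((M, N) of the pair, claimable SIL).
    """
    m, n = min(a[0], b[0]) + 1, min(a[1], b[1])
    return (m, n), min(m, n)


# Constructed FMEDA rows for one IC: SFF 98 %, DC 95 %, lambda_DU 20 FIT.
IC_MODES = [
    FailureMode("supply out of range, caught by on-chip monitor", 380, True, True),
    FailureMode("ADC stuck code, not covered", 20, True, False),
    FailureMode("output driver fails open (safe)", 600, False, False),
]
# Constructed rows for the rest of the function (sensor, wiring, contactor).
REST_MODES = [
    FailureMode("sensor drift, caught by plausibility check", 1190, True, True),
    FailureMode("contactor contacts welded, not covered", 10, True, False),
    FailureMode("wiring open circuit (safe)", 1800, False, False),
]

if __name__ == "__main__":
    print(meets_sil3_limits(metrics(IC_MODES)))                # False: SFF 0.98 on its own
    print(meets_sil3_limits(metrics(IC_MODES + REST_MODES)))   # True: SFF 0.9925, 30 FIT
    print(parallel_sil((2, 3), (2, 3)), parallel_sil((2, 2), (2, 2)))  # ((3,3),3) ((3,2),2)
```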

Security

The safety and security of a system are inseparable. Currently, the only guidance on security in IEC 61508 or ISO 26262 is a reference to the IEC 62443 series. However, IEC 62443 appears to be aimed at larger items, such as an entire PLC, rather than a single IC. The good news is that most of the requirements in the functional safety standards for eliminating systematic failures also apply to security. The lack of references is interesting, because in some cases hardware can provide a hardware root of trust and functions such as PUFs (physically unclonable functions), which are important for both safety and security.

Conclusion

The existing IEC 61508 covers everything from integrated circuit development to refineries. Although industry-specific standards are used for fields such as machinery and process control, and some guidance on integrated circuits is available in the second edition of IEC 61508, there is no specific standard for integrated circuits. The lack of specific requirements leads to requirements being interpreted arbitrarily, so there may be conflicts between the expectations of different customers and external assessors.

This means that industries will tend to add industry-specific requirements for integrated circuits to their higher-level standards. Such requirements can already be seen in standards such as EN 50402, but the most notable is the 2016 draft of ISO 26262, in which the new Part 11 deals specifically with integrated circuits.

The author hopes that the third edition of IEC 61508, to be released around 2021, will expand and clarify the guidance on integrated circuits. I am very fortunate to be a member of the IEC TC65/SC65A MT61508-1/2 and MT 61508-3 drafting teams and to have the opportunity to take part in this work. Perhaps a future revision will have a specific part for semiconductors, so that the industry can be consistent and an integrated circuit developed to it can meet the requirements of all industries.

Even so, the standard is unlikely to contain everything an IC manufacturer needs to design an IC that meets functional safety requirements. Requirements related to security, EMC and so on will still need to be derived from knowledge of the system application.
