# Driver Assistance Pushes New Flash Functionalities Anil Gupta Technical Executive Winbond Electronics Corporation # **Automotive and ADAS terminology** ECC use to increase reliability of Flash (to extend useful life) not disclosed to host system • ADAS, Advanced Driver Assistance Systems: ADAS are systems to help the driver in the driving process #### Functional Safety: Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs #### ISO26262: ISO 26262 is an international standard for functional safety of electronic systems in automobiles defined by the International Organization for Standardization (ISO) # **Automotive and ADAS terminology** (contd.) #### • ASIL, Automotive Safety Integrity Level: ASIL is a risk classification scheme defined by the ISO 26262, ASIL-D (e.g. inadvertent airbag deployment) ranks highest whereas ASIL-A (e.g. rear light malfunction) ranks lowest for safety level | | ASIL-A | ASIL-B | ASIL-C | ASIL-D | |---------------------------------|--------------|-----------|-----------|----------| | SPF (Single-point Fault) Metric | Not relevant | > 90% | > 97% | > 99% | | LF (Latent Fault) Metric | Not relevant | > 60% | > 80% | > 90% | | Failure rate | < 1,000 FIT | < 100 FIT | < 100 FIT | < 10 FIT | #### SPF (Single Point Fault) Metric: SPF results to a single-point failure "which leads directly to the violation of a safety goal", and therefore quick detection or mitigation is highly recommended #### • LF (Latent Fault) Metric: LF doesn't violate functional safety goal(s) itself, but can violate functional safety goal(s) in conjunction with second fault #### • SEC (Single-bit error correction) and DED (double-bit error detection): 1-bit or single-bit error correction (and, 2-bit or double-bit error detection) may be performed by ECC at multi-byte granularity in NOR Flash. The terms SEC and DED are self explanatory # Flash Memory reporting ECC information to Host System #### Two methods to report ECC/Error information to Host system: 1. Status Register can be used to indicate if preceding read had (i) good data without usage of ECC; (ii) good data, corrected by ECC (e.g. SEC); or (iii) bad data, uncorrectable by ECC (e.g. DED) 2. Error pin can indicate occurrence and address location of SEC or DED in real time (choice of SEC or DED selectable by customer). Error pin can be also used for host system interrupt, e.g. in case of DED # Error information can help retire "weak" (i.e. not robust) Flash memory **Flash Memory** (Illustrative example only) - NOR Flash is generally quite robust, and ECC usage should be very minimal - Host may build Error Reg. (in Flash Array), based on status reg. and/or information by Error pin - Host system may decide to assert interrupt when Error Reg. count reached predetermined level - Error count more than predetermined level may indicate "weak" (not robust) Flash memory # **Example/illustration of SPF (Single-point Fault)** - In an example, ECC engine malfunction corrupts fault free data output from Flash Array - Such SPF malfunction must be quickly detected (ASIL-B:90%, ASIL-D:99%) to mitigate adverse effects - Simple test by host system will show that output data (read from Flash Array) doesn't match with expected data Note: Only main data bits are shown (and parity bits are not shown) # **Example/illustration of LF (Latent Fault)** Note: Both LF in same functional path - ECC engine not performing ECC correction may be LF, as long as it doesn't corrupt fault free data (b2), since it won't have adverse affect if ECC is not required for data from Flash array. The ISO26262 recommends LF coverage level of only 60% for ASIL-B and 90% for ASIL-D - One bad Flash bit (a1, potentially correctable by ECC engine) is another example of LF, since good ECC engine should be able to correct the bad bit - But both faults put together, i.e. (1) ECC engine not performing ECC correction, (2) one bad Flash bit (a1), can create "fatal" fault (a2) - Therefore checking for ECC engine is recommended at each power-up cycle Note: 1. Although other means such as CRC can indicate error, it is also important to identify location of error 2. Only main data bits are shown (and parity bits are not shown) # User Mode commands to check ECC Engine User Mode command to load data pattern to check ECC Engine calculation Main Data Parity Data - ECC Encoder Check - Special user Mode command to load "main data" pattern - Enable with special ECC Encoder Read command - Read out "main data + parity data" with any read command - ECC Decoder Check - Special user Mode command to load "main data + parity data" pattern - Gives ability to inject single/multiple bit errors to check ECC engine - Enable with special ECC Decoder Read command - Read out "main data" with any read command | . <u>Load Pattern</u> | | | 2. ECC output (selectable for Encoder or Decoder) | | | | | |-----------------------|---------|--------------|---------------------------------------------------|------|---------|--------------|---------------------------| | CS/ | | | | CS/ | | | | | DI | Command | Data Pattern | | DO ( | Command | Dummy clocks | Encoder or Decoder output | ### <u>User margin mode to help perform proactive "refresh"</u> - User margin read modes give ability to detect "weak 1" and "weak 0" bits - Weak "0" is more common due to charge loss - Weak "0" bit such as (1), can be proactively refreshed by programming - Proactive "refresh" helps to alleviate potential failure in future time ## Summary of New features in Flash and potential checks by host system Flash Memory [Winbond new Quad (3V) and Octal (1.8V) families incorporate some of these features] #### Following features are recommended in Flash, with **special considerations to functional safety**: - 1. ECC: SEC (Single Error Correction) and DED (Double Error Correction) on multi-byte boundary - 2. Status Reg. indicates: Good data without/with(SEC) ECC, and uncorrectable data (e.g. DED) - **3. Error pin**: Indicates output data is uncorrectable by ECC (i.e. DED) - Pin is asserted (in real time) to indicate exact address location of uncorrectable data - Selectable option (thru status reg. bit) for Error pin to indicate SEC or DED (default DED) - 4. Error Reg/Count: Host can build Error reg. in Flash from Status Reg. or Error pin information - Host may decide to take action (e.g. interrupt) if error count exceeds predetermined level - 5. Check ECC engine: Special user instructions provided to inject error(s) and check ECC engine - Such check of ECC engine/logic may be performed by Host system each power-on cycle - 6. CRC: Cyclic redundancy check feature may be added to check data integrity efficiently in Flash - Host can still detect error by CRC (or, check sum) without special feature offered by Flash - 7. User margin mode: Role of traditional margin test mode can be extended as user accessible - Host can be proactive to detect and refresh weak Flash bit(s), before it has chance to fail # Thank You