
Semiconductors are Special

Integrated circuits are special. At least it seems so according to IEC 61508-2:2010 7.4.6.1, where note 1 states, “This standard does not contain specific requirements relating to the avoidance of systematic faults during the design of mass-produced electronic integrated circuits such as standard microprocessors. This is because the likelihood of faults in such devices is minimized by stringent development procedures, rigorous testing, and extensive experience of use with significant feedback from users.”

Translated with some Irish slang thrown in – the semiconductor boys are a great bunch of lads and never make any mistakes.

But let’s step back a moment.

Integrated circuits are at the heart of any modern safety function.

  • You need integrated circuits to run the software.
  • You need integrated circuits to make measurements in the real world and convert them into values that software can interpret.
  • You need integrated circuits to open and close valves and other end effectors.
  • You need integrated circuits to communicate, whether wired or wireless.
  • You need integrated circuits to regulate voltages to power other integrated circuits.
  • Integrated circuits can even be the sensors, e.g., 3D TOF, multi-turn encoders, or temperature sensors.
  • You need integrated circuits to read this blog.

It is not wrong to say they are the building blocks of modern functional safety.

So, what is an integrated circuit? An integrated circuit is a collection of fundamental devices, typically MOSFETs, which turn on and off and can be combined in their thousands, millions, and billions to implement very complex functions, including CPUs, RAMs, Flash memory, ADCs, DACs, and so on. Despite the many transistors, integrated circuits are relatively cheap because thousands of integrated circuits are simultaneously manufactured on a single wafer before being diced (cut up) and packaged to facilitate mounting them on a PCB (printed circuit board). While analog circuits such as op-amps and ADC cores are still designed using schematics, digital circuits are designed using an HDL (hardware description language). Then, using something similar to a compiler, they are converted into individual MOSFETs on a chip. Getting the first of a new IC taped out to a fab, fabricated, packaged, and debugged can easily cost tens of millions of dollars, but thereafter, they can be produced for less than a dollar each in many cases.

Note - See a related blog on the topic of Verilog software here.

Figure 1 A package containing several die and some passive components

The design of integrated circuits uses a lot of software tools to

  • Simulate the design
  • Instantiate the design in HDL or schematic form
  • Convert the design into a layout
  • Verify the functionality

Because of the high price of getting that first revision right, the IC development process has a lot of verification and validation, even when functional safety is not a concern. At the risk of annoying my software colleagues, developing an IC is unlike developing software, where you can make a change and recompile. Iterating to a new revision of silicon requires the changes to be made, a tape-out to a wafer fab, producing a mask set, and then production of the new wafer, dicing it, and packaging it, which can cost millions of dollars and six months of delay. To avoid this cost, most techniques advocated to reduce design errors in a semiconductor are followed even by those who have never heard of IEC 61508. Those techniques are found in IEC 61508-2:2010 Annex F and Table F.1. I recently blogged on this Annex. See here.

Figure 2 is an extract of the recommended techniques for an integrated circuit design from IEC 61508:2010.

Normally, if developing a safety system, you would develop your hardware and software to IEC 61508 or one of its sector-specific versions, such as IEC 61800-5-2. However, IEC 61508 specifically allows you to develop a safety system using standard integrated circuits that were not developed to a safety standard. There isn’t a lot of guidance in IEC 61508:2010 to cover this, but revision 3 will have more (CDV due out February/March 2025). There is a document from the IFA in Germany, which, while not written with integrated circuits in mind, has a good discussion of the topic.


Figure 3 A relevant document from the IFA in Germany

For the element or sub-system integrating the IC, let’s look at what is required for route 1S (development in full compliance with the standard) according to IEC 61508-2:2010. Because integrated circuits are special, the semiconductor design companies, or at least their customers, can make a mass-produced claim for the integrated circuits as shown below.

Only in the case of newly released integrated circuits that are not shipping in volume do you need to worry about IEC 61508-2:2010 Annex F. Only if there is doubt that the semiconductor is shipping in volume do you have to worry about meeting the field experience requirements. The paragraph talks about doubt, but nobody seems to have such doubt.  Even if there is doubt, the required quantities are quite low.


Figure 5 Examples of low and high effectiveness for field experience from IEC 61508-2:2010 table B.6

Combining table B.6 and the note from IEC 61508-2:2010 B.5.4 means that you need, for

  • SIL 2 – 10 different applications, each running with one integrated circuit for 1 year in the field!!
  • SIL 3 (by interpolation between the SIL 2 and SIL 4 requirements) – 10 different applications, each running with 10 integrated circuits in the field for 1 year
  • SIL 4 – 10 different applications, each running with 100 integrated circuits in the field for 1 year!!

Proven in use (route 2S) has similar arguments based on confidence from the field, but the quantities based on IEC 61508-7:2010 Annex D are much larger at

  • SIL 2 – 3,000 devices for 1 year
  • SIL 3 – 30,000 devices for 1 year
  • SIL 4 – 300,000 devices for 1 year

Despite the fact that proven in use requires much more evidence from the field, conventional wisdom is that proven in use is not available to complicated ICs like microcontrollers (uC), but the mass-produced argument is!

Another interesting requirement from the table above is the confidence level. Normally, you only require a 70% confidence level on your reliability predictions. The table above requires 95% for SIL 1 and 2, and 99% by interpolation for SIL 3. Since most people use something like SN29500 for their reliability predictions, they are already at the 99% confidence level (I have been told SN29500 is at the 99% confidence level but have never seen this stated in SN29500).
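To see what the device-year quantities and confidence levels above actually buy you, here is an added calculator (not part of the original blog or of any standard's text). It assumes the common zero-failure bound from reliability statistics, λ ≤ −ln(1 − C) / T, where T is total device-hours, and maps the result onto the IEC 61508-1 Table 3 PFH bands for high-demand / continuous mode; 8,760 hours per device-year is an assumption of round-the-clock operation.

```python
import math

HOURS_PER_YEAR = 8760  # assumption: devices run 24 h/day

# IEC 61508-1 Table 3: PFH bands (per hour) for high-demand / continuous mode
SIL_PFH_BANDS = [
    ("SIL 4", 1e-9, 1e-8),
    ("SIL 3", 1e-8, 1e-7),
    ("SIL 2", 1e-7, 1e-6),
    ("SIL 1", 1e-6, 1e-5),
]


def demonstrated_failure_rate(devices: int, years: float, confidence: float) -> float:
    """Upper bound (per hour) on the failure rate that zero-failure field
    experience of `devices` units over `years` demonstrates at `confidence`.
    Assumed model: chi-square bound with zero observed failures, which
    reduces to -ln(1 - C) / T for T total device-hours."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    total_hours = devices * years * HOURS_PER_YEAR
    return -math.log(1.0 - confidence) / total_hours


def device_years_needed(target_rate: float, confidence: float) -> int:
    """Zero-failure device-years required to demonstrate a rate below target_rate."""
    hours = -math.log(1.0 - confidence) / target_rate
    return math.ceil(hours / HOURS_PER_YEAR)


def sil_band(pfh: float) -> str:
    """Name the continuous-mode SIL band a per-hour failure rate falls into."""
    for name, low, high in SIL_PFH_BANDS:
        if low <= pfh < high:
            return name
    return "below SIL 1" if pfh >= 1e-5 else "beyond SIL 4 scale"


if __name__ == "__main__":
    # The blog's quantities, evaluated at the 70 %, 95 % and 99 % levels it mentions
    cases = [("mass-produced SIL 2", 10), ("mass-produced SIL 4", 1000),
             ("proven in use SIL 2", 3000), ("proven in use SIL 4", 300000)]
    for label, n in cases:
        for c in (0.70, 0.95, 0.99):
            rate = demonstrated_failure_rate(n, 1, c)
            print(f"{label:20s} {n:>7d} device-years @ {c:.0%}: "
                  f"{rate:.2e}/h -> {sil_band(rate)}")
```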

With the mass-produced route available for industrial safety designs, it probably explains why there are very few safety-rated integrated circuits available for industrial applications, whereas in automotive, being ISO 26262 certified is table stakes.

There are some additional constraints that the likes of TUV, Exida, SIRA, and UL… insist on if using standard components instead of those developed to a safety standard, but these are not clearly laid out in IEC 61508:2010. They will be better set out in the new IEC 61508 revision 3, currently scheduled for release in 2027. These include the requirements to

  • Limit the use of on-chip diagnostics to detect on-chip failures
  • Not rely on anything, including the reset pin, of a standard IC to achieve a safe state
  • Use diverse redundancy or other methods to bolster the claim for systematic capability

These approaches are not unique to semiconductors, for instance, see this paper entitled “Differences between using standard components or safety components to implement safety functions of machinery” from the IFA in Germany.

If you compare the above to the synthesis of elements in IEC 61508-2:2010 7.4.3, where you are only allowed to combine two independent SC (systematic capability) 2 elements to make an SC 3 element, the above approach for integrated circuits allows you to claim either that SC 0 = SC 3 or that SC 0 with an independent SC 0 = SC 3. I heard someone criticize this once as rubbish + rubbish = rubbish. We still have work to be done on IEC 61508:2027.

In this series, I will write a future blog comparing proven in-use and field experience in more detail.

Check back next month on the second Tuesday for the next blog in this series. Until then, I hope to post “mini-blogs” on the other Tuesdays in the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.
