
Techniques and Measures to Avoid Systematic Faults During Integrated Circuit Design

This blog will be relevant to anyone designing an integrated circuit for use in a safety system or using one to build a safety system.

IEC 61508-2:2010 Annex F is an informative annex of revision 2 of IEC 61508. It gives the techniques and measures to be applied during the design of an integrated circuit claiming compliance with the standard.

Note – the 2010 version uses the term ASIC, but revision 3 of IEC 61508 will just say semiconductor.

The use of Annex F is called out from the main body of IEC 61508-2 as shown below.

Figure 1 Callout of IEC 61508-2 Annex F in main body of the standard

Annex F is referenced again, more strongly, in sub-clause 7.4.6.7, where it states “An appropriate group of techniques and measures shall be used that are essential to prevent the introduction of faults during the design and development of ASICs”, with a note then referring to Annex F. So it doesn’t rule out using a different set of techniques, but it does informatively point you to Annex F.

This means that for a new IC, a completed table F.1 is a way to show that the new IC, which has no experience in the field, is good enough to use in a safety design according to IEC 61508.

The main content of Annex F is two tables, F.1 and F.2, which I will refer to as checklists. There is one for ASICs and one for the users of FPGAs. The start of the ASIC checklist is shown below.

Figure 2 - A sample from IEC 61508-2 Annex F table F.1

The techniques and measures are listed by design phase including “Design entry”, “Synthesis” and “chip manufacturing”. This can lead to what looks like repetition in the table where something like test coverage is mentioned across several sections.

Each technique has a number and a brief description with an additional description of each technique given in Annex E of part 7.

Thereafter, depending on the SIL of the intended safety function, the application of the technique is marked as NR (not recommended), R (recommended), HR (highly recommended) or HR* (effectively mandatory, although the annex cannot say mandatory because it is informative).

Note – I am not 100% certain of this, but I now believe an informative annex can contain mandatory requirements according to the ISO/IEC rules. The use of the annex can be optional and the annex informative, but if you do choose to follow it then those mandatory requirements are mandatory.

If something is marked as “R” or “HR” you cannot simply ignore it. If you choose not to do something which is recommended, you need to explain why it doesn’t need to be done in your case. If you don’t do something which is highly recommended, your justification should be more elaborate.

Some techniques can have the same level of recommendation independent of the SIL of the safety function, but others can go from R to HR to HR* as the SIL goes from 1 to 4. Personally, I am not sure I like the idea of a single IC being SIL 4!

Some of the requirements are not just binary choices. Technique number 27 is shown below as an example: it covers scan test coverage and gives a recommended scan coverage figure of 99% for SIL 3 and higher.

Figure 3 - An example requirement
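As an added example (not code from the post or from the standard), a small Python checker that applies the reading rules above: NR items need nothing, R and HR items skipped without a justification fail, an HR deviation is flagged for the more elaborate justification an assessor will expect, HR* items cannot be skipped, and a numeric target such as the 99% scan coverage is checked against the measured figure. The technique numbers, names and levels per SIL are constructed placeholders, not copied from table F.1.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Technique:
    number: int
    name: str
    by_sil: dict                                 # recommendation level per SIL: NR, R, HR or HR*
    target: dict = field(default_factory=dict)   # numeric minimum per SIL, if the technique has one

@dataclass
class Evidence:
    applied: bool
    justification: str = ""        # rationale recorded when a technique is not applied
    value: Optional[float] = None  # measured figure, e.g. scan coverage in percent

def assess(techniques, evidence, sil):
    """Return {technique number: (verdict, detail)} for the target SIL."""
    out = {}
    for t in techniques:
        level = t.by_sil[sil]
        ev = evidence.get(t.number, Evidence(applied=False))
        if level == "NR":
            out[t.number] = ("ok", "not recommended at SIL %d" % sil)
        elif not ev.applied:
            if level == "HR*":
                out[t.number] = ("fail", "HR* is effectively mandatory and cannot be skipped")
            elif not ev.justification:
                out[t.number] = ("fail", "%s technique skipped without justification" % level)
            elif level == "HR":
                out[t.number] = ("review", "HR deviation needs a more elaborate justification")
            else:
                out[t.number] = ("justified", ev.justification)
        elif sil in t.target and (ev.value is None or ev.value < t.target[sil]):
            out[t.number] = ("fail", "measured %s below target %s" % (ev.value, t.target[sil]))
        else:
            out[t.number] = ("ok", "applied")
    return out
def compliant(results):
    """True when nothing failed; 'review' items still need assessor sign-off."""
    return all(verdict != "fail" for verdict, _ in results.values())

# Constructed sample: levels per SIL are placeholders, not from table F.1; the 99 % target is the post's.
SAMPLE = [
    Technique(1, "Sample design-entry technique", {1: "R", 2: "HR", 3: "HR", 4: "HR*"}),
    Technique(27, "Scan test coverage", {1: "R", 2: "R", 3: "HR", 4: "HR"}, {3: 99.0, 4: 99.0}),
]
SAMPLE_EVIDENCE = {
    1: Evidence(applied=False, justification="Small glue-logic block, reviewed line by line"),
    27: Evidence(applied=True, value=98.4),
}
```

Running assess(SAMPLE, SAMPLE_EVIDENCE, 3) flags technique 27 as a failure (98.4% below the 99% target) and technique 1 for review, while the same evidence passes at SIL 1.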

There is a second table, F.2, that applies to programmable logic ICs such as FPGAs and CPLDs. The requirements are similar to those in table F.1, but there is one big thing to remember: while table F.1 applies to the companies that design FPGAs, such as Xilinx (now part of AMD), table F.2 applies to the users of FPGAs, i.e. Xilinx/AMD’s customers. This is because the users of FPGAs are effectively also designing an IC.

It should be noted that there are additional requirements in F.1 that are not part of the tables. These include things such as:

Item b) All tools, libraries and manufacturing processes should be proven in use

But most of these additional requirements are already covered by other items in the checklist.

In the latest draft of IEC 61508 revision 3, due out around 2027, the checklist from 2010 has been augmented, including:

  • Column headings are now SC (systematic capability) as opposed to SIL
  • Table F.1 (ASICs) and table F.2 (FPGA) have been combined
  • The tables have been extended to almost 100 techniques and measures, now also covering analog and mixed-signal ICs
  • The checklist is now part of a much larger annex which is normative

What is described above is from IEC 61508. ISO 26262 has its own version of this checklist depending on the technology type; for digital ICs see ISO 26262-11:2018 table 31. Many of the ISO 26262 techniques use exactly the same wording as found in IEC 61508, but the techniques are not modulated by ASIL and are specifically called out only as examples. ISO 26262:2018 already has tables with techniques for analog and mixed-signal ICs.

Check back next month on the second Tuesday of the month for the next blog in this series. Until then I hope to post “mini blogs” on the other Tuesdays in the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.


For the full suite of ADI blogs on the EngineerZone platform see here.
