EMBEDDED DESIGN MEMORY
intended for use in ISO 26262
compliant systems must make
diagnostic data available to the host
controller, and provide ways in which
the host can modify the IC’s operation.
Two main features that a NOR Flash IC
provides are:
1. An ECC engine, which maintains
data integrity by detecting and
correcting bit errors in Read operations
2. A User Mode which enables
periodic testing of the ECC engine’s
operation.
In conventional NOR Flash ICs,
the ECC engine operates in the
background, detecting and correcting
bit errors, without alerting the host
controller.
ECC data may be used to facilitate
functional safety compliance in various
ways, as it is capable of correcting
single-bit errors (when there is only a
single-bit variance between the main
data bit and the parity bits); and of
detecting (but not correcting) double-bit
errors.
By providing a status register to the
host controller, a NOR Flash device
can indicate whether the most recent
Read operation had one of three
possible outcomes:
• good data with no error correction
required
• good data after error correction
• bad data that were not able to be
corrected
This ‘after the fact’ information
can be used to help maintain long-term
data integrity, but ISO 26262
requires automotive systems to detect
faults when they occur, and to deploy
counter-measures immediately.
In new automotive NOR Flash ICs,
real-time error information may be
provided via a dedicated Error pin. This
pin may be asserted to indicate the
exact location of un-correctable data.
There is also an option for the user
to select whether the Error pin will
indicate corrected single-bit errors, or
detected and un-correctable double-bit
errors.
The host may then use the
information from the status register,
from the Error pin, or from both, to
build an error register – effectively a
‘map’ of the NOR Flash array, logging
the locations of bit errors.
The host may then set a threshold,
so that when the number of errors
occurring at any one location, such
as a particular block, exceeds the
threshold, that location is ‘retired’
from the memory.
Latent failure
So far, the measures described are
concerned with the handling of single-point
faults, for which the ISO 26262
standard specifies minimum detection
rates for each ASIL grade. But the
standard also requires automotive
systems to detect ‘latent faults’,
that is, faults which do not violate
functional safety requirements on their
own, but which can violate them in
conjunction with a second fault.
In a NOR Flash IC, there is
potential for such a latent fault – a
malfunctioning ECC engine is an
example. In normal operation, NOR
Flash technology is reliable and
rarely requires error correction. So as
long as an ECC engine failure does
not cause it to wrongly correct good
bits, the failure would normally go
unnoticed. But when a single bad
bit goes uncorrected because of the
failed ECC engine (a latent fault), the
two faults in combination pose a risk
to functional safety.
To enable detection of a latent ECC
engine fault, in Winbond’s automotive
NOR Flash ICs it is possible to provide
special User Mode and ECC Encoder
Read commands, enabling the user
to inject a main data pattern into the
memory, and to read back from the
ECC engine the main data and the
parity data that it generates. If the
parity data are incorrect, the ECC
engine can be flagged as faulty.
Likewise, the User Mode may be
used to check ECC decode operation.
In User Mode, the user loads main
data and parity data into the ECC
engine, and with a special ECC
Decoder Read command the main
data may be read back. Single-bit and
double-bit errors may be introduced
into the main data and parity data
to check whether the ECC engine
performs single-bit error correction and
double-bit error detection properly.
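An added example, not from the article or from Winbond: a host-side routine in C that runs the decode check described above, injecting every single-bit and double-bit error into a codeword and confirming correction or detection. The 13-bit SEC-DED Hamming code, the software decoder standing in for the device's ECC Decoder Read command, and all function names are assumptions, since the article does not give the device's code or command set.

```c
#include <stdint.h>
#include <stdio.h>

enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };
typedef enum ecc_status (*ecc_decode_fn)(uint16_t cw, uint8_t *data);
/* Assumed 13-bit layout: bit 0 overall parity; Hamming parity at 1,2,4,8; data elsewhere. */
static const int DATA_POS[8] = {3, 5, 6, 7, 9, 10, 11, 12};
static int parity(uint16_t v) { int p = 0; for (; v; v &= (uint16_t)(v - 1)) p ^= 1; return p; }

/* XOR of the positions (1..12) of all set bits; 0 for a valid codeword. */
static int syndrome(uint16_t cw) {
    int s = 0;
    for (int pos = 1; pos <= 12; pos++) if ((cw >> pos) & 1) s ^= pos;
    return s;
}
static uint8_t extract(uint16_t cw) {
    uint8_t d = 0;
    for (int i = 0; i < 8; i++) if ((cw >> DATA_POS[i]) & 1) d |= (uint8_t)(1u << i);
    return d;
}
uint16_t ecc_encode(uint8_t data) {
    uint16_t cw = 0;
    for (int i = 0; i < 8; i++) if ((data >> i) & 1) cw |= (uint16_t)(1u << DATA_POS[i]);
    int s = syndrome(cw);             /* set parity bits so the syndrome becomes 0 */
    for (int b = 0; b < 4; b++) if ((s >> b) & 1) cw |= (uint16_t)(1u << (1 << b));
    return (uint16_t)(cw | parity(cw));           /* overall parity into bit 0 */
}
enum ecc_status ecc_decode(uint16_t cw, uint8_t *data) {
    int s = syndrome(cw), odd = parity(cw);
    enum ecc_status st = ECC_OK;
    if (odd && s <= 12) { cw ^= (uint16_t)(1u << s); st = ECC_CORRECTED; } /* s == 0: bit 0 itself */
    else if (odd || s) st = ECC_UNCORRECTABLE;    /* double-bit (or worse) error */
    *data = extract(cw);
    return st;
}
/* Models the latent fault: an engine that has silently stopped checking. */
enum ecc_status ecc_decode_dead(uint16_t cw, uint8_t *data) { *data = extract(cw); return ECC_OK; }

/* Inject every single- and double-bit error; return the number of failed checks. */
int ecc_self_test(ecc_decode_fn decode, uint8_t pattern) {
    uint8_t out = 0;
    uint16_t good = ecc_encode(pattern);
    int fails = (decode(good, &out) != ECC_OK || out != pattern);
    for (int a = 0; a < 13; a++) {
        if (decode((uint16_t)(good ^ (1u << a)), &out) != ECC_CORRECTED || out != pattern) fails++;
        for (int b = a + 1; b < 13; b++)
            if (decode((uint16_t)(good ^ (1u << a) ^ (1u << b)), &out) != ECC_UNCORRECTABLE) fails++;
    }
    return fails;
}
int main(void) { printf("%d %d\n", ecc_self_test(ecc_decode, 0xA5), ecc_self_test(ecc_decode_dead, 0xA5)); return 0; }
```

A non-zero return is the condition on which the host would flag the ECC engine as faulty; the dead decoder passes the clean read and fails only once errors are injected, which is why the fault stays latent in normal operation.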
In response to demand from
manufacturers of ADAS products and
other automotive systems, Winbond
is integrating functional safety into
a family of automotive NOR Flash
products available later this year.
By providing both SPI NOR and
Serial NAND solutions for functional
safety applications, Winbond is able
to offer the user the freedom to select
the appropriate Flash memory type for
the requirements of their design.
Figure 2: Minimum detection rates for single-point and latent faults, and maximum failure rates as specified by the ISO 26262 standard
Author details: Anil Gupta is Technical Executive, Winbond
Figure 3: The error log in Winbond Serial NAND helps identify potential weak cells or blocks
16 24 March 2020 www.newelectronics.co.uk