- Home
- Machinery Directive
- History of the Machinery Directive 2006/42/EC
- Machinery directive 2006/42/EC
- Whereas of machinery directive 2006/42/EC
- Articles of machinery directive 2006/42/EC
- Article 1 of machinery directive 2006/42/EC - Scope
- Article 2 of machinery directive 2006/42/EC - Definitions
- Article 3 : Specific Directives of machinery directive 2006/42/EC
- Article 4 : Market surveillance of machinery directive 2006/42/EC
- Article 5 : Placing on the market and putting into service - machinery directive 2006/42/EC
- Article 6 : Freedom of movement - machinery directive 2006/42/EC
- Article 7 : Presumption of conformity and harmonised standards - machinery directive 2006/42/EC
- Article 8 : Specific measures - machinery directive 2006/42/EC
- Article 9 : Specific measures to deal with potentially hazardous machinery - machinery directive 2006/42/EC
- Article 10 : Procedure for disputing a harmonised standard - machinery directive 2006/42/EC
- Article 11 : Safeguard clause - machinery directive 2006/42/EC
- Article 12 : Procedures for assessing the conformity of machinery - machinery directive 2006/42/EC
- Article 13 : Procedure for partly completed machinery - 2006/42/EC
- Article 14 : Notified bodies - machinery directive 2006/42/EC
- Article 15 : Installation and use of machinery - machinery directive 2006/42/EC
- Article 16 : CE marking - machinery directive 2006/42/EC
- Article 17 : Non-conformity of marking - machinery directive 2006/42/EC
- Article 18 : Confidentiality - machinery directive 2006/42/EC
- Article 19 : Cooperation between Member States - machinery directive 2006/42/EC
- Article 20 : Legal remedies - machinery directive 2006/42/EC
- Article 21 : Dissemination of information - machinery directive 2006/42/EC
- Article 22 : Committee - machinery directive 2006/42/EC
- Article 23 : Penalties - machinery directive 2006/42/EC
- Article 24 : Amendment of Directive 95/16/EC - machinery directive 2006/42/EC
- Article 25 : Repeal - machinery directive 2006/42/EC
- Article 26 : Transposition - machinery directive 2006/42/EC
- Article 27 : Derogation - machinery directive 2006/42/EC
- Article 28 : Entry into force - machinery directive 2006/42/EC
- Article 29 : Addressees - machinery directive 2006/42/EC
- ANNEX I of machinery directive 2006/42/EC - Summary
- GENERAL PRINCIPLES of annex 1 of machinery directive 2006/42/EC
- 1 ESSENTIAL HEALTH AND SAFETY REQUIREMENTS of annex 1 - definitions - machinery directive 2006/42/EC
- Article 1.1.2. Principles of safety integration of annex 1 machinery directive 2006/42/EC
- Article 1.1.3. Materials and products annex 1 machinery directive 2006/42/EC
- Article 1.1.4. Lighting - annex 1 machinery directive 2006/42/EC
- Article 1.1.5. Design of machinery to facilitate its handling - annex 1 machinery directive 2006/42/EC
- Article 1.1.6. Ergonomics - annex 1 machinery directive 2006/42/EC
- Article 1.1.7. Operating positions - annex 1 machinery directive 2006/42/EC
- Article 1.1.8. Seating - annex 1 machinery directive 2006/42/EC
- Article 1.2.1. Safety and reliability of control systems - annex 1 of machinery directive 2006/42/EC
- Article 1.2.2. Control devices - annex 1 of machinery directive 2006/42/EC
- Article 1.2.3. Starting - annex 1 of machinery directive 2006/42/EC
- Article 1.2.4. Stopping - annex 1 of machinery directive 2006/42/EC
- Article 1.2.4.4. Assembly of machinery - Annex 1 of machinery directive 2006/42/EC
- Article 1.2.5. Selection of control or operating modes - annex 1 of machinery directive 2006/42/EC
- Article 1.2.6. Failure of the power supply - annex 1 of machinery directive 2006/42/EC
- Article 1.3. PROTECTION AGAINST MECHANICAL HAZARDS - annex 1 of machinery directive 2006/42/EC
- Article 1.4. REQUIRED CHARACTERISTICS OF GUARDS AND PROTECTIVE DEVICES - annex 1 of machinery directive 2006/42/EC
- Article 1.5. RISKS DUE TO OTHER HAZARDS - annex 1 of machinery directive 2006/42/EC
- Article 1.6. MAINTENANCE - annex 1 of machinery directive 2006/42/EC
- Article 1.7. INFORMATION - annex 1 of machinery directive 2006/42/EC
- Article 2. SUPPLEMENTARY ESSENTIAL HEALTH AND SAFETY REQUIREMENTS - annex 1 machinery directive 2006/42/EC
- Article 3. SUPPLEMENTARY ESSENTIAL HEALTH TO THE MOBILITY OF MACHINERY - annex 1 machinery directive 2006/42/EC
- Article 4. SUPPLEMENTARY REQUIREMENTS TO OFFSET HAZARDS DUE TO LIFTING OPERATIONS of machinery directive 2006/42/EC
- Article 5. SUPPLEMENTARY ESSENTIAL HEALTH AND SAFETY REQUIREMENTS FOR UNDERGROUND WORK of machinery directive 2006/42/EC
- Article 6. SUPPLEMENTARY REQUIREMENTS - HAZARDS DUE TO THE LIFTING OF PERSONS of machinery directive 2006/42/EC
- Annex II : Declarations of CONFORMITY OF THE MACHINERY, DECLARATION OF INCORPORATION - machinery directive 2006/42/EC
- Annex III of machinery directive 2006/42/EC - CE marking
- Annex IV of machinery directive 2006/42/EC
- Annex V of machinery directive 2006/42/EC
- Annex VI of machinery directive 2006/42/EC
- Annex VII - Technical file for machinery - machinery directive 2006/42/EC
- Annex VIII - Assessment of conformity of machinery directive 2006/42/EC
- Annex IX of machinery directive 2006/42/EC - EC type-examination
- Annex X of machinery directive 2006/42/EC - Full quality assurance
- Annex XI of machinery directive 2006/42/EC - Minimum criteria for the notification of bodies
- Annex XII of machinery directive 2006/42/EC - Correlation table between machinery directive 2006/42/CE and MD 1998/37/CE
- Machinery directive 1998/37/EC
- considerings of machinery directive 1998/37/CE
- articles of 1998/37/EC machinery directive
- Annex I of 1998/37/CE machinery directive
- Annex II of 1998/37/EC machinery directive
- Annex III of machinery directive 1998/37/CE
- Annex IV of machine directive 1998/37/EC
- Annex V of machines directive 1998/37/CE
- Annex VI of machines directive 1998/37/EC
- Annex VII of machines directive 1998/37/EC
- Annex VIII of 1998/37/CE machine directive
- Annex IX of machinery directive 1998/37/CE
- Machinery directive 1989/392/EC
- whereas of machinery directive machines 1989/392/EEC
- articles of machinery directive 1989/392/EEC
- Annex I of machinery directive 1989/392/EEC
- Annex II of machine directive 1989/392/EEC
- Annex III of machinery directive 1989/392/EEC
- Annex IV of machinery directive 1989/392/EEC
- Annex V of machinery directive 1989/392/EEC
- Annex VI of machine directive 1989/392/EEC
- Annexe VII of machinery directive 1989/392/EEC
- Amendments of 1989/392/EEC directive
- ATEX directives
- ATEX 94/9/EC directive
- Whereas of ATEX 94/9/CE directive
- Articles of ATEX 94/9/CE directive
- article 1 ATEX 94/9/EC directive
- article 2 ATEX 94/9/EC directive
- article 3 ATEX 94/9/EC directive
- article 4 : ATEX 94/9/EC directive
- article 5 : ATEX 94/9/EC directive
- article 6 : ATEX 94/9/EC directive
- article 7 : ATEX 94/9/EC directive
- article 8 ATEX 94/9/EC directive
- article 9 : ATEX 94/9/EC directive
- article 10 : ATEX 94/9/EC directive
- article 11 : ATEX 94/9/EC directive
- article 12 : ATEX 94/9/EC directive
- article 13 : ATEX 94/9/EC directive
- article 14 : ATEX 94/9/EC directive
- article 15 : ATEX 94/9/EC directive
- article 16 : ATEX 94/9/EC directive
- ANNEX I of ATEX 94/9/EC directive : CRITERIA DETERMINING THE CLASSIFICATION OF EQUIPMENT-GROUPS INTO CATEGORIES
- ANNEX II of ATEX 94/9/EC : directive ESSENTIAL HEALTH AND SAFETY REQUIREMENTS -EHSR
- ANNEX III of ATEX 94/9/EC directive : MODULE EC-TYPE EXAMINATION
- ANNEX IV of ATEX 94/9/EC directive : MODULE PRODUCTION QUALITY ASSURANCE
- ANNEX V of ATEX 94/9/EC directive : MODULE PRODUCT VERIFICATION
- ANNEX VI of ATEX 94/9/EC directive : MODULE CONFORMITY TO TYPE
- ANNEX VII of ATEX 94/9/EC directive : MODULE PRODUCT QUALITY ASSURANCE
- ANNEX VIII of ATEX 94/9/EC directive : MODULE INTERNAL CONTROL OF PRODUCTION
- ANNEX IX of ATEX 94/9/EC directive : MODULE UNIT VERIFICATION
- ANNEX X of ATEX 94/9/EC directive : CE Marking - Content of the EC declaration of conformity
- ANNEX XI of ATEX 94/9/EC directive: NOTIFICATION OF BODIES
- ATEX 99/92/EC Directive
- ATEX DIRECTIVE 2014/34/UE
- whereas of 2014/34/UE ATEX directive
- Articles of ATEX 2014/34/UE directive
- Annex 1 of ATEX 2014/34/UE directive
- Annex 2 of the ATEX 2014/34/UE directive
- Annex 3 of ATEX 2014/34/UE directive
- Annex 4 of ATEX 2014/34/UE directive
- Annex 5 of ATEX 2014/34/UE directive
- Annex 6 of ATEX 2014/34/UE directive
- Annex 7 of ATEX 94/9/EC directive
- Annex 8 of the ATEX 2014/34/UE directive
- Annex 9 of the ATEX 2014/34/UE directive
- Annex 10 of ATEX 2014/34/UE directive
- Annex 11 of ATEX 2014/34/UE directive
- Annex 12 of the ATEX 2014/34/UE directive
- Audits in Ex field - EN 13980, OD 005 and EN ISO/CEI 80079-34
- New ATEX directive
- RASE european project
- ATEX 94/9/EC directive
- IECEX
- Standardization & European Regulation
- Safety of machines : Standardization and European regulations
- European regulation for machines - standardization for machines - harmonized standards
- Standardization in machinery
- EN ISO 12100 - Décembre 2010
- EN ISO 12100-1 - January 2004
- EN ISO 12100-1:2003/A1
- EN ISO 12100-2 November 2003
- EN ISO 12100-2:2003/A1
- EN ISO 14121-1 September 2007
- ISO/TR 14121-2 - 2007
- EN 50205:2002 standard - Relays with forcibly guided (mechanically linked) contacts
- ISO 11161:2007
- ISO 13849-1:2006
- ISO 13849-2:2012
- ISO 13850:2006 - Safety of machinery -- Emergency stop -- Principles for design
- ISO 13851:2002 - Safety of machinery -- Two-hand control devices -- Functional aspects and design principles
- ISO 13854:1996 Safety of machinery - Minimum gaps to avoid crushing of parts of the human body
- ISO 13855:2010 - Safety of machinery -- Positioning of safeguards with respect to the approach speeds of parts of the human body
- ISO 13856-1:2013 Safety of machinery -- Pressure-sensitive protective devices -- Part 1: General principles
- ISO 13856-2:2013 - Safety of machinery -- Pressure-sensitive protective devices -- Part 2: General principles for design testing
- ISO 13856-3:2013 Safety of machinery -- Pressure-sensitive protective devices - Part 3: General principles for design
- ISO 13857:2008 Safety of machinery -- Safety distances to prevent hazard zones
- ISO 14118:2000 - Safety of machinery -- Prevention of unexpected start-up
- ISO 14119:2013- Interlocking devices associated with guards
- ISO 14120:2002 - Guards -- General requirements for the design and construction
- ISO 14122-1:2001 - Permanent means of access to machinery
- ISO 14122-2:2001 - Permanent means of access to machinery
- ISO 14122-4:2004 - Permanent means of access to machinery
- ISO 14123-1:1998 - Reduction of risks to health from hazardous substances emitted by machinery
- ISO 14123-2:1998 - Reduction of risks to health from hazardous substances emitted by machinery
- ISO 14159:2002 - Hygiene requirements for the design of machinery
- ISO 19353:2005 -- Fire prevention and protection
- ISO/AWI 17305 - Safety of machinery - Safety functions of control systems
- ISO/DTR 22100-2 - Safety of machinery -- Part 2: How ISO 12100 relates to ISO 13849-1
- ISO/TR 14121-2:2012 - Risk assessment - Part 2: Practical guidance
- ISO/TR 18569:2004 - Guidelines for the understanding and use of safety of machinery standards
- ISO/TR 23849:2010 - Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems
- STABILITY DATES FOR Machinery STANDARDS
- harmonized standards list - machinery-directive 2006/42/CE
- Publication of harmonised standards for machinery directive 2006/42/EC - 9.3.2018
- Harmonized standard list - machinery directive 2006/42/EC - 9.6.2017
- Harmonized standards for machinery - OJ C 2016/C173/01 of 15/05/2016
- Harmonized standards for machinery -OJ C 2016/C14/102 of 15/01/2016
- Harmonized standards for machinery - corrigendum OJ C 2015/C 087/03 of 13/03/2015
- harmonized standards for machinery - OJ C 2015/C 054/01 of 13/02/2015
- Application guide for machinery directive 2006/42/EC
- Guide to application of the machinery directive 2006/42/CE - July 2017
- Guide to application of the Machinery Directive 2006/42/EC - second edition June 2010
- Guide to application of machinery directive - 1-2 : The citations
- Guide to application of machinery directive - § 3 to § 31 The Recitals
- Guide to application of machinery directive - § 32 to § 156 - The Articles
- Guide to application of machinery directive - § 157 to § 381 - Annex I
- Guide to application of machinery directive - § 382 to § 386 - ANNEX II Declarations
- Guide to application of machinery directive - § 387 - ANNEX III CE marking
- recommendation for use - machinery directive 2006/42/EC
- Notified bodies under the machinery directive 2006/42/CE
- Safety of Ex, ATEX and IECEx equipments : Standardization
- Standardization in Ex Field
- The transposition of the ATEX 94/9/EC Directive to the 2014/34/EU directive
- harmonized standards list - ATEX directive 2014/34/EU
- Harmonized standard list for ATEX 2014/34/UE - 12-10-2018
- Harmonized standard list for ATEX 2014/34/UE - 15.6.2018
- Harmonized standard list for ATEX 2014/34/UE - 12-07-2019
- Harmonized standard list for ATEX 2014/34/UE - 9.6.2017
- Harmonized standards list ATEX 2014/34/UE directive - OJ C 126 - 08/04/2016
- Guide to application of the ATEX Directive 2014/34/EU
- application guide of 2014/34/EU directive - preambule, citations and recitals
- Guide to application of the ATEX 2014/34/UE directive - THE ARTICLES OF THE ATEX DIRECTIVE
- Guide to application of the ATEX 2014/34/UE directive - ANNEX I CLASSIFICATION INTO CATEGORIES
- Guide to application of the ATEX 2014/34/UE directive - ANNEX II ESSENTIAL HEALTH AND SAFETY REQUIREMENTS
- Guide to application of the ATEX 2014/34/UE directive - ANNEX III MODULE B: EU-TYPE EXAMINATION
- Guide to application of the ATEX 2014/34/UE directive - ANNEX IV MODULE D: CONFORMITY TO TYPE
- Guide to application of machinery directive - § 388 - ANNEX IV machinery and mandatory certification
- Guide to application of the ATEX 2014/34/UE directive - ANNEX V MODULE F: CONFORMITY TO TYPE
- Alignment of ten technical harmonisation directives - Decision No 768/2008/EC
- ATEX 94/9/EC directive documents
- ATEX 94/9/EC guidelines
- ATEX 94/9/EC guidelines 4th edition
- 1 INTRODUCTION of ATEX 94/9/EC guidelines 4th edition
- 2 OBJECTIVE OF THE ATEX DIRECTIVE 94/9/EC - ATEX 94/9/EC guidelines 4th edition
- 3 GENERAL CONCEPTS of ATEX 94/9/EC directive ATEX 94/9/EC guidelines 4th edition
- 4 IN WHICH CASES DOES DIRECTIVE 94/9/EC APPLY - ATEX 94/9/EC guidelines 4th edition
- 5 EQUIPMENT NOT IN THE SCOPE OF DIRECTIVE 94/9/EC - ATEX 94/9/EC guidelines 4th edition
- 6 APPLICATION OF DIRECTIVE 94/9/EC ALONGSIDE OTHERS THAT MAY APPLY - ATEX 94/9/EC guidelines 4th edition
- 7 USED, REPAIRED OR MODIFIED PRODUCTS AND SPARE PARTS - ATEX 94/9/EC guidelines 4th edition
- 8 CONFORMITY ASSESSMENT PROCEDURES - ATEX 94/9/EC guidelines 4th edition
- 9 NOTIFIED BODIES - ATEX 94/9/EC guidelines 4th edition
- 10 DOCUMENTS OF CONFORMITY - ATEX 94/9/EC guidelines 4th edition
- 11 MARKING - CE marking -ATEX 94/9/EC guidelines 4th edition
- 12 SAFEGUARD CLAUSE AND PROCEDURE - ATEX 94/9/EC guidelines 4th edition
- 13 EUROPEAN HARMONISED STANDARDS - ATEX 94/9/EC guidelines 4th edition
- 14 USEFUL WEBSITES - ATEX 94/9/EC guidelines 4th edition
- ANNEX I: SPECIFIC MARKING OF EXPLOSION PROTECTION - ATEX 94/9/EC guidelines 4th edition
- ANNEX II: BORDERLINE LIST - ATEX PRODUCTS - ATEX 94/9/EC guidelines 4th edition
- ATEX 94/9/EC guidelines 4th edition
- Harmonized standards list - ATEX 94/9/EC directive
- Harmonized standards list ATEX 94/9/EC directive - OJ C 126 - 08/04/2016
- Harmonized standards list ATEX 94/9/EC - OJ C 335 - 09/10/2015
- Harmonized standards list ATEX 94/9/EC - OJ-C 445-02 - 12/12/2014
- Harmonized standards list ATEX 94/9/EC - OJ-C 076-14/03/2014
- Harmonized standards list ATEX 94/9/EC - OJ-C 319 05/11/2013
- ATEX 94/9/EC guidelines
- European regulation for ATEX 94/9/EC ATEX directive
- Guide to application of ATEX 2014/34/EU directive second edition
- Safety of machines : Standardization and European regulations
- Latest news & Newsletters
- Functional safety
- Terms and definitions for functional safety
- Safety devices in ATEX
- The SAFEC project
- main report of the SAFEC project
- Appendix 1 of the SAFEC project - guidelines for functional safety
- Appendix 2 of the SAFEC project
- ANNEX A - SAFEC project - DERIVATION OF TARGET FAILURE MEASURES
- ANNEX B - SAFEC project - ASSESSMENT OF CURRENT CONTROL SYSTEM STANDARDS
- ANNEX C - safec project - IDENTIFICATION OF “USED SAFETY DEVICES”
- Annex D - SAFEC project - study of ‘ Used Safety Devices’
- Annex E - Determination of a methodology for testing, validation and certification
- EN 50495 standard for safety devices
- The SAFEC project
- Safety components in Machinery
- STSARCES - Standards for Safety Related Complex Electronic Systems
- STSARCES project - final report
- STSARCES - Annex 1 : Software engineering tasks - Case tools
- STSARCES - Annex 2 : tools for Software - fault avoidance
- STSARCES - Annex 3 : Guide to evaluating software quality and safety requirements
- STSARCES - Annex 4 : Guide for the construction of software tests
- STSARCES - Annex 5 : Common mode faults in safety systems
- STSARCES - Annex 6 : Quantitative Analysis of Complex Electronic Systems using Fault Tree Analysis and Markov Modelling
- STSARCES - Annex 7 : Methods for fault detection
- STSARCES - Annex 8 : Safety Validation of Complex Components - Validation by Analysis
- STSARCES - Annex 9 : safety Validation of complex component
- STSARCES - Annex 10 : Safety Validation of Complex Components - Validation Tests
- STSARCES - Annex 11 : Applicability of IEC 61508 - EN 954
- STSARCES - Annex 12 : Task 2 : Machine Validation Exercise
- STSARCES - Annex 13 : Task 3 : Design Process Analysis
- STSARCES - Annex 14 : ASIC development and validation in safety components
- Functional safety in machinery - EN 13849-1 - Safety-related parts of control systems
- STSARCES - Standards for Safety Related Complex Electronic Systems
- History of standards for functional safety in machinery
- Basic safety principles - Well-tried safety principles - well tried components
- Functional safety - detection error codes - CRC and Hamming codes
- Functional safety - error codes detection - parity and chechsum
- Functional safety and safety fieldbus
- ISO 13849-1 and SISTEMA
- Prevention of unexpected start-up and machinery directive
- Self tests for micro-controllers
- Validation by analysis of complex safety systems
- basic safety principles - safety relays for machinery
- Download center
- New machinery regulation
- Revision of machinery directive 2006/42/EC
- security for machines
STSARCES - Annex 14 : innovative technologies and designs
Annex 14 - Innovative Technologies and Designs - ASIC development and validation in safety components
Final Report of WP5
European Project STSARCES
Contract SMT 4CT97-2191
Table of contents
1. Summary
2. Introduction
3. New topics in research
3.1. Definitions
3.2. von Neumann versus Harvard block structures
3.3. Components design examples
3.4. Relevant components
3.5. Favourable and unfavourable criteria
3.6. Point on complexity
3.7. Failure behaviour
4. Testing ASICs
4.1. In service tests
4.2. Descriptive levels and domains of an ASIC
4.3. Fault hypotheses
4.4. Fault models
4.5. The functional test at the design stage and on completion of production
4.6. Behavioural tests in the presence of faults
4.7. Method for Safety Validation – black-box test
5. Conclusion
6. Bibliography
Figures
Figure 1 : Von-Neumann (CISC)
Figure 2 : Harvard (RISC)
Figure 3 : Von Neumann design example
Figure 4 : Harvard classic design example
Figure 5 : Harvard with ROM testing capability design example
Figure 6 : The families of ASICs
Figure 7 : Life cycle of an ASIC
Figure 8 : Descriptive domains and levels for an ASIC
Figure 9 : First fault hypothesis
Figure 10 : The external test
Figure 11 : Adding test points
Figure 12 : Testability by partitioning with multiplexers
Figure 13 : Structured test method based upon a serial access register
Figure 14 : Built-in self test (BIST)
Figure 15 : Faults sequence according category 4 of EN 954
Figure 16 : Built-in fault injector
Figure 17 : Additional forcing point
Figure 18 Inserting a faulty signal at an input
Figure 19 : Redundant structure
Tables
Table 1 : ASIC families scored from 1 to 5
Table 2 : Failure causes and modes in integrated circuits
Glossary
Acronyms |
Definition |
ASIC |
Application specific integrated circuit |
CPLD |
Complex Programmable Logic Device |
CPU |
Central Processing Unit |
EEPROM |
Electrically Erasable Programmable Read Only Memory |
EMC |
Electro-Magnetic Compatibility |
EPLD |
Erasable Programmable Logic Device |
FPGA |
Field Programmable Gates Array |
HCPLD |
High Capacity Programmable Logic Device |
MCM |
Multi Chip Module |
PED |
Programmable Electronic Device |
PLC |
Programmable logic controller |
RAM |
Random Access Memory |
ROM |
Read Only Memory |
Statecharts |
Specification method based on transition systems |
SW |
SoftWare |
WD |
Watchdog |
1. Summary
The main objective of this work package is to focus the manufacturers view of near-future safety related products.
It joins INERIS as test-house and JAY as manufacturer, and takes into account the foreseeable evolutions in the concepts and designs of safety related systems owing to continuing progress in the electronic technologies, to ensure that future standards do not hinder innovation and progress in safety functions.
As a matter of interest for all professionals involved in safety devices related to machine safe control, manufacturers and Test-Houses, new products are going to appear on the market, which make an increasing use of Application Specific Integrated Circuits. Such products can probably allow to achieve improved performances in terms of speed and compactness, with low costs on the market. However safety requirements must be adapted to this technology all along its life-cycle, from the design by the manufacturer onwards the validation of the product.
A typical product under development was the basis of the study : a single way safety light barrier with a dual ASIC designed for a category 4 certification. The first part deals with techniques and requirements for ASICs design and the second one is based on methods and techniques for ASICs validation.
2. Introduction
Application-Specific Integrated Circuits (ASICs)[1] are used in electronic systems dedicated to the management of safety functions. These complex circuits may incorporate several million transistors, and so cause problems for the evaluation of the functional safety of the systems that include them.
For discrete components (relays, transistors, resistors, capacitors, etc.) the analyst can evaluate the safety level by simulating virtually all the device’s fault situations, using a practically exhaustive list of possible failures[1].
For complex electronic circuits such as ASICs, this exhaustive approach is not possible[3]. To evaluate the operational safety characteristics it is necessary to know the failure modes of the components used, and this is not possible for these circuits. The traditional methods of testing performance in the presence of faults are inadequate. It is therefore necessary to tackle the evaluation not only by updating subsequent tests on the finished products but also by extending the field of investigation from the origin of the faults considered: errors of specification, design or production, internal faults, or external effects.
This study describes the integrated circuits used for specific applications, the tests in general, and ways of evaluating safety.
3. New topics in research
3.1. Definitions
· ASIC : is characterised by the small size of the component, the great number of elementary functions, collective process and as the consequence of these characteristics, the impossibility to reach any elementary function if this is not an initial design condition. Also some inside parts can be tested only by an adequate simulation.
· Complex or programmable composant : a monolithic, hybrid or module circuit where the internal connections are not accessible, which satisfies one or more of the criteria below :
- more than 1000 gates are used in the digital mode,
- more than 24 functionally different external electrical connections are available for use,
¨ the functions can be programmed.
The classic field of microprocessors is split in two structures :
* “von Neumann” the more popular and known structure usually connected with the complete set of instructions (CISC as Complete Instruction Set Computer).
* “Harvard” initial solution for computers and have today a new youth due the research of performances, usually connected with the reduced set of instructions (RISC as Reduced Instruction Set Computer).
If we take in reference the ASIC definition and the relevant component which could be orderly in this classification , microprocessors are in this class. Small size of the component, great number of elementary functions, collective process and as the consequence of these characteristics the impossibility to reach any elementary function if this is not an initial design condition, plus for the microprocessor a particular temporal behaviour as a consequence of the software flow.
3.2. von Neumann versus Harvard block structures
Figure 1 : Von-Neumann (CISC)
Figure 2 : Harvard (RISC)
m = as a function of memory size
As we can see these structures are different :
· In von-Neuman structure you can explore program memory and make any operation on data memory by by the mean of CPU.
· In Harvard the memory is split in two parts and the CPU can’t explore or make operations on such parts.
The testing strategy described in documents such as EN 61508 annex c part 7 is clearly matched with von-Neumann structure. Any tentative to use a Harvard structure with a safety behaviour suppose that particulars means need to be use to reinforce the testing of memory field. The goal is to reach the same coverage testing in the two structures.
3.3. Components design examples
3.3.1. von Neumann
It is obvious that in such structure, if we want to do a check-sum test on the ROM memory area, we can read (R) the current value corresponding to the address CS n-1 in RAM and add by the mean of (ALU) successively the instruction code corresponding to the address n in ROM and Write (W) the new current check-sum value in RAM.
We are also able to imagine sketch calculations for the RAM.(see WP1.2 “Guide for software test”).
Figure 3 : Von Neumann design example
3.3.2. Harvard classic
In this Harvard classic structure if it is able to test RAM area memory things are impossible for ROM area. In fact the (ALU) execute the successive instructions pointed out by the program counter. We can’t read an instruction code corresponding to a choosing address, we can only execute this instruction code by the (ALU). To reach the same testing coverage level than in von-Neumann structure we must imagine other strategy of test. As for example dedicated code for instructions corresponding to a CRC with a hard decoder .
Figure 4 : Harvard classic design example
3.3.3. Harvard with ROM testing capability
In this structure derived from. Harvard classic all the testing strategies are applicable. It is obvious that the same testing method is appicable for RAM testing than in Harvard classic. But for ROM testing , by the mean of table counter we are able to point out any memory cell an execute it by the (ALU) or store it RAM in consequence we can follow this flow ,if we want to do a check-sum test on the ROM memory area ,we can read (R) the current value corresponding to the address CS (n-1) in RAM and add by the mean of (ALU) successively the instruction code corresponding to the address n in ROM pointed out by the table counter and Write (W) the new current check-sum value in RAM.
Figure 5 : Harvard with ROM testing capability design example
As describe above von-Neumann and Harvard with ROM testing capability structures are available for use under safety behaviour by using classic bibliographic described testing strategies. Harvard classic need more investigations to imagine adapted testing strategies.
CISC or RISC designation are relevant of instruction set and is not safety relevant.
3.4. Relevant components
ASICs may be divided into three main families : programmable circuits, prediffused arrays, and precharacterised arrays.
Figure 6 : The families of ASICs
3.4.1. Programmable circuits
Programmable circuits are components made up of matrices of gates, connecting tracks and complex cells such as registers, bistable devices, and so on. The user makes the interconnections between the cells according to his application purposes using a programming tool. The different arrangements of cells, the complexity available and the interconnection technologies used determine the different sub-families of programmable logic devices (PLDs) :
- Programmable Array Logic (PAL) circuits consisted solely of one programmable AND matrix and another fixed OR matrix.
- Programmable Logic Array (PLA) circuits consisted of programmable AND and OR matrices.
These circuits can very easily incorporate more complex cells, but are now obsolete.
- Complex Programmable Logic Device (CPLD) and High Capacity PLD (HCPLD) circuits are a development of PLDs containing a large number of very complex basic cells.
In all these PLD circuits, the cells are interconnected in arrays and the user removes the unwanted connection points by breaking the track. This programming is not reversible.
- The Erasable Programmable Logic Device (EPLD) is a PLD that can be programmed electrically and erased using UV light using the EPROM memory technique.
- The Electrically Erasable Programmable Logic Device (EEPLD) is a PLD that can be programmed and erased electrically using the EEPROM memory technique.
These two sub-families encompass erasable and reprogrammable PLDs, techniques that are very useful in prototyping.
- Field Programmable Gates Array (FPGA) circuits employ two interconnection techniques: the non-melt technique for which the user sets up connection points by breaking down a dielectric (an irreversible configuration) and SRAM for which the configuration of the connections, stored in a ROM memory, is automatically loaded into a solid-state RAM each time the circuit is switched on. The interconnections are made by MOS transistors turned on by commands from the RAM (reconfigurable). They include complex cells such as registers, multiplexers, etc., and represent strong competition for the pre-diffused family.
3.4.2. Prediffused arrays
A prediffused circuit is an incomplete circuit. The deep layers of the component are made beforehand by the constructor. The user designs the interconnections of his circuit in tracks provided for this purpose using a CAD method. The circuit will then be finished by the constructor who creates these connections on a final layer of aluminium. This family is subdivided into three sub-groups :
- Gate Arrays are organised into rows of basic cells and interconnection tracks that are fixed in location and size.
- Seas of Gates or “silicon seas” are circuits with a high density of transistors but no tracks. The interconnections are made on top of these transistors by a special metal layer, giving the user considerable flexibility for defining functions and connections.
- Embedded Arrays offer composite solutions that employ the best features of the various families : the complexity and optimisation of precharacterised circuits, the short development time of prediffused circuits, the high density of seas of gates, and so on.
3.4.3. Precharacterised arrays
With this family, the user has a software library of standard cells that are defined and characterised by the constructor. He chooses the cells necessary for producing the functions required and can design all the interconnection masks. This circuit is more optimised than a prediffused circuit.
The most evolved form of precharacterised circuit is the silicon compilation. This circuit is optimised as regards the parametrisable cells, RAM, ROM, multiplexers, connection of logic functions, and so on, using a description of the component in a high level language.
3.4.4. The technologies
The technology of an ASIC depends on the type of basic transistors it contains. There are six types:
· CMOS, combining high complexity and a good ratio of power consumption to speed. Moreover the protection against Latch-up and electrostatic discharges are ± 200 mA and 4 kV respectively.
· TTL which is practically no longer found in ASICs.
· Bipolar in its very fast ECL version which however is under threat from BICMOS.
· BICMOS which incorporates bipolar and MOS transistors.
· Gallium arsenide (AsGa) that can reach speeds of several GHz with better integration and immunity to noise.
· Silicon on sapphire (SOS) which has excellent resistance to radiation, latch-up and temperature (+ 250°C).
3.5. Favourable and unfavourable criteria
Generally speaking an application developed using an ASIC will be more reliable than one with standard circuits. First of all, reliability is inversely proportional to the number of connections between units and, secondly, low power also means better reliability.
However, for these complex components :
· Knowledge of faults, and any cause/fault correlation, are no more than partial.
· Reducing the physical size of the basic components creates new faults.
· The growing complexity increases the probability that design faults will appear.
· The more limited spread of ASICs compared with standard circuits means that interpreting the feedback of experience is more difficult.
From the technological point of view, the dominant type on the market – CMOS – appears in its stabilised types (1.2 to 0.8 µm) to be the most proven technique as a result of its noise margin, low consumption and good protection against electrostatic discharges and latch-up. These advantages also apply to the BICMOS in applications where higher speed is required.
On the other hand the mediocre noise margin and high consumption do not favour the ECL. The BICMOS or even the AsGa will be preferable.
In terms of safe operation, reliability, testability and consumption, the choice of a family may fall upon non-melt FPGA or EPLD for programmable circuits.
Prediffused arrays are the circuits that offer the best compromise between reliability, consumption and testability, closely followed by the precharacterised arrays.
The electrically reprogrammable circuits such as the EEPLDs are not recommended. They are insufficiently robust with regard to electromagnetic interference (information may be lost).
|
Families |
|||
Parameters |
Full Custom |
Precharacterised |
Prediffused |
Standard circuits |
Testability |
1 |
3 |
4 |
5 |
Reliability |
5 |
4 |
4 |
1 |
Consumption |
5 |
4 |
4 |
1 |
Table 1 : ASIC families scored from 1 to 5
Note: The score 1 is the lowest.
ASIC circuits of very great complexity should be avoided so as not to degrade testability.
All these recommendations can do is to avoid introducing a weak link in a safety application. Validation should be carried out at every stage of the life cycle.
3.6. Point on complexity
· Design
For ASIC component the input document is the technical specification, software Design and simulation gives the layers. The usual schema generated is only a thinking aid but it is not the viewing of the exact chip result (integrity of compilers).
· Core based ASIC
Generated blocks are assumed to be „correct by construction“, based on design rules. Pre-layouted or generated macros are process specific but may be ported to different technologies.
· FPGA
Standard IC, using one-time programmable or re-programmable elements to define the connection between functional blocks and to configure the functionality of the individual blocks. It is not possible to test one-time programmable FPGA completely during production due to the nature of the programmable element.
· Microprocessors
If for Von Neumann structure some rules are well known (as RAM and ROM testing). These rules are not applicable for Harvard structure. This component is impossible to use in safety application without other strategy of test.
3.7. Failure behaviour
Devising tests for complex integrated circuits necessitates knowledge of how these components fail. Unfortunately, such knowledge and that of the causes/failure correlation are only partial (15% of failures are not characterised on common components). Also, there are very few statistical results specific to ASICs. However their failure modes are practically the same as those of standard circuits, since the technologies and production processes are the same for the two categories.
The following table shows the main causes and failure modes whatever the technology employed.
Failure causes or mechanisms |
Consequences |
Design
|
Open circuit (OC) OC, Short circuit (SC) Threshold drift Logic fluctuations Logic fluctuations |
Production
|
Short circuit Open circuit Threshold drift Threshold drift Open circuit, short circuit |
Operation
|
Open circuit Logic fluctuations Open circuit, short circuit Logic fluctuations |
Table 2 : Failure causes and modes in integrated circuits
It is interesting to note that the causes of failures show up in a limited number of failure modes :
· short circuits and open circuits at various levels of components (pins, gates, transistors),
· drifts in threshold voltage and logic fluctuations (steady or intermittent reversal of levels).
During production the main failure mechanism is corrosion which shows up mainly as short circuits. In operation, melting caused by electrical overloads leads to short circuits and open circuits at various component levels.
To avoid any unsafe behaviour the following rationale could be used, after choosing the relevant category :
· For external signals we can use the catalogue of single faults which is the annex B of EN 61496-1 [1].
· For internal signals the followings topics need to be analysed :
[1] Rules of design, including fault simulation, see IEC 61508 [5] and DIN V VDE 801 A2 [6], where some failures are described :
* signal stucked,
* loss of a function,
* loss of time synchronism,
* components drift,
* signal unwanted oscillations,
* intermittent failures.
[2] Tools of design-compilers integrity, certified versions. Low or high level langage ?
[3] Suggested safety strutures (e.g. 1998 project report §3.2).
* Rules of fault detection as already depicted for software (EN 61508, annex C part 7).
[4] Process stable and known technologie.
* If there is a change in the process some test or analysis need to be replay as in the design phase.
4. Testing ASICs
4.1. In service tests
The life cycle of an ASIC is shown below : testing is applied at different stages.
Phase 1 : Specification |
Phase 2 : Design development |
||
Phase 3 : Place& route to Packaging |
Phase 4 : Validation |
||
|
Phase 5 : Qualification |
|
|
Figure 7 : Life cycle of an ASIC
Note : Behaviour Under Fault Condition (BUFC)
Throughout the life cycle of an ASIC, prototype tests, and checks on time and frequency characteristics, electrical levels, etc. are carried out, together with tests to detect physical anomalies. These tests are more a matter for the silicone producer than the user. However two types of test are of concern to the user or the expert whose task is to analyse a device incorporating an ASIC :
· The functional test. In this type of logic test, a test sequence is applied to the component inputs, which may be in the form of a simulation on the model at the design stage or directly on the circuit on completion of production. Procedures are used to detect the presence of an internal fault at the outputs. At the design stage, this test allows the fault to be corrected after identification. During production, it leads to acceptance of satisfactory circuits or rejection of those that are unsatisfactory.
· The performance test in the presence of internal faults. In this test of integrity, which can be used at the design stage (on a model) or in operation (either on a model or physically), a fault model is simulated or injected into the component or its representation, and the behaviour of its outputs observed. This test is fundamental for safety applications and analyses the ability of the architecture to detect faults.
4.2. Descriptive levels and domains of an ASIC
Tests conducted at different stages in the life cycle of an ASIC will be carried out in different domains that are more or less abstract (models) or concrete (the circuit itself). In addition, different levels of exploration fineness are defined and used according to the need for the test to be representative. These domains and levels are shown on Gajski’s Y graph.
The physical domain is the most concrete, and describes the real elements of the chip at different levels of fineness. The structural domain is an abstract domain in schematic form (block or detailed circuit diagrams). The behavioural domain describes the function of the circuit from the most general level (algorithm) to the finest level (transistor).
Figure 8 : Descriptive domains and levels for an ASIC
4.3. Fault hypotheses
Owing to the complexity of modern integrated circuits, any exhaustive check on their performance covering all possible faults that could affect them is becoming impossible. Accordingly the philosophy of testing has evolved by comparison with that applying to discrete components, starting from the assumption that a reduced and known set of consequences of faults is sufficiently representative of the physical causes, multiple and unknown faults of these failures.
Figure 9 : First fault hypothesis
These failure models are described by a number of fault models according to logic and technological criteria. Reasonable confidence in the test will be obtained by checking that these faults are absent in production, or that they have no effect on normal performance in operation.
A different problem arises when one considers simultaneous faults. The designers of integrated circuits regard these as highly unlikely. As a result, the production tests are based on the second hypothesis according to which the fault is unique.
Finally, a third assumption is that the failure is permanent.
4.4. Fault models
The modes of failure of digital integrated circuits can be placed into four categories : short circuits, open circuits, permanent or intermittent logic fluctuations and the drift of thresholds.
The model of equipotentials stuck at logic levels 0 and 1 is the one most used. It represents about a third of the physical faults identified. Also when this model is applied at “gate” level in the structural domain it is independent of the technology, and the observability of the line affected allows other anomalies to be detected. However this method, although practically exhaustive for bipolar and MOS technologies, is inadequate for CMOS. For this technology, short circuits and open circuits do not necessarily lead to sticking. The outputs may show either analogue behaviour due to threshold drifts, or sequential behaviour. Output short circuits no longer automatically lead to hardwired ANDs or ORs, although “doubtful” output voltages may appear. Finally, threshold drifts and external spurious signals can lead to more or less temporary logic fluctuations.
These phenomena make modelling at transistor level essential, and the following models are used :
· Transistor stuck open. This model represents physical faults such as the absence of source-drain contact, or a broken line. These faults mean that the node concerned remains in the previous state instead of changing over ; this is sequential behaviour.
· Transistor stuck on. In this case, the transistor concerned still conducts regardless of the grid signal. This may be due to a drain-source short circuit or to the threshold voltage being wrongly set. The circuit behaves in an analogue manner. The output voltage can take any value, outside the guaranteed ranges of logic levels, and depends on the value of the external bias resistors used. If this output voltage is very different from that expected, the failure shows up as a logic error (reversal of state).
· Bridging. These models of short circuits at different levels represent spurious links between interconnections due to metal expansion, diffusion errors or breakdowns of insulation between levels. Different types of bridging can be envisaged :
¨ between two gate outputs,
¨ between two internal nodes,
¨ between grid, drain or source of a transistor,
¨ between two neighbouring metal levels.
These bridging models represent analogue behaviour and logic errors.
· Open circuits. The model of a track gap represents either a transistor omitted in the design, or a physical break in the line. Most of the time these faults show up as complex analogue behaviour.
All the fault models presented above lead to short circuits and open circuits at different component levels.
For a circuit subject to an integral line test that is intended to provide a safety function, the following fault models are applicable :
* A short circuit between one diffusion and the next closest diffusion A short circuit between one diffusion and the next closest diffusionv ;
* A broken equipotential: poly-Si and floating grid.
For the thorough production test on a safety component, any short circuits must be at a minimum.
None of these models take into account faults due to spurious electromagnetic signals or radiation. Spurious electromagnetic signals in operation or the erroneous setting of a threshold at the design stage may lead, at the inputs and outputs of a circuit, to intermittent or continuous changes in logic state. These phenomena cannot be absolutely checked by screening and other electromagnetic compatibility precautions, and the design tests may not perceive these threshold faults. We therefore believe it appropriate to consider these problems.
In order to simulate these failures, mainly those resulting from spurious electromagnetic signals, we believe it is useful to propose a model for the change of state of one or more bits at the inputs and outputs. This change of state may be transient, periodic or permanent.
Finally, the different possible short circuits together with internal cross-talk can modify the output signals from an entire system or the outputs from different functional units. We shall see subsequently that the test on the finished product finds it difficult to “penetrate” the interior of a complex component. It therefore seems to us to be important at this stage to consider models of change at functional level : the “black box” system approach or that involving functional modules.
4.5. The functional test at the design stage and on completion of production
The off-line functional test involves applying a relevant test sequence to the inputs of the circuit under test in order to reveal the presence of internal faults at the outputs. Depending on the complexity of the circuit concerned, three approaches to the functional test can be considered :
* The external test.
* The external test on an improved circuit.
* The integral test.
4.5.1. The external test
In this type of test, the tester, comprising the test sequence generator and the functions necessary for observing the outputs, is outside the circuit to be tested.
Figure 10 : The external test
The test sequences are generated in a deterministic manner by automatic test program generators. The method most frequently used is “path sensitisation” or the D-algorithm, based upon the sticking model at gate level, and involves finding the input logic sequence or sequences capable of propagating a line sticking fault along an internal path to show up at an observable output.
Another method is the “exhaustive” test, in which the circuit to be tested is regarded as a black box for which only the logic function is known. This involves injecting all the possible combinations of inputs, which total 2n for a circuit with n inputs. This coarser technique is easy to use but much more involved than the D-algorithm method.
This method is very suitable for simple combinational circuits. However, for practical applications, increasing use is being made of circuits that are both sequential and combinational. For these circuits, the previous methods lead to increasingly complex testers, that are costly and involve prohibitive test times. Also modern circuits can no longer be tested by these methods at nominal speed. It therefore seems necessary to make circuits easier to test.
4.5.2. The external tests on circuits with improved testability
Improving the testability involves modifying the circuit to be tested by incorporating additional functions in it to make the test possible. To do this, action must be taken on the two components of testability : the commandability which represents the ease with which the input sequences can activate the different parts of the circuit, and the observability which determines the ability of the circuit to propagate faults to the output.
There are two approaches to improving testability: ad hoc methods and structured methods.
· Ad hoc methods. These techniques are specific to each application. Two main variants are used :
* Addition of test points. Unit C is functionally inaccessible from the outside. This unit is rendered commandable by creating the special input Es and its observability by an output Ss.
Figure 11 : Adding test points
* Partitioning. This involves partitioning the circuit in which functional or structural units A and B are separated by multiplexers whereby they can be commanded and observed. This technique is relatively easy to do but necessitates about 30% of additional silicon and raises the problem of the integrity of the multiplexers.
Original circuit
Figure 12 : Testability by partitioning with multiplexers
· Structured methods. These methods can be adapted to any circuit and are particularly suitable for complex combinational and sequential components.
Figure 13 : Structured test method based upon a serial access register
The overall principle is to access all the memory points in the circuit using bistable devices B1, B2, … Bn. These bistable devices together form an offset register with serial access. The inputs (commands) are loaded using a clock H1, and the outputs (observation) by a clock H2.
Many component manufacturers have developed a number of variants of this structured technique : SCAN PATH of NEC, Level Sensitive Scan Design (LSSD) of IBM, Scan Set Logic of Univac, Random Access Scan of Fujitsu, and so on.
The main attraction of structured test methods is to reduce the test on a sequential circuit to one on a single combinational circuit. The natural registers in the circuit are used as bistable devices in order to constitute the offset register. However the offset logic can use up to 20% of additional silicon and the passage of the data through serial links makes the test relatively long.
4.5.3. The integral test
The integral test, also known as the built-in self-test, involves incorporating in the silicon not only the test facilities but also the tester, encompassing the generation of test sequences and the functions for observing the results. The latter are nearly always based on data compression methods.
Figure 14 : Built-in self test (BIST
The advantages of this technique are as follows:
· The slowing-down of the test caused by the serial link between tester and circuit is eliminated ;
· Because the tester uses the same technology as the circuit to be tested, the test takes place at nominal speed ;
· It is possible to envisage the exhaustive “black box” test of combinational units ;
· The integral test, subject to certain adaptations, can also be used as an in-line test when the circuit is on a card, whereupon the circuit becomes self-checking in operation.
The decision to install a BIST is subject to the following constraints:
* Additional silicon necessary ;
* Maximum test duration acceptable ;
* Speed of tester ;
* Ease of application ;
* Test quality obtained ;
* Tester cannot be modified once integrated in the silicon.
Various methods can be envisaged for generating the test sequence:
· Data stored in ROM. The test sequences stored in a ROM are applied to the logic units to be tested by internal buses or serial offset register paths (for example SCAN PATH). Sequences are generated in a deterministic and automatic manner. This method is expensive in computer time and in the area of silicon dedicated to the test (storage ROM). It is very suitable for circuits that already have an internal ROM. The test shows good quality but the speed is limited by that of the ROM.
· Exhaustive generation for each unit. This is a simple method that does not require a fine analysis of the circuit. Each internal unit receives an exhaustive set of sequences (2n possibilities for a unit with n inputs). The generator can be a simple general counter for all the units or there can be one for each unit. The test obtained is of good quality depending on the selected cut-off level, but does require fairly substantial additional silicon.
· Pseudo-random generation. This is the method most used, which involves injecting a pseudo-random test sequence of sufficient length for the test to be relevant into the inputs of the circuit under test. The length of this sequence can be estimated in two different ways :
* One method is to simulate faults by a random sequence applied to the inputs of the circuits to be tested. The sequence is halted when it is considered that test coverage is adequate. This method requires very long computer time.
* A second method is based on the concept of the fault that is most difficult to detect. This technique requires fine analysis of the circuit.
The best known method of pseudo-random generation seems to be the “Built-In Block Observer” (BIBLO) which employs the techniques of both the offset register and signature analysis.
4.5.4. The built-in self test
The BIST test methods described above involved testing the circuit off-line. It is also possible to envisage integrating self-tests on the silicon that can be used in service (on-line test). Various detection mechanisms have been developed. Some are based on LFSR such as cyclic codes and signature analysis, and others could be envisaged : watchdog, detector codes, similarity tests, and so on.
The on-line BIST approach is fairly expensive in silicon and calls for a far-reaching study of the circuit. It is reserved for circuits directly controlling safety functions or applications with a very high level of availability.
4.6. Behavioural tests in the presence of faults
On classics circuits, tests for the effects of single faults shall be carried out on all the relevant components. If further faults occur as a result of the first single fault, the first and all consequent faults shall be considered as a single fault. In order to reduce unnecessary testing where the results of a combination of faults can be precisely defined theoretically, an analysis statement shall be included as part of the test results statement.
Figure 15 : Faults sequence according category 4 of EN 954
Testing for the accumulation of more than three faults need to be carried out provided that the probability of more than three faults, (largely independent of each other and having to appear in a specific sequence in time), is low.
As far as ASICs are concerned, it is a matter of observing some or all of the output performances when they are affected by an internal fault. This test can indicate the influence of the fault on the circuit functions in terms of functional safety.
There are two possible ways of conducting this test: using software to simulate faults, or physically injecting faults. The growing complexity of ASICs is increasingly imposing the approach involving software simulation of faults on models of the circuit. With this method it is possible to reach fine levels of the component. It involves abstract representations of the circuit which in fact reflect its reality only imperfectly.
The physical injection of faults is the only method that generates anomalies in the real circuit, but the test cannot “penetrate” beyond the connecting pins. It is therefore less detailed than the test by simulation.
4.6.1. Software simulation of faults
The software simulation of faults employs CAD tools, models of the circuit and the fault models used at the design stage. Before simulating faults, it is as well to ensure that the circuit is operating satisfactorily. For this purpose the design tests will be repeated so as to verify the functional characteristics as regards timing, frequency, voltage, current, and so on. The next phase is to simulate faults at different points in the component in order to observe the behaviour at the outputs.
As at the design stage, the models of faults are : sticking equipotentials, open circuits, short circuits at various levels, continuous or intermittent logic fluctuations, perturbations of functions and transistors stuck open or closed.
The test methodology is of the top-down type, with faults initially simulated at system level with the component being generally regarded as a black box. The same tests are then applied to structural or functional units.
4.6.2. Physical injection of faults
The physical injection of faults involves two approaches :
· Creating faults internal to the circuit ;
· The external injection of faults at the component connector.
4.6.2.1. Internal injection of faults
Internal faults can be injected by applying electrical interference to the component supply leads. With this technique, the fault is propagated in a random manner and the results are not reproducible.
4.6.2.2. Injection of faults at the connector
The models of faults generally used are :
* Sticking at 0 and 1 ;
* Sticking at an intermediate value which can resemble the simulation of analogue behaviour in CMOS technology outputs ;
* Line gaps modelling anomalies in this technology ;
* Level inversions and physical bridging which simulate phenomena caused by various types of electrical interference ;
* Changed function at inputs and outputs.
The faults can be applied using the forcing technique. With the component still wired to its card, the fault injected at a pin is propagated over all the lines connected to it.
4.6.3. Improving testability
In complex circuits, the behaviour test in the presence of faults encounters the same problems as the production test. Access to the functional pins alone considerably limits the extent of the test. It therefore seems essential to incorporate Built-In Fault Injection Logic into the silicon. This method involves incorporating, on the signal processing chip, an offset register followed by a decoder which can select the critical nodes in each of the functional units of the processor to be tested.
Figure 16 : Built-in fault injector
This ad hoc method seems an attractive approach for memories and processor systems. Its advantages are, first, that it enhances the extent of the test and, secondly, it requires less external test equipment. On the other hand, the preliminary selection of relevant test points is a slow process.
For ASICs of average complexity, adding additional test points would permit greater depth of analysis using the forcing technique.
Figure 17 : Additional forcing point
The input E1 allows the point p to be forced to 1 or 0 or to an intermediate voltage, either continuously or temporarily. This method is very simple and cheap in terms of silicon ; it is very attractive on condition that the relevant test points are well defined and that precautions to limit current are taken on the tester so as not to destroy the circuit being tested.
A variant of this method is to make the inputs and outputs of the functional units accessible from the outside.
Figure 18 Inserting a faulty signal at an input
4.7. Method for Safety Validation – black-box test
This black-box method is divided in five phases :
- Functional Testing to reveal failures during the specification and design phases ;
- Functional testing under environmental conditions to validate the safety-related system against typical environmental influences ;
- Fault insertion testing to introduce or simulate faults in the system hardware and document the response ;
- Worst case testing to validate the system and the component under highest environmental conditions values.
- Expanded functional testing to check the behaviour of the safety-related system in the event of rare or unspecified inputs
5. Conclusion
The increasingly common use of digital ASICs in electronic systems managing safety functions, such as virtual barriers and two-hand commands, is part of the normal progress of these electronic components.
Indeed the inherent advantages of these circuits – smaller size, lower power consumption, greater speed and reliability, and so on, make them attractive components and they are increasingly replacing standard electronic circuits.
As regards operating safety, the compactness and low consumption of ASICs ensure a more reliable solution than the same design using standard circuits. On the other hand, growing complexity means that less is known about the failure modes of these components. Some 15% of the faults that may affect these circuits are at present unknown.
A critical analysis of the available families and technologies has begun by identifying a few criteria of choice as regards ASICs for safety applications. It is essential to avoid too much complexity as well as the electrically erasable programmable arrays (SARM and EEPLD) which are too sensitive to spurious signals.
Testing should take place throughout the life cycle of an ASIC and take place as follows :
· A functional specification should be drawn up, including a description of the integrable part, the family, chosen technology, characteristics, risk analysis, architectural approaches, testability, and test programs.
· At the design stage, whatever the method used, a high level language scheme should be drawn up. This phase should include a simulation stage for detecting design faults and observing the behaviour of the circuit outputs in the presence of faults.
· During production, it is essential to provide the constructor with the circuit test programs. These tests will be used to determine whether the circuit should be accepted or rejected. The test sequences are prepared using automatic test generation programs. Solutions for improving, first, the testability should be integrated in the silicon (additional test points, partitioning, Scan path, LSSD, BIST, self-checking circuit, depending on complexity) and, secondly, the architecture of self-tests and self-tests outside the ASIC, and even global redundancy.
In this structure one ASIC (1) make the control of the application the other (2) use monitoring informations provided by the application and with a correct phase regarding control orders. Each ASIC use its proper clocks. A link between the to ASICs ensure that the state of the work relevant of each is at the same level or follow a predicted sequence.
The two ASICs can use the same input/output ressource, or two separate relevant of an other level of redundancy.
Figure 19 : Redundant structure
All these detection mechanisms should be validated by means of physical fault injection methods using models applicable at connector level : sticking, short circuits and open circuits.
Analysis of operating safety can be broken down into five main phases :
· Verification of the technological and architectural choices, characteristics and safety functions.
· Risk analysis leading to a classification of the level of integral safety.
· Analysis of circuits : safety solutions adopted, study of fault behaviour.
· Simulation of behaviour in the presence of faults on the implanted models using a CAD development tool.
· Validation of the architectural approaches using black box methods :
* Functional tests ;
* Environmental tests ;
* Physical injection of faults ;
* Environmental tests at the limits ;
* Extension of functional tests to rare situations.
6. Bibliography
- IEC 61496-1 : Safety of machinery - Electrosensitive protective equipment - Part 1 : General requirements and tests.
[2]Les circuits intégrés spécifiques (ASIC) dans les applications de sécurité. Analyse et évaluation. C. Vigneron. Les notes scientifiques et techniques de l’INRS, Ed NS0133.
[3]Modes de défaillances des circuits intégrés. Document ISDF du groupe de travail « Mode de Défaillances des Circuits Intégrés », 26 avril 1994.
[4]EN 954-1 - Sécurité des machines : Parties des systèmes de commandes relatives à la sécurité - Partie 1 : Principes généraux de conception.
[5]CEI 61508 : Sécurité fonctionnelle des systèmes électriques / électroniques / électroniques programmables relatifs à la sécurité. Ed. 99. Parties 1 à 7.
[6] DIN V VDE 0801 Amendment A2 : Principles for computers in safety-related systems.
- The term “ASIC” relates more to a design method than to a product. The development of an ASIC necessitates a joint approach by user and manufacturer.
English