

# Accounting for Soft Errors with Functional Safety

Jehoda Refaeli Automotive MCU



#### IEEE SER workshop October 2014

Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C-Ware, Energy Efficient Solutions logo, Kinetis, mobileGT, PEG, PowerQUICC, Processor Expert, QorIQ, Qorivva, SafeAssure, SafeAssure Logo, StarCore, Symphony and VortiQa are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. Airfast, BeeKit, BeeStack, CoreNet, Flexis, Layerscape, MagniV, MXC, Platform in a Package, QorIQ Qonverge, QUICC Engine, Ready Play, SMARTMOS, Tower, TurboLink, UMEMS, Vybrid and Xtrinsic are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. © 2014 Freescale Semiconductor, Inc.





### **Agenda**

- Functional Safety at Freescale
- Functional Safety and Microcontrollers
- MCU Safety Context and Safety Concepts
- FMEDA
- Soft errors







### A Global Leader in Microcontrollers and Digital Networking Processors

- >6,100 Patent Families
- **Five** Core Product Groups: Microcontrollers, Digital Networking, Automotive MCU, Analog, RF
- Four Primary Markets, including Automotive and Networking











### Health & Safety

Several Platforms Key to Making the World a Healthier, Safer Place

Automotive

- Active Safety Systems
- Advanced Driver Assistance
- Radar, Vision Systems
- Functional Safety

Industrial

- Connected Home
- Portable Medical
- Factory Automation Systems

We See a Healthier, Safer Population









### Functional Safety. Simplified.

**Simplifies the process** of system compliance, with solutions designed to address the requirements of automotive and industrial functional safety standards

Reduces the time and complexity required to develop safety systems that comply with ISO 26262 and IEC 61508 standards

Supports the most stringent Safety Integrity Levels (SILs), enabling designers to build with confidence

Zero defect methodology from design to manufacturing to help ensure our products meet the stringent demands of safety applications





### SafeAssure - Simplification

- SafeAssure products are conceived to simplify system level functional safety design and cut down time to compliance
- Component safety measures augment system level safety measures
- Key functional safety activities addressed
  - Safety analysis (FMEA, FTA, FMEDA)
  - Hardware integration (Safety Manual)
  - Software integration (Safety Manual)
  - Support interface (Roles & Responsibilities)









## History of Auto MCU Functional Safety Solutions

- Gen 1 Safety: More than 10 years experience of safety development in the area of MCU & SBC
- Gen 2 Safety: First general market MCU, MPC5643L ⇒ Certified ISO 26262!
- Gen 3 Safety: From 2012, multiple MCUs in Body, Chassis and Powertrain are being designed and developed according to ISO 26262

**2012: Gen 3 Safety**



#### MPC5744P/MPC5777K/etc 55 nm

- 32-bit Dual/Quad-Core MCU
- Developed according to ISO 26262
- Target Applications Chassis & P/T for ASIL D
- Safe methodology, Architecture, SW and tools

#### **PowerSBC**

- Voltage Supervision
- Fail-Safe State Machine
- Fail-Safe IO
- Advanced Watchdog

**2008: Gen 2 Safety**



#### **MPC5643L** - 90 nm

- 32-bit Dual-Core MCU
- Developed according to ISO 26262
- Target Applications for Chassis ASIL D



#### **PowerSBC**

- Voltage Supervision
- Fail-Safe State Machine
- Fail-Safe IO
- Advanced Watchdog

**2000: Gen 1 Safety**

#### **Custom** Safety Platform for Braking

- Started shipping in 2000: first safe MCU for braking applications
- IEC 61508 / ISO 26262 compliance achieved at system level (top down approach)
- MCU features are a key enabler for SIL 3 / ASIL D



#### **Custom IC**







### First ISO 26262 Certified MCU - Qorivva MPC5643L

- Certified by exida, an independent accredited assessor
- Certificate issued based on a successful assessment of the product design and the applied development & production processes against the requirements and work products of ISO 26262 applicable to an MCU
- MPC5643L MCU certified for use for all Automotive Safety Integrity Levels (ASIL), up to and including the most stringent level, ASIL D



#### Reports:

Freescale 11/08-067-C R009 V1 R0
Results of the ISO 26262 Functional Safety Assessment

#### Validity:

This assessment is valid for Microcontroller MPC5643L

This assessment is valid until August 31, 2015.

/1 R1 September, 2012



#### FREESCALE Halbleiter Deutschland GmbH Munich, Germany

Has been assessed per the relevant requirements regarding $\mu$C development and verification & validation of:

ISO 26262 : 2011 Parts 2, 4, 5, 7, 8, 9 and 10 (to the extent applicable)

and meets requirements providing:

Systematic Integrity: ASIL D

#### Safety related function:

The  $\mu$ C supports the execution of safety-related software by a dual-core lock-step architecture with memory protection and centralized fault collection and control unit.

#### Application restrictions:

The microcontroller shall be used per the Safety Application Guide requirements.


















### The World of Functional Safety Standards

[Figure: timeline from 1980 to the 2010s of functional safety standards by sector, with rows for rail transport, the generic standard IEC 61508 (including Ed. 2), industrial automation (including ISO 13849), automotive ((IEC 61508), followed by ISO 26262) and medical.]



### **Comparison of Functional Safety Standards**

**Functional Safety** is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical / electronic systems

#### **ISO 26262**

Automotive Industry standard, adaptation of IEC 61508 for electrical / electronic systems within road vehicles

#### **Safety Integrity Levels**

ASIL A, ASIL B, ASIL C, ASIL D

#### **Publication date**

15 Nov 2011

#### **IEC 61508**

Generic Industry standard, applicable to electrical / electronic / programmable electronic safety-related systems.

#### **Safety Integrity Levels**

SIL 1, SIL 2, SIL 3, SIL 4

#### **Publication date**

Ed. 2.0 – Apr 2010

Ed. 1.0 - More than 10 years ago

#### ISO 13849

One of two European Standards to achieve compliance with the Machinery Directive 2006/42/EC

#### **Performance Levels**

a, b, c, d, e

#### **Categories**

B, 1, 2, 3, 4

**Freescale** is strengthening its product development cycle, making functional safety an integral part of the process.



## **Example Interaction Between Car OEM, Tier 1 & Tier 2** (Freescale)

Overall ISO 26262 compliance is achieved together; we each own a piece of the puzzle

Relevant scope of ISO 26262: high

Relevant scope of ISO 26262: medium

#### **OEM**

- Item definition
- Hazard analysis and risk assessment
- Safety Goals
- Functional Safety Concept

Safety Manual & Safety Analysis



Safety Requirements & DIA

#### Tier 1

- Safety Architecture
- Safety Concept
- ASIL Classification of Functions

Safety Manual & Safety Analysis



Safety Requirements & DIA

#### **Tier 2 Supplier - Freescale**

HW / SW offering

Foundation

**Product Safety Measures** (implemented in offering, described in Safety Manual, quantified/qualified by Safety Analysis)

**Development Process & Methods** 

Quality & Quality Data

#### Freescale

Functional Safety Focus: Safety Element out of Context




















### **Functional Safety – Risk definition**



Risk: Combination of the probability and extent of damage







### Hazard Analysis and Risk Assessment (HARA)

- Identify and categorize the hazards that can be triggered by malfunctions in the system
- The Risk Assessment is carried out using three criteria
  - Severity – how much harm is done?

| Class       | S0          | S1                          | S2                                                       | S3                                                                   |
|-------------|-------------|-----------------------------|----------------------------------------------------------|----------------------------------------------------------------------|
| Description | No injuries | Light and moderate injuries | Severe and life-threatening injuries (survival probable) | Life-threatening injuries<br>(survival uncertain), fatal<br>injuries |

Exposure – how often is it likely to happen?

| Class       | E0         | E1                   | E2              | E3                 | E4               |
|-------------|------------|----------------------|-----------------|--------------------|------------------|
| Description | Incredible | Very low probability | Low probability | Medium probability | High probability |

Controllability – can the hazard be controlled?

| Class       | C0                      | C1                  | C2                    | C3                                     |
|-------------|-------------------------|---------------------|-----------------------|----------------------------------------|
| Description | Controllable in general | Simply controllable | Normally controllable | Difficult to control or uncontrollable |







### **Determination of ASIL and Safety Goals**

- For each Hazardous event, determine the ASIL based on Severity, Exposure & Controllability
- Then formulate safety goals to prevent or mitigate each event, to avoid unreasonable risk

Table 4 — ASIL determination

| Severity class | Probability class | Controllability class C1 | Controllability class C2 | Controllability class C3 |
|----------------|-------------------|----|----|----|
| S1             | E1                | QM | QM | QM |
| S1             | E2                | QM | QM | QM |
| S1             | E3                | QM | QM | A  |
| S1             | E4                | QM | A  | B  |
| S2             | E1                | QM | QM | QM |
| S2             | E2                | QM | QM | A  |
| S2             | E3                | QM | A  | B  |
| S2             | E4                | A  | B  | C  |
| S3             | E1                | QM | QM | A  |
| S3             | E2                | QM | A  | B  |
| S3             | E3                | A  | B  | C  |
| S3             | E4                | B  | C  | D  |

Reference ISO 26262-3:2011







### **Target Metrics for ASIL**

- Associate the following target metrics to each safety goal
  - Single-point fault metric (SPFM)

Table 4 — Possible source for the derivation of the target "single-point fault metric" value

|                           | ASIL B | ASIL C | ASIL D |
|---------------------------|--------|--------|--------|
| Single-point fault metric | ≥90 %  | ≥97 %  | ≥99 %  |

### Latent-fault metric (LFM)

Table 5 — Possible source for the derivation of the target "latent-fault metric" value

|                     | ASIL B | ASIL C | ASIL D |
|---------------------|--------|--------|--------|
| Latent-fault metric | ≥60 %  | ≥80 %  | ≥90 %  |

### Probabilistic Metric for random Hardware Failures (PMHF)

Table 6 — Possible source for the derivation of the random hardware failure target values

| ASIL | Random hardware failure target values |
|------|---------------------------------------|
| D    | <10<sup>-8</sup> h<sup>-1</sup>       |
| C    | <10<sup>-7</sup> h<sup>-1</sup>       |
| B    | <10<sup>-7</sup> h<sup>-1</sup>       |







### Example - EPS System

- Application Context
  - Safety Goal 1 (SG1): The EPS does not apply unintended force to the steering system (ASIL D).
    - Hazard: Unintended steering assist
    - Risk Assessment
      - S3: Life threatening injuries (survival uncertain), fatal injuries
      - E4: High probability
      - C3: Difficult to control or uncontrollable
  - Typical FTTI = 20 ms
  - System Safe State: disable EPS and notify driver of problem (fail-safe, fail-indicate)
- MCU Assumptions
  - Safety Function 1 (SF1): Execute software instructions, process data, write back result (ASIL D), mapped to SG1
  - Portion of FTTI: 10 ms
    - 50% of SG1 FTTI for HW safety measures
  - Define portion of ASIL target allocated to each safety function
    - SPFM: 99%, LFM: 90%, PMHF: 10<sup>-10</sup> hour<sup>-1</sup> (1% of safety goal ASIL target)
  - MCU Safe State (fail safe, fail indicate)
    - Reset, indicating an error







### **Defining the MCU Safety Concept**

- Objective
  - Define how MCU ASIL targets will be achieved between a mix of on-chip HW safety measures and system level safety measures (HW/SW)
- ISO 26262-5 Annex D Elements related to MCU
  - Low application dependency: Power, Clock, Flash, SRAM & Processing Unit
  - High application dependency: Digital IO & Analog IO



Figure D.1 — Generic hardware of a system (Reference ISO 26262-5:2011)














### Safety Support – Tailoring of FMEDA

#### **Objective**

- Tailor FMEDA to match application configuration
- Enables customers, by supporting their system level architectural choices

#### Content

- FMEDA methods aligned with functional safety standards
  - SPFM & LFM, PMHF – ISO 26262
  - SFF & PFH – IEC 61508 Ed. 2.0
  - βic – IEC 61508 Ed. 2.0 part 2, Annex E
- Dynamic/Tailored FMEDA covers elements with low application dependency: Clock, Power Supply, Flash, SRAM, Processing Unit...

#### Work flow and result

- Customer specifies the failure model (dependent on Safety Integrity Level) required by their application, and then confirms the Safety Measures that will be used or not be used
- A tailored FMEDA is then supplied to customers for their specific application

[Figure: excerpt of a tailored FMEDA spreadsheet. A mission profile for operation in a hot climate lists the passive time t<sub>passive</sub> in hours per ambient temperature band (from -40 °C through 180 °C, each with an equivalent "average" temperature) together with the failure acceleration per band for logic gates (GATE) and for SEL.]









### What is an FMEDA



FMEDA calculates absolute values (uncontrolled failures per hour) and relative values (controlled / total failures per hour).

[Figure: **Gates**, each with a failure rate; each gate may have various possible failure modes, each with various failure reactions.]
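The roll-up an FMEDA performs, shown as an added example (not Freescale's tool or data): rows of raw failure rates are split into controlled and uncontrolled parts and reduced to SPFM, LFM and PMHF using the ISO 26262-5 metric definitions. The names `FmedaRow`, `fmeda_metrics`, `meets` and `mcu_rows` are hypothetical, every failure rate and coverage value is constructed, and PMHF is approximated by the residual failure rate alone (the dual-point term is neglected).

```python
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1e9 device-hours

# Targets copied from the tables on this page: ASIL -> (SPFM, LFM, PMHF per hour).
TARGETS = {"B": (0.90, 0.60, 1e-7), "C": (0.97, 0.80, 1e-7), "D": (0.99, 0.90, 1e-8)}


@dataclass(frozen=True)
class FmedaRow:
    name: str
    fit: float        # raw failure rate of the element, in FIT
    safe: float       # fraction of failures that cannot violate the safety goal
    dc_rf: float      # diagnostic coverage with respect to residual faults
    dc_latent: float  # diagnostic coverage with respect to latent faults

    def __post_init__(self):
        if self.fit < 0:
            raise ValueError(f"{self.name}: failure rate must not be negative")
        for field in ("safe", "dc_rf", "dc_latent"):
            if not 0.0 <= getattr(self, field) <= 1.0:
                raise ValueError(f"{self.name}: {field} must be within [0, 1]")

    @property
    def residual(self):
        """Uncontrolled part: can violate the safety goal and is not covered."""
        return self.fit * (1 - self.safe) * (1 - self.dc_rf)

    @property
    def latent(self):
        """Controlled by the safety measure, but neither detected nor perceived."""
        controlled = self.fit * (1 - self.safe) * self.dc_rf
        return controlled * (1 - self.dc_latent)


def fmeda_metrics(rows):
    """Return SPFM and LFM as fractions and the approximated PMHF per hour."""
    total = sum(r.fit for r in rows)
    residual = sum(r.residual for r in rows)
    latent = sum(r.latent for r in rows)
    return {
        "spfm": 1 - residual / total,
        "lfm": 1 - latent / (total - residual),
        "pmhf": residual * FIT,  # simplification: dual-point term neglected
    }


def meets(metrics, asil, pmhf_budget=None):
    """Compare metrics with the ASIL targets; pmhf_budget overrides the table value."""
    spfm_target, lfm_target, pmhf_target = TARGETS[asil]
    if pmhf_budget is not None:
        pmhf_target = pmhf_budget
    return {
        "spfm": metrics["spfm"] >= spfm_target,
        "lfm": metrics["lfm"] >= lfm_target,
        "pmhf": metrics["pmhf"] < pmhf_target,
    }


def mcu_rows(sram_ecc=True):
    """Constructed sample FMEDA; all numbers are illustrative, not measured."""
    return [
        FmedaRow("Processing unit (permanent faults)", 30.0, 0.4, 0.999, 0.90),
        FmedaRow("SRAM bit cells (soft errors)", 500.0, 0.5,
                 0.9999 if sram_ecc else 0.0, 1.0),
        FmedaRow("Flash array", 20.0, 0.5, 0.999, 0.90),
    ]


if __name__ == "__main__":
    for ecc in (True, False):
        m = fmeda_metrics(mcu_rows(sram_ecc=ecc))
        # 1e-10 per hour is the MCU allocation used in the EPS example on this page.
        verdict = meets(m, "D", pmhf_budget=1e-10)
        print(f"SRAM ECC={ecc}: SPFM={m['spfm']:.4%} LFM={m['lfm']:.4%} "
              f"PMHF={m['pmhf']:.2e}/h -> {verdict}")
```

In this constructed data the SRAM soft-error row carries most of the raw failure rate, so removing its coverage drops the SPFM to about 54.5 % and pushes the PMHF far above both the ASIL D table value and the 10<sup>-10</sup> h<sup>-1</sup> allocation.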







### ISO 26262-5 (elements and failure models)

Table D.1 — Analyzed faults or failures modes in the derivation of diagnostic coverage

| Element | See Tables | Low (60 % DC) | Medium (90 % DC) | High (99 % DC) |
|---------|------------|---------------|------------------|----------------|
| **General semiconductor elements** | | | | |
| Power supply | D.9 | Under and over Voltage | Drift<br>Under and over Voltage | Drift and oscillation<br>Under and over Voltage<br>Power spikes |
| Clock | D.10 | Stuck-at<sup>a</sup> | d.c. fault model<sup>b</sup> | d.c. fault model<sup>b</sup><br>Incorrect frequency<br>Period jitter |
| Non-volatile memory | D.5 | Stuck-at<sup>a</sup> for data and addresses and control interface, lines and logic | d.c. fault model<sup>b</sup> for data and addresses (includes address lines within same block) and control interface, lines and logic | d.c. fault model<sup>b</sup> for data, addresses (includes address lines within same block) and control interface, lines and logic |
| Volatile memory | D.6 | Stuck-at<sup>a</sup> for data, addresses and control interface, lines and logic | d.c. fault model<sup>b</sup> for data, addresses (includes address lines within same block and inability to write to cell) and control interface, lines and logic<br>Soft error model<sup>c</sup> for bit cells | d.c. fault model<sup>b</sup> for data, addresses (includes address lines within same block and inability to write to cell) and control interface, lines and logic<br>Soft error model<sup>c</sup> for bit cells |
| Digital I/O | | Stuck-at<sup>a</sup> (including signal lines outside of the microcontroller) | d.c. fault model<sup>b</sup> (including signal lines outside of the microcontroller) | d.c. fault model<sup>b</sup> (including signal lines outside of the microcontroller)<br>Drift and oscillation |
| Analogue I/O | D.7 | Stuck-at<sup>a</sup> (including signal lines outside of the microcontroller) | d.c. fault model<sup>b</sup> (including signal lines outside of the microcontroller)<br>Drift and oscillation | d.c. fault model<sup>b</sup> (including signal lines outside of the microcontroller)<br>Drift and oscillation |

**FMEDA SRAM**

Reference ISO 26262-5:2011







### ISO 26262-5 (elements and failure models)

Table D.1 — Analyzed faults or failures modes in the derivation of diagnostic coverage

| Element | See Tables | Low (60 % DC) | Medium (90 % DC) | High (99 % DC) |
|---------|------------|---------------|------------------|----------------|
| ALU - Data Path | D.4/D.13 | Stuck-at<sup>a</sup> | Stuck-at<sup>a</sup> at gate level | d.c. fault model<sup>b</sup><br>Soft error model<sup>c</sup> (for sequential parts) |
| Registers (general purpose registers bank, DMA transfer registers), internal RAM | D.4 | Stuck-at<sup>a</sup> | Stuck-at<sup>a</sup> at gate level | d.c. fault model<sup>b</sup> including no, wrong or multiple addressing of registers<br>Soft error model<sup>c</sup> |
| Address calculation (Load/Store Unit, DMA addressing logic, memory and bus interfaces) | D.4/D.5/D.6 | Stuck-at<sup>a</sup> | Stuck-at<sup>a</sup> at gate level<br>Soft error model<sup>c</sup> (for sequential parts) | d.c. fault model<sup>b</sup> including no, wrong or multiple addressing<br>Soft error model<sup>c</sup> (for sequential parts) |
| Interrupt handling | D.4/D.10 | Omission of or continuous interrupts | Omission of or continuous interrupts<br>Incorrect interrupt executed | Omission of or continuous interrupts<br>Incorrect interrupt executed<br>Wrong priority<br>Slow or interfered interrupt handling causing missed or delayed interrupts service |
| Control logic (Sequencer, coding and execution logic including flag registers and stack control) | D.4/D.10 | No code execution<br>Execution too slow<br>Stack overflow/underflow | Wrong coding or no execution<br>Execution too slow<br>Stack overflow/underflow | Wrong coding, wrong or no execution<br>Execution out of order<br>Execution too fast or too slow<br>Stack overflow/underflow |
| Configuration Registers | D.4 | - | Stuck-at<sup>a</sup> wrong value | Corruption of registers (soft errors)<br>Stuck-at<sup>a</sup> fault model |
| Other sub-elements not belonging to previous classes | D.4/D.13 | Stuck-at<sup>a</sup> | Stuck-at<sup>a</sup> at gate level | d.c. fault model<sup>b</sup><br>Soft error model<sup>c</sup> (for sequential part) |

**FMEDA Processing Unit**














### How is SER measured?

JEDEC specifies SER test and analysis procedures in JESD89A

#### **System-level Tests**

- Data in 1000 devices is monitored for > 1000 hours (2 months)
- Measure number of failures in 10<sup>6</sup> device-hours
- Used to scale accelerated results to field conditions

#### **Accelerated Tests**

- Data in 2 to 10 devices exposed to an accelerated source is monitored for a few minutes
- Results are decelerated to operating conditions
- Tests require little time to collect substantial data (10<sup>8</sup> acceleration)
- JEDEC standards for converting to operating conditions
- Most SER characterization is performed with accelerated tests







### Alpha Accelerated (αASER) Tests

- Freescale uses a <sup>232</sup>Thorium foil to accelerate alpha particles
  - Th232 foil flux 3.2e6 alpha/cm<sup>2</sup>/hr.
- The active-side of the device must be exposed to the Thorium foil
  - Any Mold compound must be removed
  - Cannot perform  $\alpha$ ASER on lead-over-chip (e.g. bumped) devices
- Source-to-die spacing: <1mm
- Alpha source calibration: done periodically
- Type and number of devices tested: 4 die from 2 wafers
- Number of errors per unit time: typically < 5% of bit fails on 1Mb after 1min
  - No multiple events can flip fails back into a passing mode
- Noise: no errors in the DUT for the total test time when no source was present
- Latchup: no high-current behavior observed during the testing
- Package lid: removed, Polyimide: removed, if used







### **Neutron Accelerated (nASER) Tests**

- Type of neutron source used: Los Alamos WNR or TRIUMF, broad energy spectrum.
- Beam fluence (flux\*testing\_time): a minimum of 1E8 neutrons/cm<sup>2</sup> struck the DUT
- Beam divergence with distance: DUTs are located close to the beam output
- Neutron scattering in the parallel DUTs: avoided with a 30cm DUT-to-DUT spacing
- Type and number of devices tested: 4 dies from 2 wafers
- Number of errors per unit time: typically < 1% of bit fails on 1Mb after 1hour
  - No multiple events can flip fails back into a passing mode
- Noise: no errors in the DUT for the total test time when no source was present
- Latchup: no high-current behavior observed during the testing
- Multiple Bit Upset: checked at topology and system level
- nASER data is decelerated to NYC ground-level conditions.
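How accelerated αASER and nASER counts are decelerated to a field rate in FIT/Mbit, as an added example that is not Freescale's procedure or data. The run counts, the beam flux and the package alpha emissivity are constructed assumptions; the 13 n/cm²/h sea-level reference flux for New York City (E > 10 MeV) is the JESD89A value and does not appear on the slides; `Run`, `validity_problems`, `field_fit_per_mbit` and `acceleration_factor` are hypothetical names.

```python
from dataclasses import dataclass

MBIT = 2 ** 20
HOURS_PER_FIT = 1e9  # FIT counts failures per 1e9 device-hours

# Run validity limits quoted on this page.
MIN_NEUTRON_FLUENCE = 1e8                           # neutrons/cm2 on the DUT
MAX_FAIL_FRACTION = {"alpha": 0.05, "neutron": 0.01}

TH232_FOIL_FLUX = 3.2e6     # alpha/cm2/h, foil flux given on this page
NYC_NEUTRON_FLUX = 13.0     # n/cm2/h, E > 10 MeV (JESD89A reference, not from the page)
PACKAGE_ALPHA_FLUX = 0.001  # alpha/cm2/h, assumed emissivity of the package material


@dataclass(frozen=True)
class Run:
    source: str   # "alpha" or "neutron"
    flux: float   # particles/cm2/h at the die during the test
    hours: float  # exposure time
    bits: int     # number of monitored bits
    errors: int   # bit fails counted during the exposure

    @property
    def fluence(self):
        """Particles per cm2 delivered to the die (flux * testing time)."""
        return self.flux * self.hours


def validity_problems(run):
    """Return the page's run criteria that this run violates (empty list if none)."""
    problems = []
    if run.source == "neutron" and run.fluence < MIN_NEUTRON_FLUENCE:
        problems.append("fluence below 1E8 neutrons/cm2")
    # Keeping the fail fraction low makes a second hit on an already failed bit
    # (which would flip it back to passing and hide the error) unlikely.
    if run.errors / run.bits >= MAX_FAIL_FRACTION[run.source]:
        problems.append("too many bit fails; upsets may mask each other")
    return problems


def acceleration_factor(run, field_flux):
    """How much faster the test source delivers particles than the field does."""
    return run.flux / field_flux


def field_fit_per_mbit(run, field_flux):
    """Decelerate an accelerated result to FIT per Mbit at the given field flux."""
    if run.fluence <= 0:
        raise ValueError("run has no exposure")
    cross_section_per_bit = run.errors / (run.fluence * run.bits)  # cm2 per bit
    return cross_section_per_bit * field_flux * HOURS_PER_FIT * MBIT


# Constructed runs on a 1 Mbit SRAM.
ALPHA_RUN = Run("alpha", TH232_FOIL_FLUX, 1 / 60, MBIT, 16)   # one minute on the foil
NEUTRON_RUN = Run("neutron", 1e9, 1.0, MBIT, 50)              # one hour in the beam
SHORT_RUN = Run("neutron", 1e9, 0.05, MBIT, 3)                # fluence only 5e7


def total_ser_fit_per_mbit():
    """Alpha plus neutron contribution for the constructed runs."""
    return (field_fit_per_mbit(ALPHA_RUN, PACKAGE_ALPHA_FLUX)
            + field_fit_per_mbit(NEUTRON_RUN, NYC_NEUTRON_FLUX))


if __name__ == "__main__":
    for run, field in ((ALPHA_RUN, PACKAGE_ALPHA_FLUX), (NEUTRON_RUN, NYC_NEUTRON_FLUX)):
        print(run.source, validity_problems(run),
              f"{field_fit_per_mbit(run, field):.0f} FIT/Mbit",
              f"acceleration {acceleration_factor(run, field):.1e}")
    print("short run:", validity_problems(SHORT_RUN))
    print(f"total: {total_ser_fit_per_mbit():.0f} FIT/Mbit")
```

The resulting FIT/Mbit figure, scaled by the memory size, is the raw soft-error failure rate that enters the FMEDA row for SRAM bit cells.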







### **Example Results for nASER Showing ECC Effectiveness Against Multi-Bit Upsets**









### **Supporting Material for Functional Safety**

- SafeAssure @ www.freescale.com/SafeAssure
- Certification Package under NDA
- App-Notes, White Papers, Articles
- **On-demand Training**







Software that seamlessly integrates with hardware to achieve system-level functional safety goals

Comprehensive support capabilities that extend from customer-specific training and system design reviews regarding functional safety architecture to extensive safety documentation and technical support.

hardware and software integration. Helping you achieve your system-level functional safety compliance - simply

