The use of fail-safe hardware safety interlocks is a key tenet of semiconductor equipment engineering, to protect equipment and ensure personnel safety. The idea of fail-safe technology has existed for a long time, however, as engineers through history work to keep progressively more complex machines and operators safe. An inventor named George Westinghouse, for instance, developed the railway air brake in 1868, a pneumatic system where air pressure was required to release the brakes. In creating a system where pressure loss in the pneumatic lines would revert the brakes to their “normally closed” state, Westinghouse’s device dramatically improved the safety of the widely-used locomotive. As with a runaway train, semiconductor fab accidents can also cause serious problems. Thus, semiconductor equipment safety systems should operate the same way; upon the occurrence of an event, such as loss of power or a leak, a tool or component should shut down the relevant portions of the process in a safe manner.
Safe Failure Modes
When possible, the mechanical engineer should design all semiconductor equipment and the components within to fail in a safe mode. For some components, safe failure requires a “normally closed” configuration, meaning that they close their circuits or shut their valves. In the event of a power outage, maintenance mistake, fire, earthquake, or other incident, it’s important to ensure that no hazardous production material is flowing unregulated through gas lines; therefore, most process gas valves close by default if they lose power or signal. Other components may require a “normally open” configuration instead, in which valves and relays open by default. Exhaust vents should stay wide open in an emergency to ensure that they can continue to exhaust that any dangerous process gases from the room. An electrical system composed of normally open relays can deny power to ovens or plasma sources if anything malfunctions. The mechanical engineer designing the system should perform a thorough failure modes effect analysis (FMEA) for the entire system, from gas cabinets through the gas panel and exhaust, to ensure that they have identified and accounted for all possibilities of failure. This process can also be known as a failure modes effect criticality analysis (FMECA), and is used in many industries.
Hardware Interlock, Not Software
Once the mechanical engineer, electrical engineer, or relevant discipline has determined the possible points of failure, he or she needs to select a foolproof method of shutting down each failure point. If the valves on a piece of semiconductor equipment are all electronically controlled, in the event of a power outage the computer won’t be available to shut those valves and stop gas flow. Therefore, the engineer should specify normally-closed valves, which will close off gas flow if they receive no signal or lose power. Safety sensors should similarly use hardware solutions when possible. For instance, some types of sensors use solid state devices (semiconductors and transistors), but these can generally fail in both the open and closed states; obviously, this could be dangerous if an exhaust sensor or the like failed but continued to send an all-clear signal.
Humans are not a substitute for fail-safe hardware interlocks!
One critically important point to remember is that a system should never rely on a human being as part of its safety interlocks in semiconductor equipment. It can never be sufficient to rely on the user’s assurance that they know not to open doors when the equipment is active or that there will always be in the room while the process is running. This is especially important for emergency situations; in the event of a fire, earthquake, or tornado, the first and only responsibility of anyone in the lab is to evacuate. They should not have to take the time to deactivate equipment and processes before they can get themselves to safety.
The table below shows a simplified logic table for hazardous events and the associated interlocks needed for the components used in a semiconductor process.
[table id=intlk /]
The Possibilities of Safe Systems
It is important not to think of safety as a burden, but to think of what it makes possible. A colleague of mine used to run an Indy race team. The person who fueled the car during a race had to keep his foot on a switch, known as the “dead man’s switch.” If there was an explosion and he lost control, and took his foot off of the switch, the flow of fuel to the Indy race car would stop. This is an example of a fail-safe feature, protecting the team in the event of injury or emergency. Indy Car racing is still a dangerous sport for all involved, but safety measure like these allow for faster pit stops and safer repairs. Still, having a choice when attending the races and helping, I chose to help entertain the corporate sponsors and super models in the suite overlooking the track, instead of manning the “dead man’s” on the fuel hose. Who said engineering was not a glamour profession?
Trains have long employed deadman switches in case the engineer is incapacitated. Similar devices have been envisioned for detecting people who fall asleep at the wheel by watching the driver’s eyes. If the eyes drop or close for long enough then the car can automatically move to the side of the road. This will have to wait for self driving cars, of course, but until then a loud noise to wake the person could suffice. This would not account for those who are incapacitated by stroke, heart attack, seizure or drugs, but other similar safety features could make it possible for those with disabilities to regain their mobility by being allowed to drive safely without endangering others. Furthermore, these safety features could call for emergency assistance as needed. As an engineering design challenge, at a fundamental safetly level, semiconductor fabs are not that different from other industries, but do involve more high technology. Engineers and product managers should think of the capabilities that safety features enable, not the burden of incorporating them into a design.