The use of fail-safe hardware safety interlocks is a key tenet of semiconductor equipment engineering, to protect equipment and ensure personnel safety. The idea of fail-safe technology has existed for a long time, however, as engineers through history work to keep progressively more complex machines and operators safe. An inventor named George Westinghouse, for instance, developed the railway air brake in 1868, a pneumatic system where air pressure was required to release the brakes. In creating a system where pressure loss in the pneumatic lines would revert the brakes to their “normally closed” state, Westinghouse’s device dramatically improved the safety of the widely-used locomotive. As with a runaway train, semiconductor fab accidents can also cause serious problems. Thus, semiconductor equipment safety systems should operate the same way; upon the occurrence of an event, such as loss of power or a leak, a tool or component should shut down the relevant portions of the process in a safe manner.
Safe Failure Modes
When possible, the mechanical engineer should design all semiconductor equipment and the components within to fail in a safe mode. For some components, safe failure requires a “normally closed” configuration, meaning that they close their circuits or shut their valves. In the event of a power outage, maintenance mistake, fire, earthquake, or other incident, it’s important to ensure that no hazardous production material is flowing unregulated through gas lines; therefore, most process gas valves close by default if they lose power or signal. Other components may require a “normally open” configuration instead, in which valves and relays open by default. Exhaust vents should stay wide open in an emergency to ensure that they can continue to exhaust that any dangerous process gases from the room. An electrical system composed of normally open relays can deny power to ovens or plasma sources if anything malfunctions. The mechanical engineer designing the system should perform a thorough failure modes effect analysis (FMEA) for the entire system, from gas cabinets through the gas panel and exhaust, to ensure that they have identified and accounted for all possibilities of failure. This process can also be known as a failure modes effect criticality analysis (FMECA), and is used in many industries.
Hardware Interlock, Not Software
Once the mechanical engineer, electrical engineer, or relevant discipline has determined the possible points of failure, he or she needs to select a foolproof method of shutting down each failure point. If the valves on a piece of semiconductor equipment are all electronically controlled, in the event of a power outage the computer won’t be available to shut those valves and stop gas flow. Therefore, the engineer should specify normally-closed valves, which will close off gas flow if they receive no signal or lose power. Safety sensors should similarly use hardware solutions when possible. For instance, some types of sensors use solid state devices (semiconductors and transistors), but these can generally fail in both the open and closed states; obviously, this could be dangerous if an exhaust sensor or the like failed but continued to send an all-clear signal.
Humans are not a substitute for fail-safe hardware interlocks!
One critically important point to remember is that a system should never rely on a human being as part of its safety interlocks in semiconductor equipment. It can never be sufficient to rely on the user’s assurance that they know not to open doors when the equipment is active or that there will always be in the room while the process is running. This is especially important for emergency situations; in the event of a fire, earthquake, or tornado, the first and only responsibility of anyone in the lab is to evacuate. They should not have to take the time to deactivate equipment and processes before they can get themselves to safety.
The table below shows a simplified logic table for hazardous events and the associated interlocks needed for the components used in a semiconductor process.