Electronic – General question about safety-critical use of microcontrollers

microcontroller

I was wondering if microcontrollers that hobbyists use, such as the 8-bit Atmel AVR ATMega328 which is used in many of my small projects, can be used in sensitive things, for example a life-dependent application such as an aircraft or space shuttle?

I am asking out of curiosity: I am a student in school.

Best Answer

There is a whole industry of reliability engineering which is how safety-critical electronics (and everything else) is made.

Amongst many other things, most chip manufacturers have special versions of their products which are specified for military, aerospace, medical and safety control purposes. This starts with simple things like extended temperature ranges. But the difference between these and ordinary products is mostly one of testing and certification, sometimes to the point where parts have individual serial numbers. You can imagine that such parts -- even if they run the identical code at identical speed -- are much more expensive than the kind for ordinary commercial products. As illustration, a given chip design might be rated with a particular clock rate, and perhaps the manufacturer tests 1 part every 10,000 to check it really does. They might sell you parts where each one has been numbered and tested and give you a certificate with it. The testing and tracking costs money. Another point of difference is doing something to make the part more reliable: such as using different packaging materials which have less background radiation, or radiation-hardening the device; all this prevents some of the causes of random behaviour of devices. The functional performance of these devices is unchanged, but you can see how they would be a better choice for safety-critical products.

You may have noticed at the bottom of the Atmel datasheet

SAFETY-CRITICAL, MILITARY, AND AUTOMOTIVE APPLICATIONS DISCLAIMER: Atmel products are not designed for and will not be used in connection with any applications where the failure of such products would reasonably be expected to result in significant personal injury or death (“Safety-Critical Applications”) without an Atmel officer's specific written consent. Safety-Critical Applications include, without limitation, life support devices and systems, equipment or systems for the operation of nuclear facilities and weapons systems. Atmel products are not designed nor intended for use in military or aerospace applications or environments unless specifically designated by Atmel as military-grade. Atmel products are not designed nor intended for use in automotive applications unless specifically designated by Atmel as automotive-grade.

This is how they tell you these are not specified for safety-critical applications. All manufacturers have this kind of thing on their datasheets.

The idea is that while the general specification of the part might make it suitable for a given application, it would be negligent to use any particular chip in a safety-critical application without special testing. This is the case whether it's a piece of rope, a screw, or a CPU.

On top of this, there are many design practices, regulations, and certifications of design process which go to make safety-critical engineering. One place to start is the Wikipedia article Safety Engineering.

Specifically about aircraft, here are a couple of articles from Avionics Stack Exchange