## FUNCTIONAL SAFETY COURSE #4

Dr. FRANCK GALTIE, DIRECTOR AUTOMOTIVE FUNCTIONAL SAFETY



COMPANY CONFIDENTIAL



SECURE CONNECTIONS FOR A SMARTER WORLD



# General Agenda

- Course #1: Functional Safety awareness
- Course #2: Brainstorming on power inverter architecture, potential failures and safety mechanisms (i.e. safety concept)
- Course #3: Continue on Safety Concept
- Course #4: How to prove our concept and assess it





# Course #4 agenda

- Functional Safety Analysis
- Confirmation measures
- Internship



# 01. SAFETY ANALYSIS FTA, DFA, FMEDA




## Safety Analysis

Safety Analysis Flow (flow diagram)

## Safety Analysis

Qualitative Safety Analysis



| inputs                                             | process                                                      | outputs                                                   |
|----------------------------------------------------|--------------------------------------------------------------|-----------------------------------------------------------|
| Catalog of failure modes / causes (design, process) | Design FMEA, Process FMEA, Pinout FMEA                      | RPN values                                                |
| Lessons learnt                                     | Severity ranking                                             | Safety key characteristics                                |
| HW functions                                       | Measures for Occurrence removal & Detection at t=0           | Safety measures evidence                                  |
| SW functions                                       | Safety measures for during operation                         | Verification of the Safety Concept and design (SYS, HW, SW) |
| Safety goals/requirements                          |                                                              |                                                           |

Worksheet excerpt shown on the slide (screenshot, re-typed; team names omitted): Process FMEA of system element "CT Diagnostic module", FMEA date 04/12/2017, actions completed 31/05/2017. RPN = S × O × D.

| Function              | Potential failure mode                                   | Potential effect(s) of failure                                          | S  | Potential cause(s) of failure | Current preventive action                          | O | Current detection action                                 | D | RPN | Action taken                                                                                                                     | S  | O | D |
|-----------------------|----------------------------------------------------------|-------------------------------------------------------------------------|----|-------------------------------|----------------------------------------------------|---|----------------------------------------------------------|---|-----|----------------------------------------------------------------------------------------------------------------------------------|----|---|---|
| CT open-load detection | BMS - CT Open load diagnostic triggered without fault   | BMS - Diagnostics not working                                           | 9  | Resistor - Resistor too low   | PVT (process-voltage-temperature) simulation       | 3 | Measure resistance value at lab over full voltage range  | 2 | 54  | D: Measure resistance value at lab over full voltage range with and without open cell; D: perform drift analysis after HTOL      | 9  | 3 | 2 |
| CT open-load detection | BMS - CT Open load diagnostic not triggered with a fault | BMS - Diagnostics not working; BMS - Incorrect cell voltage measurement | 10 | Resistor - Resistor too high  | PVT (process-voltage-temperature) simulation       | 3 | Measure resistance value at lab over full voltage range  | 2 | 60  | D: Measure resistance value at lab over full voltage range with and without open cell                                            | 10 | 3 | 2 |



## Safety Analysis

Qualitative Safety Analysis

## FTA

| inputs                                                      | process                                              | outputs                                                   |
|-------------------------------------------------------------|------------------------------------------------------|-----------------------------------------------------------|
| Functional Architecture (System down to basic Elements)     | FTA (preliminary, system, hardware and software)     | Safe faults                                               |
| Set of rules for failure modes                              | Allocation of Safety mechanisms to faults            | Single Point fault                                        |
| Safety goals/requirements                                   | Definition of additional required Safety mechanism   | Common Cause fault                                        |
| Safety mechanisms                                           |                                                      | Pairs Fault – SM                                          |
|                                                             |                                                      | Minimal cutsets                                           |
|                                                             |                                                      | Verification of the Safety Concept and design (SYS, HW, SW) |



## Safety Analysis

Dependent Failure Analysis

## DFA

| inputs                                   | process                              | outputs                                                                  |
|------------------------------------------|--------------------------------------|--------------------------------------------------------------------------|
| Pairs faults – SM, Minimal cutsets       | DFA                                  | DFI Elements for FMEDA                                                   |
| Catalog of Dependent Failure Initiators  | Shared resources, Cascaded failure   | Verification of the Safety measures with fault injection, etc.           |
| Co-existing elements                     | Safety measure identification        | Confirmation for sufficient Independence and freedom from interference   |
| Safety goals/requirements                | Verification of the Safety measures  |                                                                          |

Worksheet excerpt shown on the slide (screenshot, re-typed): DFA of the HW and SW element pair "VPRE & VDDIO VMON OV (SM1)" (element type SM). The "Source (FTA)" column ties each row to cut-set events such as a bit flip in a mirror register, unintended test mode activation, a main oscillator failure leading to over-voltage, the PRE_SW pin shorted to ground or an external low side shorted to GND (VDDIO VMON OV/UV). Workbook sheets: SG2_GateCutSets, SG1_GateCutSets, DFA_HW_Elements, DFA_Coexisting_Elements, DFA_SW_Elements.

| DFI family type               | DFI type                                           | Description                                                       | Failure effect: violation of safety goal | Safety measure to prevent dependent failures from violating the safety goal | Safety measure to prevent the occurrence of dependent failures during operation       |
|-------------------------------|----------------------------------------------------|-------------------------------------------------------------------|------------------------------------------|------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|
| Failures of shared resources  | Common voltage regulator or preregulator           | Supply is used by VPRE and indirectly by VMONx through the VSFS clamp | Yes                                   | Indirect detection of failure of shared resource                             | Separate resources to reduce amount or scope of shared resources                       |
| Failures of shared resources  | Common bandgap                                     | Voltage reference                                                 | Yes                                      | Redundancy                                                                   | Separate resources to reduce amount or scope of shared resources                       |
| Failures of shared resources  | Common current reference or bias generator         | Current reference                                                 | Yes                                      | Redundancy                                                                   | Separate resources to reduce amount or scope of shared resources                       |
| Failures of shared resources  | Common clock element                               | Clock for logic and SMPS                                          | Yes                                      | Redundancy                                                                   | Separate resources to reduce amount or scope of shared resources                       |
| Failures of shared resources  | Common RAM                                         | OTP                                                               | Yes                                      | Redundancy                                                                   | Separate resources to reduce amount or scope of shared resources                       |
| Random physical root causes   | Cross talk (substrate current, capacitive coupling) | Cross talk, latch-up, local heating                              | Yes                                      |                                                                              | Physical separation (e.g. distance of the die from a local heat source external to the die) |
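To make the two analyses above concrete, here is an added example (not code from the course or from any NXP tool) that takes a small, constructed fault tree, extracts its minimal cut sets and the "Pairs Fault – SM" they contain (the FTA outputs), and then runs the DFA shared-resource check over those cut sets: a cut set whose events all depend on one shared resource is flagged, because a failure of that resource collapses it to a single point of failure. The tree, the event names and the resource map are all assumptions made for the illustration.

```python
"""Minimal cut sets of a small fault tree, the fault-SM pairs they contain, and a
dependent-failure (DFA) check over the cut sets.  Added example, not part of the
course slides: the tree, event names and shared-resource map are constructed."""
from itertools import product

# Fault tree: gate name -> (gate type, children).  Anything not listed as a gate
# is a basic event.  Constructed example: the safety goal is violated when a
# supply over-/under-voltage fault occurs AND the voltage monitor (the safety
# mechanism, SM) that should detect it has failed.
TREE = {
    "TOP":           ("OR",  ["UNDETECTED_OV", "UNDETECTED_UV"]),
    "UNDETECTED_OV": ("AND", ["OV_FAULT", "OV_MONITOR_FAIL"]),
    "UNDETECTED_UV": ("AND", ["UV_FAULT", "UV_MONITOR_FAIL"]),
    "OV_FAULT":      ("OR",  ["REG_DRIFT_HIGH", "BANDGAP_HIGH"]),
    "UV_FAULT":      ("OR",  ["REG_DRIFT_LOW", "BANDGAP_LOW"]),
}

# Basic events that are failures of a safety mechanism (for fault-SM pairing).
SM_EVENTS = {"OV_MONITOR_FAIL", "UV_MONITOR_FAIL"}

# DFA input (constructed): the shared resource each event depends on.  The
# monitors use the same bandgap reference from which the regulator set-point
# is derived, so "fault" and "SM" are not independent for the bandgap rows.
SHARED_RESOURCE = {
    "BANDGAP_HIGH": "bandgap", "BANDGAP_LOW": "bandgap",
    "OV_MONITOR_FAIL": "bandgap", "UV_MONITOR_FAIL": "bandgap",
    "REG_DRIFT_HIGH": "preregulator", "REG_DRIFT_LOW": "preregulator",
}


def minimize(sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node, tree=TREE):
    """Return the minimal cut sets of `node` as a set of frozensets of basic events."""
    if node not in tree:
        return {frozenset([node])}
    kind, children = tree[node]
    child_sets = [cut_sets(c, tree) for c in children]
    if kind == "OR":                      # any child's cut set cuts the gate
        combined = set().union(*child_sets)
    elif kind == "AND":                   # one cut set from every child, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return minimize(combined)


def fault_sm_pairs(sets, sm_events=SM_EVENTS):
    """Two-event cut sets made of one fault and one failed safety mechanism,
    returned as sorted (fault, SM) tuples: the 'Pairs Fault - SM' FTA output."""
    pairs = set()
    for s in sets:
        if len(s) == 2:
            sm = s & sm_events
            if len(sm) == 1:
                (fault,), (mech,) = s - sm, sm
                pairs.add((fault, mech))
    return sorted(pairs)


def dependent_cut_sets(sets, resource_map=SHARED_RESOURCE):
    """DFA check: multi-event cut sets whose events all hang off one shared
    resource.  A failure of that resource collapses the cut set to a single
    point of failure, so the claimed independence of fault and SM is void."""
    flagged = {}
    for s in sets:
        if len(s) < 2:
            continue
        resources = {resource_map.get(e) for e in s}
        if len(resources) == 1 and None not in resources:
            flagged[s] = resources.pop()
    return flagged


if __name__ == "__main__":
    mcs = cut_sets("TOP")
    for s in sorted(map(sorted, mcs)):
        print("minimal cut set:", " AND ".join(s))
    print("fault-SM pairs:", fault_sm_pairs(mcs))
    for s, res in dependent_cut_sets(mcs).items():
        print("DFA: cut set", sorted(s), "shares resource", res)
```

Every minimal cut set of the constructed tree is a fault–SM pair of order two, which is what the FTA is meant to establish for a single-point-fault-free design; the DFA pass then shows that the two bandgap pairs only look like order two, and points at the slide's own remedies (redundancy, or separate resources to reduce the scope of sharing). The two preregulator pairs are not flagged because the regulator drift and the monitor hang off different resources.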



## Safety Analysis

Quantitative Safety Analysis

## FMEDA

| inputs                                          | process                                                                              | outputs                          |
|-------------------------------------------------|--------------------------------------------------------------------------------------|----------------------------------|
| Hardware elements (close to HW implementation)  | FMEDA                                                                                | Single Point Fault Metric        |
| Failure rate                                    | Violation of safety goal directly or in combination with a second fault              | Latent Fault Metric              |
| Catalog of failure modes                        | Safety mechanism allocation to the fault for Single Point Fault and Latent Fault     | PMHF                             |
| Safety goals/requirements                       |                                                                                      | (for each Safety goal)           |
| Safety mechanisms & DC                          |                                                                                      | Confirmation for achieved ASIL   |

Worksheet excerpt shown on the slide (screenshot, re-typed): FMEDA front sheet. The header block shows the targeted Safety Integrity Level (ASIL D, corresponding to SIL3 (99 %)) and computed metric values that read 99,28 %, 99,76 %, 3,65E-10 h⁻¹ and 5,09E-08 h⁻¹ (their labels are not legible in the screenshot). Below it, each safety mechanism or assumption is selected and given a diagnostic coverage (DC):

| Safety mechanism / assumption                                                                                                 | Selected | Diagnostic coverage values read from the sheet                                                                                                                                                  |
|-------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Is the mean time between destructive resets, or between power up and power down, shorter than the multiple-point fault detection interval | TRUE |                                                                                                                                                                                            |
| LBIST enabled and activated within the multiple-point fault detection interval                                                | TRUE     | LBIST: DC = 85,0 %                                                                                                                                                                              |
| Content of PMC_CFGR, PMC_SR, PMC_TRIM2, PMC_TRIM3 and PCU_PSTAT is verified within the fault tolerant time interval           | TRUE     | CRC: DC = 93,0 %                                                                                                                                                                                |
| External watchdog enabled (window and/or logical monitoring external watchdog implemented)                                   | TRUE     | Watchdog: DC = 90,0 %; SMPS drift: 0,0 %; SMPS power spikes: 0,0 %; bandgap and package contacts: 30,0 %                                                                                       |
| Core logic supply low voltage monitor                                                                                         | TRUE     | SMPS: DC = 60,0 %; SMPS drift: 0,0 %; SMPS oscillation: 90,0 %                                                                                                                                  |
| Core logic supply high voltage monitor                                                                                        | TRUE     | SMPS over voltage: DC = 60,0 %; SMPS drift: 0,0 %; SMPS oscillation: 90,0 %                                                                                                                     |
| 3.3 V main supply low voltage monitor                                                                                         | TRUE     | Bandgap: 0,0 %; bandgap oscillations: 0,0 %; PCM voltage regulator over voltage: 60,0 %                                                                                                        |
| 3.3 V Input/Output supply low voltage monitor                                                                                 | TRUE     | External supply under voltage: DC = 60,0 %; external supply drift: 0,0 %; external supply oscillations: 90,0 %; bandgap: 0,0 %; bandgap oscillations: 0,0 %                                    |
| 3.3 V Flash supply low voltage monitor                                                                                        | TRUE     | External supply under voltage: DC = 60,0 %; drift: 0,0 %; oscillations: 90,0 %; bandgap: 0,0 %; flash supply contacts (open, high resistive, short): 98,0 %; external supply over voltage: 0,0 %; PCM voltage regulator over voltage: 60,0 % |
|                                                                                                  |                                 |                                                                                                                                                     |                                                                                      |                                                                                                                              |                                                                      |                                                           |                                                           | DC = 0,0%                                                                   | DC = 0.0%                                                                   | DC = 0,0%                                                                                |

FMEDA spreadsheet screenshot (SPFM = 99,19%). Legible rows: FM1 to FM7, High Voltage Buck regulator with external FET (block PRE-REGULATOR, λ = 1,265 FIT, 14,29% per failure mode, the same failure modes and VDDIOMON over/undervoltage safety mechanisms as in the SPFM example table further down); FM8, BOOST group row; FM9 and FM10, BOOST external-FET switching regulator, BOOST low-side FET (RDSON too high when turned on; shorted drain to source), 33,33% per failure mode, neither able to violate the safety goal (no safety mechanism, DC = 0%). Sheet tabs: System, Assumptions, Safety Goal or Requirement, Safety Mechanisms, Failure Rate IEC TR 62380, Block Failure Rate, FMEDA_PM, FMEDA_VMON.

|                   | FMEDA_OP | FMEDA_PM | FMEDA_MON |
|-------------------|----------|----------|-----------|
| SPFM              | 99,19%   | 99,19%   | NA        |
| LFM               | 96,00%   | 96,57%   | 95,26%    |
| PMHF (10^-9 / h)  | 0,433    |          |           |



## What is Failure Rate and Why Do We Want to Evaluate It?

#### Many standardized models use a "bathtub curve" simplification, which assumes:

- Early-life defects (infant mortality) are screened out by the supplier.
- The useful lifetime of the components is not exceeded (no operation in the wear-out period).
- A constant failure rate is assumed by the probabilistic estimation method and required by ISO 26262.
- The reference conditions must be known: NXP's preferred standard is IEC TR 62380.



### Safety Analysis FMEDA Process

Two types of Safety Mechanisms:

- Safety mechanisms that prevent faults from being single-point faults (SPF):
  the diagnostic shall be effective within the FTTI (fault tolerant time interval) at system level.
- Safety mechanisms that prevent faults from being latent faults (LF):
  the diagnostic shall be effective within the MPFTI (multiple-point fault detection interval) at system level.

#### Safety Mechanism implementation:

1. Embedded in the IC (INT SM)
2. External to the IC (EXT SM)
3. Combined embedded and external (for instance requiring an MCU decision for the reaction to the safe state)
4. Hardware and/or software solution (HW SM, SW SM)

Safety mechanism requirements are defined in the safety concept.



**Collection of Safety Mechanisms** (figure; labels: Fault, IC, MCU)

#### Safety Analysis FMEDA Process

#### Diagnostic Coverage of the Safety Mechanisms

Proportion of the hardware **element failure rate** that is detected or controlled by the implemented **safety mechanisms**. In the FMEDA it is applied per failure mode: the failure-mode rate multiplied by (1 - DC) is what remains as a residual (single-point) fault.
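The walk-through below is an added illustration, not the course's or NXP's FMEDA tool. It recomputes the rows of the SPFM example table (λ = 2,738 FIT for the HV buck, spread at 14,29% over seven failure modes, DC = 99% for the VDDIOMON monitors) and derives SPFM and LFM with the ISO 26262-5 Annex C formulas. The latent-fault data for the VCOREMON monitor rows (an assumed self-test with DC = 90%) is invented for the example and is not on the page; `FailureMode`, `spfm`, `lfm` and `example_rows` are names chosen here.

```python
"""FMEDA metric walk-through: failure-mode rate, residual fault rate, SPFM and LFM.

Added illustration, not an NXP tool. Rates are in FIT (failures per 1e9 h).
Formulas follow ISO 26262-5 Annex C:
  SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
  LFM  = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF)
"""
from dataclasses import dataclass
from typing import List


@dataclass
class FailureMode:
    """One FMEDA row: a failure mode of a hardware block."""
    fm_id: str
    block_lambda: float             # failure rate of the whole block, FIT
    distribution: float             # share of the block failure rate for this failure mode
    violates_sg: bool               # can violate the safety goal with no safety mechanism
    dc_sg: float = 0.0              # diagnostic coverage wrt. safety-goal violation (0..1)
    latent_candidate: bool = False  # may violate the safety goal together with a 2nd fault
    dc_latent: float = 0.0          # coverage of the mechanism that exposes it as latent

    @property
    def lambda_fm(self) -> float:
        """Failure-mode rate: block failure rate times failure-mode distribution."""
        return self.block_lambda * self.distribution

    @property
    def lambda_spf_rf(self) -> float:
        """Residual single-point fault rate.

        A failure mode that cannot violate the safety goal contributes nothing.
        With no safety mechanism (DC = 0) the whole failure-mode rate is a
        single-point fault; with a mechanism, the undetected part (1 - DC)
        remains as a residual fault.
        """
        if not self.violates_sg:
            return 0.0
        return self.lambda_fm * (1.0 - self.dc_sg)

    @property
    def lambda_latent(self) -> float:
        """Multiple-point fault rate left latent (not detected within the MPFTI)."""
        if not self.latent_candidate:
            return 0.0
        return self.lambda_fm * (1.0 - self.dc_latent)


def spfm(rows: List[FailureMode]) -> float:
    """Single-point fault metric over all safety-related failure modes."""
    total = sum(r.lambda_fm for r in rows)
    return 1.0 - sum(r.lambda_spf_rf for r in rows) / total


def lfm(rows: List[FailureMode]) -> float:
    """Latent-fault metric: latent share of what is not already single-point/residual."""
    not_single_point = sum(r.lambda_fm - r.lambda_spf_rf for r in rows)
    return 1.0 - sum(r.lambda_latent for r in rows) / not_single_point


def example_rows() -> List[FailureMode]:
    """Constructed input mirroring the page's FM1-FM7 and FM147/FM148 rows.

    The latent-fault figures for the VCOREMON monitor (assumed self-test,
    DC = 90 %) are invented for this illustration and are not on the page.
    """
    buck = 2.738  # FIT, HV buck regulator block
    return [
        FailureMode("FM1", buck, 1 / 7, True, 0.99),   # output overvoltage, SM1A
        FailureMode("FM2", buck, 1 / 7, True, 0.99),   # output undervoltage, SM1B
        FailureMode("FM3", buck, 1 / 7, True, 0.99),   # spikes, SM1C
        FailureMode("FM4", buck, 1 / 7, False),        # drift: cannot violate the SG
        FailureMode("FM5", buck, 1 / 7, True, 0.99),   # incorrect start-up time, SM1B
        FailureMode("FM6", buck, 1 / 7, False),        # oscillation inside regulation range
        FailureMode("FM7", buck, 1 / 7, True, 0.99),   # oscillation outside range, SM1C
        # A failed monitor cannot violate the safety goal on its own, but it is
        # dangerous together with a buck fault: a latent-fault candidate (assumed).
        FailureMode("FM147", 0.506, 0.5, False, latent_candidate=True, dc_latent=0.90),
        FailureMode("FM148", 0.506, 0.5, False, latent_candidate=True, dc_latent=0.90),
    ]


if __name__ == "__main__":
    rows = example_rows()
    for r in rows:
        print(f"{r.fm_id}: lambda_fm={r.lambda_fm:.3f} FIT, residual={r.lambda_spf_rf:.5f} FIT")
    print(f"SPFM = {spfm(rows):.2%}   LFM = {lfm(rows):.2%}")
```

Running it reproduces the table's per-row numbers (FM1: 0,391 FIT failure-mode rate, 0,00391 FIT residual) and shows why rows answering "No" to the safety-goal question still count in the denominator of SPFM but never in its numerator, and why a monitor failure only enters the LFM term.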





### **Safety Analysis**

#### **Examples of Safety Mechanisms and Diagnostic Coverage**

| #    | Safety mechanism                   | ISO 26262-5 Annex D §        | Level of<br>Diagnostic<br>coverage | Used? | DC (%) |
|------|------------------------------------|------------------------------|------------------------------------|-------|--------|
| -    | Not applicable                     | -                            | -                                  | -     | 0%     |
| SM1  | Overvoltage detection on VDDIOMON  | D.2.8.2                      | High                               | Yes   | 99%    |
| SM2  | Undervoltage detection on VDDIOMON | D.2.8.2                      | High                               | Yes   | 99%    |
| SM23 | CRC check on SPI protocol          | D.2.7.6, D.2.7.7,<br>D.2.7.8 | High                               | Yes   | 99%    |

| Safety mechanism                                     | Diagnostic coverage<br>numbers |
|------------------------------------------------------|--------------------------------|
| Assumed LBIST                                        |                                |
| for stuck-at                                         | 90%                            |
| for bridging                                         | 90%                            |
| for open                                             | 70%                            |
| Average coverage                                     | 85%                            |
| Assumed MBIST                                        | 90%                            |
| SRAM                                                 |                                |
| ECC data and address random data coverage(SECDED)    | 69%                            |
| ECC data and address random address coverage(SECDED) | 75%                            |
| ECC data and address random data coverage(SEDDED)    | 99%                            |
| Flash EEPROM                                         |                                |
| ECC multiple data random failure coverage (SECDED)   | 71,48%                         |
| ECC multiple data random failure coverage (SEDDED)   | 99,61%                         |



#### **Safety Analysis** Example of FMEDA: SPFM Evaluation

SPFM = 99,18%

| #     | Function                                                   | Function description                                                  | λ (FIT) | Failure mode                                         | Potential to violate the safety goal in absence of safety mechanism | Failure rate distribution | Failure mode rate | Applicable safety mechanism | Safety mechanism(s) preventing the failure mode from violating the safety goal        | Failure mode coverage wrt. violation of safety goal | Residual single-point fault rate |
|-------|------------------------------------------------------------|-----------------------------------------------------------------------|---------|------------------------------------------------------|---------------------------------------------------------------------|---------------------------|-------------------|-----------------------------|----------------------------------------------------------------------------------------|-----------------------------------------------------|----------------------------------|
| FM1   | HV BUCK<br>High Voltage Buck regulator<br>External FET     | Pre-regulator connected to Battery, EXT HS and LS                     | 2,738   | Regulated output in overvoltage                      | Yes                                                                 | 14,29%                    | 0,391             | SM1A                        | Overvoltage detection on VDDIOMON                                                      | 99%                                                 | 0,00391                          |
| FM2   | High Voltage Buck regulator<br>External FET                | Pre-regulator connected to Battery, EXT HS and LS                     | 2,738   | Regulated output in undervoltage                     | Yes                                                                 | 14,29%                    | 0,391             | SM1B                        | Undervoltage detection on VDDIOMON                                                     | 99%                                                 | 0,00391                          |
| FM3   | High Voltage Buck regulator<br>External FET                | Pre-regulator connected to Battery, EXT HS and LS                     | 2,738   | Regulated output affected by spikes                  | Yes                                                                 | 14,29%                    | 0,391             | SM1C                        | Over/Undervoltage detection on VDDIOMON                                                | 99%                                                 | 0,00391                          |
| FM4   | High Voltage Buck regulator<br>External FET                | Pre-regulator connected to Battery, EXT HS and LS                     | 2,738   | Regulated output drift                               | No                                                                  | 14,29%                    | 0,391             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM5   | High Voltage Buck regulator<br>External FET                | Pre-regulator connected to Battery, EXT HS and LS                     | 2,738   | Incorrect start-up time                              | Yes                                                                 | 14,29%                    | 0,391             | SM1B                        | Undervoltage detection on VDDIOMON                                                     | 99%                                                 | 0,00391                          |
| FM6   | High Voltage Buck regulator<br>External FET                | Pre-regulator connected to Battery, EXT HS and LS                     | 2,738   | Regulated output oscillation inside regulation range | No                                                                  | 14,29%                    | 0,391             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM7   | High Voltage Buck regulator<br>External FET                | Pre-regulator connected to Battery, EXT HS and LS                     | 2,738   | Regulated output oscillation outside regulation range | Yes                                                                | 14,29%                    | 0,391             | SM1C                        | Over/Undervoltage detection on VDDIOMON                                                | 99%                                                 | 0,00391                          |
| FM146 | Voltage monitor VCOREMON                                   |                                                                       |         |                                                      |                                                                     |                           |                   |                             |                                                                                        |                                                     |                                  |
| FM147 | Voltage monitor VCOREMON                                   | Voltage monitoring of the BUCK1 (UV)                                  | 0,506   | Undervoltage never detected                          | No                                                                  | 50,00%                    | 0,253             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM148 | Voltage monitor VCOREMON                                   | Voltage monitoring of the BUCK1 (UV)                                  | 0,506   | Undervoltage always detected                         | No                                                                  | 50,00%                    | 0,253             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM149 | Voltage monitor VCOREMON                                   | Redundant DVS DAC aligned with DVS DAC in Main. Fully independent      | 0,309   | Reference voltage output too low                     | No                                                                  | 50,00%                    | 0,155             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM150 | Voltage monitor VCOREMON                                   | Redundant DVS DAC aligned with DVS DAC in Main. Fully independent      | 0,309   | Reference voltage output too high                    | No                                                                  | 50,00%                    | 0,155             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM151 | Voltage monitor VCOREMON                                   | Voltage monitoring of the BUCK1 (OV)                                  | 0,506   | Overvoltage never detected                           | No                                                                  | 50,00%                    | 0,253             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM152 | Voltage monitor VCOREMON                                   | Voltage monitoring of the BUCK1 (OV)                                  | 0,506   | Overvoltage always detected                          | No                                                                  | 50,00%                    | 0,253             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM153 | Voltage monitor VCOREMON                                   | Redundant DVS DAC aligned with DVS DAC in Main. Fully independent      | 0,309   | Reference voltage output too low                     | No                                                                  | 50,00%                    | 0,155             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM154 | Voltage monitor VCOREMON                                   | Redundant DVS DAC aligned with DVS DAC in Main. Fully independent      | 0,309   | Reference voltage output too high                    | No                                                                  | 50,00%                    | 0,155             |                             | Not applicable                                                                         | 0%                                                  | 0,00000                          |
| FM441 | PLL Clock                                                  |                                                                       |         |                                                      |                                                                     |                           |                   |                             |                                                                                        |                                                     | 0                                |
| FM442 | Internal clock PLL                                         | PLL in the Main domain                                                | 0,376   | Output is stuck low                                  | Yes                                                                 | 16,67%                    | 0,063             | SM20                        | Over/Undervoltage detection on Voltage Monitoring<br>(VCOREMON, or VDDIOMON, or VMONx) | 99%                                                 | 0,00063                          |
| FM443 | Internal clock PLL                                         | PLL in the Main domain                                                | 0,376   | Output is stuck high                                 | Yes                                                                 | 16,67%                    | 0,063             | SM20                        | Over/Undervoltage detection on Voltage Monitoring<br>(VCOREMON, or VDDIOMON, or VMONx) | 99%                                                 | 0,00063                          |
| FM444 | Internal clock PLL                                         | PLL in the Main domain                                                | 0,376   | Frequency of the output signal is too high           | Yes                                                                 | 16,67%                    | 0,063             | SM20                        | Over/Undervoltage detection on Voltage Monitoring<br>(VCOREMON, or VDDIOMON, or VMONx) | 99%                                                 | 0,00063                          |
| FM445          | Internal clock, PLL                                                        | PLL in the Main domain                                                                                       | 0,376          | Frequency of the output signal is too low                                 | Yes                                                                                                      | 16,67%                       | 0,063                | SM20                                   | Over/Undervoltage detection on Voltage Monitoring<br>(VCOREMON, or VDDIOMON, or VMONx)<br>Over/Undervoltage detection on Voltage Monitoring | 99%                                                          | Failure ra                        |
| FM446          | Internal clock PLL                                                         | PLL in the Main domain                                                                                       | 0,376          | Jitter too high of the output signal                                      | Yes                                                                                                      | 16,67%                       | 0,063                | SM20                                   | (VCOREMON, or VDDIOMON, or VMONx)<br>Over/Undervoltage detection on Voltage Monitoring                                                      |                                                              |                                   |
| FM447          | Internal clock PLL                                                         | PLL in the Main domain                                                                                       | 0,376          | Incorrect duty cycle                                                      | Yes                                                                                                      | 16,67%                       | 0,063                | SM20                                   | (VCOREMON, or VDDIOMON, or VMONx)                                                                                                           | 99%                                                          |                                   |

Slide callouts mark the "Violation of the safety goal in absence of SM" column, the "Applicable Safety Mechanism" column, the "Residual or SPF failure rate" column and the "Total SPFM" cell at the foot of the table.

#### **Safety Analysis** Example of FMEDA: LFM Evaluation

| FM id | Function                                 | Function description                                              | Failure rate | Failure mode                                           | May lead to violation of the safety goal in combination with an independent failure of another block? | Detection means: safety mechanism(s) preventing the failure mode from being latent | Safety mechanism(s) preventing the latent failure mode from violating the safety goal | Failure mode coverage with respect to latent failures | Latent multi-point fault failure rate |
|-------|------------------------------------------|-------------------------------------------------------------------|--------------|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|--------------------------------------------------------|---------------------------------------|
| FM2   | External FET High Voltage Buck regulator | Pre-regulator connected to Battery, EXT HS and LS                 | 2,738        | Regulated output in overvoltage                        | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM3   | External FET High Voltage Buck regulator | Pre-regulator connected to Battery, EXT HS and LS                 | 2,738        | Regulated output in undervoltage                       | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM4   | External FET High Voltage Buck regulator | Pre-regulator connected to Battery, EXT HS and LS                 | 2,738        | Regulated output affected by spikes                    | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM5   | External FET High Voltage Buck regulator | Pre-regulator connected to Battery, EXT HS and LS                 | 2,738        | Regulated output drift                                 | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM6   | External FET High Voltage Buck regulator | Pre-regulator connected to Battery, EXT HS and LS                 | 2,738        | Incorrect start-up time                                | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
|       | External FET High Voltage Buck regulator | Pre-regulator connected to Battery, EXT HS and LS                 | 2,738        | Regulated output oscillation inside regulation range   | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM7   | External FET High Voltage Buck regulator | Pre-regulator connected to Battery, EXT HS and LS                 | 2,738        | Regulated output oscillation outside regulation range  | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM146 | VCOREMON                                 |                                                                   |              |                                                        |                                                                                                       |                                                                                    |                                                                                       |                                                        | 0                                     |
| FM147 | Voltage monitor VCOREMON                 | Voltage monitoring of the BUCK1 (UV)                              | 0,506        | Undervoltage never detected                            | Yes                                                                                                   | SM13                                                                               | ABIST                                                                                 | 60%                                                    | 0,10113                               |
| FM148 | Voltage monitor VCOREMON                 | Voltage monitoring of the BUCK1 (UV)                              | 0,506        | Undervoltage always detected                           | Yes                                                                                                   | SM13                                                                               | ABIST                                                                                 | 60%                                                    | 0,10113                               |
| FM149 | Voltage monitor VCOREMON                 | Redundant DVS DAC aligned with DVS DAC in Main. Fully independent | 0,309        | Reference voltage output too low                       | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM150 | Voltage monitor VCOREMON                 | Redundant DVS DAC aligned with DVS DAC in Main. Fully independent | 0,309        | Reference voltage output too high                      | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM151 | Voltage monitor VCOREMON                 | Voltage monitoring of the BUCK1 (OV)                              | 0,506        | Overvoltage never detected                             | Yes                                                                                                   | SM13                                                                               | ABIST                                                                                 | 60%                                                    | 0,10113                               |
| FM152 | Voltage monitor VCOREMON                 | Voltage monitoring of the BUCK1 (OV)                              | 0,506        | Overvoltage always detected                            | Yes                                                                                                   | SM13                                                                               | ABIST                                                                                 | 60%                                                    | 0,10113                               |
| FM153 | Voltage monitor VCOREMON                 | Redundant DVS DAC aligned with DVS DAC in Main. Fully independent | 0,309        | Reference voltage output too low                       | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM154 | Voltage monitor VCOREMON                 | Redundant DVS DAC aligned with DVS DAC in Main. Fully independent | 0,309        | Reference voltage output too high                      | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM441 | PLL Clock                                |                                                                   |              |                                                        |                                                                                                       |                                                                                    |                                                                                       |                                                        | 0                                     |
| FM442 | Internal clock PLL                       | PLL in the Main domain                                            | 0,376        | Output is stuck low                                    | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM443 | Internal clock PLL                       | PLL in the Main domain                                            | 0,376        | Output is stuck high                                   | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM444 | Internal clock PLL                       | PLL in the Main domain                                            | 0,376        | Frequency of the output signal is too high             | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM445 | Internal clock PLL                       | PLL in the Main domain                                            | 0,376        | Frequency of the output signal is too low              | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM446 | Internal clock PLL                       | PLL in the Main domain                                            | 0,376        | Jitter of the output signal too high                   | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |
| FM447 | Internal clock PLL                       | PLL in the Main domain                                            | 0,376        | Incorrect duty cycle                                   | No                                                                                                    |                                                                                    | Not applicable                                                                        | 0%                                                     | 0,00000                               |

Slide callouts mark the "Violation of the safety goal in combination with an independent failure" column, the "Applicable Safety Mechanism" column and the "Latent multi-point fault failure rate" column.
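The two tables above are the bookkeeping behind the SPFM and LFM metrics: every failure-mode row contributes a single-point, residual, latent multi-point or safe share of its block's failure rate, and the metrics are ratios of those sums. The script below is an added worked example, not NXP's FMEDA template or any tool output from the course: it re-computes the "residual or SPF failure rate" and "latent multi-point fault failure rate" columns from the ISO 26262-5 Annex C definitions using only the VCOREMON and PLL rows shown on the slides (FM147 to FM154 and FM442 to FM447, with SM13/SM20 carried along as labels). Because it covers a tiny subset of the device, the SPFM and LFM it prints are only an illustration of the arithmetic, and the ASIL-target comparison shows the kind of check an assessor runs on the complete table.

```python
"""FMEDA metric arithmetic (SPFM / LFM) for the rows shown on the slides.

Added worked example: not NXP's FMEDA template or tooling. Row data is copied
from the VCOREMON and PLL rows of the SPFM and LFM tables; the subset is far
too small for the resulting metrics to mean anything for the real device.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class FmedaRow:
    fm_id: str
    block_rate: float          # failure rate of the whole block (4th table column)
    distribution: float        # share of block_rate assigned to this failure mode
    violates_sg: bool          # SPFM table: violates the safety goal in absence of SM?
    sm_residual: str = ""      # SM acting against the residual fault ("" = none)
    dc_residual: float = 0.0   # its diagnostic coverage, 0..1 (99 % -> 0.99)
    dual_point: bool = False   # LFM table: may violate the SG with a second, independent fault?
    sm_latent: str = ""        # SM that keeps the fault from staying latent ("" = none)
    dc_latent: float = 0.0     # its coverage with respect to latent faults, 0..1

    @property
    def mode_rate(self) -> float:
        """Failure rate of this failure mode (block rate x distribution)."""
        return self.block_rate * self.distribution

    @property
    def lambda_spf(self) -> float:
        """Single-point fault: would violate the safety goal and no SM detects it."""
        return self.mode_rate if self.violates_sg and not self.sm_residual else 0.0

    @property
    def lambda_rf(self) -> float:
        """Residual fault: the share the safety mechanism does not cover (1 - DC)."""
        if self.violates_sg and self.sm_residual:
            return self.mode_rate * (1.0 - self.dc_residual)
        return 0.0

    @property
    def lambda_mpf_latent(self) -> float:
        """Latent multi-point fault: dual-point share not caught by the latent-fault SM."""
        return self.mode_rate * (1.0 - self.dc_latent) if self.dual_point else 0.0


# Rows copied from the slides: 0.5 and 1/6 are the 50,00 % / 16,67 % distributions,
# VCOREMON monitor rows are dual-point with ABIST (SM13) at 60 %, DVS DAC rows are
# neither single- nor dual-point, PLL rows are residual with SM20 at 99 %.
def _vcoremon(fm_id: str, rate: float, dual: bool) -> FmedaRow:
    return FmedaRow(fm_id, rate, 0.5, violates_sg=False, dual_point=dual,
                    sm_latent="SM13" if dual else "", dc_latent=0.6 if dual else 0.0)


def _pll(fm_id: str) -> FmedaRow:
    return FmedaRow(fm_id, 0.376, 1 / 6, violates_sg=True, sm_residual="SM20", dc_residual=0.99)


ROWS = [
    _vcoremon("FM147", 0.506, True), _vcoremon("FM148", 0.506, True),    # BUCK1 UV monitor
    _vcoremon("FM149", 0.309, False), _vcoremon("FM150", 0.309, False),  # redundant DVS DAC
    _vcoremon("FM151", 0.506, True), _vcoremon("FM152", 0.506, True),    # BUCK1 OV monitor
    _vcoremon("FM153", 0.309, False), _vcoremon("FM154", 0.309, False),  # redundant DVS DAC
] + [_pll(f"FM{n}") for n in range(442, 448)]


def total_rate(rows: Iterable[FmedaRow]) -> float:
    """Sum of lambda over the safety-related rows (block rates are not double-counted)."""
    total = sum(r.mode_rate for r in rows)
    if total <= 0.0:
        raise ValueError("no failure rate to evaluate")
    return total


def spfm(rows: Iterable[FmedaRow]) -> float:
    """SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)."""
    rows = list(rows)
    return 1.0 - sum(r.lambda_spf + r.lambda_rf for r in rows) / total_rate(rows)


def lfm(rows: Iterable[FmedaRow]) -> float:
    """LFM = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF)."""
    rows = list(rows)
    not_single = total_rate(rows) - sum(r.lambda_spf + r.lambda_rf for r in rows)
    return 1.0 - sum(r.lambda_mpf_latent for r in rows) / not_single


# Metric targets of ISO 26262-5 (Tables 4 and 5): (SPFM, LFM); ASIL A sets no target.
TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}


def highest_asil_met(rows: Iterable[FmedaRow]) -> Optional[str]:
    """Highest ASIL whose SPFM and LFM targets both hold, or None if not even ASIL B."""
    rows = list(rows)
    s, l = spfm(rows), lfm(rows)
    for asil in ("D", "C", "B"):
        t_spfm, t_lfm = TARGETS[asil]
        if s >= t_spfm and l >= t_lfm:
            return asil
    return None


if __name__ == "__main__":
    for r in ROWS:
        print(f"{r.fm_id}: mode {r.mode_rate:.5f}  RF {r.lambda_rf:.5f}  latent {r.lambda_mpf_latent:.5f}")
    print(f"SPFM = {spfm(ROWS):.2%}, LFM = {lfm(ROWS):.2%}, highest ASIL target met: {highest_asil_met(ROWS)}")
```

FM442's residual comes out at 0,00063 and FM147's latent share at 0,1012, matching the table cells (the slide shows 0,10113 because its 0,506 is a rounded display of the underlying block rate). Over this subset the LFM lands just under the 80 % ASIL C target, which says nothing about the device and everything about why the metrics must be evaluated over every safety-related element of the item, never over an excerpt.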

# 02. FUNCTIONAL SAFETY CONFIRMATION MEASURE








## **ISO 26262 Functional Safety Audit/Assessment**

| Requirement                                                         | Confirmation review                                                                               | Functional safety audit                                        | Functional safety assessment                                                        |
|---------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|----------------------------------------------------------------|-------------------------------------------------------------------------------------|
| Subject for evaluation                                              | Work product                                                                                      | Implementation of the processes required for functional safety | Item as described in the item definition in accordance with ISO 26262-3:—, Clause 5 |
| Result                                                              | Confirmation review report                                                                        | Functional safety audit report in accordance with 6.4.8        | Functional safety assessment report in accordance with 6.4.9                        |
| Responsibility of the persons that perform the confirmation measure | Evaluation of the compliance of the work product with the corresponding requirements of ISO 26262 | Evaluation of the implementation of the required processes     | Evaluation of the achieved functional safety                                        |
| Nature of the review                                                | Process or technical                                                                              | Process review                                                 | Technical review, peer review                                                       |



# 03. INTERNSHIP






#### Functional Safety Engineering Internship

Location: TOULOUSE – Automotive Functional Safety. Profile sought: Electronics / Embedded systems. Reference to apply: R-2000 on www.careers.com

#### Contexte

Functional safety (in French "sûreté de fonctionnement") is an unavoidable part of developing automotive systems and components. The advent of driver-assistance functions and, ultimately, of the autonomous vehicle further increases the importance of ensuring the safe operation of embedded systems, including their electronic and software components.

Every development must comply with the ISO 26262 standard, which notably requires various analyses, verifications and independent evaluations.

In this context, a tool such as "Medini Analyze" can be used to facilitate the analyses (HARA, FTA, DFA, FMEDA) while linking them to the requirements of the specification.

Within this internship, the student engineer will be responsible for:

- supporting the deployment of a pilot project in the tool,
- producing the tutorials needed for future use of the tool,
- proposing methods for evaluating ("assessment") the analyses that take advantage of the tool's capabilities,
- training future users.

In addition, the student engineer may be asked to support activities related to fault injection: a new methodology must be developed to support the FMEDA (Failure Mode Effect and Diagnostic Analysis) type of analysis incorporated in the "Medini Analyze" tool.




NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2018 NXP B.V.