This document is a Safety Analysis Report for the Texas Instruments TPS3704x-Q1. Device numbers covered by this Safety Analysis Report include the products as shown in the device naming convention. For non-automotive grade parts, remove the -Q1 from the part number:
The following information is documented in the Device Safety Manual, and will not be repeated in this document. The Device Safety Manual is referred to as the Safety Manual through the remainder of this document.
The following information is documented in the Safety Report (or certificate), and will not be repeated in this document:
The user of this document should have a general familiarity with the TPS3704x-Q1. This document is intended to be used in conjunction with the pertinent data sheets, technical reference manuals, and other documentation for the products under development.
The following functional safety analyses are described in this document:
This section describes the device FMEDA, the assumptions made within, the options for tailoring, and provides an example calculation of device functional safety metrics.
In order to conduct quantitative failure analysis, estimates of the random failure rates for the components that will be considered in the analysis must be generated. There are many different models and techniques that can be used for failure rate estimation. Neither IEC 61508 nor ISO 26262 mandates the use of a particular failure estimation methodology. Estimation methods commonly used include:
Estimations of failure rate are often defined in terms of Failures In Time (FIT). TI's data respects FIT in terms of failures per 10^9 hours of operation, as is consistent with most handbooks. However, certain handbooks, such as those for military applications, may refer to FIT based on failures per 10^6 hours of operation. Take care when using such data to respect a common definition of FIT in all calculations.
In TI's experience, all of the models generate estimations of failure rate that are not consistent with failure rates which are observed and reported in the field or predicted based on data generated from targeted experiments. The models consistently predict higher failure rates than those observed in the field or predicted via targeted experiments. One possible reason for this discrepancy is that these standards consider reliability data that does not make a distinction between random and systematic failure. In both IEC 61508 and ISO 26262, the focus for quantitative analysis is on random failure rate. TI's data indicates that the vast majority of field failure issues seen in semiconductors are due to systematic failures, whether traced to semiconductor supplier, system integrator, or end user. TI has quality and reliability programs in place that constantly improve our products and processes to reduce these systematic failures.
The failure rates derived from SN29500 tend to be conservative as compared to TI product field failure rate data or TI accelerated lifetime testing. TI considers the IEC 61709 to be similar to the SN29500 and we refer to this model as the IEC 61709/SN29500 model in the FMEDA. The IEC/TR 62380, while still conservative, provides the closest match available to TI product data. Although this standard has been formally withdrawn, the equations have been incorporated inside ISO 26262-11:2018 section 4.6.2. As such, TI has used IEC/TR 62380 as the basis for our random failure rate estimation, augmented with data from targeted studies for failure modes not considered in the base model.
When considering failure rates for semiconductors, TI applies the following partition and methodology:
Design Element | Failure Mode | Estimation Method |
---|---|---|
Device Packaging | Permanent faults | IEC/TR 62380 |
Die (silicon) | Permanent faults | IEC/TR 62380 |
Die (silicon) | Transient faults (soft error) | Targeted radiation exposure |
TI uses the IEC/TR 62380 model to estimate package FIT rate for the SOT-23 package used for this device. The IEC/TR 62380 package model is primarily concerned with wear-out due to thermal expansion between the package and the PCB. The model includes several variables that have been replaced with device-specific data when available, such as power consumption and package thermal characteristics. It is highly recommended that the user applies their own application mission profile in the 'Mission Profile Tailoring' tab as this has a large impact on the base package FIT rate. The automotive motor control profile is used as the default in TI's estimates.
TI field data in high volume automotive and industrial applications indicates a random package failure rate and a silicon permanent fault rate that are at least two orders of magnitude lower than the estimates generated using the IEC/TR 62380. TI devices are designed with a high degree of margin to the wear-out failure mechanisms respected in IEC/TR 62380; most applications will not approach the wear-out limits within product lifetime. It has also been argued that wear-out mechanisms should be considered a systematic failure mode and as such should not be included in safety metric analysis. Data generated using the IEC/TR 62380 standard should be considered conservative estimates.
TI uses the IEC/TR 62380 model to estimate FIT rate due to silicon permanent faults. The IEC/TR 62380 model focuses primarily on gate oxide integrity type faults that are accelerated by voltage and temperature. This is a traditional approach to semiconductor fault modeling, as gate oxide failure is a primary wear-out mechanism. However, in recent product generations additional failure modes have become significant and are not always accelerated by the same conditions as a gate oxide failure. JEDEC JEP122G, "Failure Mechanisms and Models for Semiconductor Devices", can provide additional details. Management of these failure modes may require additional testing and diagnostics, which are not well comprehended in IEC 61508:2010 and ISO 26262:2011.
TI's application of the IEC/TR 62380 model follows the guidance found in ISO 26262-11:2018. Permanent faults are separated into five classes, each estimated with a separate intrinsic FIT rate: MOS digital circuits, low-power consumption SRAM, ROM, block erasable flash, and low voltage linear (analog). The process FIT factor of the five circuitry types is averaged, as the standard does not comprehend a process that allows integration of digital, analog, ROM, SRAM, and flash. Please note that some devices may not have every category listed above; in that case, the absent categories are excluded from the calculation. The automotive motor control profile is used as default in TI's estimates.
TI uses experimental data collected on process test chips to estimate silicon transient faults. Other data from vendors and foundries may also be used in this calculation, depending on the process technology used for the device. TI has been conducting targeted radiation exposure testing on process test chips since 2000 and is considered an industry leader in this area. TI's data correlates strongly to estimates for soft error provided in the International Technology Roadmap for Semiconductors (ITRS). At present, TI is not aware of any failure estimation standard that includes models to estimate FIT rate for transient faults.
Data taken on test chips has been utilized to establish base failure rates for single event upset (SEU) on SRAM bits and sequential digital logic. A further estimation is made for single event transient (SET) events for combinatorial logic. This failure mode is theoretically possible but TI has not been able to generate this failure mode in any testing done to date. ROM, analog, and package FIT have no contribution to transient faults and are therefore excluded from this calculation.
SEU failure rates consider exposure to two elementary particles: alphas and neutrons. Alpha particle exposure occurs primarily from radioactive material in the package mold compound. Low-alpha mold compound is utilized to minimize this failure rate. Neutron particle exposure is primarily due to cosmic particles bombarding the Earth. The altitude of operation and location on the Earth have an impact on the rate of exposure, with high altitude locations near the equator having the worst exposure. There is no effective way to manage neutron particles other than operation of the unit behind several feet of lead, water, or similar barrier. All of the estimations used in this report are based on JEDEC JESD89A, Measurement and Reporting of Alpha Particle and Terrestrial Cosmic Ray Induced Soft Errors in Semiconductor Devices, with assumption of neutron flux = 1 (measured exposure to neutrons as seen at sea level in New York City, USA).
TI uses ISO 26262-10, Figure 9 as the basis for all FMEDA calculations. Each of the rows in the FMEDA is given a portion of the overall device failure rate based on its transistor count or area (package FIT is calculated separately based on the number of device pins). Then based on the selections that are made in Section 2.2.3, the FMEDA will categorize the failure rate accordingly. The user can see the details of this categorization in the 'Details - ISO26262' tab and/or the 'Details - IEC 61508' tab. The calculation for IEC 61508 categories is slightly different than in IEC 61508, especially regarding the failures of diagnostic functions in single-channel structures (HFT=0). For these calculations, TI follows the Machinery Directive Recommendation for Use (CNB/M/11.059):
Safety Function | Diagnostic Function |
---|---|
SIL 1 | Basic safety principles |
SIL 2 | SIL 1 |
SIL 3 | SIL 2 |
An FMEDA is a common functional safety analysis technique used to determine the effectiveness of a functional safety architecture. For failure modes of the design blocks identified, a probability of occurrence is quantified. For diagnostics implemented, the effectiveness of the diagnostic is quantified. The quantification of these values enables the calculation of safety metrics per targeted functional safety standards such as the IEC 61508 safe failure fraction or the ISO 26262 single point fault metric, which estimates the effectiveness of the implemented safety architecture.
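The allocation and metric steps described above can be sketched in Python as follows; this is an added example, not TI's FMEDA workbook or its formulas. The row names, transistor weights, safe fractions, coverage values and the 10 FIT die rate are constructed, package FIT is left out, and `to_fit` shows the unit normalization needed when a handbook quotes failures per 10^6 hours.

```python
from dataclasses import dataclass

FIT_HOURS = 1e9  # FIT on this page: failures per 10^9 hours of operation


def to_fit(failures, per_hours):
    """Normalize a handbook rate (e.g. failures per 10^6 h) to FIT."""
    return failures * FIT_HOURS / per_hours


@dataclass
class Row:
    name: str
    transistors: int      # allocation weight (transistor count or area)
    safety_related: bool  # tailoring: is the block used by the safety function?
    safe_fraction: float  # share of faults that cannot violate the safety goal
    coverage: float       # diagnostic coverage of the remaining faults


def fmeda(die_fit, rows):
    """Allocate die FIT by transistor count, then classify each row's share."""
    total_weight = sum(r.transistors for r in rows)
    safe = detected = residual = 0.0
    for r in rows:
        lam = die_fit * r.transistors / total_weight
        if not r.safety_related:
            continue  # not part of the safety function: outside the metric
        dangerous = lam * (1.0 - r.safe_fraction)
        safe += lam - dangerous
        detected += dangerous * r.coverage
        residual += dangerous * (1.0 - r.coverage)
    related = safe + detected + residual
    if related == 0.0:
        raise ValueError("no safety-related failure rate to evaluate")
    return {
        "safety_related_fit": related,
        "residual_fit": residual,
        # ISO 26262 single point fault metric: 1 - (SPF + RF) / safety-related FIT
        "spfm": 1.0 - residual / related,
    }


# Constructed sample rows (hypothetical blocks and values, not TI data)
ROWS = [
    Row("sense_path", 600, True, 0.5, 0.9),
    Row("reference", 300, True, 0.5, 0.6),
    Row("unused_output", 100, False, 0.0, 0.0),
]

if __name__ == "__main__":
    print(fmeda(10.0, ROWS))
    print(to_fit(0.002, 1e6))  # handbook value per 10^6 h, expressed as FIT
```

Marking `unused_output` as safety-related with no diagnostic coverage moves its full share into the residual category and lowers the metric, which is the effect the tailoring options control.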
TI has created an FMEDA for this device that allows the user to tailor the metrics to their specific use case based on which features or design blocks are being used as part of the safety function. This tool additionally allows the user to modify the environmental factors, device power consumption, and other factors that affect the raw (base) FIT rates. Finally, this tool allows the user to customize the diagnostics that are applied that can detect faults within the device itself. All of the green cells in the spreadsheet can be modified by the user. All other cells have been populated by TI based on the specifics of the device or are calculated based on the user selections. This Excel workbook is locked to protect the user from incorrectly modifying the calculations. The sections below go into detail on how to use these tailoring options. Any tab not mentioned below is informational.
See Section 2.3.1 for the default values of these fields in this device's FMEDA.