SFFS631A May 2023 – May 2024 TPS389006-Q1

PRODUCTION DATA

Contents

  Trademarks
  1 Introduction
  2 Hardware Component Failure Modes Effects and Diagnostics Analysis (FMEDA)
    2.1 Random Fault Estimation
      2.1.1 Fault Rate Estimation Theory for Packaging
      2.1.2 Fault Estimation Theory for Silicon Permanent Faults
      2.1.3 Fault Estimation Theory for Silicon Transient Faults
      2.1.4 The Classification of Failure Categories and Calculation
    2.2 Using the FMEDA Spreadsheet Tool
      2.2.1 Mission Profile Tailoring Tab
        2.2.1.1 Confidence Level
        2.2.1.2 Geographical Location
        2.2.1.3 Life Cycle
        2.2.1.4 Use Case Thermal Management Control (Theta-Ja) and Use Case Power
        2.2.1.5 Safe vs Non-Safe (Safe Fail Fraction) for Each Component Type
        2.2.1.6 Analog FIT Distribution Method
        2.2.1.7 Operational Profile
      2.2.2 Pin Level Tailoring Tab
      2.2.3 Function and Diag Tailoring Tab
      2.2.4 Diagnostic Coverage Tab
      2.2.5 Customer Defined Diagnostics Tab
      2.2.6 Totals - ISO26262 Tab
      2.2.7 Details - ISO26262 Tab
      2.2.8 Totals - IEC61508 Tab
      2.2.9 Details - IEC61508 Tab
    2.3 Example Calculation of Metrics
      2.3.1 Assumptions of Use for Calculation of Safety Metrics
      2.3.2 Summary of ISO 26262 Safety Metrics at Device Level
  3 Revision History

2.3.1 Assumptions of Use for Calculation of Safety Metrics

A number of assumptions must be made in order to calculate the safety metrics according to ISO 26262:2018 or IEC 61508:2010. The assumptions of use for the reference calculation in this report are listed below:

  • Confidence level applied to permanent FIT rates: 99%
  • Confidence level applied to transient FIT rates: 99%
  • Neutron flux: set to 1 (equivalent to exposure at sea level, as measured in New York City)
  • Thermal management (Theta-Ja): 53.4 Deg.C/W
  • Average use case power: 10mW
  • Safe vs non-safe: by default, all permanent faults other than ROM faults are considered 0% safe; permanent faults of ROM are considered 50% safe; transient faults of digital SRAM, digital logic, and flash are considered 50% safe
  • Operational (mission) profile used: IEC 62380 Motor Control profile
  • The FMEDA considers the voltage supervisor and monitoring safety goals

  • Special considerations on pin level tailoring: in the out-of-context FMEDA, the TPS389006-Q1 6-channel voltage supervisor and monitor was used to set the pin tailoring

  • Special considerations on function and diag tailoring: in the out-of-context FMEDA, the TPS389006-Q1 6-channel voltage supervisor and monitor was used in the function and diag tailoring

  • Special considerations on the application of diagnostics: in the out-of-context FMEDA it is assumed that
    • The system transitions to a safe state, as determined by the assumed MCU, within the reaction time when the TPS38900x-Q1 signals a safety-related error through the NIRQ pin and/or a polled I2C response.

    • The system meets the data sheet requirements for voltage and current at the supply input of the TPS38900x-Q1. In the event of a supply voltage error, the system, including the TPS38900x-Q1, is transitioned to a safe state.

    • The MCU reads the error status of the TPS38900x-Q1 when the TPS38900x-Q1 sends an interrupt signal to the MCU.

    • If the TPS38900x-Q1 reports self-test errors, the MCU software takes the necessary action to prevent violation of the system safety goal. This may include cutting power to certain power domains.

    • The MCU software has a safety mechanism that performs a cyclic redundancy check (packet error checking, PEC) on the information the MCU receives from the TPS38900x-Q1 over the I2C interface. In case of a PEC error, the MCU software takes the necessary action to prevent violation of the system safety goal.

    • The MCU software provides the correct configuration for the expected power sequencing for both Active and Sleep transitions. Readback of the register configuration to confirm the write is required at system level. This is only required if a violation of the power-rail sequencing violates a safety goal; in some systems, sequencing of power rails is not mandatory.

    • The system integrator validates the configuration registers of the TPS38900x-Q1 and the TPS38900x-Q1 safety mechanism register settings against the system safety requirements, whether as provided by Texas Instruments or as modified by the system integrator at run time. The configuration of OV/UV thresholds, deglitch times, and the fault-masking duration during startup shall be verified.

    • The system integrator is responsible for determining the FTTI (fault tolerant time interval) and for determining whether the FTTI can be achieved using the TPS38900x-Q1.

    • The system integrator is responsible for verifying that I2C communication with each TPS38900x-Q1 is established, since each device has a unique address set by the resistor on its ADDR pin. When there are multiple instances of the TPS38900x-Q1 on a board, communication must be established with each unique device.
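As an added worked example (not TI code and not part of this report), the following C sketch shows how the MCU-side mechanisms assumed in the list above can be implemented together: a PEC check on every I2C read, readback after each configuration write, a comparison of the register contents against a safety-requirement table, and a presence check on each instance's ADDR-selected address. It assumes that the device's PEC is the SMBus-style CRC-8 (polynomial x^8+x^2+x+1, initial value 0, covering the address, command and data bytes of the transaction); the register number REG_HYP_UV_THRESH, the 7-bit addresses 0x30/0x31/0x32 and the expected value 0x5A are hypothetical, and the bus and the two supervisor instances are simulated in-process so that the code runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG_HYP_UV_THRESH 0x10   /* hypothetical register number, not from the data sheet */

enum sup_status { SUP_OK = 0, SUP_NO_ACK, SUP_PEC_ERROR, SUP_READBACK_MISMATCH, SUP_CONFIG_MISMATCH };

/* CRC-8 as used by SMBus Packet Error Checking: poly 0x07, init 0x00, no reflection */
uint8_t smbus_pec(const uint8_t *data, size_t len)
{
    uint8_t crc = 0x00;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* PEC of an SMBus read-byte covers: write address, command, read address, data byte */
uint8_t pec_read_byte(uint8_t addr7, uint8_t reg, uint8_t data)
{
    uint8_t covered[4] = { (uint8_t)(addr7 << 1), reg, (uint8_t)((addr7 << 1) | 1), data };
    return smbus_pec(covered, sizeof covered);
}

/* Constructed in-process stand-in for one supervisor instance on the bus */
struct sim_device {
    uint8_t addr7;        /* address selected by the ADDR-pin resistor */
    uint8_t regs[256];
    bool    corrupt_pec;  /* fault injection: the device returns a damaged PEC */
};

static struct sim_device *sim_find(struct sim_device *devs, size_t n, uint8_t addr7)
{
    for (size_t i = 0; i < n; i++)
        if (devs[i].addr7 == addr7) return &devs[i];
    return NULL;          /* nothing ACKs this address */
}

/* MCU side: a register value is accepted only if the received PEC matches our own CRC-8 */
enum sup_status sup_read_reg(struct sim_device *devs, size_t n, uint8_t addr7, uint8_t reg, uint8_t *out)
{
    struct sim_device *d = sim_find(devs, n, addr7);
    if (!d) return SUP_NO_ACK;
    uint8_t data = d->regs[reg];                   /* what the device puts on the bus */
    uint8_t pec  = pec_read_byte(addr7, reg, data) ^ (d->corrupt_pec ? 0x01 : 0x00);
    if (pec != pec_read_byte(addr7, reg, data)) return SUP_PEC_ERROR;
    *out = data;
    return SUP_OK;
}

/* MCU side: a configuration write is confirmed by a PEC-checked readback */
enum sup_status sup_write_verified(struct sim_device *devs, size_t n, uint8_t addr7, uint8_t reg, uint8_t val)
{
    struct sim_device *d = sim_find(devs, n, addr7);
    uint8_t rb;
    if (!d) return SUP_NO_ACK;
    d->regs[reg] = val;                            /* the I2C write */
    enum sup_status st = sup_read_reg(devs, n, addr7, reg, &rb);
    return st != SUP_OK ? st : (rb == val ? SUP_OK : SUP_READBACK_MISMATCH);
}

/* One row of the system safety requirement table: masked bits of reg must equal value */
struct reg_expect { uint8_t reg; uint8_t mask; uint8_t value; };

enum sup_status sup_validate_config(struct sim_device *devs, size_t n, uint8_t addr7,
                                    const struct reg_expect *req, size_t nreq)
{
    for (size_t i = 0; i < nreq; i++) {
        uint8_t v;
        enum sup_status st = sup_read_reg(devs, n, addr7, req[i].reg, &v);
        if (st != SUP_OK) return st;
        if ((v & req[i].mask) != (req[i].value & req[i].mask)) return SUP_CONFIG_MISMATCH;
    }
    return SUP_OK;
}

/* Runs the checks against two simulated instances; returns how many behaved as intended (6) */
int example_scenario(void)
{
    struct sim_device devs[2];
    static const struct reg_expect req[] = { { REG_HYP_UV_THRESH, 0xFF, 0x5A } };
    uint8_t v;
    int passed = 0;
    memset(devs, 0, sizeof devs);
    devs[0].addr7 = 0x30;   /* hypothetical ADDR-resistor addresses */
    devs[1].addr7 = 0x31;
    /* every expected instance answers on its own address; an absent one does not */
    if (sup_read_reg(devs, 2, 0x30, REG_HYP_UV_THRESH, &v) == SUP_OK) passed++;
    if (sup_read_reg(devs, 2, 0x32, REG_HYP_UV_THRESH, &v) == SUP_NO_ACK) passed++;
    /* write confirmed by readback, then checked against the requirement table */
    if (sup_write_verified(devs, 2, 0x31, REG_HYP_UV_THRESH, 0x5A) == SUP_OK) passed++;
    if (sup_validate_config(devs, 2, 0x31, req, 1) == SUP_OK) passed++;
    if (sup_validate_config(devs, 2, 0x30, req, 1) == SUP_CONFIG_MISMATCH) passed++;  /* never configured */
    /* a damaged packet is rejected instead of being acted on */
    devs[1].corrupt_pec = true;
    if (sup_read_reg(devs, 2, 0x31, REG_HYP_UV_THRESH, &v) == SUP_PEC_ERROR) passed++;
    return passed;
}

int main(void)
{
    printf("CRC-8 of \"123456789\" = 0x%02X, scenario checks passed: %d/6\n",
           smbus_pec((const uint8_t *)"123456789", 9), example_scenario());
    return 0;
}
```

In a real system the in-process `sim_*` pieces are replaced by the MCU's I2C driver; the point to keep is that `sup_read_reg` never hands a value to the application unless the PEC matches, that configuration writes are trusted only after readback, and that the same validation runs once per ADDR-selected address so a missing or misaddressed instance is caught before the supervisor is relied on for a safety goal.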