SWRU598A June 2022 – April 2024 AWR1243, AWR1642, AWR1843, AWR2243, AWR2944, AWR6443, AWR6843, AWRL1432, AWRL6432, IWR6843

 

  Abstract
  Trademarks
  1 Introduction
  2 Functional Safety Design Life Cycle
    2.1 Step-1: End Equipment Requirements
    2.2 Step-2: Typical System Block Diagram
    2.3 Step-3: Platform Selection
    2.4 Step-4: Design and Analysis
    2.5 Step-5: Certification
  3 References
  4 Acronyms
  5 Revision History

Step-4: Design and Analysis

Once platforms have been selected for all blocks of the system in the Platform Selection step, the design of the mmWave radar sensor system is analyzed for FuSa compliance. This step is comprehensive and is usually the most time-consuming part of the proposed FuSa design life cycle, because the system design is analyzed in detail here and refined by addressing faults until it meets the benchmarks of the targeted FuSa certification level. The reliability of the sensor system design from a FuSa standpoint is checked in this step by following the Design and Analysis flow. The flow starts with a Failure Modes, Effects and Diagnostic Analysis (FMEDA) of the system design; the resulting metrics are compared with the benchmarks of the applicable FuSa certification level to finalize the topology of the sensor system design. Functional safety issues that could arise in the system are addressed in this step by updating or configuring the safety hooks and mechanisms of the system.

Figure 2-7 Design and Analysis

  1. Perform FMEDA: A FMEDA is a common functional safety analysis technique used to determine the effectiveness of a functional safety architecture. It provides insight into how the safety goals are met by the safety-related parts of the system, in the form of quantitative safety metrics that measure the random hardware failure metrics of a design according to the applicable FuSa standard, ISO 26262 or IEC 61508. TI has created a FMEDA for the mmWave radar device that allows the user to tailor the metrics to their specific use case based on which features or design blocks are used as part of the safety function. The tool additionally allows the user to modify the environmental factors, device power consumption and other factors that affect the raw (base) FIT rates. With the TI FMEDA tool, the sensor system is configured through mission profile tailoring, pin level tailoring, and function and diagnostic tailoring.
    • Mission profile tailoring: This sheet lets the user control the parameters that feed the calculations: package type, life cycle of the device (in hours, up to a maximum of 20 years), safe versus non-safe control for each component type, ambient temperature, etc.
    • Pin level tailoring: This sheet takes the raw (base) package FIT rate and distributes it equally among the pins (or balls) of the device. The user should use the FMEDA together with the safety manual to determine which device pins are used for a safety-related function in their application. Unused device pins have to be removed from the FIT calculation.
    • Function and diagnostic tailoring: This sheet captures the raw FIT rates for permanent, transient and latent faults and distributes them among the design blocks (sometimes referred to as hardware elements or IP blocks) of the device. Each row represents the lowest level of this analysis, and each row receives a percentage of the FIT based on its transistor count or memory size. The user should refer to the Safety Manual in combination with the FMEDA to determine which design blocks are used for a safety-related function in their application. Unused design blocks have to be removed from the FIT calculation.
  2. Analyze Metrics: The FMEDA is mainly used to obtain the Diagnostic Coverage (DC) and the Failures In Time (FIT) of the system. For industrial applications, as per IEC 61508, the FMEDA reports the safety metrics Safe Failure Fraction (SFF) and Probability of dangerous Failure per Hour (PFH). For automotive applications, as per ISO 26262, the FMEDA reports the Probabilistic Metric for random Hardware Failures (PMHF), the Single Point Fault Metric (SPFM) and the Latent Fault Metric (LFM). A Pin Failure Modes and Effects Analysis is performed on the system/device pins to check for pin failures (for example opens, shorts to supply or ground, or shorts to an adjacent pin) that could result in a malfunction of the system/device.
  3. Certification Level Benchmark: The metrics of the sensor system from the FMEDA tool are compared with the safety integrity level benchmarks of the FuSa standards ISO 26262 and IEC 61508 to check the safety capability of the design. If the metrics meet the targeted safety level benchmarks, the system design can become the final system topology. Otherwise, the customer moves to steps 4 and 5 to improve system safety. The certification level benchmarks according to ISO 26262 and IEC 61508 are listed in Table 2-3 and Table 2-4 respectively.

    Table 2-3 Certification Level Benchmarks According to ISO 26262-5

    ASIL Level   SPFM    LFM     PMHF (in FIT; Failures In Time)
    ASIL-B       ≥90%    ≥60%    ≤100 FIT
    ASIL-C       ≥97%    ≥80%    ≤100 FIT
    ASIL-D       ≥99%    ≥90%    ≤10 FIT

    Table 2-4 Certification Level Benchmarks According to IEC 61508

    SIL Level   SFF     PFH (in FIT; Failures In Time)
    SIL-2       ≥90%    ≥100 FIT to <1000 FIT
    SIL-3       ≥99%    ≥10 FIT to <100 FIT

    The SFF thresholds listed are those for a type B element with a hardware fault tolerance of 0 (IEC 61508-2, Table 3), which is the case for a complex IC used without redundancy; the PFH bands are those for high demand or continuous mode of operation (IEC 61508-1, Table 3).

  4. Safety Mechanism (SM) Enable/Disable or Additional Software-Based Safety Hooks: If the certification level benchmarks are not met, the customer can configure the available safety mechanisms (enabling or disabling them) to bring down the undetected (residual) failures of the system. The customer must repeat steps 1, 2 and 3 of this flow after any configuration change. To further improve the diagnostic coverage of faults and reduce the residual faults of the system, the customer may add software safety mechanisms; steps 1, 2 and 3 then have to be repeated again.
  5. Modify Hardware Schematic Design: To improve the system's safety, the customer can also modify the system hardware design, starting with minor changes, in parallel with the software safety hooks step. To improve safety further and reduce faults, the customer might have to replace a hardware part by going back to the Platform Selection step, or sometimes even change the system block diagram. After these changes, the system design metrics are expected to meet the FuSa certification level benchmarks.
  6. Final System Topology: Once the FMEDA metrics meet the targeted FuSa certification level benchmarks (SIL-1/2/3/4 or ASIL-A/B/C/D), the system block diagram can be called the final sensor system topology. This final sensor system topology is now ready for the FuSa Certification step.

Note:
  • Faults are either random or systematic. Both IEC 61508 and ISO 26262 exclude systematic faults when calculating the random hardware failure metrics. Faults resulting from human error in hardware development, software development and the tools used to design the system are systematic faults, and can be avoided by following best design practices.
  • The FMEDA tool for the respective TI mmWave radar sensor can be shared with customers under NDA with TI.
  • Failure rate estimates are usually expressed in Failures In Time (FIT; one FIT is one failure per 10^9 hours of operation).
  • The Base Failure Rates (BFR) of the system are based on the IEC 62380 standard, which quantifies the intrinsic reliability of semiconductor components operating under normal environmental conditions.
  • While developing any system, the design and refinement of the system block diagram should be done in parallel to avoid architectural changes later. Refinement can be in the hardware design, the software design, or both.

In the corner radar example, after all blocks of the sensor system have been selected in the Platform Selection step, the system design has to be analyzed for reliable use in safety applications. The corner radar system is checked for diagnostic coverage and FIT rate by performing the FMEDA on the system design. Suppose the customer infers, from engineering judgment and the FMEDA metrics, that faults on the power supply rails are the main reason the system does not meet the certification level benchmarks. To improve safety, the customer can add a software safety hook, such as resetting the entire system if the power supply to a certain block is found below its minimum operating range, or add a hardware power-management component such as a voltage monitor (VMON) that asserts the reset signal when it detects such a fault. As mentioned above, the updated design has to go through steps 1, 2 and 3 of the Design and Analysis flow again. If the FMEDA results of the updated design meet the certification level benchmarks, the design can be referred to as the final system topology for that application.
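To make the tailoring and metric steps of the flow concrete, and the before/after of the corner radar example above, here is an added Python example. It is not TI's FMEDA tool (which is shared only under NDA) and not a literal transcription of either standard: the apportioning by transistor count and by pin follows the tailoring sheets described above, SPFM, LFM and SFF use the standard definitions, and PMHF uses a simplified single-point-plus-dual-point estimate that is an assumption of this example. All block names, transistor counts, pin lists, FIT values, safe fractions and diagnostic coverages are constructed; the ASIL and SIL thresholds are those of Table 2-3 and Table 2-4.

```python
"""FMEDA-style tailoring, ISO 26262 / IEC 61508 metrics and benchmark check.

Added example; this is not TI's FMEDA tool and not the standards' full
procedures. Block names, transistor counts, pin counts, FIT rates, safe
fractions and diagnostic coverages are constructed for illustration.
The ASIL/SIL thresholds are those of Tables 2-3 and 2-4.
"""
from dataclasses import dataclass, replace

FIT = 1e-9                    # 1 FIT = 1 failure per 1e9 hours of operation
T_LIFETIME_H = 20 * 365 * 24  # 20-year mission profile (maximum in the mission profile sheet)


@dataclass(frozen=True)
class Element:
    name: str
    fit: float            # raw FIT apportioned to this hardware element
    safe_fraction: float  # share of its faults that cannot violate the safety goal
    dc: float             # diagnostic coverage of the enabled safety mechanism (0 = none)
    dc_latent: float      # coverage of latent faults (how well the SM path itself is tested)


def apportion_die_fit(base_die_fit, transistors, used):
    """Function and diagnostic tailoring: spread the base die FIT over the
    design blocks by transistor count, then drop blocks the safety function
    does not use. The share of the unused blocks leaves the calculation."""
    total = sum(transistors.values())
    return {b: base_die_fit * n / total for b, n in transistors.items() if b in used}


def apportion_pin_fit(base_pkg_fit, n_pins, used_pins):
    """Pin level tailoring: the package FIT is spread equally over all pins;
    only pins carrying a safety-related function are kept."""
    return base_pkg_fit / n_pins * len(used_pins)


def classify(e):
    """Split one element's FIT into single-point/residual, latent and
    detected multi-point fault rates (safe faults are the remainder)."""
    dangerous = e.fit * (1 - e.safe_fraction)
    spf_rf = dangerous * (1 - e.dc)            # no SM (single-point) or the SM misses it (residual)
    detected = dangerous * e.dc
    mpf_latent = detected * (1 - e.dc_latent)  # only harmful together with a second fault
    mpf_detected = detected * e.dc_latent
    return spf_rf, mpf_latent, mpf_detected


def metrics(elements):
    """ISO 26262 SPFM/LFM/PMHF and IEC 61508 SFF/PFH for the tailored element list."""
    total = sum(e.fit for e in elements)
    spf_rf = mpf_l = mpf_d = 0.0
    for e in elements:
        a, b, c = classify(e)
        spf_rf, mpf_l, mpf_d = spf_rf + a, mpf_l + b, mpf_d + c
    spfm = 1 - spf_rf / total
    lfm = 1 - mpf_l / (total - spf_rf)
    # PMHF: simplified estimate (assumption, not the standard's full derivation):
    # single-point/residual rate plus the dual-point term latent x detected x lifetime.
    dual_point = (mpf_l * FIT) * (mpf_d * FIT) * T_LIFETIME_H / FIT
    pmhf_fit = spf_rf + dual_point
    # IEC 61508 under the same split: SFF = (safe + dangerous detected) / total,
    # and PFH approximated by the dangerous undetected rate of a single (1oo1) channel.
    sff = 1 - spf_rf / total
    return {"spfm": spfm, "lfm": lfm, "pmhf_fit": pmhf_fit, "sff": sff, "pfh_fit": spf_rf}


# (level, min SPFM, min LFM, max PMHF in FIT) from Table 2-3, strictest first
ASIL_TABLE = [("ASIL-D", 0.99, 0.90, 10.0), ("ASIL-C", 0.97, 0.80, 100.0), ("ASIL-B", 0.90, 0.60, 100.0)]
# (level, min SFF, PFH upper bound in FIT) from Table 2-4, strictest first
SIL_TABLE = [("SIL-3", 0.99, 100.0), ("SIL-2", 0.90, 1000.0)]


def asil_achieved(m):
    for level, spfm, lfm, pmhf in ASIL_TABLE:
        if m["spfm"] >= spfm and m["lfm"] >= lfm and m["pmhf_fit"] <= pmhf:
            return level
    return None


def sil_achieved(m):
    for level, sff, pfh_max in SIL_TABLE:
        if m["sff"] >= sff and m["pfh_fit"] < pfh_max:
            return level
    return None


def corner_radar_example():
    """Steps 1-3 on the constructed corner radar, then step 4/5 (credit a rail
    monitor with coverage) and steps 1-3 again."""
    die = apportion_die_fit(100.0, {"rf_frontend": 2000, "dsp": 3000, "sram": 4000, "debug": 1000},
                            used={"rf_frontend", "dsp", "sram"})  # debug block is not safety-related
    pins = apportion_pin_fit(8.0, n_pins=8, used_pins={"VIN", "VOUT", "NRST", "CLK"})
    baseline = [
        Element("rf_frontend", die["rf_frontend"], 0.5, 0.90, 0.5),
        Element("dsp", die["dsp"], 0.5, 0.99, 0.9),
        Element("sram", die["sram"], 0.2, 0.99, 0.9),
        Element("power_rail_pins", pins, 0.5, 0.0, 0.0),  # no supply monitoring yet
    ]
    # Safety hook from the corner radar example: a VMON (or a software rail
    # check that resets the system) now covers the supply; coverages are assumed.
    improved = [replace(e, dc=0.95, dc_latent=0.9) if e.name == "power_rail_pins" else e
                for e in baseline]
    return metrics(baseline), metrics(improved)


if __name__ == "__main__":
    for label, m in zip(("baseline", "with VMON"), corner_radar_example()):
        print(f"{label}: SPFM={m['spfm']:.3%} LFM={m['lfm']:.3%} PMHF={m['pmhf_fit']:.2f} FIT "
              f"-> {asil_achieved(m)}; SFF={m['sff']:.3%} PFH={m['pfh_fit']:.2f} FIT -> {sil_achieved(m)}")
```

Running it shows the baseline landing at ASIL-B: the unmonitored supply pins contribute single-point faults that pull SPFM below 97%. Crediting the VMON with coverage lifts SPFM above 97% and the design reaches ASIL-C, while LFM stays just below 90%, so ASIL-D would need more latent-fault coverage. That is exactly the kind of finding that sends a design back through steps 4 and 5 and then through steps 1 to 3 again.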

The key deliverable of Step-4: Design and Analysis is the final sensor system topology, ready for FuSa certification. This could be the most critical and probably the most time-consuming step of the FuSa design life cycle. The system design is refined through analysis, by software changes, hardware changes or both, until it meets the benchmarks of the applicable FuSa standard. This step validates the final sensor system design against the FuSa compliance level benchmarks.