

How to Use Functional Safety Manual and Dynamic FMEDA to Design Your Safe System EUF-ACC-T1555

Mathieu Blazy-Winning | Automotive MCU

JULY.2015





External Use




- Functional Safety at Freescale
- Freescale Development Process for ISO 26262
- MCU Safety Context and Safety Concepts
- Standard Deliverables to Enable the Customer
  - Safety Manual
  - Dynamic FMEDA



## **Automotive MCU Product Leadership**



| Megatrend            | Safer Travel                                        | Safer Travel                                            | Electrification<br>Going Green                  | Connectivity                                       |                                                       | fication<br>g Markets                              |
|----------------------|-----------------------------------------------------|---------------------------------------------------------|-------------------------------------------------|----------------------------------------------------|-------------------------------------------------------|----------------------------------------------------|
| Application          | Radar (#1**)                                        | Vision (#2**)                                           | Powertrain (#2*)                                | Gateways (#1*)                                     | General Body<br>and Chassis<br>(#2*)                  | Actuators and<br>Sensors                           |
| Key Technology       | High perf. ADC<br>and DSP                           | Image<br>processing                                     | CPU/timer<br>performance and<br>instrumentation | Communication<br>interfaces<br>Security            | ARM Cortex<br>Software and<br>Tools                   | MagniV with HV<br>analog (#1**)                    |
| Value<br>Proposition | Highest<br>performance<br>and system<br>integration | Leading image<br>processing<br>AND functional<br>safety | Leading<br>performance<br>architecture          | Highest<br>networking<br>bandwidth AND<br>security | Reduce our<br>customers' R&D<br>and time-to-<br>market | Reduce system<br>size and<br>manufacturing<br>cost |

\*On Revenue, \*\*On Design Wins



# SafeAssure - Simplification

- SafeAssure products are conceived to simplify system level functional safety design and cut down time to compliance
- Component safety measures augment system level safety measures
- Key functional safety activities addressed
  - Safety analysis (FMEA, FTA, FMEDA)
  - Hardware integration (Safety Manual)
  - Software integration (Safety Manual)
  - Support interface (Roles & Responsibilities)





## The World of Functional Safety Standards





# **History of Auto MCU Functional Safety Solutions**

- **Gen 1 Safety** – More than 10 years' experience of safety development in the area of MCU & SBC
- **Gen 2 Safety** – First general market MCU, MPC5643L ⇒ Certified ISO 26262!
- **Gen 3 Safety** – From 2012, multiple MCUs in Body, Chassis and Powertrain are being designed and developed according to ISO 26262



# Freescale Development Process for ISO 26262







#### **Freescale Development Process for ISO 26262**

- Freescale is **committed** to addressing the requirements of **ISO 26262**
- Freescale MPC564xL is the first MCU to achieve a formal certificate for ISO 26262 ASIL D, as certified by exida in 2012.
- Selected products are developed as a Safety Element out of Context (SEooC) where Functional Safety Management and Quality Management are integrated in the development process
- ISO 26262 Deployment completed across Freescale during 2011 to 2014
  - Functional Safety Management
  - Development Processes
  - Product Architecture

#### Standard Process

- All safety activities and deliverables required by ISO 26262 are integrated in the Freescale Quality Maturity System (QMS), used to plan and track ISO 26262 compliance per product development.



## **Example Interaction Between Car OEM, Tier 1 & Tier 2** (Freescale)



#### **Functional Safety Process – Definition to Test**



## **Freescale Processes Aligned with ISO 26262**

Freescale's standard ISO 26262 process complies with all applicable ISO 26262 ASIL D requirements for MCU SEooC development

| ISO 26262                 | Freescale Process                                                       | Applicable to ASIL A, B, C and D |
|---------------------------|-------------------------------------------------------------------------|----------------------------------|
| Part 2<br>Management      | Safety Plan, Safety Case, Confirmation Measures                         | Yes                              |
| Part 3<br>Concept         | OEM / Tier 1 responsibility                                             | N/A                              |
| Part 4<br>System          | System assumptions & MCU Safety<br>Requirements – HW/SW                 | Yes, only partially applicable   |
| Part 5<br>Hardware        | MCU HW – Safety requirements traced to implementation and testing       | Yes                              |
| Part 6<br>Software        | MCU SW – Safety requirements traced to implementation and testing       | Yes                              |
| Part 7<br>Production      | Standard processes, aligned with ISO 26262                              | Yes                              |
| Part 8<br>Processes       | Standard processes, aligned with ISO 26262                              | Yes                              |
| Part 9<br>Analysis        | FMEDA & DFA                                                             | Yes                              |
| Part 10<br>Guideline      | MCU SEooC Development & application<br>of ISO 26262 to Microcontrollers | Yes, MCU SEooC development       |

- One process for all products, regardless of safety architecture ASIL target
- Only difference is for Confirmation Measures which are tailored to ASIL target



### **Freescale ISO 26262 Confirmation Measures**

Freescale performs ISO 26262 Confirmation Reviews (CR), Audit and Assessment as required by ISO 26262 for MCU SEooC development

| Confirmation<br>Measures | ASIL A | ASIL B | ASIL C | ASIL D |
|--------------------------|--------|--------|--------|--------|
| CR Safety Analysis       | Yes    | Yes    | Yes    | Yes    |
| CR Safety Plan           |        | Yes    | Yes    | Yes    |
| CR Safety Case           |        | Yes    | Yes    | Yes    |
| CR Software Tools        |        |        | Yes    | Yes    |
| Audit                    |        |        | Yes    | Yes    |
| Assessment               |        |        | Yes    | Yes    |

- Confirmation Measures (CM) performed depending on ASIL
  - All checks executed with independence level I3 by Freescale Quality organization
  - Freescale Assessors certified by SGS-TÜV Saar as Automotive Functional Safety Professional (AFSP)
  - Freescale CM process certified by SGS-TÜV Saar as ISO 26262 ASIL D
  - Included as part of Freescale Analog & Sensor HW certificate


Note: The following confirmation reviews are not applicable: hazard analysis and risk assessment, item integration and testing, validation plan & proven in use argument



# MCU Safety Context and Safety Concepts







# Hazard Analysis and Risk Assessment (HARA)

- Identify and categorize the hazards that can be triggered by malfunctions in the system
- The Risk Assessment is carried out using three criteria
  - Severity – how much harm is done?

| Class       | S0          | S1                             | S2                                                       | S3                                                                   |
|-------------|-------------|--------------------------------|----------------------------------------------------------|----------------------------------------------------------------------|
| Description | No injuries | Light and moderate<br>injuries | Severe and life-threatening injuries (survival probable) | Life-threatening injuries<br>(survival uncertain), fatal<br>injuries |

- Exposure – how often is it likely to happen?

| Class       | E0         | E1                   | E2              | E3                 | E4               |
|-------------|------------|----------------------|-----------------|--------------------|------------------|
| Description | Incredible | Very low probability | Low probability | Medium probability | High probability |

- Controllability - can the hazard be controlled?

| Class       | C0                      | C1                  | C2                    | C3                                     |
|-------------|-------------------------|---------------------|-----------------------|----------------------------------------|
| Description | Controllable in general | Simply controllable | Normally controllable | Difficult to control or uncontrollable |



Reference ISO 26262-3:2011



# **Determination of ASIL and Safety Goals**

- For each Hazardous event, determine the ASIL based on Severity, Exposure & Controllability
- Then formulate safety goals to prevent or mitigate each event, to avoid unreasonable risk

| Severity class | Probability class (Exposure) | C1 | C2 | C3 |
|----------------|------------------------------|----|----|----|
| S1             | E1                           | QM | QM | QM |
| S1             | E2                           | QM | QM | QM |
| S1             | E3                           | QM | QM | A  |
| S1             | E4                           | QM | A  | B  |
| S2             | E1                           | QM | QM | QM |
| S2             | E2                           | QM | QM | A  |
| S2             | E3                           | QM | A  | B  |
| S2             | E4                           | A  | B  | C  |
| S3             | E1                           | QM | QM | A  |
| S3             | E2                           | QM | A  | B  |
| S3             | E3                           | A  | B  | C  |
| S3             | E4                           | B  | C  | D  |

Table 4 — ASIL determination

Reference ISO 26262-3:2011



# **Target Metrics for ASIL**

- Associate the following target metrics to each safety goal
  - Single-point fault metric (SPFM)

Table 4 — Possible source for the derivation of the target "single-point fault metric" value

|                           | ASIL B | ASIL C | ASIL D |
|---------------------------|--------|--------|--------|
| Single-point fault metric | ≥90 %  | ≥97 %  | ≥99 %  |

- Latent-fault metric (LFM)

Table 5 — Possible source for the derivation of the target "latent-fault metric" value

|                     | ASIL B | ASIL C | ASIL D |
|---------------------|--------|--------|--------|
| Latent-fault metric | ≥60 %  | ≥80 %  | ≥90 %  |

- Probabilistic Metric for random Hardware Failures (PMHF)

Table 6 — Possible source for the derivation of the random hardware failure target values

| ASIL | Random hardware failure target values |
|------|---------------------------------------|
| D    | <10<sup>-8</sup> h<sup>-1</sup>       |
| C    | <10<sup>-7</sup> h<sup>-1</sup>       |
| B    | <10<sup>-7</sup> h<sup>-1</sup>       |



Reference ISO 26262-5:2011



## Where the Failures Come From

- Typically, dangerous failures in a safety system come from a combination of the following
  - Development bugs – software or hardware
  - Insufficient system safety architecture
  - Transient failures in semiconductors, primarily SRAM (very high rate of occurrence)
  - Permanent failures in hardware
- For an MCU the breakdown of failures is typically:

| Failure Type                       | per hour | FIT  | %      |
|------------------------------------|----------|------|--------|
| MCU SRAM Transient Failure rate    | 7.00E-07 | 700  | 70.00% |
| MCU FF Transient Failure rate      | 2.00E-07 | 200  | 20.00% |
| MCU Package Permanent Failure rate | 8.00E-08 | 80   | 8.00%  |
| MCU Die Permanent Failure rate     | 2.00E-08 | 20   | 2.00%  |
| MCU Total Failure rate             | 1.00E-06 | 1000 | 100%   |

Failure rate scale marked on the slide (per hour): MCU Raw 1.00E-06; MCU ASIL B 1.00E-08; MCU ASIL D 1.00E-09

Note: Assumption - MCU is allocated only 10% of System ASIL target



# **MCU Safety Context**

- Applications have different safety requirements driven by different safety contexts, but the need for safe SW execution is common across all
- The objective is to make SW execution safe to achieve ASIL B

|                                                |                                                       | ASIL B                   | ASIL D                   |
|------------------------------------------------|-------------------------------------------------------|--------------------------|--------------------------|
| Detect incorrect<br>operation during<br>runtime | Fault Detection Time Interval                         | 10 ms                    | 10 ms                    |
|                                                | Diagnostic Coverage<br>(transient & permanent faults) | 90%                      | 99%                      |
|                                                | Residual Failure rate                                 | 1 x 10<sup>-8</sup> / h  | 1 x 10<sup>-9</sup> / h  |
| Start-up /<br>Shut-down<br>periodic test       | Diagnostic Coverage<br>(permanent faults)             | 60%                      | 90%                      |
| MCU HW to support SW Independence              |                                                       | MPU                      | MPU                      |

Failure rate scale marked on the slide (per hour): MCU Raw 1.00E-06; MCU ASIL B 1.00E-08; MCU ASIL D 1.00E-09

Note: Assumption - MCU is allocated only 10% of System ASIL target



# **Defining the MCU Safety Concept**

- Objective
  - Define how MCU ASIL targets will be achieved between a mix of on-chip HW safety measures and system level safety measures (HW/SW)
- ISO 26262-5 Annex D Elements related to MCU
  - Low application dependency: Power, Clock, Flash, SRAM & Processing Unit
  - High application dependency: Digital IO & Analog IO



Figure D.1 — Generic hardware of a system Reference ISO 26262-5:2011



## **Module Classification - Safety**

Each module on the MCU is classified as Safety Related or Not Safety Related

| Elements in ISO<br>26262-5, Table<br>D.1 | MPC5744P<br>FMEDA | MPC5744P Module                                         | Part of<br>Software<br>Execution<br>Function | Safety<br>Mechanism | Comments                                                             |
|------------------------------------------|-------------------|---------------------------------------------------------|----------------------------------------------|---------------------|----------------------------------------------------------------------|
| Power Supply                             | Power             | Power Management Controller (PMC)                       | YES                                          |                     |                                                                      |
|                                          |                   | Power Control Unit (MC_PCU)                             | YES                                          |                     |                                                                      |
| Clock                                    | Clock             | Phase Lock Loop (2 x PLL)                               | YES                                          |                     |                                                                      |
|                                          |                   | Clock Monitor Unit (5 x CMU)                            |                                              | YES                 |                                                                      |
|                                          |                   | Clock Generation Module (MC_CGM)                        | YES                                          |                     |                                                                      |
|                                          |                   | External Oscillator (XOSC)                              | YES                                          |                     |                                                                      |
|                                          |                   | Internal RC Oscillator (IRCOSC)                         | YES                                          |                     |                                                                      |
| Non-Volatile<br>Memory                   | Flash             | Embedded Flash Memory (c55fmc)                          | YES                                          |                     |                                                                      |
|                                          |                   | Flash Memory Controller (PFLASH)                        | YES                                          |                     |                                                                      |
|                                          |                   | End-to-end Error Correction Code (e2eECC)               |                                              | YES                 |                                                                      |
| Volatile Memory                          | SRAM              | System SRAM                                             | YES                                          |                     |                                                                      |
|                                          |                   | RAM Controller (PRAMC)                                  | YES                                          |                     |                                                                      |
|                                          |                   | End-to-end Error Correction Code (e2eECC)               |                                              | YES                 |                                                                      |
| Processing Unit                          | Core              | Main Core_0 (e200z4251n3)                               | YES                                          |                     |                                                                      |
|                                          |                   | Checker Core_0s (e200z424) (Delayed Lockstep)           |                                              | YES                 |                                                                      |
|                                          |                   | Crossbar Switch (XBAR)                                  | YES                                          |                     |                                                                      |
|                                          |                   | JTAG Controller (JTAGC)                                 |                                              |                     | Not Safety Related module - Debug logic                              |
|                                          |                   | Nexus debug modules (NXMC, NPC, NAL & NAP)              |                                              |                     | Not Safety Related module - Debug logic                              |
|                                          |                   | Cyclic Redundancy Check (CRC)                           |                                              | YES                 |                                                                      |
|                                          |                   | Fault Collection and Control Unit (FCCU)                |                                              | YES                 |                                                                      |
|                                          |                   | Memory Error Management Unit (MEMU)                     |                                              | YES                 |                                                                      |
|                                          |                   | Self-Test Control Unit (STCU2) (includes MBIST & LBIST) |                                              | YES                 |                                                                      |
|                                          |                   | Register Protection (REG_PROT)                          |                                              | YES                 |                                                                      |
| Communication<br>(External)              | Peripheral        | CAN (3 x FlexCAN)                                       |                                              |                     | Peripheral module - High application dependency (failure rates only) |
|                                          |                   | Serial Interprocessor Interface (SIPI)                  |                                              |                     | Peripheral module - High application dependency (failure rates only) |
|                                          |                   | 10/100-Mbps Ethernet MAC (ENET)                         |                                              |                     | Peripheral module - High application dependency (failure rates only) |
| Analogue I/O and<br>Digital I/O          |                   | Peripheral Bridge (2 x PBRIDGE)                         |                                              |                     | Peripheral module - High application dependency (failure rates only) |
|                                          |                   | System Integration Unit Lite2 (SIUL2)                   |                                              |                     | Peripheral module - High application dependency (failure rates only) |
|                                          |                   | Analog to Digital Converter (4 x ADC)                   |                                              |                     | Peripheral module - High application dependency (failure rates only) |
|                                          |                   | Wakeup Unit (WKPU)                                      |                                              |                     | Peripheral module - High application dependency (failure rates only) |



#### **Realizing the MCU Safety Concept - MPC5744P**





# Standard Deliverables to Enable the Customer








#### What You Get

To support customers in building their safety systems, the following deliverables are provided as **standard** for **all** ISO 26262 developed products.

#### Public Information available via Freescale Website

- Freescale Quality Certificates
- Safety Manual
- Reference Manual
- Data Sheet

#### Confidential Information available under NDA

- Safety Plan
- ISO 26262 Safety Case
- ISO 26262-10 Table A.8 Checklist
- Permanent Failure Rate data (Die & Package) – IEC/TR 62380 or SN29500
- Transient Failure Rate data (Die) – JEDEC Standard JESD89
- FMEDA & Report
- DFA & Report
- PPAP
- Confirmation Measures Report (summary of all applicable confirmation measures)







# **Safety Manual**



## **Safety Manual**

#### Objective

- Enables customers to build their safety system using the MCU safety mechanisms and defines system level HW & SW assumptions
- Simplify integration of Freescale's safety products into applications
- A comprehensible description of all information relating to functional safety (FS) in a single document, to ensure integrity of information

#### Content

- MCU Safety Context
- MCU Safety Concept
- System level hardware assumptions
- System level software assumptions
- FMEDA summary
- Dependent Failures Analysis summary

#### Safety Manual for MCU Solution





# Safety Manual: Structure

#### MCU Safety Context

- Safe states, Fault tolerant time interval

#### MCU Safety Concept

- Describes the safety concept of the device (what is implemented and how does it work)

#### System level hardware assumptions

- Describes the functions required by external hardware to complement the MCU safety concept (Error out monitor)

#### System level software assumptions

- Description of necessary or recommended SW mechanisms for each module (initial checks, configuration & runtime checks)

#### Failure Rates and FMEDA

- Short introduction to FMEDA

#### Dependent Failure Analysis

- β<sub>IC</sub> – IEC 61508 Ed. 2.0 part 2, Annex E: Analysis of dependent failures
- Countermeasures against common cause failures on chip level






# **Safety Support – System Level Application Notes**

#### **Design Guidelines for**

- Integration of Microcontroller and Analog & Power Management device
- Explains main individual product Safety features
- Uses a typical Electrical Power steering application to explain product alignment
- Covers the ASIL D safety requirements that are satisfied by using both products:
  - MPC5643L requires external measures to support a system level ASIL D safety level
  - MC33907/08 provides those external measures:
    - External power supply and monitor
    - External watchdog timer
    - Error output monitor

#### Integrating the MPC5643L and MC33907/08 for ISO26262 ASIL-D Applications

This application note provides design guidelines for integrating the Freescale MPC5643L microcontroller unit (MCU) and the Freescale MC33907/08 System Basis Chip in automotive electric/electronic systems that target the ISO 26262 functional safety standard. It provides an overview of the MPC5643L and the MC33907/08 feature set and covers the functional safety requirements that are satisfied in order to achieve the ASIL D level of safety.

Integrating the MPC5643L and MC33907/MC33908 in a system provides many advantages for the customer. Freescale's ISO 26262 solutions, which form part of the Freescale SafeAssure program, help system manufacturers more easily achieve system compliance with functional safety standards by simplifying the system architecture.

#### 1. MPC5643L Overview

This section describes the MPC5643L features that are of interest when integrating the device with the MC33907/08.

#### A. Safety Concept

The MPC5643L is built around a dual e200z4d core Sphere of Replication (SoR) safety platform with a safety concept targeting the ISO 26262 ASIL D integrity level. In order to minimize the additional software and module level features needed to reach this target, on-chip redundancy is offered for the critical components of the MCU (CPU core, DMA controller, interrupt controller, crossbar bus system, memory protection unit, flash memory and RAM controllers, peripheral bus bridge, system timers, and watchdog timer). A Redundancy Control and Checker Unit (RCCU) is implemented at each output of this SoR. ECC is available for on-chip RAM and flash memories. The programmable Fault Collection and Control Unit (FCCU) monitors the integrity status of the device and provides flexible safe state control.

#### B. Power Supply Requirements

The on-chip voltage regulator module provides the following features: a single high supply, nominally 3.3 V, is required. An external ballast transistor is used to reduce dissipation capacity at high temperature, but an embedded transistor can be used if power dissipation is maintained within the package dissipation capacity (lower frequency of operation). All I/Os are at the same voltage.





# Dynamic FMEDA




# Safety Support – Dynamic FMEDA

#### Objective

- Tailor FMEDA to match application configuration
- Enables customers, by supporting their system level architectural choices

#### Content

- FMEDA methods aligned with functional safety standards
  - SPFM, LFM & PMHF – ISO 26262
  - SFF & PFH – IEC 61508 Ed. 2.0
  - β<sub>IC</sub> – IEC 61508 Ed. 2.0 part 2, Annex E
- Dynamic FMEDA covers elements with low application dependency: Clock, Power Supply, Flash, SRAM, Processing Unit...

#### Work flow and result

- The customer specifies the failure model (dependent on Safety Integrity Level) required by their application, and then confirms which Safety Measures will be used and which will not
- A tailored FMEDA is then supplied to the customer for their specific application
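The tailoring step above, together with the target metrics (SPFM, LFM and the PMHF budget) and the 10 % MCU allocation from the earlier slides, as an added worked example; this is not Freescale's FMEDA tool or FMEDA data. The FIT split of the four failure classes (700/200/80/20, 1000 FIT total) follows the failure breakdown slide and the ASIL lookup covers the whole of Table 4, but the assignment of mechanisms (e2eECC, Lockstep, LBIST) to failure classes and every diagnostic-coverage value are constructed assumptions, and the latent-fault bookkeeping is a simplification of the ISO 26262-5 split (λ<sub>MPF,latent</sub> = λ · DC<sub>RF</sub> · (1 − DC<sub>latent</sub>)).

```python
"""Simplified FMEDA metric check for one MCU configuration.

Added example, not Freescale's FMEDA tool or data. The FIT split
(700/200/80/20, 1000 FIT total) follows the failure breakdown slide; the
mechanism assignments and all diagnostic-coverage (DC) values are assumed.
"""
from dataclasses import dataclass

# ISO 26262-3 Table 4 as reproduced on the slide: (S, E) -> ASIL for C1, C2, C3.
ASIL_TABLE = {
    ("S1", "E1"): ("QM", "QM", "QM"), ("S1", "E2"): ("QM", "QM", "QM"),
    ("S1", "E3"): ("QM", "QM", "A"),  ("S1", "E4"): ("QM", "A", "B"),
    ("S2", "E1"): ("QM", "QM", "QM"), ("S2", "E2"): ("QM", "QM", "A"),
    ("S2", "E3"): ("QM", "A", "B"),   ("S2", "E4"): ("A", "B", "C"),
    ("S3", "E1"): ("QM", "QM", "A"),  ("S3", "E2"): ("QM", "A", "B"),
    ("S3", "E3"): ("A", "B", "C"),    ("S3", "E4"): ("B", "C", "D"),
}

# ISO 26262-5 Tables 4, 5 and 6 target values as reproduced on the slides.
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}
PMHF_TARGET_PER_H = {"B": 1e-7, "C": 1e-7, "D": 1e-8}


def determine_asil(severity, exposure, controllability):
    """ASIL of one hazardous event; an S0, E0 or C0 classification needs no ASIL (QM)."""
    if "0" in (severity[-1], exposure[-1], controllability[-1]):
        return "QM"
    return ASIL_TABLE[(severity, exposure)][int(controllability[-1]) - 1]


@dataclass(frozen=True)
class FailureMode:
    name: str
    fit: float         # failure rate in FIT (failures per 1e9 h)
    mechanism: str     # safety mechanism covering it, "" if none
    dc_rf: float       # DC of the runtime mechanism against residual faults
    dc_latent: float   # DC of the start-up / periodic test against latent faults


def fmeda(modes, enabled):
    """Return (SPFM, LFM, residual failure rate per hour) for the enabled mechanisms.

    Per failure mode (simplified bookkeeping, an assumption of this example):
      residual = fit * (1 - dc_rf)           single-point / residual faults
      covered  = fit * dc_rf                 multiple-point faults
      latent   = covered * (1 - dc_latent)   multiple-point faults never revealed
    A mechanism the customer does not use leaves its failure mode uncovered.
    """
    total = sum(m.fit for m in modes)
    residual_fit = 0.0
    latent_fit = 0.0
    for m in modes:
        if m.mechanism not in enabled:
            residual_fit += m.fit
            continue
        residual_fit += m.fit * (1 - m.dc_rf)
        latent_fit += m.fit * m.dc_rf * (1 - m.dc_latent)
    spfm = 1 - residual_fit / total
    covered_total = total - residual_fit
    lfm = 1 - latent_fit / covered_total if covered_total > 0 else 1.0
    return spfm, lfm, residual_fit * 1e-9


def meets_targets(asil, spfm, lfm, residual_per_h, mcu_allocation=0.10):
    """Check all three metrics; the MCU only gets a share (10 % on the slides) of the PMHF budget."""
    if asil not in SPFM_TARGET:          # QM and ASIL A: no target values in the tables above
        return True
    return (spfm >= SPFM_TARGET[asil]
            and lfm >= LFM_TARGET[asil]
            and residual_per_h < PMHF_TARGET_PER_H[asil] * mcu_allocation)


# Constructed failure model: FIT split from the slide, mechanisms and DC values assumed.
MCU_MODES = (
    FailureMode("SRAM transient", 700, "e2eECC", 0.999, 0.90),
    FailureMode("Flip-flop transient", 200, "Lockstep", 0.999, 0.90),
    FailureMode("Package permanent", 80, "Lockstep", 0.95, 0.60),
    FailureMode("Die permanent", 20, "LBIST", 0.95, 0.90),
)


if __name__ == "__main__":
    asil = determine_asil("S3", "E4", "C3")   # worst case in Table 4
    print(f"Hazardous event S3/E4/C3 -> ASIL {asil}")
    # Dynamic FMEDA: the same model with and without the LBIST start-up test in use.
    for enabled in ({"e2eECC", "Lockstep", "LBIST"}, {"e2eECC", "Lockstep"}):
        spfm, lfm, res = fmeda(MCU_MODES, enabled)
        verdict = {a: meets_targets(a, spfm, lfm, res) for a in ("B", "C", "D")}
        print(f"{sorted(enabled)}: SPFM={spfm:.4f} LFM={lfm:.4f} "
              f"residual={res:.2e}/h meets={verdict}")
```

With all three mechanisms in use the constructed model stays inside the allocated ASIL B budget (residual 5.9 x 10<sup>-9</sup>/h against 1 x 10<sup>-8</sup>/h) but misses ASIL D on both LFM and residual rate; dropping LBIST from the configuration turns the 20 FIT of die permanent faults into single-point faults and the same silicon no longer meets ASIL B, which is exactly the kind of result a tailored FMEDA is meant to expose before the system architecture is frozen.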





#### ISO 26262-5 (Elements and Failure Models)

| FMEDA        | Element                        | See Tables | Analyzed failure modes: Low (60 % DC)                                                  | Medium (90 % DC)                                                                                                                                                      | High (99 % DC)                                                                                                                                                                                                    |
|--------------|--------------------------------|------------|----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|              | General semiconductor elements |            |                                                                                        |                                                                                                                                                                       |                                                                                                                                                                                                                   |
| FMEDA Supply | Power supply                   | D.9        | Under and over voltage                                                                 | Drift<br>Under and over voltage                                                                                                                                       | Drift and oscillation<br>Under and over voltage<br>Power spikes                                                                                                                                                   |
| FMEDA Clock  | Clock                          | D.10       | Stuck-at<sup>a</sup>                                                                   | d.c. fault model<sup>b</sup>                                                                                                                                          | d.c. fault model<sup>b</sup><br>Incorrect frequency<br>Period jitter                                                                                                                                              |
| FMEDA Flash  | Non-volatile memory            | D.5        | Stuck-at<sup>a</sup> for data and addresses and control interface, lines and logic     | d.c. fault model<sup>b</sup> for data and addresses (includes address lines within same block) and control interface, lines and logic                                 | d.c. fault model<sup>b</sup> for data, addresses (includes address lines within same block) and control interface, lines and logic                                                                                |
| FMEDA SRAM   | Volatile memory                | D.6        | Stuck-at<sup>a</sup> for data, addresses and control interface, lines and logic        | d.c. fault model<sup>b</sup> for data, addresses (includes address lines within same block and inability to write to cell) and control interface, lines and logic     | d.c. fault model<sup>b</sup> for data, addresses (includes address lines within same block and inability to write to cell) and control interface, lines and logic<br>Soft error model<sup>c</sup> for bit cells   |
|              |                                |        |                                                                                              | Soft error model <sup>c</sup> for bit cells                                                                                                                                          |                                                                                                                                                                                                                               |  |
| Failure Rate | Digital I/O                    |        | Stuck-at <sup>a</sup> (including<br>signal lines outside of<br>the microcontroller)          | d.c. fault model <sup>b</sup><br>(including signal lines<br>outside of the<br>microcontroller)                                                                                       | d.e. fault model <sup>b</sup> (including<br>signal lines outside of the<br>microcontroller)<br>Drift and oscillation                                                                                                          |  |
| Table        | Analogue I/O                   | D.7    | Stuck-at <sup>a</sup> (including<br>signal lines outside of<br>the microcontroller)          | d.c. fault model <sup>b</sup><br>(including signal lines<br>outside of the<br>microcontroller)<br>Drift and oscillation                                                              | d.c. fault model <sup>b</sup> (including<br>signal lines outside of the<br>microcontroller)<br>Drift and oscillation                                                                                                          |  |

Table D.1 — Analyzed faults or failures modes in the derivation of diagnostic coverage



Reference ISO 26262-5:2011

#### ISO 26262-5 (Elements and Failure Models)

Table D.1 — Analyzed faults or failure modes in the derivation of diagnostic coverage (continued)

| Slide callout | Element | See Tables | Low (60 % DC) | Medium (90 % DC) | High (99 % DC) |
|---------------|---------|------------|---------------|-------------------|-----------------|
| FMEDA Processing Unit | **Processing units** | | | | |
| | ALU - Data Path | D.4/D.13 | Stuck-at<sup>a</sup> | Stuck-at<sup>a</sup> at gate level | d.c. fault model<sup>b</sup><br>Soft error model<sup>c</sup> (for sequential parts) |
| | Registers (general purpose registers bank, DMA transfer registers), internal RAM | D.4 | Stuck-at<sup>a</sup> | Stuck-at<sup>a</sup> at gate level<br>Soft error model<sup>c</sup> | d.c. fault model<sup>b</sup> including no, wrong or multiple addressing of registers<br>Soft error model<sup>c</sup> |
| | Address calculation (Load/Store Unit, addressing logic, memory and bus interfaces) | D.4/D.5/D.6 | Stuck-at<sup>a</sup> | Stuck-at<sup>a</sup> at gate level<br>Soft error model<sup>c</sup> (for sequential parts) | d.c. fault model<sup>b</sup> including no, wrong or multiple addressing<br>Soft error model<sup>c</sup> (for sequential parts) |
| | Interrupt handling | D.4/D.10 | Omission of or continuous interrupts | Omission of or continuous interrupts<br>Incorrect interrupt executed | Omission of or continuous interrupts<br>Incorrect interrupt executed<br>Wrong priority<br>Slow or interfered interrupt handling causing missed or delayed interrupt service |
| | Control logic (Sequencer, coding and execution logic including flag registers and stack control) | D.4/D.10 | No code execution<br>Execution too slow<br>Stack overflow/underflow | Wrong coding or no execution<br>Execution too slow<br>Stack overflow/underflow | Wrong coding, wrong or no execution<br>Execution out of order<br>Execution too fast or too slow<br>Stack overflow/underflow |
| | Configuration registers | D.4 | Stuck-at<sup>a</sup> wrong value | Corruption of registers (soft errors) | Stuck-at<sup>a</sup> fault model |
| | Other sub-elements not belonging to previous classes | D.4/D.13 | Stuck-at<sup>a</sup> | Stuck-at<sup>a</sup> at gate level | d.c. fault model<sup>b</sup><br>Soft error model<sup>c</sup> (for sequential parts) |



# **Dynamic FMEDA Metrics**

- The relative metrics (SPFM, LFM) must reach the target values for the selected ASIL
- The sum of the individual PMHF contributions must fulfil the absolute (failure rate) target



# **Dynamic FMEDA**

- Failure Mode, Effect and Diagnostic Analysis
- A systematic way to identify and evaluate failure modes, their effects and the diagnostic techniques that cover them, and to document the result for the system.
- The FMEDA can be **tailored** to the **application** use-case:
  - adaptation of the temperature profile and the target ASIL
  - selection of the package used
  - selection / de-selection of modules
  - selection / de-selection of diagnostic measures
  - change of particular DC values

This tailorable analysis is called the "Dynamic FMEDA".

- From it, a specific (static) "customer FMEDA" can be generated for the chosen configuration



# **Dynamic FMEDA**



#### Additionally - FMEDA Report

A report summarizing the assumptions and the method of the inductive functional safety analysis carried out for the MCU on the basis of the FMEDA





## **Supporting Material for Functional Safety**

- SafeAssure @ www.freescale.com/SafeAssure
- Certification Package under NDA
- App-Notes, White Papers, Articles
- On-demand Training











www.Freescale.com

© 2015 Freescale Semiconductor, Inc. | External Use