Page 19

EETE NOVEMBER 2012

- Memory integrity check at start-up.
- Secure communication by CRC or parity bit.

The analysis is weighted by the area of the block under investigation, taking into account that failures are equally likely to be triggered at any location during normal operation. Large blocks therefore require proportionately more lengthy examination.

The output of the analysis of any one block is a ratio of the FIT rate for that block and a residual FIT rate for the dangerous and undetected (DU) faults – see table 1. Summing up this analysis over all blocks leads to the safe failure fraction (SFF) (ISO26262 uses the term ‘single-point fault metric’):

SFF = safe faults / (safe plus DU faults)

The method seems formal, which might explain why many engineers have been reluctant to follow this approach! But on the other hand, the method takes the probability of faults into account by weighting attention towards the large blocks with a high failure rate. This provides a kind of ranking which raises the quality of the analysis far higher than pure engineering judgment can possibly achieve. (It should, however, be noted that engineering judgment alone informs the block analysis which underlies the entire FMEDA process.)

When FMEDA was implemented by ams on the position sensor shown in figure 2, the result of the first iteration revealed that a large share of the dangerous and undetected faults originated from the EEPROM and the signal path from the Hall sensor to the CORDIC processing unit – a path that occupies a relatively large area of the die. Furthermore, faults in the protected high-current output driver could not be diagnosed, contributing a large proportion of the undetected faults.
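The area-weighted block tally and the SFF formula above, carried through as an added worked example (this is not code from the article or from ams). The block names, die areas, FIT rates, safe fractions and diagnostic-coverage figures are all constructed for illustration; the only thing taken from the article is the structure of the calculation: per-block FIT weighted by area, a split into safe and dangerous faults, diagnostics that turn dangerous faults into detected ones, and the SFF summed over all blocks. Dangerous-but-detected faults are counted on the safe side of the ratio, which is the IEC 61508 convention and an assumption about what the article means by "safe faults". The example also ranks blocks by their residual DU contribution, which is the ranking the article says the method provides, and repeats the tally after adding diagnostics of the kind listed later on the page.

```python
# Added example, not from the EETE article: an area-weighted FMEDA tally
# over the functional blocks of a hypothetical Hall-sensor ASIC, giving the
# safe failure fraction (ISO 26262 single-point fault metric) before and
# after diagnostics are added. All numbers below are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Block:
    name: str
    area_mm2: float       # die area of the block (constructed value)
    fit_per_mm2: float    # base failure rate per mm^2, in FIT (constructed)
    safe_fraction: float  # share of failures that cannot violate the safety goal
    diag_coverage: float  # share of dangerous failures a diagnostic will detect

    @property
    def fit(self) -> float:
        # Area weighting: failures are equally likely anywhere on the die,
        # so a larger block accumulates proportionately more FIT.
        return self.area_mm2 * self.fit_per_mm2

    def split(self):
        """Return (safe, dangerous-detected, dangerous-undetected) FIT."""
        safe = self.fit * self.safe_fraction
        dangerous = self.fit - safe
        detected = dangerous * self.diag_coverage
        undetected = dangerous - detected
        return safe, detected, undetected


def sff(blocks) -> float:
    """Safe failure fraction summed over all blocks.

    Assumption: detected dangerous faults count with the safe faults
    (IEC 61508 convention), so SFF = (S + DD) / (S + DD + DU).
    """
    safe = detected = undetected = 0.0
    for block in blocks:
        s, dd, du = block.split()
        safe += s
        detected += dd
        undetected += du
    return (safe + detected) / (safe + detected + undetected)


def rank_by_undetected(blocks):
    """Block names ordered by residual DU FIT, largest first (the 'ranking')."""
    return [b.name for b in sorted(blocks, key=lambda b: (-b.split()[2], b.name))]


def with_diagnostics(blocks, coverage):
    """Return a copy of the block list with updated diagnostic coverage."""
    return [replace(b, diag_coverage=coverage.get(b.name, b.diag_coverage))
            for b in blocks]


# Constructed first-iteration picture: no diagnostics on the large blocks.
BASELINE = [
    Block("eeprom",         area_mm2=0.40, fit_per_mm2=50.0, safe_fraction=0.25, diag_coverage=0.0),
    Block("hall_to_cordic", area_mm2=0.60, fit_per_mm2=50.0, safe_fraction=0.40, diag_coverage=0.0),
    Block("output_driver",  area_mm2=0.20, fit_per_mm2=50.0, safe_fraction=0.20, diag_coverage=0.0),
    Block("digital_core",   area_mm2=0.10, fit_per_mm2=50.0, safe_fraction=0.60, diag_coverage=0.5),
]

# Constructed coverage assumptions for diagnostics of the kind the article
# describes: EEPROM CRC check, magnetic self-test, driver status read-back.
DIAGNOSTICS = {
    "eeprom": 0.99,
    "hall_to_cordic": 0.90,
    "output_driver": 0.90,
}


def spfm_percent(blocks) -> float:
    """Single-point fault metric as a percentage, rounded to one decimal."""
    return round(100.0 * sff(blocks), 1)


if __name__ == "__main__":
    improved = with_diagnostics(BASELINE, DIAGNOSTICS)
    print("first iteration : SPFM = %.1f%%, worst blocks %s"
          % (spfm_percent(BASELINE), rank_by_undetected(BASELINE)[:2]))
    print("with diagnostics: SPFM = %.1f%%, worst blocks %s"
          % (spfm_percent(improved), rank_by_undetected(improved)[:2]))
```

Running it shows the effect the article describes: in the first pass the two largest blocks dominate the undetected dangerous FIT, and adding diagnostics to exactly those blocks moves the single-point fault metric from the 30s into the 90s, while a small block with partial coverage, which no amount of engineering judgment would have flagged as a priority, now sits near the top of the residual ranking.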
As a result, monitoring and diagnosis features were implemented – features that would not have been added had ams not carried out the FMEDA process:

- Continuous EEPROM content check, through calculation of the CRC and comparison with a reference CRC.
- Magnetic self-test of the signal-processing chain, whereby a micro-coil is employed to generate a test magnetic field. The test measurement is scheduled in the main measurement cycle, and the resulting output is compared with a stored value.
- Read-back of the status of the output drivers using a comparator. If a failure is detected, the output is switched to a failure band (1-4% PWM duty cycle).

These features, together with many others implemented during the development of the device, have resulted in a successful ASIC which boasts a single-point fault metric of 90%, and which is thus qualified for ASIL B.

Conclusion

Development and design according to ISO26262 is becoming a standard requirement for ICs for automotive safety applications. The use of the FMEDA helps development teams to focus on those IC functional blocks with the highest failure rates and largest chip area – a contrast with traditional design-for-safety methods which relied much more on engineers’ judgment. Close collaboration between the IC developer and the user, for instance by using diagnosis functions external to the chip to support the IC’s operation, enables the more cost-effective implementation of safety features.

www.electronics-eetimes.com

