

## Master Radiation and its Effects on MicroElectronics and Photonics Technologies (RADMEP)



## ANALOG FAULT SIMULATION IN AUTOMOTIVE RADAR 77 GHZ CIRCUIT FOR SAFETY REQUIREMENTS

Master Thesis Report

Presented by Felipe Souza Sanches

and defended at University Jean Monnet

11-12 September 2023

Academic Supervisor: Researcher Florence Azaïs, CNRS

Host Supervisor(s): Eng. Mohamed Boulkheir, NXP Semiconductors

Eng. Thierry Mesnard, NXP Semiconductors

Jury Committee: Dr. Arto Javanainen, University of Jyväskylä

Prof. Frédéric Saigné, University of Montpellier

Prof. Dr. Ir. Paul Leroux, KU Leuven

Prof. Sylvain Girard, University Jean Monnet



## Abstract

Nowadays, many electronic systems are embedded in road vehicles to assist drivers while they are driving and, potentially, to prevent accidents. One of the most popular technologies on board vehicles is radar, which detects targets with good precision.

However, all systems embedded in cars must go through safety checks, because during the device's life cycle, it can present random failures. Thus, to reduce and mitigate the risks of electronic failures, some methods must be applied following safety guidelines, such as fault simulation. This is important because, due to safety reasons, it is assumed all faults are dangerous, and will generate failures in the system. However, by simulating, it can be seen which type of failures the device presents and the precise distribution of "dangerous" and "safe" faults.

Hence, in the radar device, inside the transceiver block, "bridge" and "open" faults were injected in both the voltage regulator and the frequency doubler blocks. To model "bridge" and "open", a $10\,\Omega$ and a $1\,G\Omega$ resistor were used, respectively. Faults were injected so as to interact with each terminal of every component element inside the studied blocks. Legato, a Cadence simulation tool, was used to execute those simulations.

For the voltage regulator, 2981 faults were systematically simulated, and 3 types of failures were identified, namely undervoltage, overvoltage, and oscillation outside the safety voltage range. Besides that, 78.87% of faults were "safe" and did not affect the main operation of the voltage regulator.

For the frequency doubler, the simulation software raised an error when executing the high-frequency analysis. However, considering that this block demands high computational power for each simulation, and that a total of 4607 faults is expected to be simulated, the testbench had to be optimized. After the optimization, the single run time decreased from 45 minutes to 20 minutes. Then, once a new software version is available, fault simulations can be performed to identify the failures in the frequency doubler block.

## Table of Contents

- Abstract
- Table of Contents
- Acknowledgement
- List of Figures
- List of Tables
- 1 Introduction
  - 1.1 Onboard technologies for automotive industry
  - 1.2 Functional safety in the automotive industry
    - 1.2.1 Terminology
    - 1.2.2 Functional safety
  - 1.3 Failures and their root-causes
  - 1.4 State of the art
    - 1.4.1 Fault injection techniques
    - 1.4.2 Failure distribution and FMEDA
  - 1.5 Scope of the project
- 2 Methodology
  - 2.1 Fault model and weights definition on Legato
  - 2.2 Fault simulation environment
  - 2.3 DUT and its failure mode definition
    - 2.3.1 Low-dropout regulator (LDO)
    - 2.3.2 Frequency doubler
  - 2.4 Testbench and expected results
    - 2.4.1 Low-dropout regulator (LDO)
    - 2.4.2 Frequency doubler (FD)
  - 2.5 Post-processing and coverage analysis
- 3 Practical Results
  - 3.1 LDO block
    - 3.1.1 Testbench on Cadence
    - 3.1.2 Nominal simulation
    - 3.1.3 Fault injection simulation
    - 3.1.4 Analysis
  - 3.2 Frequency doubler (FD)
    - 3.2.1 Testbench on Cadence
    - 3.2.2 Nominal simulation
    - 3.2.3 Fault injection simulation
    - 3.2.4 Analysis
- 4 Conclusion
- 5 Future work
- Bibliography

## Acknowledgement

First of all, I am thankful for God, and my family that always supported me to pursue my dreams. Because of their help and sacrifice, I was able to achieve great things in life.

I am grateful for the opportunity to be part of the first intake of the RADMEP master's degree. A lot of people worked hard preparing and organizing this course, and I am thankful for that. It was 2 years full of learning and opportunities.

I also want to thank my RADMEP friends. I had the pleasure of meeting incredible people who inspired me to do my best during my studies. We had wonderful moments together, and I will always keep those memories with me.

Besides that, I would like to express my gratitude to both Mohamed Boulkheir and Thierry Mesnard for allowing me to work with them at NXP – Toulouse, France. Their assistance enabled me to do a good performance during my internship project, and I have deep admiration for both of them. I also want to thank Florence Azaïs, whom I had the opportunity to meet during her lectures at the University, for accepting to be my academic supervisor.

## List of Figures

- Figure 1: On-board technologies embedded in road-vehicles for driving assistant. Figure taken from [4].
- Figure 2: Block diagram showing the basic operation of a radar system. Figure adapted from [5].
- Figure 3: FMCW radar example.
- Figure 4: On-board technologies embedded in road-vehicles for driving assistant. Figure adapted from [6].
- Figure 5: ASIL distribution based on the system severity, exposure, and controllability.
- Figure 6: Examples of failures in a device's life cycle.
- Figure 7: Example of an experimental setup to inject faults using a laser.
- Figure 8: EMP setup used to inject non-intrusive faults.
- Figure 9: Block diagram representing the transceiver system, with the worked blocks highlighted in green.
- Figure 10: Block diagram of a fault simulation process.
- Figure 11: Fault models for transistor, capacitor, inductor, resistor and diode.
- Figure 12: MOS transistors examples with (a) 1 gate, and (b) 2 gates, with a shared drain area.
- Figure 13: ADE Assembler Maestro view snapshot.
- Figure 14: Basic representation of an LDO circuit.
- Figure 15: PPDF circuit representation. Figure adapted from [19].
- Figure 16: Voltage and current behavior representation of PPDF circuit. Figure adapted from [19].
- Figure 17: Initial condition file, "spectre.ic", being added to the analysis.
- Figure 18: LDO output voltage representation, for both good and faulty circuit cases.
- Figure 19: Testbench representation for the LDO block, placed on Cadence during fault simulation.
- Figure 20: Testbench representation for the FD block, placed on Cadence during fault simulation.
- Figure 21: PPFD output frequency spectrum for both good and faulty circuit cases.
- Figure 22: PPFD output noise representation, for both good and faulty circuit cases.
- Figure 23: Waveform obtained from LDO voltage output.
- Figure 24: Waveform obtained from load in the output of the LDO.
- Figure 25: All 2981 fault simulation outputs and the nominal case, highlighting the desired voltage level of 901 mV, and zoom-in from 0 to 450 ns.
- Figure 26: Cases identified during the simulation, with safe and dangerous cases, representing the sum of all failures.
- Figure 27: Open and bridge fault distribution in the undervoltage, overvoltage, and oscillation outside the range.
- Figure 28: Output spectrum of the frequency doubler circuit.
- Figure 29: Output noise simulation of the frequency doubler circuit.
- Figure 30: Error message obtained during fault simulation for harmonic balance analysis.
- Figure 31: DUT and safety mechanism configuration, with all four result combinations.

## List of Tables

- Table 1: Manufacturing defects and their root causes. [7]
- Table 2: In-field defects and their root causes. [7]
- Table 3: Example for the equal distribution.
- Table 4: Example for the area method distribution.
- Table 5: Example for the output signal method distribution.
- Table 6: Standard effects considered in the LDO.
- Table 7: Standard effects considered in the FD.
- Table 8: Standard effects considered in the LDO and their failure detection criteria.
- Table 9: Standard effects considered in the FD and their failure detection criteria.

## 1 Introduction

The automotive industry is passing through many changes. The number of technologies embedded in road vehicles increases each year. They can be grouped as Connectivity Technologies, aiming to provide a comfortable experience to the users, and Electrification, targeting automotive technologies that help CO<sub>2</sub> reduction. In addition, other technologies provide autonomy, to assist drivers while driving the vehicle and potentially reduce and avoid fatal road accidents, and afterward, to enable fully autonomous road vehicles.

In 2018, the National Motor Vehicle Crash Causation Survey (NMVCCS) released a report looking at the critical reasons behind road traffic accidents registered in the U.S. In 94% of the crash cases, which represents more than 2 million occurrences, the accident was caused by the driver. The critical reasons for those accidents were errors related to recognition, in 41% of the cases, to decision, in 33%, and to performance, in 11%. [1]

In Europe, the number of road fatalities involving car users was greater than 8800. In almost 2200 of these accidents, the vehicle collided with another car, while the European Road Safety Observatory report pointed out that in more than 3800 cases the collision did not involve any other vehicle. [2]

Overall, it is clear that the human factor is the main cause of accidents involving road vehicles, and a possible solution to reduce and prevent accidents is to put technologies on board that assist humans while they are driving their vehicles.

### 1.1 Onboard technologies for automotive industry

Several onboard systems are very popular in road vehicles: LiDAR (LIght Detection And Ranging), which uses a pulse of light to obtain the distance between an object and its sensor; cameras; ultrasound, commonly used for parking assistance; and RADAR (RAdio Detection And Ranging). [3] Figure 1 illustrates those systems and their applications in automotive vehicles.



*Figure 1: On-board technologies embedded in road-vehicles for driving assistant. Figure taken from [4].* 

The radar principle consists of transmitting a radio-frequency wave and receiving the reflected wave after its interaction with the object. By analyzing the received signal, it is possible to identify the distance of the object, its velocity, and its angle. Figure 2 shows the basic block diagram of a radar operation.



*Figure 2: Block diagram showing the basic operation of a radar system. Figure adapted from* [5].

Because they provide so much information about the target, radars are widely used in the automotive industry. For today's applications, the main technique used is a frequency-modulated continuous waveform (FMCW), with a transmitted frequency ranging from 76 GHz to 81 GHz for long-range radar (LRR) cases. From the TX and RX signals, as seen in Figure 3, two main pieces of information are extracted from the waveform: range and Doppler, the latter allowing us to determine the velocity of the target. Besides that, the linear frequency sweep in the transmission is referred to as a chirp.



Figure 3: FMCW radar example.


As an example of radar products to be embedded in vehicles, there is the high-performance 77 GHz RFCMOS automotive radar One-Chip SoC, with an operation range from 76 GHz to 81 GHz. As seen in Figure 4, this SoC is composed of an RF transceiver, radar processing, memory, and connectivity. Inside the RF transceiver, the chip has 4 transmitters, 4 receivers, 4 ADCs, a waveform generator, and a dedicated functional safety block.



Figure 4: On-board technologies embedded in road-vehicles for driving assistant. Figure adapted from [6].

### 1.2 Functional safety in the automotive industry

When a module is being developed for the automotive industry, it is carefully designed to have high robustness. Although the development chain of a product ensures higher quality, still the module might not perform as expected, resulting in failures.

#### 1.2.1 Terminology

By definition, a failure is a malfunction in the system, due to the manifestation of defects while the module is operational. An example is oscillation at the output of the voltage regulator block instead of a constant value.

Two other important terms are fault and defect. As seen in [7], the IEEE standard for analog defect modeling and coverage, there is no consensus in the community on how to differentiate fault and defect. The IEEE Standards Dictionary presents many definitions for both, and what can be seen is that defect is more focused on the board, while fault can be related to the board, system, or software. They are stated as an unexpected change (physical or electrical) in the circuit, like a flaw or imperfection in the circuit element or connection between circuit elements, making it different from its intended design. Besides, the difference does not need to be permanent.

The defects/faults can be separated into subcategories. The first is the catastrophic (or hard) classification, which covers changes to a circuit's topology. The change may be, for example, a short (or bridge) between circuit nodes.

The second is the parametric (or soft) classification. They modify the parameters of a circuit element, like changes in the threshold voltage of a MOS device. [7]

#### 1.2.2 Functional safety

These concepts are essential because before embedding any system in cars, the system must be robust and have a high level of safety.

Functional safety follows the product starting from its concept phase, passing through the development, up to the verification and testing stages. This happens by presenting systemic approaches supported by ISO 26262, aiming for the absence of unreasonable risks caused by hazards related to malfunctioning behavior in the electrical and electronic systems.

Overall, potential hazards can be determined by three different components. The first is "severity", which indicates the impact of a failure on human life on a scale starting with no injuries, up to fatal injuries. The second is "exposure", which indicates the frequency or duration of the hazardous event that occurs in the vehicle. The last component is "controllability", which indicates how difficult the hazardous situation is to control by drivers or other traffic participants, such as pedestrians. This index starts at fully controllable and ends at either difficult to control or uncontrollable.

Once all risks are assessed, it is possible to classify their Automotive Safety Integrity Level (ASIL) in five indexes, QM (standing for Quality Managed), A, B, C, and D, as seen in Figure 5. By this classification, the hazards and risks can be pointed out, and by the ISO 26262 guideline, they can be mitigated and properly prevented.

| S = Severity | E = Exposure  | C = Controllability: C1 – SIMPLE | C2 – NORMAL | C3 – DIFFICULT |
|--------------|---------------|----------------------------------|-------------|----------------|
| S1 – LIGHT   | E1 (very low) | QM                               | QM          | QM             |
| S1 – LIGHT   | E2 (low)      | QM                               | QM          | QM             |
| S1 – LIGHT   | E3 (medium)   | QM                               | QM          | A              |
| S1 – LIGHT   | E4 (high)     | QM                               | A           | B              |
| S2 – SEVERE  | E1 (very low) | QM                               | QM          | QM             |
| S2 – SEVERE  | E2 (low)      | QM                               | QM          | A              |
| S2 – SEVERE  | E3 (medium)   | QM                               | A           | B              |
| S2 – SEVERE  | E4 (high)     | A                                | B           | C              |
| S3 – FATAL   | E1 (very low) | QM                               | QM          | A              |
| S3 – FATAL   | E2 (low)      | QM                               | A           | B              |
| S3 – FATAL   | E3 (medium)   | A                                | B           | C              |
| S3 – FATAL   | E4 (high)     | B                                | C           | D              |

*Figure 5: ASIL distribution based on the system severity, exposure, and controllability.* 

In the automotive industry, Fault Tree Analysis (FTA), and Failure Mode, Effect, and Diagnostic Analysis (FMEDA) are widely used in safety, and depending on the desired ASIL, some methods might be mandatory. The FMEDA stands out from other methods for its completeness of information. By using it, it is possible to assess failure rates in the system, failure mode distribution, and the diagnostic and prevention measures in the system.

### 1.3 Failures and their root-causes

FMEDA is widely used in functional safety. However, to obtain higher precision while executing these analysis techniques in the product or system, the failures in the system must be properly identified. By doing fault injection, this goal can be reached.

In electronic devices, it is possible to identify many types of failures. During the development lifecycle of a product, it goes through a verification process, mainly to identify systematic failures created during the fabrication. However, from the moment the system starts to be used, the failures can be separated into 3 main categories, as seen in Figure 6.

Firstly, there are early failures, concentrated predominantly in the device's infant mortality period, which decrease over time. On the other hand, there are wear-out failures, which increase during the lifecycle. The last are random failures, which are equally distributed over time.

As seen in [8], the root cause of random failures could be alpha particles, electrostatic discharge, crosstalk, or even electromagnetic interference [9] [10]. Table 1 and Table 2 present defects commonly observed in integrated circuits, with their root causes.





To understand how the system behaves in the presence of a fault, it is possible to do fault injection intentionally. For a system that complies with ASIL B, C, and D, it is mandatory to execute fault injection whereas for ASIL A, it is compulsory.

Doing this by practical experiments might be time-consuming, and challenging, mainly if a high coverage is targeted during the tests. On the other hand, doing systematic simulations can be a better approach, mainly during the development phase of the product, when there is no physical device to be tested.

Thus, fault-injection simulation can output the system behavior for each fault, potentially achieve good coverage, and give a more accurate failure mode distribution for the given system.

| Category          | Location       | Example of root causes                                                                                                                                         |
|-------------------|----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Short             | Same layer     | Dust or metal flake                                                                                                                                            |
| Short             | Between layers | Pinhole in oxide                                                                                                                                               |
| Open              | Same layer     | Missing contact                                                                                                                                                |
| Open              | Between layers | Gate oxide too thick                                                                                                                                           |
| AC coupling       | Same layer     | Optical Proximity Correction (OPC) distortion                                                                                                                  |
| AC coupling       | Between layers | Oxide thinning                                                                                                                                                 |
| Leakage           | PN junction    | Electro-static discharge (ESD) during handling or testing                                                                                                      |
| Leakage           | Gate oxide     | Time-dependent dielectric breakdown (TDDB) during over-voltage test                                                                                            |
| Extreme variation |                | Doping non-uniformity<br>Variation in optical focus, exposure, or mask alignment<br>Variation in etch rates or chemical mechanical polishing (CMP)             |

Table 1: Manufacturing defects and their root causes. [7]

| Category    | Location              | Example of root causes                                                                  |
|-------------|-----------------------|-----------------------------------------------------------------------------------------|
| Short       | Between bond wires    | Extra material in package<br>Whiskers from metals<br>Single Event Latch-up (SEL)        |
| Open        | Contact, via          | Current or voltage stress<br>Thermal or physical stress                                 |
| Leakage     | PN junction           | Electro-static discharge (ESD)                                                          |
| Leakage     | Gate oxide            | Time-dependent dielectric breakdown (TDDB)                                              |
| Degradation | Transistor parameters | Voltage or thermal stress<br>Hot carrier injection (HCI)                                |

Table 2: In-field defects and their root causes. [7]

### 1.4 State of the art

Following the ISO 26262 specification, many test methods are applied during product development to achieve the desired safety level. All those test methods are performed at the system level and at the system element level. At the system element level, fault injection can be useful to detect and mitigate different faults with high accuracy.

#### 1.4.1 Fault injection techniques

It is quite common to see experimental methods to inject faults in the circuit. As seen in [11], the use of lasers is very popular for cryptographic circuits. In this method, the secret key in the circuit can be found by comparing the faulty result with the correct one. Figure 7 shows how the testbench is prepared to execute such a technique.

Aside from that, it is also possible to have electromagnetic fault injection. This method produces electromagnetic waves, or pulses, depending on how the test is performed, that are capable of going through the integrated circuit package and disturbing the circuit internally. It affects, for example, the clock generator, and it can also induce a sudden current flow [12]. Figure 8 presents the setup of this experiment.

Although there are good methods to execute fault injection on integrated circuits, achieving good test coverage with them takes a lot of time and, consequently, has some costs too. Using software to execute simulations can guarantee a higher test coverage and, potentially, deliver a final result faster in comparison with a laboratory approach.



Figure 7: Example of an experimental setup to inject faults using a laser.



Figure 8: EMP setup used to inject non-intrusive faults.

For analog fault injection simulation, one available tool is DRAFTS (Discretized Analogue Circuit Fault Simulator), which has good results for linear analog circuits. Besides, the tool optimizes its simulation by working in a discrete domain. [13] Following the same idea, it is also possible to find other software such as ANTICS, mainly used for catastrophic faults, whose faults are written in a SPICE-like language, as seen in [14].

In addition, another software tool can be used for the same purpose: RMSCAT is a platform that can be integrated with Cadence and, besides the fault simulation, it allows the user to execute test generation and test optimization in circuits. [15] Although there are many software tools, the best so far to execute fault injection in analog blocks is Legato, from Cadence. This software is aligned with IEEE P2427, and it is becoming popular among semiconductor companies that want to perform analysis for functional safety.

#### 1.4.2 Failure distribution and FMEDA

For the functional safety analysis, it is essential to identify all failures that can be found on the circuit. The idea is to list all the ways the circuit can fail during the device's life cycle.

When it is necessary to understand why the device had a failure, with a special focus on the past, the term Failure Cause is used. If the focus is on the consequences of the failure, with special interest in the future impact, it is referred to as Failure Effects. When the main focus is how the device fails to work as expected, the term Failure Mode is used. [16]

Overall, the list of failures present in the block or device is created based on behaviors previously identified by designers and people who work with verification and testing. Taking into account that this list can be really extensive, by having a big number of possible failure modes, it is essential to understand its distribution to produce safety reports, using the FMEDA method.

According to the international standard, it is possible to use three different methods to execute the failure distribution.

The first consists of an equal distribution among the failure modes, as shown in Table 3. Although it might be true on average and requires little effort, it may account for failures that cannot actually happen. In addition, this method is too conservative because it implies all faults injected in the system element will propagate to the output and result in failure.

Table 3: Example for the equal distribution.

| Block name       | Failure mode   | Failure mode distribution |
|------------------|----------------|---------------------------|
| Hardware Block 1 | Failure mode 1 | 25.00%                    |
|                  | Failure mode 2 | 25.00%                    |
|                  | Failure mode 3 | 25.00%                    |
|                  | Failure mode 4 | 25.00%                    |

The second method is area based: the area occupied by each block involved in the failure manifestation is taken into account and compared with the total area of the block. This method has a medium effort, and it can create some errors. Table 4 illustrates this method.

Table 4: Example for the area method distribution.

| Mixed mode<br>function              | Failure mode                   | Failure mode distribution |
|-------------------------------------|--------------------------------|---------------------------|
| Hardware Block 1 ($40\ \mu m^2$)    | Failure mode 1 (2 $\mu m^2$)   | 5.00%                     |
|                                     | Failure mode 2 (8 $\mu m^2$)   | 20.00%                    |
|                                     | Failure mode 3 (11 $\mu m^2$)  | 27.50%                    |
|                                     | Failure mode 4 (19 $\mu m^2$)  | 47.50%                    |

The last one, indicated in Table 5, and the main focus of this study, is the output-signal-based method. For this approach, faults are injected into the device to output all the possible failures for this block. As a result, after executing an exhaustive fault injection, the failure mode list presents higher precision than the previous methods. On the other hand, depending on the circuit block, it might be problematic to reach significant test coverage to present the distribution, mainly due to the execution time of a single test.

*Table 5: Example for the output signal method distribution.* 

| Mixed mode function | Failure mode   | Failure mode distribution |
|---------------------|----------------|---------------------------|
| Hardware Block 1    | Failure mode 1 | 7.14%                     |
|                     | Failure mode 2 | 29.36%                    |
|                     | Failure mode 3 | 23.82%                    |
|                     | Failure mode 4 | 39.68%                    |

### 1.5 Scope of the project

This study works on an NXP product, the SAF85xx. Inside the SoC, the transceiver system, depicted in Figure 9, contains many analog and RF blocks responsible for transmitting and receiving the information. For this project, an analog block will be studied first: a low-dropout regulator (LDO), responsible for outputting 0.9 V.

One circuit topology for this voltage regulator, developed by NXP, will be picked, and from it a methodology will be developed to execute fault injection that complies with ISO 26262, using Legato, a simulation tool from Cadence.

Thus, methods will be studied to prepare a testbench and condition this block to execute functional tests and to execute single-run simulations in the fastest way possible.

Then, to simulate random failures present during the life cycle of a product, in-field defects such as opens and bridges will be injected in all components of this block, and exhaustive fault simulations will be executed aiming for 100% test coverage. By doing this and analyzing the outputs from each fault, it will be possible to identify all the failures found in the circuit and to obtain the failure mode distribution with higher accuracy.

Afterwards, the same study will be applied to an RF circuit, a frequency doubler, to investigate whether Legato is suitable for those tests, the challenges, and which results can be achieved.



*Figure 9: Block diagram representing the transceiver system, with the worked blocks highlighted in green.* 

## 2 Methodology

The methodology used in this study was developed following the standard for analog defect modeling and coverage [7] and the ISO 26262 standard for functional safety [17].

To execute a simulation that complies with the automotive safety requirements, it is first necessary to prepare the testbench. In this testbench, the device under test (DUT) must be added in a functional condition, so that it behaves as it would in in-field operation. In addition, the netlist of the DUT is used, which can be obtained from its layout or from the schematic, as done in this study.

The fault universe is created from the DUT's components found in its netlist, and a corresponding weight factor is added for each fault. Those weights can be used to define the order in which faults are injected during simulation and, most importantly, they impact the coverage result obtained from the simulation outputs, giving each fault more or less relevance in the result.

After this, it is also important to select which faults from the fault universe are going to be injected in the DUT, and how they will be modeled. If the goal is 100% test coverage, all faults from the fault universe must be simulated.

For the simulation, it is necessary to define which type of analysis will be run. The tool offers different types, such as AC, DC, transient, harmonic balance, and so on, so the suitable one needs to be chosen.

Depending on the type of failures desired to be analyzed, for the same DUT, different simulation campaigns can be executed, changing just configurations in the testbench. In this case, if the DUT is the same, the fault universe does not need to be changed.

In the end, all simulation data needs to be analyzed outside Cadence, due to limitations in the tool for this task. Then, the complete coverage can be output. Figure 10 presents the simulation flow.



Figure 10: Block diagram of a fault simulation process.

### 2.1 Fault model and weights definition on Legato

From the circuit elements found in the DUT, it is possible to define the fault list using pre-defined fault rules. Legato provides a few types of faults to be injected into the circuit: "Bridge" (also known as short), "Open", and "Stuck-at". For this study, "Stuck-at" will not be used because it is mostly used for digital fault simulation, and the main focus is fault injection at the transistor level, not at gate level. Thus, the faults used will be of the "Bridge" and "Open" types.

According to IEEE 2427, to simulate in-field defects for random faults, open cases require adding high-value resistors in series with each component terminal. For bridge faults, resistors with a very small value are added connecting two terminals of the component. The exception applied in this study is that no faults are injected on the bulk terminal of transistors. [7]

Figure 11 exemplifies how the faults were added in all instances of the studied circuit. Following the IEEE standard [7], bridge and open faults were defined with a $10\Omega$ and a $1G\Omega$ resistor, respectively.

The circuit elements found on the studied blocks are transistors, resistors, capacitors, diodes, and inductors.



Figure 11: Fault models for transistor, capacitor, inductor, resistor and diode.

Each fault must have a "weight" factor. Legato always outputs results showing each fault having a weight equal to 1. However, it is also possible to add a new weighting expression, then, the final result will display both weight values.

The expression created takes into account the width and length of the component model. The same component can have different models. For example, during the circuit design process in Cadence, a component such as a capacitor might have several models, with different dimensions and materials depending on the technology used for its fabrication.

For a transistor element, the area calculation is different: the source and drain areas are not considered.

As exemplified in Figure 12, those two areas are not used because the area of a MOS device with two gates is not twice as large, since the drain is shared. Tracking all cases in a very complex circuit, and doing so automatically, is not possible in Legato. Thus, the width and length used are taken to be those of the gate, and the product of those two parameters is multiplied by the number of gates.



Figure 12: MOS transistors examples with (a) 1 gate, and (b) 2 gates, with a shared drain area.
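The fault-universe construction described in this section, as an added Python example that is not part of the thesis and is not Legato's own rule syntax: it enumerates one open per terminal and one bridge per terminal pair, skips the transistor bulk, and attaches the W x L x gates weight. The device list, the terminal names and the use of W x L for non-transistor elements are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

BRIDGE_OHMS = 10.0   # bridge model used in the text
OPEN_OHMS = 1e9      # open model used in the text

# Assumed terminal names per element type (not taken from any PDK or tool).
TERMINALS = {
    "mos": ("d", "g", "s", "b"),
    "res": ("p", "n"),
    "cap": ("p", "n"),
    "ind": ("p", "n"),
    "dio": ("a", "c"),
}
# The study injects nothing on the bulk terminal of transistors.
SKIPPED = {"mos": {"b"}}


@dataclass(frozen=True)
class Device:
    name: str
    kind: str
    w_um: float
    l_um: float
    gates: int = 1   # number of gates, used for transistors only


@dataclass(frozen=True)
class Fault:
    device: str
    kind: str          # "open" or "bridge"
    terminals: tuple   # one terminal for an open, two for a bridge
    ohms: float
    weight: float


def area_weight(dev):
    """W x L, multiplied by the number of gates for a transistor.
    Source and drain areas are left out, as in the text."""
    area = dev.w_um * dev.l_um
    return area * dev.gates if dev.kind == "mos" else area


def fault_universe(devices):
    """One open per terminal and one bridge per terminal pair, per device."""
    faults = []
    for dev in devices:
        skipped = SKIPPED.get(dev.kind, set())
        terms = [t for t in TERMINALS[dev.kind] if t not in skipped]
        weight = area_weight(dev)
        for term in terms:
            faults.append(Fault(dev.name, "open", (term,), OPEN_OHMS, weight))
        for pair in combinations(terms, 2):
            faults.append(Fault(dev.name, "bridge", pair, BRIDGE_OHMS, weight))
    return faults


def injection_order(faults):
    """Heaviest faults first; ties keep netlist order (sorted() is stable)."""
    return sorted(faults, key=lambda f: -f.weight)


def weight_share(faults, device):
    """Fraction of the total fault weight that sits on one device."""
    total = sum(f.weight for f in faults)
    return sum(f.weight for f in faults if f.device == device) / total


# Constructed device list (names and dimensions are illustrative only).
DEVICES = [
    Device("M1", "mos", 10.0, 0.5, gates=2),
    Device("M2", "mos", 4.0, 0.5),
    Device("R1", "res", 2.0, 8.0),
    Device("C1", "cap", 10.0, 10.0),
    Device("D1", "dio", 1.0, 1.0),
    Device("L1", "ind", 20.0, 20.0),
]

if __name__ == "__main__":
    universe = fault_universe(DEVICES)
    print(len(universe), "faults")
    for f in injection_order(universe)[:5]:
        print(f.device, f.kind, "-".join(f.terminals), f.ohms, f.weight)
    # With unit weights M1 would carry 6 of 24 faults; area weights shift that.
    print("M1 share by area weight:", round(weight_share(universe, "M1"), 4))
```

With unit weights every fault counts the same, so the two transistors carry half of the fault list; with the area weights the large passive elements dominate the total instead.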

### 2.2 Fault simulation environment

Legato, shown in Figure 13, is a tool available on Virtuoso ADE Assembler, on "Maestro", one of the views Cadence provides to the user. Before starting the fault simulation, it is necessary to choose the simulator the tool will use to run the simulations, and Legato only runs with "Spectre". It is highly recommended to use the latest version, and, for this study, version 21.1.0.751 was used.

Therefore, Legato will be used to simulate random faults that can happen in the circuit, based on the fault rules and the fault list. Next, it will be seen if the fault is "safe" or "dangerous" for the system.

There are two main simulation modes in the simulation software, Transient Defect Analysis (TDA) and Direct faults Analysis (DFA). TDA simulations allow the user to select when the fault will be injected, so that in the waveform, for example, it is possible to observe how the device behaves without the fault and how the fault changes the observed output after being injected at the desired time.

DFA injects the fault at the beginning of the simulation, when time is equal to zero, so in this case only the fault effect on the output is observed. For the developed work, DFA was used because it is simple to set up in the software, and mainly because this mode does not operate "Harmonic Balance" and "Harmonic Balance Noise" simulations.


*Figure 13: ADE Assembler Maestro view snapshot.* 

### 2.3 DUT and its failure mode definition

Inside the radar device, there are many RF, analog, and digital blocks, having different roles to ensure the correct behavior of the module.

#### 2.3.1 Low-dropout regulator (LDO)

LDOs have key features in the radar system, mainly to drive different blocks and provide accurate voltage output values whenever it is relevant.

The basic operation behind this block is based on its output and its reference voltage. The reference is compared with the voltage coming from the voltage divider, composed of two resistors, acting as a resistor feedback network. The operational amplifier acts to amplify the error (voltage difference between inputs), regulating the voltage output. Figure 14 shows an exemplification of a basic LDO circuit. [18]



Figure 14: Basic representation of an LDO circuit.

Its output voltage can be determined by:

$$V_{out} = \left(1 + \frac{R_1}{R_2}\right) V_{ref}$$

The LDO block used in the project is more complex. It has sub-blocks responsible for conditioning all input driver signals, and also the output. Furthermore, the block is designed to be highly robust and precise. Considering this block will be added to the radar module, the LDO shall go through a safety analysis. Table 6 presents the standard failure modes used for LDOs, using an equal distribution, the same as explained for Table 3. All those failures were obtained after talking with the analog design engineer responsible for developing the block.

| Failure<br>Modes | Description                                              | Distribution [%] |
|------------------|----------------------------------------------------------|------------------|
| FM1              | Regulated Output in Overvoltage                          | 16.66            |
| FM2              | Regulated Output in Undervoltage                         | 16.66            |
| FM3              | Regulated Output Affected by Spikes                      | 16.66            |
| FM4              | Regulated Output Drift                                   | 16.66            |
| FM5              | Regulated Output Oscillation Inside<br>Regulation Range  | 16.66            |
| FM6              | Regulated Output Oscillation Outside<br>Regulation Range | 16.66            |

Table 6: Standard effects considered in the LDO.

#### 2.3.2 Frequency doubler

This block outputs a frequency twice its input frequency. For the studied case, 39 GHz is injected and 78 GHz is measured at the output. The working principle of this circuit is based on a push-push frequency doubler (PPFD), with harmonic current generation and a load to execute the conversion from current to voltage. Figure 15 presents the schematic for this circuit.

For correct operation, both transistors M1 and M2 must be identical, the input voltages connected to the gates must have the same frequency, and one signal source must have a phase shift of $\pi$. [19]



Figure 15: PPFD circuit representation. Figure adapted from [19].

As a result, the periodic current "$i_T$" will behave as shown in *Figure 16*. Other blocks are then added to properly condition the signal for its application in the radar circuit.

As seen in [19], odd-order harmonics are canceled, while even-order harmonics are not. Then, as the next step, it is necessary to filter out undesired frequencies.



Figure 16: Voltage and current behavior representation of PPFD circuit. Figure adapted from [19].

The FD block worked on is more complex, since it has many sub-blocks that condition the driver signals and many gain stages to deliver the desired output power. For safety reasons, this block also needs to go through a safety analysis. As seen in Table 7, for this circuit, it is expected to find 5 failure modes. They were listed based on what designers said from previous experience, and a uniform distribution was also applied to them.

Table 7: Standard effects considered in the FD.

| Failure<br>Modes | Description                             | Distribution<br>[%] |
|------------------|-----------------------------------------|---------------------|
| FM1              | Incorrect Output Power                  | 33.33               |
| FM2              | Output is Stuck at High/Low or Floating | 33.33               |
| FM3              | Incorrect Output Noise                  | 33.33               |

### 2.4 Testbench and expected results

This section explains how the testbench was prepared to execute a fault simulation, and the results expected as output.

Before running the fault simulation on Legato, using Direct faults Analysis (DFA), it is essential to select the run mode "Single Run, Sweeps and Corners" and execute the functional testbench at least once. This process creates an initial condition file, "spectre.ic", and its file path must be added to the analysis, as exemplified in Figure 17.

This ensures the same initial behavior for all fault simulations. As a consequence, the failure propagation in the circuit can be seen. Skipping this step produces results as if the block had its netlist modified by a fault while it was turned off, and the faulty circuit was then activated. The main goal is to see the effects of random faults while the circuit is operational. After ensuring this, the run mode can be switched to "Fault Simulation".

Once the failures expected in the DUT are known, fault expressions are created. They take each faulty simulation output and check whether the waveform matches the description in the expression. If it does, the failure is detected.


*Figure 17: Initial condition file, "spectre.ic", being added to the analysis.* 

#### 2.4.1 Low-dropout regulator (LDO)

Although the fault is injected at the beginning of the simulation when time is equal to zero seconds, all simulation curves are expected to start from the regulated voltage output level of 0.9 V. This ensures the block was operating correctly, then an anomaly happened and changed the circuit behavior as shown in Figure 18.



Figure 18: LDO output voltage representation, for both good and faulty circuit cases.

At the output of the LDO, a current source is added, responsible for draining current from this block and for creating load step variations, starting at a current level of 100 mA, decreasing to 50 mA, then going to zero, before starting to increase again. This load makes the test more realistic with respect to the regular operation of an LDO in a radar circuit. Figure 19 presents how the DUT was placed in the testbench.

Besides that, other input and output pins of the device are displayed. Their role is to drive the circuit by providing voltage and current. The block belongs to a functional architecture; thus, it was developed to be integrated properly with other blocks around it. In addition, it also has design-for-test (DfT) solutions, presenting derivations and outputting relevant internal signals.

Thus, the main pins used were the input "Enable", being always activated during the simulation time by the digital logic "1", and the 0.9V output pin.



*Figure 19: Testbench representation for the LDO block, placed on Cadence during fault simulation.* 

The best analysis to set in Cadence to observe the failure propagation is the "transient analysis", mainly because it is desired to see how the failure behaves in time and how the system can be affected by the failure.

Besides that, to reach 100% simulation coverage, a large number of fault simulations must be done, mainly because the circuit blocks contain many electronic elements. Thus, it is highly recommended to invest additional effort in decreasing the unitary simulation time. In addition, whenever two failures are detected in the same fault simulation, only the first one is counted, so that only one failure is associated with each injected fault.

By the end of the simulation, all safe and dangerous statuses obtained from all fault simulations must be exported from Cadence and post-processed to see which failure modes were detected, and then the failure mode distribution can be generated.

During the simulation, failure detections happen when one or more anomalies cross the upper and lower voltage limit. The upper limit is 5% higher than the targeted voltage output, and similarly, the lower limit is 5% smaller. Table 8 shows the criteria used to identify each failure mode.

| Failure Modes | Description                                        | Failure detection criteria                                                       |
|---------------|----------------------------------------------------|----------------------------------------------------------------------------------|
| FM1           | Regulated Output in Overvoltage                    | $V_{out} \ge 0.945\ \text{V}$                                                    |
| FM2           | Regulated Output in Undervoltage                   | $V_{out} \le 0.855\ \text{V}$                                                    |
| FM3           | Regulated Output Affected by Spikes                | If voltage safety range is crossed rapidly and unexpectedly by the output signal |
| FM4           | Regulated Output Drift                             | If the output signal increases constantly with time                              |
| FM5           | Regulated Output Oscillation Inside Regulation Range  | Voltage safety range is not crossed, and a frequency component is identified  |
| FM6           | Regulated Output Oscillation Outside Regulation Range | Voltage safety range is crossed, and a frequency component is identified      |

Table 8: Standard effects considered in the LDO and their failure detection criteria.
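The Table 8 criteria and the first-failure rule can be applied to an exported transient waveform as in the following added example, which is not code from the thesis or from Legato. The 0.945 V and 0.855 V limits come from Table 8; the spike duration, drift and oscillation thresholds, the mean-crossing test used as a stand-in for "a frequency component is identified", and all function names are assumptions, and the waveforms are constructed.

```python
import math
from typing import Dict, List, Optional, Tuple

V_UPPER = 0.945        # FM1 limit from Table 8
V_LOWER = 0.855        # FM2 limit from Table 8
# Assumed tuning values (Table 8 gives no numbers for FM3 to FM6):
SPIKE_MAX_S = 1e-6     # a closed excursion shorter than this is a spike
OSC_MIN_CROSSINGS = 6  # mean crossings needed to call it an oscillation
OSC_MIN_PP_V = 0.010   # minimum peak-to-peak amplitude of an oscillation
DRIFT_MIN_V = 0.010    # minimum monotonic rise to call it a drift

Wave = List[Tuple[float, float]]   # (time in s, V_out in V)


def excursions(wave: Wave) -> List[Tuple[float, float, str, bool]]:
    """Runs of samples outside the safety range: (start, end, side, closed)."""
    runs, start, side = [], 0.0, None
    for t, v in wave:
        now = "over" if v >= V_UPPER else "under" if v <= V_LOWER else None
        if now != side:
            if side is not None:
                runs.append((start, t, side, True))
            start, side = t, now
    if side is not None:               # still out of range at the last sample
        runs.append((start, wave[-1][0], side, False))
    return runs


def oscillates(wave: Wave) -> bool:
    """Stand-in for 'a frequency component is identified': mean crossings."""
    volts = [v for _, v in wave]
    if max(volts) - min(volts) < OSC_MIN_PP_V:
        return False
    mean = sum(volts) / len(volts)
    above = [v > mean for v in volts]
    return sum(a != b for a, b in zip(above, above[1:])) >= OSC_MIN_CROSSINGS


def classify(wave: Wave) -> Optional[str]:
    """Return the one failure mode counted for this fault, or None if safe."""
    runs = excursions(wave)
    if oscillates(wave):               # limit crossings belong to the oscillation
        return "FM6" if runs else "FM5"
    if runs:
        start, end, side, closed = runs[0]   # only the first failure is counted
        if closed and end - start < SPIKE_MAX_S:
            return "FM3"
        return "FM1" if side == "over" else "FM2"
    volts = [v for _, v in wave]       # drift is only tested inside the range
    rising = all(b >= a for a, b in zip(volts, volts[1:]))
    return "FM4" if rising and volts[-1] - volts[0] >= DRIFT_MIN_V else None


def make_wave(fn, n: int = 200, dt: float = 50e-9) -> Wave:
    return [(i * dt, fn(i * dt)) for i in range(n)]


# Constructed waveforms (not simulation data), 10 us long, nominal 901.3 mV.
SAMPLES: Dict[str, Wave] = {
    "nominal": make_wave(lambda t: 0.9013),
    "overvoltage": make_wave(lambda t: 0.9013 if t < 1e-6 else 1.10),
    "undervoltage": make_wave(lambda t: 0.9013 if t < 1e-6 else 0.30),
    "spike": make_wave(lambda t: 0.98 if 2e-6 <= t < 2.2e-6 else 0.9013),
    "drift": make_wave(lambda t: 0.9013 + 3000.0 * t),
    "osc_inside": make_wave(lambda t: 0.9 + 0.02 * math.sin(2e6 * math.pi * t)),
    "osc_outside": make_wave(lambda t: 0.9 + 0.10 * math.sin(2e6 * math.pi * t)),
    "under_then_over": make_wave(
        lambda t: 0.9013 if t < 1e-6 else 0.50 if t < 5e-6 else 1.20),
}

if __name__ == "__main__":
    for name, wave in SAMPLES.items():
        print(f"{name:16s} -> {classify(wave) or 'safe'}")
```

The `under_then_over` case crosses both limits, and only the undervoltage that comes first is reported, so each injected fault contributes exactly one failure to the distribution.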

#### 2.4.2 Frequency doubler (FD)

To execute the simulations, the block was set up with an AC signal source, with a frequency of 39 GHz, at its input pin. The signal was properly conditioned following the designers' guidance. At the output, a load was added, making it possible to observe a 78 GHz signal. Figure 20 presents how the testbench was prepared.

Like the LDO circuit, the FD also has additional input and output pins that are essential for the architecture of the radar system.



*Figure 20: Testbench representation for the FD block, placed on Cadence during fault simulation.* 

With the frequency doubler block simulation, faults are expected to affect the target frequency in the output signal. Given the high frequency in the block, "transient analysis" is not the most efficient way to run the simulation: it would consume a lot of time for each fault, and the fault list is composed of thousands of elements. Thus, to optimize the simulation time, "harmonic balance" and "harmonic balance noise" analyses are executed. These analysis modes give enough information to understand the circuit behavior at the targeted frequency, and they allow distortion in the output signal to be identified.

Overall, failures will be identified by measuring the power of the main frequency, and the noise level, as represented in Figure 21 and Figure 22.



Figure 21: PPFD output frequency spectrum for both good and faulty circuit cases.



*Figure 22: PPFD output noise representation, for both good and faulty circuit cases.* 

Table 9 shows the criteria used to identify each failure of the frequency doubler circuit block.

| Failure Modes | Description                 | Failure detection criteria                            |
|---------------|-----------------------------|-------------------------------------------------------|
| FM1           | Incorrect Output Power      | $P_{out} < -5\ \text{dBm}$                            |
| FM2           | Output is Stuck at High/Low | Low output power across the entire frequency spectrum |
| FM3           | Incorrect Output Noise      | $P_{noise} > -130\ \text{dBc}$, for Freq = 2 MHz      |

Table 9: Standard effects considered in the FD and their failure detection criteria.

The output power of the frequency doubler is given in dBm (decibel-milliwatts), with the signal power compared with 1 mW, as seen below.

$$\text{Output Power}_{dBm} = 10 \log_{10} \left( \frac{\text{Signal}_{Watt}}{1\ \text{mW}} \right)$$

The noise is preferably expressed in dBc (decibels relative to the carrier) because, for this application, the amplitude of the 78 GHz signal is compared with the total noise of the FD block. The relation is:

$$\text{Relative Power}_{dBc} = \text{Power of the Noise}_{dBm} - \text{Power of the Signal}_{dBm}$$

Besides that, the noise level at 2 MHz is critical, because it might affect target detection in the radar system, mainly if the noise level is higher than -130 dBc. For the radar project specification, the target is considered to shift the radio-frequency signal ($\Delta f$) by 2 MHz; thus, it is essential to have low noise at this frequency to reduce the target detection error in the RX system.
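The following added example, which is not code from the thesis or from Cadence, applies the dBm and dBc relations above to the Table 9 criteria for one harmonic-balance result. The -5 dBm and -130 dBc limits come from Table 9; the -60 dBm threshold for a stuck output, the order of the checks, the function names and the spectra (constructed, in watts) are assumptions.

```python
import math
from typing import Dict, Optional

F_OUT_HZ = 78e9
P_OUT_MIN_DBM = -5.0     # FM1 limit from Table 9
NOISE_MAX_DBC = -130.0   # FM3 limit from Table 9, at 2 MHz
STUCK_MAX_DBM = -60.0    # assumed threshold for "low power across the spectrum"


def watt_to_dbm(p_watt: float) -> float:
    """10*log10(P / 1 mW); zero or negative power maps to -inf, not an error."""
    return 10.0 * math.log10(p_watt / 1e-3) if p_watt > 0.0 else float("-inf")


def noise_dbc(noise_dbm: float, carrier_dbm: float) -> float:
    """Noise relative to the carrier: noise power minus signal power, in dB."""
    return noise_dbm - carrier_dbm


def classify_fd(spectrum_w: Dict[float, float],
                noise_2mhz_dbm: float) -> Optional[str]:
    """Apply Table 9 to one harmonic-balance result; None means no failure."""
    levels = {f: watt_to_dbm(p) for f, p in spectrum_w.items()}
    # A stuck output also has P_out < -5 dBm, so the more specific mode is
    # tested first (assumed ordering).
    if all(level < STUCK_MAX_DBM for level in levels.values()):
        return "FM2"
    carrier = levels.get(F_OUT_HZ, float("-inf"))
    if carrier < P_OUT_MIN_DBM:
        return "FM1"
    if noise_dbc(noise_2mhz_dbm, carrier) > NOISE_MAX_DBC:
        return "FM3"
    return None


# Constructed spectra in watts (not simulation data), harmonics of 39 GHz.
NOMINAL = {39e9: 1e-7, 78e9: 0.827e-3, 117e9: 1e-8, 156e9: 5e-7}
WEAK = {**NOMINAL, 78e9: 1e-4}          # 78 GHz output drops to -10 dBm
STUCK = {f: 0.0 for f in NOMINAL}       # no power at any harmonic

if __name__ == "__main__":
    print("nominal:", classify_fd(NOMINAL, -135.0))
    print("weak   :", classify_fd(WEAK, -135.0))
    print("stuck  :", classify_fd(STUCK, -135.0))
    print("noisy  :", classify_fd(NOMINAL, -125.0))
```

A stuck output yields zero linear power, so the conversion has to handle that case explicitly before the logarithm is taken.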

#### 2.5 Post-processing and coverage analysis

Once the simulations have finished and all fault outputs are available, the fault coverage must be calculated. As shown below, the coverage uses "detected" as a binary variable, equal to "1" when a failure is detected and "0" when it is not, together with the "weight" of each fault.

$$Coverage = \frac{\sum_{i=1}^{n} weight_i \cdot detected_i}{\sum_{i=1}^{n} weight_i}$$

$$weight = \begin{cases} 1, & \text{for a uniform failure likelihood} \\ area, & \text{for a failure likelihood proportional to the area of the element} \end{cases}$$

$$detected = \begin{cases} 0, & \text{when a failure is not detected} \\ 1, & \text{when a failure is detected} \end{cases}$$

For "w=1", a uniform likelihood is considered among all "n" faults of the fault universe, meaning that all faults have the same chance of generating a failure. For "w=area", the likelihood of failure is taken to be proportional to the area of the component.

## 3 Practical Results

After developing a methodology that better fits the automotive standards and gives the most accurate outputs, the method was applied in practice. The simulation results presented are from an LDO block, an analog circuit with values obtained from "transient" simulations, and an FD block, an RF circuit developed to operate at the frequency of 78 GHz.

#### 3.1 LDO block

First, information about the testbench is introduced, followed by the results taken from the fault simulation. The failure mode distribution obtained by the simulation is then compared with the equal distribution method.

#### 3.1.1 Testbench on Cadence

With the block in its functional operation, a single run using "transient" analysis took 3 minutes.

The main reason was the complexity of the testbench, which was composed of current and voltage driver circuits driving other inputs of the LDO block. After the testbench was simplified by replacing the driver blocks with the current and voltage source models available in Cadence, the single-run time decreased to 30 seconds.

#### 3.1.2 Nominal simulation

First, a simulation without any fault was executed to observe how the output voltage behaves in the functional configuration.

Figure 23 shows both the LDO voltage output and the load behavior. The output voltage shows small spikes during the load current transitions, at 50 µs, 100 µs, 150 µs, and 200 µs. Except at those instants, the voltage level is constant at 901.326 mV. In addition, the load can be seen draining 100 mA at the beginning, then 50 mA and 0 A, before it starts increasing again, as seen in Figure 24.



*Figure 23: Waveform obtained from LDO voltage output.* 



Figure 24: Waveform obtained from load in the output of the LDO.



#### 3.1.3 Fault injection simulation

Figure 25: All 2981 fault simulation outputs and the nominal case, highlighting the desired voltage level of 901 mV, with a zoom-in from 0 to 450 ns.

After running 2981 fault simulations, many failures were able to propagate to the LDO output. Overall, the curves presented behaviors such as oscillations, overvoltage, and undervoltage.

Besides that, all curves started from the same voltage level, 901.326 mV, which is essential to see the effect of the faults that created failures in the DUT. Figure 25 illustrates all 2981 simulations, presenting both failure and pass cases, together with a zoom-in from 0 to 450 ns.

#### 3.1.4 Analysis

The testbench simplification made the simulation 6 times faster, so the entire analysis was completed in 4.14 hours. In this case, the simulation does not demand high computational power; thus, the number of simulations run in parallel was set to 6. The total simulation time is determined as follows:

$$Simulation\_time_{total} = \frac{single\_run\_time \cdot size\_fault\_list}{number\_parallel\_simulation}$$

$$Simulation\_time_{total} = \frac{30\ [sec] \cdot 2981}{6}$$

$$Simulation\_time_{total} = 14905\ [sec] = 4.14\ [hour]$$

After post-processing the data and taking the first failure identified in the curve, it was possible to obtain a precise effect distribution considering a 100% test coverage.

As expected, the equal distribution method, supported by ISO 26262 and normally used for safety analysis, is conservative in comparison with the weighted coverages, for both approaches, w=1 and w=area. The equal distribution, labeled as ISO 26262, assumes that all faults generate failures in the circuit and hence gives 0% safe cases, while the w=1 method gives 78.87% safe cases and w=area gives 25.79%.



*Figure 26: Cases identified during the simulation, with safe and dangerous cases, representing the sum of all failures.* 

The main reason for the safe cases is that the block has several outputs. Only the main LDO output is measured and goes through the violation checks based on the failure descriptions. Thus, some faults might directly affect other outputs.

Besides that, for w=1 and w=area, the simulation results presented just 3 failures: oscillation outside the range, undervoltage, and overvoltage, as seen in Figure 26.

In addition, of the 630 faults that generated failures at the output of the device, 509 were bridge-type faults and 121 were open-type. Figure 27 shows the distribution of the injected faults across the three failure cases identified in the fault simulation of the LDO.

One hypothesis for why bridge faults generate more failures is their impact on the netlist: bridges between circuit nets make the faulty schematic differ more from the original one.



*Figure 27: Open and bridge fault distribution in the undervoltage, overvoltage, and oscillation outside the range.* 

#### 3.2 Frequency doubler (FD)

This section first presents information about the testbench and then the outputs given by the software, focusing on the errors obtained during the simulation.

#### 3.2.1 Testbench on Cadence

Because the block needed parameters from both schematic and layout (the "config view") for better precision, a single simulation initially took an average of 45 minutes. After combining the DUT schematic with layout parameters only in the key sub-blocks that were essential for the simulation, the simulation time was reduced to 20 minutes.

#### 3.2.2 Nominal simulation

The frequency doubler block outputs both harmonic balance and harmonic balance noise results, shown in Figure 28 and Figure 29 respectively. In Figure 28, the output power at 78 GHz is $-824.3 \times 10^{-3}$ dBm. The other harmonics were properly attenuated, all of them below -30 dBm. In addition, the even-order harmonics, at 78 GHz, 156 GHz, and 234 GHz, presented higher power amplitudes than the odd-order harmonics, as explained in [19]. However, instead of being cancelled, as previously expected, the odd-order harmonics presented a very small power contribution to the output signal.



Figure 28: Output spectrum of the frequency doubler circuit.



Figure 29: Output noise simulation of the frequency doubler circuit.

Besides, for the harmonic balance noise in Figure 29, the noise decreases as the frequency increases. The curve has its peak at 10 kHz and its smallest value at 20 MHz, as expected. In addition, the relative noise at 2 MHz is smaller than -130 dBc, implying the FD block is operating as expected.

#### 3.2.3 Fault injection simulation

For the frequency doubler circuit, 4607 faults were prepared to be injected into the device. However, during the fault simulation using harmonic balance, the software presented a fatal error. The error occurs in Legato and exclusively with the "harmonic balance" and "harmonic balance noise" analyses, given that Legato works properly when other analyses, such as "transient", are selected to execute the simulations.

The error message, displayed in Figure 30 says: "FATAL (SPECTRE-18): Segmentation fault. Encountered a critical error during simulation. Run `mmsimpack' (see mmsimpack -h for detailed usage information) to package the netlist and log files as a compressed tar file. Then, contact your Cadence representative or submit a service request via Cadence Online Support, including the tar file and any other information that could help identify the problem. Encountered a critical error during simulation. Run `mmsimpack' (see mmsimpack -h for detailed usage information) to package the netlist and log files as a compressed tar file. Then, contact your Cadence representative or submit a service request via Cadence Online Support, including the tar file and any other information that could help identify the problem."



*Figure 30: Error message obtained during fault simulation for harmonic balance analysis.* 

#### 3.2.4 Analysis

Decreasing the simulation time for this DUT is essential. Considering that this block demands more computational power, it can be set to run 10 simulations in parallel, and the fault simulation would finish after 6.40 days, as shown below:

$$Simulation\_time_{total} = \frac{single\_run\_time \cdot size\_fault\_list}{number\_parallel\_simulation}$$

$$Simulation\_time_{total} = \frac{20\ [min] \cdot 4607}{10}$$

$$Simulation\_time_{total} = 9214\ [min] = 6.40\ [days]$$

From the company's point of view, allocating that much computational power for a single simulation is costly and might demand different approaches to optimize this process.

Besides that, although Cadence assures that Legato can run all analyses available in Cadence Spectre, the results showed the opposite. Cadence customer support was contacted to fix the problem; however, a solution cannot be provided quickly.

## 4 Conclusion

Analog fault simulations are very effective at determining, with good precision, the fault effects caused in the circuit. The previous method, the equal distribution from ISO 26262, is conservative because it considers that all faults are dangerous and will generate a failure in the DUT.

For the LDO, when the coverage is calculated with a uniform weight (w=1), approximately 78.87% of the injected faults did not generate any failure. With the area-based weight (w=area), 25.79% of the faults were safe.

Overall, safe faults occur because only the main LDO output, responsible for outputting 0.9 V, goes through safety checks. It is possible to assume that, if all outputs available in the LDO block were verified, the number of safe cases might decrease. However, they were not checked because the block is going through a safety verification process focused on ensuring the main operation, not the regular verification that designers perform while designing a circuit.

Besides that, the actual number of failures identified in the system is smaller than expected. Initially, 6 different failures were expected, but only 3 were observed: undervoltage, overvoltage, and oscillation outside the range. This also shows how conservative analyses that do not include fault simulation are.

On the other hand, the simulation time during which the fault was present in the DUT was too short. If the fault stays longer in the system, more failures might appear at the output.

Besides that, bridge-type faults had a bigger impact on the DUT, as the majority of failures were caused by them. This happens because bridges have more impact on the netlist.

Of the two weighting factors considered during the coverage calculation, the area-based weight is more relevant. It states that the likelihood of a random failure occurring in a component increases with its area.

Furthermore, Legato is the best tool available on the market, but it still presented software problems. For "transient" analysis executed on the LDO, the tool works perfectly, but for "harmonic balance" and "harmonic balance noise" simulations, the tool presents a fatal error message, being unable to execute any fault simulation and finish the safety analysis of the FD block. However, the testbench optimization reduced the single-run time from 45 minutes to 20 minutes.

This represents resources being saved by the company. Once the new version of Legato is released with the corrections, the testbench can be used to perform fault simulation, and output results within 6.40 days.

## 5 Future work

To finish an FMEDA report, it is essential to add a safety mechanism at the DUT output. Thus, as a next step, the behavior of this additional block with the safe and dangerous cases should be verified. It is also desired to obtain a precise distribution following the model proposed in Figure 31: the distribution of "safe undetected", "safe detected", "dangerous detected", and "dangerous undetected" is essential to output a more precise FMEDA.



Figure 31: DUT and safety mechanism configuration, with all four result combinations.

Besides that, part of the methodology might change, because the current IEEE standard for analog fault injection is still in draft status. Thus, part of the work can be updated in the future.

Due to the software problems when running RF blocks with "harmonic balance" and "harmonic balance noise" analyses, the work needs to be concluded once a new version of Legato with the corrections is available. Then, the precise failure mode distribution can be obtained.

In addition, a better weight expression for transistors would be valuable. As explained in this report, obtaining the used area of a transistor is challenging; thus, tracking all cases in a very complex circuit, and doing so automatically, can be interesting for future analysis.

Another interesting topic is correlating the fault simulation with laboratory validation results, to see in detail whether the waveforms output by the software are similar to the ones seen in the laboratory. This can help to improve the fault models added to Legato.

In addition, it would be very important to execute simulations over PVT (process, voltage, and temperature) variation to evaluate whether new failures appear and how this impacts the failure mode distribution.

## Bibliography

- [1] National Motor Vehicle Crash Causation Survey (NMVCCS), "Critical Reasons for Crashes Investigated in the National Motor Vehicle Crash Causation Survey," United States Department of Transportation, Washington, DC, USA, 2018.
- [2] European Road Safety Observatory, "Annual statistical report on road safety in the EU 2022," European Commission, Brussels, 2023.
- [3] A. Ors, "RADAR, Camera, LiDAR and V2X for Autonomous Cars," 03 August 2023. [Online]. Available: https://www.nxp.com/company/blog/radar-cameralidar-and-v2x-for-autonomous-cars:BL-RADAR-LIDAR-V2X-AUTONOMOUS-CARS.
- [4] K. &. G. Y. &. K. S. Wong, "Mapping for Autonomous Driving: Opportunities and Challenges," *IEEE Intelligent Transportation Systems Magazine*, no. PP. 10.1109/MITS.2020.3014152., p. 99, 2020.
- [5] C. Wolff, "Radar Basics," radartutorial, [Online]. Available: https://www.radartutorial.eu/02.basics/Frequency%20Modulated%20Continuous%20Wave%20Radar.en.html. [Accessed 07 July 2023].
- [6] NXP, "High Performance 77GHz RFCMOS Automotive Radar One-Chip SoC," [Online]. Available: https://www.nxp.com/products/radio-frequency/radartransceivers-and-socs/high-performance-77ghz-rfcmos-automotive-radar-onechip-soc:SAF85XX. [Accessed 02 August 2023].
- [7] Test Technology Committee of the IEEE Computer Society, IEEE SA Standards Board, *P2427<sup>™</sup>/D0.37 Draft Standard for Analog Defect Modeling and Coverage*, New York, USA: IEEE, 2023.
- [8] Ö. Karaca, "Pre-Silicon Safety-Related Functional Verification of Automotive Smart Power ICs Using the Fault Injection Technique," Bundeswehr University Munich, Munich, 2017.
- [9] S. D. X. B. a. Y. Z. M. Cuviello, "Fault modeling and simulation for crosstalk in system-on-chip interconnects," in *IEEE/ACM International Conference on Computer-Aided Design*, San Jose, CA, USA, 1999.
- [10] T. G. A. K. a. H. -P. K. M. Blank, "Digital Slew Rate and S-Shape Control for Smart Power Switches to Reduce EMI Generation," *IEEE Transactions on Power Electronics*, vol. 30, no. 10.1109/TPEL.2014.2361021, pp. 5170-5180, 2015.
- [11] M. A. Pasha, "Study of the Vulnerability of Cryptographic Circuits by Laser Fault Injection," Ecole Nationale Supérieure des Mines de Saint-Etienne, https://theses.hal.science/tel-00844751, Saint-Etienne, 2011.
- [12] L. G.-S. P. M. S. Ordas, "EM Injection: fault model and locality," 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 3-13, 2015.
- [13] A. C. J. A. A. Naveena Nagi, "DRAFTS: Discretized Analog Circuit Fault Simulator," in *30th ACM/IEEE Design Automation Conference*, Dallas, Texas, USA, 1993.
- [14] K. R. S. J. G. E. Ian M. Bell, "Fault Orientated Test and Fault Simulation of Mixed Signal Integrated Circuits," *International Symposium on Circuits and Systems, Seattle, WA, USA*, vol. 1, no. 10.1109/ISCAS.1995.521532., pp. 389-392, 1995.
- [15] A. Bounceur, "Plateforme CAO pour le test de circuits mixtes," Université de Bretagne Occidentale, Brest, France, 2007.
- [16] Market Business News, "What is failure mode? Definition and examples," MBN, [Online]. Available: https://marketbusinessnews.com/financial-glossary/failuremode/. [Accessed 02 August 2023].

- [17] ISO 26262, *Road vehicles - Functional safety*, Switzerland: ISO, 2018.
- [18] Wilson Fwu, "LDO Basics," Texas Instruments, [Online]. Available: https://www.ti.com/lit/eb/slyy151a/slyy151a.pdf?ts=1692624915355. [Accessed 05 August 2023].
- [19] X. Wu, "A 53–78 GHz Complementary Push–Push Frequency Doubler With Implicit Dual Resonance for Output Power Combining," *IEEE Transactions on Circuits and Systems*, vol. 70, no. 3, pp. 1202-1213, 2023.
- [20] D. L. G. F. A. T. a. C. H. L. W. S. Lee, "Fault Tree Analysis, Methods, and Applications - A Review," *IEEE Transactions on Reliability*, Vols. R-34, no. doi: 10.1109/TR.1985.5222114, pp. 194-203, 1985.
- [21] AUTOQUIP, "BRAINBEE CONNEX DIGITAL ADAS," AUTOQUIP, [Online]. Available: https://www.autoquip.co.uk/crypton/brainbee-connex-digitaladas#&gid=1513834372&pid=4. [Accessed 07 July 2023].