Contract no.: 248231

MOre Safety for All by Radar Interference Mitigation

D1.4 – Impact study of the interference with respect to ASIL

Report type: Deliverable

Work Group: WP1

Dissemination level: Public

Version number: Version 1.6

Date: 31.05.2011

Lead Partner: Continental A.D.C.

Project Coordinator: Dr. Martin Kunert, Robert Bosch GmbH, Daimler Strasse 6, 71229 Leonberg

Phone: +49 (0)711 811 37468

[email protected]

copyright 2011 the MOSARIM Consortium



MOSARIM No.248231 31.05.2011

Task 1.4: Deliverable V1.6 2/32

Authors

Name Company

Robert Pietsch Continental AG (ADC)

Andreas John Hella KGaA Hueck & Co. (HKG)

Dirk Walz Hella KGaA Hueck & Co. (HKG)

Martin Kunert Robert Bosch GmbH (RB)

Holger Meinel Daimler AG (DAI)

Christoph Fischer Daimler AG (DAI)

Tom Schipper Karlsruhe Institute of Technology (KIT)

Revision chart and history log

Version Date Reason

0.1 13.10.2010 Initial version

0.2 19.11.2010 First input

0.3 24.11.2010 Added input for chapter 1

0.4 10.12.2010 Input for chapter 1 and 2 by ADC

0.5 12.01.2011 Correction of chapter 1 and 2

0.6 08.02.2011 Input of failure types in section 2.2

0.7 09.02.2011 Input of section 2.3 and methods for derivation of FIT rates

0.75 11.03.2011 Cleaned up structure

0.8 25.03.2011 Input of graphics for failure types, added input from Hella, RB and ADC in chapter 3

0.9 31.03.2011 Input for section 3.3

1.0 05.04.2011 Input from Hella for section 3.3

1.1 12.04.2011 Input DAI, RB, ADC for chapter 4

1.2 13.04.2011 Rework of chapter 3, 4 and 5

1.3 29.04.2011 Rework of executive summary, chapter 4 (DAI) and chapter 5

1.4 03.05.2011 Final rework

1.5 11.05.2011 Document for peer review

1.6 31.05.2011 Final submission


Table of content

Authors

Revision chart and history log

Disclaimer

Executive summary

1 Introduction to ASIL classification

  1.1 General definitions

  1.2 Scope of ASIL classification

  1.3 Fundamental steps for development according to Functional Safety

    1.3.1 Risk Assessment and Hazard Analysis → Risk Classification

    1.3.2 Safety concept → safety requirements

    1.3.3 Verification and validation

  1.4 Examples for ASIL requirements of safety related functions

  1.5 Application to radar sensors

2 Radar sensor FIT rates without interference

  2.1 FIT rate due to component failure

  2.2 FIT rate due to environmental influences

3 Radar sensor FIT rates with interference

  3.1 Failure type a): Saturated victim receiver

  3.2 Failure type b): Decreased S/N

  3.3 Failure type c): Generated false FFT peaks due to synchronized interference

  3.4 Total FIT rate

4 Radar sensor FIT rates with interference and possible countermeasures

  4.1 Failure type a): Saturated victim receiver

    4.1.1 Implicit measures against saturation

    4.1.2 Detection of saturation and handling of this effect

  4.2 Failure type b): Decreased S/N

    4.2.1 Implicit measures against decreased S/N

    4.2.2 Detection of decreased S/N and handling of this effect

  4.3 Failure type c): Generated false FFT peaks

    4.3.1 Implicit measures against false FFT peaks

    4.3.2 Detection of false FFT peaks and handling of this effect

  4.4 Discussion of FIT rates within the system context

5 Conclusion

6 Abbreviations

7 Bibliography


Disclaimer

The two key safety standards for electronic applications are IEC 61508 [IEC] and ISO/DIS 26262 [ISO26262]. Each of these standards consists of several parts full of requirements, case-by-case discussions and subtleties. This document uses only extracts of these standards to achieve the intended goal of this task. It is therefore not possible to mirror the complexity of the subject in any comprehensive way within this document, and imprecision regarding the details is necessarily predominant. Imprecision is also unavoidable with respect to radar system performance aspects, since the performance is application and implementation specific. The description of the safety requirements for a radar system that depend on the performance can therefore only be of limited definiteness and liability. Furthermore, the given statements represent the authors’ opinion but have no normative power. Some of the employed graphics have been taken from different internet sources, as have general information, assumptions and estimations.

Executive summary

The original intention of this task was to derive the appropriate ASIL requirements for the different safety functions of a radar sensor. During the work it became obvious that, due to missing information, this goal could not be fully met. The following work was carried out:

Chapter 1 provides a general overview of ISO/DIS 26262. At the start, the special terms for the classification procedure are explained. An overview of the entire scope of this draft is followed by a description of the three main classification steps. At the end, the focus is on critical (harmful) and non-critical failure mechanisms that influence the sensor detection performance and are covered only by non-explicit requirements in ISO/DIS 26262.

Chapter 2 gives an overview of possible external physical influences on radar sensors with no additional disturbing radiators. Such influences are not in the scope of the MOSARIM project and are therefore not investigated here.

Chapter 3 describes influences on the detection performance of radar sensors due to basic interference effects caused by external disturbing sources. Estimates of the corresponding false alarm or FIT (failures in time) rates under worst case scenario conditions have been derived; these are necessary for an appropriate classification according to ISO/DIS 26262. The suggested methodologies might be a first step towards quantitative consideration of radar sensor detection performance.

Chapter 4 describes, mainly qualitatively, different countermeasure procedures for the investigated failure types. Such countermeasures shall improve the false alarm or FIT rate. Further investigation concerning their effectiveness will be carried out in upcoming tasks of the MOSARIM project.


1 Introduction to ASIL classification

1.1 General definitions

Item: System or array of systems or a function to which ISO 26262 is applied [ISO26262].

Failure: A failure is a termination of the ability of an element or an item to perform a function as required [ISO26262]

Failure rate: Probability density of failure divided by probability of survival for a hardware element [ISO26262]

FIT rate: 1 FIT = 1 Failure in Time = 10^-9 failures / hour

False alarm rate: The false alarm rate is the ratio of false alarms per hour

Ghost target: A ghost target is a virtual, non-existing target that is produced by a coherent, synchronized interference signal. The receiver cannot differentiate between a real target and such a ghost target.

Risk: Combination of probability of damage and severity of damage

Safety: Freedom from intolerable risks

1.2 Scope of ASIL classification

The target of the safety norms ISO/DIS 26262 and IEC 61508 is to mirror the „social opinion“ in a normative way and thereby to document the „state of the art“. The purpose is to reduce the risk to a justified level. The avoidance and the control of failures reduce the expected risk to an acceptable level concerning

• Injury or death of human beings

• Catastrophic environmental impact

• Property damage and capital costs (e.g. from a recall)

Source: [FST]


Figure 1.1: Acceptance of risk: socially accepted hazard severity versus the probability of the hazards

[FST]

The ISO/DIS 26262 classifies the required functional safety of electrical and electronic systems via Automotive Safety Integrity Level (ASIL) definitions. It is a draft norm derived from the general norm IEC 61508 and specialized for automotive applications.

IEC 61508 ↔ ISO/DIS 26262 comparison

| Measures for necessary risk reduction (IEC 61508) | Measures for necessary risk reduction (ISO/WD 26262) |
|---|---|
| SIL = Safety Integrity Level | ASIL = Automotive Safety Integrity Level |
| Four-stage scale (SIL 1 to 4) | Four-stage scale (ASIL A to D) |
| Describes the necessary measure of risk reduction (SIL 1 = low, SIL 4 = high) | Describes the necessary measure of risk reduction (ASIL A = low, ASIL D = high) |
| Determination via acknowledged methods (risk analysis) | Determination via the method suggested by the ISO 26262 for the risk analysis. |
| Achieved via different measures, methods and technologies | Achieved via different measures, methods and technologies |


SIL ↔ ASIL comparison

| IEC 61508 Safety Integrity Level (SIL) | ISO Automotive Safety Integrity Level (ASIL) |
|---|---|
| --- | (QM) |
| 1 | A |
| 2 | B |
|   | C |
| 3 | D |
| 4 | --- |

Although the ISO/DIS 26262 or [ISO26262] defines the “state of the art” for automotive functional safety applications, the mother norm IEC 61508 or [IEC] is still valid as well. The ASIL of the [ISO26262] and SIL of the [IEC] correspond to each other. If the [ISO26262] is not explicit with respect to a certain aspect, but [IEC] is, the [IEC] applies. As we shall see below, this rule will yield a failure rate although the respective failure rate is not defined in the [ISO26262].

In some applications, the functions of a radar system may have an influence on the safety of the driver. If so, the radar system’s ASIL classification should be defined.

1.3 Fundamental steps for development according to Functional Safety

The development of components, which are part of a safety related function, according to ISO DIS 26262 can be separated into three fundamental steps:

• Item definition and hazard analysis with automotive specific risk classification of safety related functions

• Development of a safety concept with safety requirements and implementation

• Verification and validation

The Procedure

One of the important key principles in the development of functional safety systems is a clearly defined development process that includes (among other requirements) the structuring of the whole vehicle function system into modules and sub-modules towards a safety concept, and the planning of the verification of each sub-module and module as well as the planning of the validation of the system. It is this structuring and planning with respect to the interfaces of every sub-module and module (and the complete system) that makes the development process and the result or system transparent and verifiable.


Figure 1.2: In the development of a functional safety product a step by step procedure (V-model) is applied. Within this procedure the elements or sub-modules together with the test or verification and validation requirements are defined. (Source: Adapted internet information (V-model))

The Safety Plan

Pivotal in “Functional Safety” is the Safety Plan. It gives an overview on the required work products or documents. The Safety Plan is a document on management level that does not include technical details, but provides the links to where these details can be found. There are (at least for the higher ASIL) advanced requirements for the applied procedures and the tracking of the safety measures; special software or data bases may be required. In all cases, the reports of the respective work must be documented, and those reports must be reviewed (or even assessed) by an independent technical and functional safety expert. This review or assessment and its results must itself be documented, too. The Safety Plan for a project includes the

1) project scope (direct in the Safety Plan) – the “what (heating, sensor…) shall be done”

2) link to the Requirement File and to the specification

3) link to the Item Definition (including the drawings and explanations)

4) definition of the responsibilities and Functional Safety training of project key personnel with names

5) organization chart / escalation plan (directly in the Safety Plan)

6) link to the Functional Safety Concept

7) link to the Technical Safety Concept (that includes the safety requirements)

8) Supplier Safety Plan (qualification, ASILs, measures, planning)

9) Safety Measures Schedule (ASIL dependent / not in every case relevant, links) for

   • H&R (Hazard Analysis & Risk Assessment) for the ASIL classification

   • FTA (Failure Tree Analysis), recommended input in addition to the DFMEA

   • DFMEA (Design Failure Mode and Effect Analysis) for the operating mode*

   • FMEDA (Failure Modes, Effects and Diagnostic Coverage Analysis) & Functional Safety metrics

   • FMET (Failure Mode Effect Testing) / Fault Insertion

   • FSA Audit (Functional Systems Audit) (Audits and Assessments starting from ASIL C)

   • V & V Planning (verification & validation), validation ≠ generic DVP&R

   • PFMEA (Process Failure Mode and Effect Analysis), *insufficient at severity 9 & 10

   • Control Plan based on the PFMEA (which itself is FTA and DFMEA based)

   • Work Instructions and Check Lists with Functional Safety content (safety symbol!), PFMEA based

   • “Safety measures on process level” including 100% tests where necessary

10) link to the Safety Manual

11) planning of the reviews / assessments (by an independent assessor) of the

   • Safety Plan (with organisation chart etc.)

   • Functional Safety Concept (including H&R, FTA…)

   • Technical Safety Concept (including the DFMEA and the safety requirements)

   • Documentation of the safety measures & its schedule

   • Safety Manual & the Functional Safety measures in production (including schedule)


1.3.1 Risk Assessment and Hazard Analysis → Risk Classification

The procedure that yields the ASIL classifications of the system functions is the “Hazard Analysis and Risk Assessment” (H&R). The H&R procedure has similarity with a FMEA procedure (mainly that the FMEA uses RPNs (Risk Potential Numbers) and the H&R applies ASIL). In the H&R the relevant or potentially risky (driving) situations are listed and the severity of the potential harm, the probability of exposition (or the likelihood of the situation), and the controllability of the driving situation are evaluated in order to be able to read out (in a table) the respective ASIL level (corresponding to the (driving) situation).

Figure 1.3: Principle of the “Hazard Analysis and Risk Assessment”: For all relevant driving situations, the severity of the potential harm in case of an accident, the probability of exposition, and the controllability of the driving situation are evaluated in order to find the ASIL of the function [ISO26262]


1.3.2 Safety concept → safety requirements

Starting with the ASIL classifications of the safety goals, the Functional Safety Concept can be defined. Built upon the Functional Safety Concept, the Technical Safety Concept with its technical requirements and safety measures can be defined.

ASIL Decomposition

The ASIL requirement for a system to be met can be decomposed into several less demanding requirements (see example in Figure 1.4).

[Figure 1.4 block labels: Sensor, Actuator; System: ASIL C; System 1: ASIL B (C); System 2: ASIL A (C)]

Figure 1.4: Example of an ASIL C decomposition. The ASIL C requirement of the total system is decomposed into an ASIL B requirement of System 1 and an ASIL A requirement of System 2 [ISO26262]

Safety metrics

For each ASIL there is a maximal failure rate (e.g. random hardware failures) defined in the [ISO26262] and in the [IEC]. Based on the [ISO26262] (table 7 of vol. 5 with ref. to table 5 of vol. 8 for the FIT rate levels) one may very roughly state the following FIT rates (1 FIT = 1 Failure in Time = 10^-9 failures / hour):

ASIL A*: 1.000 – 10.000 FIT

ASIL B: 1000 FIT

ASIL C: 100 FIT

ASIL D: 10 FIT

* The [ISO26262] does not require or define a FIT rate for ASIL A. The [IEC] allows for SIL 1 < 10.000 FIT although not explicitly in an automotive context.


A value of 10.000 FIT means that there must be 100.000 hours of relevant operating time until the first failure is allowed to occur for an ASIL A system. A year has about 8.800 hours. The ASIL A system must therefore operate more than 10 years until the first functional failure is allowed to occur.

A solution for the radar sensor or system could be a decomposition of the overall ASIL requirement into a “QM”* sensor that is developed according to ASIL A such that the “ASIL A” classification refers to the electronic failure rate as well as the functional failure rate. Thereby it is assumed that the required functional safety of the system can be guaranteed in cooperation with the driver. This “ASIL A” radar system cooperates with other safety systems – e.g. with the brake.

*It is NOT allowed to decompose an ASIL A system into two QM systems.

1.3.3 Verification and validation

Key important differences in the development of functional safety products as compared to “normal” developments are the

1) in-detail planning of the verification and validation tests right at the time of the definition of the interfaces of the sub-modules and modules (if the tests are not defined together with the elements and modules, the result is not a functional safety product);

2) in-detail review or assessment of all the development steps, documents, and results (thereby the adherence to the required development process itself is also verified);

3) proof that the safety requirements (e.g. the FIT rates) have been met.

In addition to these additional requirements, a lot of more [ISO26262] and [IEC] requirements as well as the “normal” automotive requirements must be met in order to have a validated product.

1.4 Examples for ASIL requirements of safety related functions

The following examples of actual classification in an ASIL safety class are informative (depending on the special conditions of the car):

| Function | ASIL |
|---|---|
| Window lift | ASIL A |
| Windscreen wiper | ASIL A |
| Central locking system | ASIL A |
| Rear light | ASIL A |
| Driving light | ASIL B |
| Braking light | ASIL B |
| Seat memory | ASIL A |
| ACC (> 2,5 m/s²) | ASIL B |
| Flasher | ASIL B |
| Electrical power steering | ASIL D |
| Steering column lock | ASIL D |


1.5 Application to radar sensors

The performance of a radar system may be affected by failures of the system components and by environmental influences that can lead to a critical state. But in contrast to handling of E/E architecture failures there are no explicit requirements for avoidance or mitigation of environmental influences on the sensor detection performance given by ISO DIS 26262 (see Figure 1.5).

Figure 1.5: Overview of the applicability of ISO/DIS 26262 on components of safety related radar systems

FIT values are defined in the ISO 26262 and applicable for E/E architecture failures. However, how a further breakdown of the FIT values on detection performance of environmental sensors could be managed is not specified. Consequently no FIT values for interference on radar sensors are available.

Figure 1.6: Failure effects on radar sensor’s behaviour due to environmental influences; the black dashed frame on the right side shows the focus of this project


As a proposal, a way forward is shown in Figure 1.6. In this context, FIT refers to failures due to interference which are critical (e.g. harmful interference), and which are not critical for the final function. With that understanding of FIT rates of radar sensors, investigations regarding the interference behaviour will be carried out within the MOSARIM project. This especially applies to the appearance of ghost peaks/targets and the increase of the noise level due to mutual influence of identical or different modulation schemes. Analytical investigations are shown in chapters 3 and 4.


2 Radar sensor FIT rates without interference

2.1 FIT rate due to component failure

According to [ISO26262] the standard approach is to determine the probability of component failure and what that means for the functional safety of the whole system. However, component failure does not encompass interference effects and is therefore not further considered here.

2.2 FIT rate due to environmental influences

Radar sensors use a limited frequency bandwidth and a limited measurement time to sense an environment which exhibits a very broad range of complexity, dynamics and parasitic effects:

• The temperature can differ drastically between the cold start and after a multi-hour ride in summer

• The environment fluctuates within short time

• The environmental complexity differs drastically between city and highway traffic

• The typical behaviour of car drivers differs noticeably from country to country

• Radar waves are attenuated to the fourth power from the distance to an object

• The reflection coefficient of a target object differs by a factor of more than 100 between a person / motorbike and a lorry or in a multi-storey car park

• Radar wave propagation is disturbed by dirt, heavy rain or snow

• Parasitic Doppler frequency shifts due to rotating fans, vibrating parts, …

• The road infrastructure like guard rails or tunnel walls reflect radar waves causing multipath propagation

• Signals of different noise sources are superimposed to the actual measurement signal

• The separation and object discrimination capability of a radar device is limited and thus may lead to the misinterpretation or wrong clustering of distributed targets

These effects are added to sensor-internal non-ideal effects like limited VCO phase noise or limited isolation between the transmitting and receiving path. Under such harsh circumstances, errors in detection (failures) cannot be avoided completely. Thus, the FIT rate before tracking is larger than 0, even without any interference.

The exact behaviour of the respective radar sensor on influences, as described above, is unknown. Due to that fact further quantitative investigations are not made. The current state of the art causes the disturbed sensor system to switch into a safe state (see Figure 1.6). This means, the disturbed sensor signal is no longer taken as valid and does not influence the whole safety function with false information.

Even if these environmental influences occur often and result in a noticeable amount of deactivation of the radar sensors, the use of automotive radar sensors for safety related functions still leads to an improvement of the controllability C (see Figure 1.3) compared to non-use.


3 Radar sensor FIT rates with interference

In the tasks of the MOSARIM project work packages 2 “Simulation of radar interference mechanisms” and 3 “Elaboration of efficient interference countermeasures on a simulation basis”, detailed investigations of interference effects based on a detailed system structure as shown in Figure 3.1 are undertaken.

Figure 3.1: Generic system model of a radar sensor with transmitting and receiving stage [T2.2]

In this task, interference effects are considered mostly in a qualitative way to find dependencies of FIT rates for various basic failure types. It is obvious that the FIT rate of a single signal processing step (e.g. the FFT of a single signal record) is always higher than the FIT rate after post-processing (e.g. target tracking or plausibility checks). In this report considerations regarding FIT rates address only the first level, i.e. the unprocessed signals at the receiver physical and raw-signal blocks. In the following, three basic effects causing failures are described:

a) Driving the victim receiver input stage into saturation (see Figure 3.1, “physical” block)

b) Decreasing S/N due to short-term interference (see Figure 3.1, “Raw signal” block)

c) Generating false FFT peaks due to synchronized interference (see Figure 3.1, “Raw signal” block)


For obtaining a basic understanding, these failure types are investigated under worst case conditions. This means, that the following conditions, leading to a decrease of false alarm rate or FIT rate, could not be considered because they are either unknown or not specified:

• Variations in modulation scheme parameters

• The density of radar sensor equipped cars per area and time

• The traffic density in certain areas per time

• The probability of interference during a measurement cycle

• The duration of possible interference due to dynamic street scenarios

Regarding the real world situation only a rough estimation can be achieved here. Further details are provided in the following sections 3.1 to 3.4.

3.1 Failure type a): Saturated victim receiver

The various components of the victim receiver (see Figure 3.1, physical block) all have limitations with respect to their maximum output amplitude. Figure 3.2 shows an example of that case, with a received interfering signal driving a component of the receiving stage into saturation. The output signal amplitude (red graph) cannot follow the too strong input signal amplitude (blue dashed line) and is therefore clipped. The changed signal waveform results in additional spectral components after the FFT stage (see Figure 3.2, lower picture on the right side). This may lead to non-existent target peaks and could be a potential danger for misinterpretation of the real street scenario.

Figure 3.2: Left picture: original received signal (blue dashed line) and signal influenced by saturation in the receiving stage (red line). Right pictures: calculated FFT spectrum of the original received signal (blue graph) and of the signal influenced by saturation (red graph) at the receiving stage.


A simple simulation scenario was derived to evaluate the victim receiver amplitude versus interferer distance (see Figure 3.3). The following formula [Ref D4.1] is used to calculate the absolute power level at the receiving input stage:

$$I = P_{s,i} - F_{path,i} + G_{ant,v} \qquad (1)$$

with

$P_{s,i}$: transmitted power of interfering radar sensor

$$F_{path,i} = 10 \log\left(\frac{4 \cdot \pi \cdot x \cdot f}{c}\right)^{2} \qquad (2)$$

$G_{ant,v}$: antenna gain of victim sensor

The parameters for an example scenario are given in Figure 3.3. The values of the transmitted interfering signal represent the specifications of a sensor working in the 24GHz ISM band. Figure 3.3 shows the resulting graph for the interfering signal power level at the receiving stage for different distances between interferer and receiver. It is obvious that the absolute received power level of the interfering signal decreases very strongly with increasing distance. As a consequence, the danger of saturating the receiving input stage also decreases.

There is a high probability for potential interference due to the high variability of possible street scenarios. However, for a scenario with oncoming traffic, the time during which an interfering sensor can irradiate the victim sensor will be only short. More important is the scenario with two cars driving behind each other, where the car in front is equipped with a backward looking radar sensor while the following car has a forward looking radar sensor. Here, each sensor directly irradiates the other for a longer time. At the distances that normally occur between two cars driving along the road (5…50m), the power level of the interfering signal is reduced by free space attenuation (see also equation (2)). Thus, the likelihood of saturation decreases drastically with distance.


Interfering power level scenario (the resulting graph is shown in Figure 3.3):

Interferer position:
• x = 1 … 100m
• y = 0m

Parameters of transmitted interferer signal:
• Ps,i = 20dBm
• f = 24,15GHz

Interferer main beam: ϕ = 0°

Victim antenna gain:
• Gant,v = 17dBi

Figure 3.3: Power level of the interfering signal I at the receiving input stage of the victim radar for different distances
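The chain described in this section, from link budget to clipped waveform to extra spectral lines, can be reproduced with the following added example (not part of the original report). It evaluates equations (1) and (2) with the Figure 3.3 parameters; the saturation level of -40 dBm, the pure-tone interferer and the 256-sample record are assumptions made only for illustration.

```python
import cmath
import math

C = 3.0e8              # speed of light in m/s, rounded as in the report's equation (8)
SAT_LEVEL_DBM = -40.0  # ASSUMPTION: hypothetical input level at which the stage starts to clip


def interference_level_dbm(x_m, p_tx_dbm=20.0, f_hz=24.15e9, g_ant_dbi=17.0):
    """Equations (1) and (2): I = P_s,i - F_path,i + G_ant,v (Figure 3.3 defaults)."""
    f_path_db = 10.0 * math.log10((4.0 * math.pi * x_m * f_hz / C) ** 2)
    return p_tx_dbm - f_path_db + g_ant_dbi


def received_waveform(x_m, n=256, cycles=8):
    """Interferer tone at distance x_m, scaled so that 1.0 is the clipping limit, then clipped."""
    amplitude = 10.0 ** ((interference_level_dbm(x_m) - SAT_LEVEL_DBM) / 20.0)
    tone = [amplitude * math.sin(2.0 * math.pi * cycles * k / n) for k in range(n)]
    return [max(-1.0, min(1.0, s)) for s in tone]


def spectrum_db(samples):
    """DFT magnitude of bins 0..N/2-1 in dB relative to the strongest bin."""
    n = len(samples)
    mags = []
    for b in range(n // 2):
        acc = sum(s * cmath.exp(-2j * math.pi * b * k / n) for k, s in enumerate(samples))
        mags.append(abs(acc))
    peak = max(mags)
    return [20.0 * math.log10(max(m / peak, 1e-12)) for m in mags]


def spurious_bins(x_m, floor_db=-40.0, cycles=8):
    """Bins other than the tone itself that rise above floor_db (candidate ghost peaks)."""
    spec = spectrum_db(received_waveform(x_m, cycles=cycles))
    return [b for b, level in enumerate(spec) if level > floor_db and b != cycles]


if __name__ == "__main__":
    for x in (2.0, 20.0):
        print(f"x = {x:5.1f} m  I = {interference_level_dbm(x):6.1f} dBm  "
              f"spurious bins: {spurious_bins(x)}")
```

At 2 m the tone exceeds the assumed limit and odd harmonics of bin 8 appear; at 20 m the waveform is not clipped and the spectrum contains only the tone.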

3.2 Failure type b): Decreased S/N

The most important challenge in radar signal processing, when evaluating the signal spectra in the frequency domain, is the selection of the best threshold level in the presence of thermal noise fluctuations and clutter effects. Moving the threshold level too high above the thermal noise floor reduces the target detection probability, especially for weak target reflections that are only a few dB above the noise level. On the other hand, when setting the threshold level too close to the noise floor, random noise peaks may trigger false alarms by surpassing the threshold level. With the Neyman-Pearson criterion, a decision rule is constructed that has a maximum probability of detection while not allowing the probability of false alarm to exceed a certain value. In [FPR], a relation between probability of detection, Signal-to-Noise Ratio (SNR) and false alarm rate for a sinusoidal signal is derived with the following assumptions:

• There are only thermal, Gaussian noise fluctuations in the radar signal.
• There are no other radar interferers or environmental clutter present.


• Radar signal processing using the polar coordinates with Rayleigh distributed noise yields valid results.
• The target detection probability is a function of the reflected signal strength and the threshold level.
• The false alarm rate is a function of noise statistics and the threshold level.
• A 1 MHz victim receiver bandwidth (i.e. $10^{6}$ noise pulses per second may cause a false alarm rate) is assumed.
• Ideal transmitter and receiver components (no non-linearities, VCO phase noise, receiver noise figure,…) are assumed.
• An ideal target (not distributed, i.e. all reflected energy in a single sinusoidal waveform) is assumed.

It is obvious that for a lower false alarm rate the SNR has to be higher and that this holds also true for the probability of detection. Broadband interference in the radar signal spectrum decreases the SNR. The threshold for target peak detection shall be chosen in such a way that both, the false alarm rate and the detection probability, are within the required limits (see Figure 3.4).

Figure 3.4: Relation between probability of detection, Signal-to-Noise Ratio and false alarm rate for a sinusoidal signal [FPR]

The following figure 3.5 gives an illustration for different constant detection levels and the consequences for the detection of targets, ghost peaks and the false alarm rate.


With the threshold level a) as shown in Figure 3.5, the disturbing peaks (caused by internal effects of the radar system or by external sources) are not detected. But also some useful target peaks are lost. This means that the threshold level a) for detection is too high.

Figure 3.5: Threshold level is set too high (level a)) or too low (level b)) or optimal (level c)) for a scenario with five targets

The threshold level b) in Figure 3.5 is set too low. This means that beside the useful target peaks also many false target peaks by noise fluctuation will occur. This causes an increase of the false alarm rate. The threshold level c) in Figure 3.5 is optimal for the detection of targets. An increase of the noise floor due to broadband interference can be critical, especially if the detection level is exceeded (see Figure 3.6).

Figure 3.6: For a constant detection threshold (green line), an increasing noise floor (graph on right side) results in an increased number of possible false target detections

However, an increase of the noise floor due to broadband interference can also lead to a range reduction which would be only a graceful degradation. Nevertheless, a constant detection threshold is not optimal. Several algorithms can be used to make the threshold level adaptive. Further details are described in section 4.2.


3.3 Failure type c): Generated false FFT peaks due to synchronized interference

It is difficult, probably even impossible, to exhaustively list and analyze all possible origins of false peaks (or ghost signals). Here, only detection failures due to synchronous narrow band interference are considered. Detailed interference mechanisms, like false peaks in an FMCW sensor due to interference effects from a pulse radar sensor, are not considered in this task. For each radar sensor with a specific modulation scheme, there are different conditions for the appearance of ghost peaks. Figure 3.7 shows an example for an FMCW radar. In the upper graphic, the rising RF signal produced by the local oscillator is shown. Additionally, there is an interfering signal. Its frequency slope varies relative to the LO (local oscillator) signal in the range of 0.999 to 1 (fully coherent to victim LO signal). The result after the first FFT is shown in the lower graphic. The ghost peak originates from the increasing noise floor when the interfering frequency slope approaches the LO frequency slope.

Figure 3.7: RF frequency according to the LO signal of the victim receiver and the interfering signal with changing slope in the time domain (upper graphic); resulting spectrum after FFT in the victim receiver stage for a changing frequency slope of the interfering signal (lower graphic)

For an estimation of a false alarm rate with respect to this failure type, the argumentation of [AMI] and MOSARIM task 1.3 “Determination and definition of basic radar interference mechanisms, effects and impact on sensor performance and identification of key sensor parameters” [T1.3] is used.


There, the calculation of the probability for appearance of ghost targets is performed for the interference of two synchronized FMCW radar sensors as shown in Figure 3.8.

Figure 3.8: Instantaneous RF frequency of the local oscillator signal of the victim receiver and the received interfering signal (upper graphic) over time [AMI]. The lower graphic shows the resulting IF signal.

Additionally, the following assumptions are made:

• The interfering signal is coherent with the local oscillator signal of the victim receiver stage.
• The start frequency of the interfering signal is the same as the start frequency of the local oscillator.
• The interfering ramp is identical to the ramp of the local oscillator.

The maximum probability for the occurrence of a ghost target Pghost,max for every ramp in a cycle is:

$$P_{ghost,max} = \frac{2 \cdot t_{shift,max}}{T} \qquad (3)$$

with $t_{shift,max}$ being the maximum time shift that results in an IF frequency smaller than $f_{IF,max}$ for all ramps in a cycle. Now, for a given $f_{IF,max}$, the steepness of the frequency ramp determines $t_{shift}$:

$$t_{shift} = f_{IF,max} \cdot \frac{T_x}{S} \qquad (4)$$

For all ramps in a cycle to lead to a frequency smaller than $f_{IF,max}$, the maximum $t_{shift}$ and thus $P_{ghost}$ is determined by the steepest ramp, which for the example of Figure 3.9 is $T_2$ [AMI]:


$$P_{ghost,max} = \frac{2 \cdot t_{shift,max}}{T} = \frac{2 \cdot f_{IF,max} \cdot T_2}{S \cdot T} \qquad (5)$$

Now, the maximum receiver bandwidth can be expressed by the maximum detection range rmax, the speed of light c, and the shortest ramp duration T2:

$$f_{IF,max} = t_{shift,max} \cdot \frac{S}{T_2} = \frac{2 \cdot r_{max}}{c} \cdot \frac{S}{T_2} \qquad (6)$$

Substituting fIF,max (6) into (5) results in:

$$P_{ghost,max} = \frac{4 \cdot r_{max}}{c \cdot T} \qquad (7)$$

For getting an order of magnitude, sensor data from a typical ACC sensor working at 77 GHz are chosen:

• Bandwidth S: 500MHz
• Ramp duration T2: 1ms (shortest ramp)
• Measurement cycle time T: 20ms
• Maximum detection range rmax: 250m

By use of these values, the following probability for the appearance of ghost peaks (the false alarm rate for ghost targets FARc) is obtained:

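$$P_{ghost,max} = \frac{4 \cdot r_{max}}{c \cdot T} = \frac{4 \cdot 250\,\mathrm{m}}{300 \cdot 10^{6}\,\frac{\mathrm{m}}{\mathrm{s}} \cdot 20 \cdot 10^{-3}\,\mathrm{s}} = 167 \cdot 10^{-6} \qquad (8)$$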

More detailed descriptions and calculated examples are given in [AMI].

3.4 Total FIT rate

According to section 1.1.2 the FIT rate is defined as $10^{-9}$ failures per hour or 1 failure per $10^{9}$ hours. A given measurement cycle time T of the radar sensor and the false alarm rate FAR for each failure type can then be transformed into a FIT rate:

$$FIT_X = 10^{9} \cdot 3600\,\mathrm{s} \cdot \frac{1}{T} \cdot FAR_X \qquad (9)$$


In the following example calculation, a typical measurement cycle time of T = 20ms for a radar sensor (see section 3.3) is used.

Failure type a): At present, no numerical dependencies with respect to the influence of saturation on the false alarm rate are available. Therefore, the saturation effect is described in a qualitative way in this document.

Failure type b): With a chosen false alarm rate $FAR_b = 10^{-12}$ per cycle (see Figure 3.4) for failure type b) (see Figure 3.5), this results in the FIT rate $FIT_b$:

$$FIT_b = 10^{9} \cdot 3600\,\mathrm{s} \cdot \frac{1}{20 \cdot 10^{-3}\,\mathrm{s}} \cdot 10^{-12} = 180 \qquad (10)$$

Failure type c): The FIT rate for failure type c) ($FIT_c$) can be estimated by using the estimated false alarm rate $FAR_c = 167 \cdot 10^{-6}$ per cycle of section 3.3:

$$FIT_c = 10^{9} \cdot 3600\,\mathrm{s} \cdot \frac{1}{20 \cdot 10^{-3}\,\mathrm{s}} \cdot 167 \cdot 10^{-6} = 30 \cdot 10^{9} \qquad (11)$$

The total FIT rate results from the single FIT rate for every failure type as described above:

$$FIT = FIT_a + FIT_b + FIT_c \qquad (12)$$

As mentioned at the beginning of chapter 3, this is a worst case estimation and the given values may differ from real world values. In the following sections measures for a decrease of the estimated FIT rates are described in a more qualitative way.
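The derivation of sections 3.3 and 3.4 can be carried through numerically with the following added example (not part of the original report). It uses the sensor data given in section 3.3; the function names and the treatment of the unquantified failure type a) as a missing value are choices made for this illustration.

```python
C = 3.0e8  # speed of light in m/s, rounded as in equation (8)


def f_if_max(r_max_m, sweep_hz, t_ramp_s):
    """Equation (6): highest IF frequency the receiver must pass for range r_max."""
    return 2.0 * r_max_m / C * sweep_hz / t_ramp_s


def t_shift_max(r_max_m, sweep_hz, t_ramp_s):
    """Equation (4) for the steepest ramp: largest time shift that stays below f_IF,max."""
    return f_if_max(r_max_m, sweep_hz, t_ramp_s) * t_ramp_s / sweep_hz


def p_ghost_max(r_max_m, t_cycle_s, sweep_hz, t_ramp_s):
    """Equations (3) and (5); S and T2 cancel, leaving 4*r_max/(c*T) of equation (7)."""
    return 2.0 * t_shift_max(r_max_m, sweep_hz, t_ramp_s) / t_cycle_s


def fit_rate(far_per_cycle, t_cycle_s):
    """Equation (9): failures per 1e9 operating hours for a per-cycle false alarm rate."""
    cycles_per_hour = 3600.0 / t_cycle_s
    return 1e9 * cycles_per_hour * far_per_cycle


def total_fit(fit_by_type):
    """Equation (12). Types without a number (None) are left out of the sum, so the
    second return value tells whether the sum is only a lower bound."""
    known = [v for v in fit_by_type.values() if v is not None]
    return sum(known), len(known) < len(fit_by_type)


def section_3_example():
    """Values of sections 3.3 and 3.4: typical 77 GHz ACC sensor."""
    r_max, sweep, t_ramp, t_cycle = 250.0, 500e6, 1e-3, 20e-3
    far_c = p_ghost_max(r_max, t_cycle, sweep, t_ramp)
    fits = {
        "a": None,                       # saturation: no numerical value available
        "b": fit_rate(1e-12, t_cycle),   # FAR_b chosen from Figure 3.4
        "c": fit_rate(far_c, t_cycle),   # FAR_c from equation (8)
    }
    return far_c, fits, total_fit(fits)


if __name__ == "__main__":
    far_c, fits, (total, lower_bound) = section_3_example()
    print(f"f_IF,max = {f_if_max(250.0, 500e6, 1e-3) / 1e3:.0f} kHz")
    print(f"FAR_c = {far_c:.3e} per cycle, FIT_b = {fits['b']:.0f}, FIT_c = {fits['c']:.2e}")
    print(f"total FIT {'>=' if lower_bound else '='} {total:.2e}")
```

Because failure type a) has no numerical value, the computed total is a lower bound for equation (12) rather than the full sum.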

4 Radar sensor FIT rates with interference and possible countermeasures

The state of the art of countermeasures was already compiled in task 1.5 and will be quantitatively evaluated in task 3.2. In principle, countermeasures can be divided into implicit and strategic approaches. In the following, for the three basic failure types derived in chapter 3, it is considered, mainly in a qualitative way, how exemplary countermeasures influence the FIT rate. Upcoming tasks of the MOSARIM project will provide the quantitative evaluation.


4.1 Failure type a): Saturated victim receiver

4.1.1 Implicit measures against saturation

The effect of saturation, occurring in certain road traffic situations, can be circumvented, employing different polarization schemes within the affected sensors. According to [T1.5] cross polarization may lead to a decrease of interfering signal power level of up to 15dB which increases the interference free distance (see also Figure 3.3).

4.1.2 Detection of saturation and handling of this effect

Additional improvement is possible by intelligent analysis of the received signal and applying appropriate measures like input signal attenuation. In the frequency domain saturation effects may be reduced by elimination of harmonic peaks (see also Figure 3.2). Another countermeasure after detection of saturation of the receiving input stage is to change the carrier frequency of the transmitted signal pseudo randomly within the allowed allocated frequency band.

4.2 Failure type b): Decreased S/N

4.2.1 Implicit measures against decreased S/N

There are different measures to counteract the S/N ratio decrease coming from interference by reducing the interference impact both in the time- and/or frequency domain. This is mainly done by reducing the probability that receiver measurement time or frequency coincide with the interference in time or frequency. The simplest approach is by doing so in a predefined, often pseudo-random sequence or scheme. Limiting the component characteristics (e.g. antenna beam width, receiver bandwidth, noise figure, etc.) is another implicit method to mitigate S/N decrease by radar interference.

4.2.2 Detection of decreased S/N and handling of this effect

The detection of a decrease in S/N is possible in the sampled time domain signal by detecting spikes. Such irregularities can be eliminated by appropriate signal processing algorithms. Ideally, the S/N level of the undisturbed signal can be restored.

In the frequency domain, a decrease of the S/N ratio by radar interference occurs when the interference power is equally distributed over the victim receiver bandwidth. The interference power then has effects similar to Gaussian noise in the receiver input stage and reduces the sensitivity of the radar device or even completely blocks the reception of the radar signals. For radar systems that evaluate their signals in the frequency domain, the increase of the prevailing noise level due to uncorrelated, broadband interferers results either in a reduced sensitivity (in case of an adaptive threshold level) or in a higher false alarm rate (for a fixed threshold level, see also Figure 3.6).

In a typical radar system the threshold level is implemented by a so-called CFAR (Constant False Alarm Rate) algorithm that adapts the threshold automatically so as to keep the false alarm rate constant, i.e. it increases or decreases the variable threshold depending on the prevailing noise and signal characteristics (see Figure 4.1).


Figure 4.1: Sampled time domain signal with spikes (upper left graphic) caused by external disturbing sources leading to an increased noise level after FFT (upper right graphic); processed time domain signal (lower left graphic) leads to a lower noise level after FFT (lower right graphic) [T1.5]

Figure 4.2: Adaption of threshold level due to the CFAR algorithm in a scenario with five targets. Due to the adaption the increasing noise level will not lead to an increasing number of possible false target detections but one target will be missed (see the red circle in the right graphic)

As a positive side effect, such CFAR algorithms also allow a decrease in S/N caused by interference to be detected, by following the changing noise floor level for each of the bins in the frequency domain within a given range.
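The behaviour of Figures 3.6 and 4.2 can be reproduced with the following added example (not part of the original report), which compares a fixed threshold with a cell-averaging CFAR on a constructed spectrum with five targets. The bin positions, powers, ripple, window sizes and the scale factor alpha are constructed values, and the median over all bins is used here as a simple stand-in for a noise floor estimate.

```python
import math
import statistics

# Constructed scenario: spectrum bin -> target power (linear units), five targets.
TARGETS = {8: 40.0, 20: 25.0, 31: 8.0, 44: 60.0, 55: 30.0}


def make_spectrum(noise_gain, n_bins=64):
    """Constructed power spectrum: rippled noise floor of mean noise_gain plus the targets."""
    spec = [noise_gain * (1.0 + 0.3 * math.sin(1.7 * k)) for k in range(n_bins)]
    for b, power in TARGETS.items():
        spec[b] += power
    return spec


def fixed_threshold(spec, level):
    """Constant detection level as in Figure 3.6."""
    return [k for k, p in enumerate(spec) if p > level]


def ca_cfar(spec, guard=2, train=8, alpha=4.0):
    """Cell-averaging CFAR: the threshold of each cell is alpha times the mean of the
    training cells on both sides, skipping the guard cells next to the cell under test.
    At the edges of the spectrum only the cells that exist are used."""
    hits = []
    for k, p in enumerate(spec):
        left = spec[max(0, k - guard - train):max(0, k - guard)]
        right = spec[k + guard + 1:k + guard + 1 + train]
        cells = left + right
        if cells and p > alpha * sum(cells) / len(cells):
            hits.append(k)
    return hits


def noise_floor_rise_db(reference, current):
    """Rise of the noise floor between two spectra, estimated from the bin medians."""
    return 10.0 * math.log10(statistics.median(current) / statistics.median(reference))


if __name__ == "__main__":
    quiet = make_spectrum(1.0)   # thermal noise only
    noisy = make_spectrum(6.0)   # broadband interference raises the floor
    print("fixed, quiet:", fixed_threshold(quiet, 4.0))
    print("fixed, noisy:", len(fixed_threshold(noisy, 4.0)), "bins above threshold")
    print("CFAR,  quiet:", ca_cfar(quiet))
    print("CFAR,  noisy:", ca_cfar(noisy))
    print(f"noise floor rise: {noise_floor_rise_db(quiet, noisy):.1f} dB")
```

With the raised floor the fixed threshold flags every bin, while the CFAR threshold keeps the four strong targets, produces no false detection and misses the weakest target at bin 31.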


4.3 Failure type c): Generated false FFT peaks

4.3.1 Implicit measures against false FFT peaks

In chapter 3.3, the probability of a ghost target

$$P_{ghost,3.3} = \frac{4 \cdot r_{max}}{c \cdot T} \qquad (11)$$

is derived with the three assumptions of a) start time coherence, b) same start frequency, and c) identical frequency ramp. Now we replace these idealizations with probabilities: If random pauses between chirps are introduced, for example equally distributed in the range of 0 s … $T_2$, the probability of eq. (11) that still all N chirps in a cycle have $t_{shift} < t_{shift,max}$ decreases by a factor of $(t_{shift,max} / T_2)^{N}$.

If the chirp frequency range S is smaller than the maximum allowed frequency range $F_{BW}$, the actually used frequency range S can be randomly chosen by the victim and by the interferer. The probability of eq. (11) that victim and interferer choose ranges that are identical up to a difference of $f_{IF,max}$ decreases by a factor of $f_{IF,max} / (F_{BW} - S)$. Combining both approaches and using the same replacements as in eq. (5) gives an extended version of eq. (11):

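$$P_{ghost,total} = \left(\frac{t_{shift,max}}{T_2}\right)^{N} \cdot \frac{f_{IF,max}}{F_{BW} - S} \cdot P_{ghost,3.3} = \left(\frac{f_{IF,max}}{S}\right)^{N} \cdot \frac{f_{IF,max}}{F_{BW} - S} \cdot P_{ghost,3.3} \qquad (12)$$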

Practical example: With the numeric values and equations of section 3.3 one gets fIF,max = 833kHz. Now, additionally with S = 1000MHz and N = 3, one obtains:

$$P_{ghost,total} = 9.6 \cdot 10^{-13} \cdot P_{ghost,3.3} = 1.6 \cdot 10^{-16}$$

corresponding to 0,03 FIT if the parameters from chapter 3.4 are also used.

4.3.2 Detection of false FFT peaks and handling of this effect

The detection of false peaks is not trivial because the peaks themselves resemble a possible target. One possible indicator may be the signal amplitude: If peaks appear at a high frequency and have unrealistically high amplitudes, they are very likely to be false ones that are caused by direct interference. The amplitude could be estimated by assuming the largest possible targets at different distances and calculating the expected amplitudes in the receiver. If a peak has an amplitude above that limit, it can be regarded as false and may be neglected in further processing. The most obvious hint for false peaks is a relatively high frequency of the radar signals. In a scenario with a high number of peaks that appear only for a single cycle, it may be a good idea to initiate no object at all, because real objects may be influenced by the false peaks and therefore be either inaccurate or even hidden completely.


Another measure that keeps false peaks from influencing the sensor performance is realized in the tracking stage used in many commercially available radar sensors. If a peak appears, it is tracked only if it remains stable over multiple cycles. As false peaks are expected to be random, this measure significantly reduces the probability that a potentially false target influences vital functionalities of the system. Remaining intrinsic peaks that originate in the geometry or hardware can be eliminated via a calibration procedure.

4.4 Discussion of FIT rates within the system context

The FIT rates of the sensor(s) have to be distinguished from the FIT rate of the system including the sensor(s). The FIT rate of the system can be reduced by the following measures:

• According to the determination of the FIT rates of each failure type it is obvious, that the total FIT rate can be decreased by decreasing the probability of detection (see Figure 3.5).

• Deactivate the sensor and report to the driver, if interference is detected, that may lead to an unavoidable critical situation.

• Use the detection results not in all but only in a limited number of scenarios, meaning support to the driver’s reaction, not the general replacement of the driver’s reaction.

• Use several independent sensors and combine their detection results by logical combination (e.g. sensor fusion).

• Interference effects from non-automotive users can be limited by regulatory measures, requiring the frequency status of an automotive radar system to be that of a primary user, having the right to claim protection criteria. These are to be chosen to limit interferences to a non-harmful level for all possible victim receivers.


5 Conclusion

Within this report an overview of classification according to ISO/DIS 26262 [ISO26262] is given, specifying the functional safety for automotive applications. The [ISO26262] is derived from the standard for industrial applications IEC 61508. The [ISO26262] is a guideline for the development of safety related systems in automotive applications. The present document gives an overview about the three main steps of the classification procedure in the [ISO26262]:

• Risk & Hazard analysis with risk classification
• Development of a safety concept to achieve the derived safety goals and ASIL levels
• Verification and validation

Up to now, [ISO26262] gives explicit requirements to avoid or mitigate E/E failures. Failures regarding the detection performance of environmental sensors due to external physical influences are only considered with non-explicit requirements by [ISO26262]. The main scope of the MOSARIM project is the investigation of influences on radar sensors due to interferences from other automotive radar devices or incumbent frequency users. In this report, a mostly qualitative investigation of the following basic interference effects concerning the estimation of false alarm rates under worst case conditions was carried out:

• Saturation of the victim receiver input stage
• Decreased signal to noise ratio (S/N)
• Generated false FFT peaks (ghost peaks) due to synchronized interference

The false alarm rates are used for the calculation of a corresponding FIT rate which is necessary to achieve a certain ASIL level in accordance with the mentioned classification procedure. The obtained results may differ largely from real world values due to the worst case conditions. Therefore, this methodology is only a first step towards a realistic FIT estimation. Ongoing evaluations of not yet identified root causes and effects, the implementation of appropriate design measures, the qualification of detection measures in the sensor’s software routines might reveal additional failure modes. In the present document potential countermeasures against the basic interference effects are described. For example more measures for reducing the susceptibility to interference were carried out in Task 1.5 [T1.5]. Such measures will be further investigated in upcoming tasks of the MOSARIM project.


6 Abbreviations

ASIL: Automotive Safety Integrity Level
CFAR: Constant False Alarm Rate
H&R: Hazard analysis and Risk assessment, processes according to ISO/DIS 26262
FTA: Failure Tree Analysis, recommended input to the DFMEA
DFMEA: Design Failure Mode and Effect Analysis for the operating mode
FMEA: Failure Mode and Effect Analysis
FMEDA: Failure Mode and Diagnostic coverage Analysis
FMET: Failure Mode Effect Testing
FSA: Functional Systems Audit
V&V: Verification and Validation


7 Bibliography

[AMI] Analytical investigation of mutual interference between automotive FMCW radar sensors, M. Goppelt, H.-L. Blöcher and W. Menzel; Institute of Microwave Techniques, University of Ulm, Germany, Group Research & Advanced Engineering, Daimler AG, Ulm, Germany; 2011-03

[FAR] False Alarm Rate, http://www.radartutorial.eu/18.explanations/ex10.en.html

[FPR] Four Problems in Radar, Michael C. Wicks and Braham Himed, Air Force Research Laboratory, Sensors Directorate, 26 Electronic Parkway, Rome, New York 13441-4514

[FST] Schulung Funktionale Sicherheit / IEC 61508, TÜV SÜD Automotive GmbH

[IEC] IEC 61508-1 to -7, Edition 2.0, 2010-04, Functional safety of electrical/electronic/programmable electronic safety-related systems

[ISO26262] DRAFT INTERNATIONAL STANDARD ISO/DIS 26262-1 to -10, 2009-07-09, Road vehicles - Functional safety -

[T1.3] Milestone to MOSARIM Task 1.3 “Determination and definition of basic radar interference mechanisms, effects and impact on sensor performance and identification of key sensor parameters”, 2010

[T1.5] Deliverable to MOSARIM Task 1.5 “Study on the state-of-the-art interference mitigation techniques”, 2010

[T2.2] Deliverable to MOSARIM Task 2.2 “Generation of an interference susceptibility model for the different radar principles”, 2010