SLVA528D September 2012 – August 2021 TPS65381-Q1, TPS65381A-Q1


TPS65381x-Q1 Used in an EV/HEV Inverter System

Several system configurations can be considered when using the TPS65381x-Q1 device. This SEooC analysis focuses on using the TPS65381x-Q1 in an electric vehicle (EV) or hybrid-electric vehicle (HEV) inverter system. Most motor-control systems tend to have a similar electrical structure, including a main microcontroller (MCU) for decision making, motor-drive circuitry, a motor, a position-feedback sensor with associated signal conditioning, and some type of power supply. Because of this, most of the analysis in this section can be applied to other motor-control systems as well. Figure 7-1 shows one implementation of this EV or HEV inverter system, where the TPS65381x-Q1 device interfaces with the main MCU and supplies the motor-position sensor.

This safety analysis of the assumed inverter system focuses only on the TPS65381x-Q1 device and surrounding supply voltages, signals, and communications. For the complete system functional-safety analysis, faults of the other blocks such as the MCU, motor-position sensor, torque sensor, CAN Interface, and motor predriver must be analyzed as well.

In this configuration, when the TPS65381x-Q1 detects a fault in the system, it will set fault bits and may transition to the RESET state (ENDRV and NRES pins low), SAFE state (ENDRV pin low) or STANDBY state (ENDRV and NRES pins low). When a fault is detected by the TPS65381x-Q1 causing ENDRV to go low, it is assumed the system is designed to place itself in a safe state by shutting off the inverter system and notifying the user that service is required. When the TPS65381x-Q1 transitions to its SAFE state, the MCU can read the status registers and determine which fault occurred. When the TPS65381x-Q1 transitions to the RESET state, the MCU is assumed to be in reset because the NRES pin is low. When the TPS65381x-Q1 transitions to the STANDBY state, it is assumed the MCU is unpowered (reset) because the voltage regulators are off and the NRES and ENDRV pins are low.

(1) When enabling the DIAG_OUT MUX while using SPI communication: the SDO pin is not in the high-impedance state while the NCS pin is HIGH and the DIAG_OUT MUX is enabled. Software or hardware modification may be required. For hardware modifications, check the SDO threshold level and drive capability if resistors are used to adjust the voltage level of the SDO pin on the SPI bus.
(2) Depending on the specific C2000™ MCU and the core rail generation, voltage monitoring may be provided within the PMIC or an external voltage monitor may be needed.
Figure 7-1 EV/HEV Inverter System
Table 7-1 Example Fault Detection for the Assumed EV/HEV Inverter System

Fault 1: VBAT supply short or open
Impact:
  • A common-cause failure affects the complete Inverter ECU.
Detection and Protection:
  • VBAT undervoltage is detected by the TPS65381x-Q1 device through the VBATP UV monitor; the TPS65381x-Q1 transitions to the STANDBY state and the system is brought to a safe state (ENDRV pin is low).

Fault 2: CAN enable short or open
Impact:
  • Disabled CAN PHY with no communication to other ECUs
Detection and Protection:
  • MCU safing function detects failure with a dedicated GPIO to sense CAN PHY enable signal(1)

Fault 3: CAN supply (VDD5) short or open
Impact:
  • CAN PHY is not functional and no communication is performed with other ECUs
Detection and Protection:
  • In case of a CAN supply short-to-GND fault, the TPS65381x-Q1 device detects a UV condition and sets the VDD5_UV bit
  • In case of a CAN supply open fault, the MCU detects no communication

Fault 4.1: TPS65381x-Q1 main supply (VBATP) supply short
Impact:
  • No regulated power supplies
  • The MCU is unpowered (reset)
  • The bridge driver is in the RESET state
Detection and Protection:
  • The TPS65381x-Q1 VBATP UV monitor detects a UV condition, and transitions the device to the STANDBY state.
  • The system powers down and is brought to a safe state (ENDRV and NRES pins are low).

Fault 4.2: TPS65381x-Q1 main supply (VBATP) supply open
Impact:
  • No regulated power supplies
  • The MCU is unpowered (reset)
  • The bridge driver is in the RESET state
Detection and Protection:
  • The TPS65381x-Q1 VBATP UV monitor detects a UV condition, and transitions the device to the STANDBY state.
  • The system powers down and is brought to a safe state (ENDRV and NRES pins are low).

Fault 5.1: TPS65381x-Q1 VMON (VBAT_SAFING) supply short
Impact:
  • No system supply-monitoring functions are available.
  • The MCU is unpowered (reset).
  • The bridge driver remains in the RESET state.
Detection and Protection:
  • The internal voltage monitor indicates an undervoltage event and transitions the TPS65381x-Q1 device to the STANDBY state, which keeps the MCU supply off.
  • The system is brought to a safe state (ENDRV and NRES pins are low).

Fault 5.2: TPS65381x-Q1 VMON (VBAT_SAFING) supply open
Impact:
  • No system supply-monitoring functions are available.
  • The MCU is unpowered (reset).
  • The bridge driver remains in the RESET state.
Detection and Protection:
  • The internal voltage monitor indicates an undervoltage event and transitions the TPS65381x-Q1 device to the STANDBY state, which keeps the MCU supply off.
  • The system is brought to a safe state (ENDRV and NRES pins are low).

Fault 6: TPS65381x-Q1 ENDRV short or open
Impact:
  • The external power-stage enable (or safing path enable) is not controllable.
Detection and Protection:
  • The TPS65381x-Q1 ENDRV read-back diagnostics can help the MCU detect the failure by reading the ENDRV_ERR bit to determine a mismatch between the state of the ENDRV pin and the expected driver output on the ENDRV pin.
  • The second system safing path enable should provide the required redundancy in case of an ENDRV short high

Fault 7: TPS65381x-Q1 sensor-supply short or open
Impact:
  • No functioning sensor in the system
  • Potential sensor damage if short to supply (VBAT) occurs
Detection and Protection:
  • The TPS65381x-Q1 VSOUT1 sensor supply voltage monitor detects both UV and OV events. The MCU monitors the VSOUT1_OV bit and VSOUT1_UV bit and disables the sensor supply. The MCU can also disable the external power states and place the system in a safe state if necessary due to loss of the sensor data because of the shorted or open sensor supply.
  • Sensor supply monitor covered by internal diagnostics and its status (UV or OV) read by the MCU through SPI.

Fault 8: TPS65381x-Q1 NRES pin short or open
Impact:
  • The MCU reset function is not correct:
    • In case of a short to GND, the MCU remains in permanent reset and the system is disabled
    • In case of a short to high or VBAT, the MCU is never reinitialized and potentially damaged
    • In case of an open, the MCU remains in permanent reset because of an internal pulldown on the MCU reset input pin, and the system is disabled
Detection and Protection:
  • Diagnostics and monitoring detects NRES external faults because of an NRES short or open:
    • Watchdog function
    • MCU ESM function
    • Interconnect diagnostics
    • The NRES_ERR monitor in the TPS65381x-Q1 device, when enabled by DIS_NRES_MON set to 1, detects a mismatch and places the device in the SAFE state (ENDRV pin goes low) and the system transitions to a safe state.

Fault 9.1: TPS65381x-Q1 VDD3/5 or VDD1 short or open (MCU core supply fault)
Impact:
  • In case of a short to GND:
    • The MCU is in reset or powered-down and the system is disabled
    • The VDD3/5 regulator is disabled
Detection and Protection:
  • Diagnostics and monitoring detects a VDD3/5 or VDD1 short to GND:
    • VDD3/5 current limit is applied
    • VDD3/5 UV detected and power-stages are disabled (ENDRV pin is low), the device transitions to the RESET state (NRES pin is low)
    • With VDD3/5 current limit, eventually an overtemperature condition can occur and disable the VDD3/5 regulator or the TPS65381x-Q1 device transitions to the STANDBY state
    • VDD1 UV detected, the TPS65381x-Q1 device transitions to the RESET state when the NMASK_VDD1_UV_OV bit is 1 (NRES pin is low)

Fault 9.2: TPS65381x-Q1 VDD3/5 or VDD1 short or open (MCU core supply fault)
Impact:
  • In case of open:
    • The MCU is powered-down and the system is disabled.
Detection and Protection:
  • Diagnostics and monitoring detects a VDD3/5 or VDD1 open fault:
    • The MCU is not responsive and a watchdog or MCU ESM failure is detected

Fault 10: TPS65381x-Q1 DIAG_OUT (AMUX/DMUX) short or open
Impact:
  • The MCU disables the system because of failed TPS65381x-Q1 diagnostics
Detection and Protection:
  • All MCU-to-TPS65381x-Q1 interconnect diagnostics fail and the MCU software can decide to disable the system

Fault 11: TPS65381x-Q1 ERROR/WDI pin short or open
Impact:
  • An MCU error is detected
  • An MCU reset is asserted and the system is disabled
Detection and Protection:
  • The MCU runs diagnostics on the ERROR/WDI pin after a power-up event in either watchdog trigger mode or MCU ESM. The MCU detects a short or open and the MCU software can decide to disable the system.
  • The TPS65381x-Q1 device in either watchdog trigger mode or MCU ESM detects an error in the ACTIVE state and transitions the device to the RESET or SAFE state, which drives the ENDRV pin low to bring the system to a safe state.

Fault 12: MCU locks
Impact:
  • The MCU is powered-down and the system is disabled
Detection and Protection:
  • TPS65381x-Q1 detects a watchdog and/or MCU ESM failure
  • For a watchdog failure when WD_RST_EN is set to 1, the device will transition to the RESET state (NRES and ENDRV pins low)
  • For an MCU ESM failure the device transitions to the SAFE state (ENDRV pin is low); depending on the configuration of the TPS65381x-Q1 and the DEV_ERR_CNT, the device may transition to the RESET state (NRES and ENDRV pins are low), remain locked in the SAFE state (ENDRV pin is low) or transition to the STANDBY state (power off, NRES and ENDRV pins are low).

Fault 13: TPS65381x-Q1 SPI short or open
Impact:
  • The MCU is powered-down and the system is disabled
Detection and Protection:
  • The MCU detects a lack of communication or incorrect communication with the TPS65381x-Q1 device
  • The TPS65381x-Q1 SPI error flags are read by the MCU, the MCU software takes appropriate action
  • Q&A mode watchdog failure would be detected. For a watchdog failure when WD_RST_EN is set to 1, the device will transition to the RESET state (NRES and ENDRV pins low)
  • If these faults cause a device transition to the SAFE state (ENDRV pin is low), depending on the configuration of the TPS65381x-Q1 and the DEV_ERR_CNT, the device may transition to the RESET state (NRES and ENDRV pins are low), remain locked in the SAFE state (ENDRV pin is low) or transition to the STANDBY state (power off, NRES and ENDRV pins are low).

Fault 14: I/O supply short or open
Impact:
  • In case of a short to GND:
    • The MCU is in reset or powered-down and the system is disabled
    • The VDD3/5 regulator is disabled
  • In case of an open:
    • The MCU is powered-down and the system is disabled
Detection and Protection:
  • Diagnostics and monitoring detects the VDD3/5 or VDD1 short to GND:
    • VDD3/5 current limit is applied
    • VDD3/5 UV detected and power-stages are disabled (the ENDRV pin is driven low), the device transitions to the RESET state (NRES and ENDRV pins low)
    • With VDD3/5 current limit, eventually an overtemperature condition may occur and disable VDD3/5 or transition the TPS65381x-Q1 to the STANDBY state (unpowered, NRES and ENDRV pins low)
    • VDD1 UV detected, the TPS65381x-Q1 device transitions to the RESET state when the NMASK_VDD1_UV_OV bit is 1 (NRES and ENDRV pins low)
  • Diagnostics and monitoring detects a VDD3/5 or VDD1 open fault:
    • The MCU is not responsive and a watchdog or MCU ESM failure is detected. For an MCU ESM failure the device transitions to the SAFE state (ENDRV pin is low); depending on the configuration of the TPS65381x-Q1 and the DEV_ERR_CNT, the device may transition to the RESET state (NRES and ENDRV pins are low), remain locked in the SAFE state (ENDRV pin is low) or transition to the STANDBY state (power off, NRES and ENDRV pins are low).

(1) CAN PHY enable signal can be the same as MCU power-on reset driven by the TPS65381x-Q1 device.
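
The MCU-side checks that Table 7-1 assigns to software (Faults 2, 3, 6, 7 and 13) can be combined into one triage routine. The C code below is an added example, not taken from the safety manual or from TI software: the struct, enum and function names are hypothetical, and the flags are assumed to be filled in by an SPI driver and GPIO/CAN layers, because register addresses and bit positions are not given on this page.

```c
#include <stdbool.h>
#include <stdint.h>

/* Inputs the MCU gathers. Bit names come from Table 7-1; the struct is a
 * hypothetical container filled by drivers that are assumed to exist. */
struct pmic_inputs {
    bool spi_ok;            /* SPI transfer succeeded, no SPI error flags  */
    bool vdd5_uv;           /* VDD5_UV bit                                 */
    bool vsout1_uv;         /* VSOUT1_UV bit                               */
    bool vsout1_ov;         /* VSOUT1_OV bit                               */
    bool endrv_err;         /* ENDRV_ERR bit (pin read-back mismatch)      */
    bool can_en_sense_ok;   /* dedicated GPIO sees CAN PHY enable asserted */
    bool can_traffic_seen;  /* at least one frame seen from another ECU    */
};

/* Table 7-1 rows this triage can tell apart (hypothetical names). */
enum { ROW_F2 = 1u << 0, ROW_F3_SHORT = 1u << 1, ROW_F3_OPEN = 1u << 2,
       ROW_F6 = 1u << 3, ROW_F7 = 1u << 4, ROW_F13 = 1u << 5 };
/* MCU reactions the table names for those rows. */
enum { ACT_SENSOR_SUPPLY_OFF = 1u << 0, ACT_POWER_STAGES_OFF = 1u << 1,
       ACT_SECOND_SAFING_PATH = 1u << 2 };

struct triage { uint32_t rows; uint32_t actions; };

struct triage pmic_triage(const struct pmic_inputs *in, bool sensor_data_required)
{
    struct triage t = { 0, 0 };

    if (!in->spi_ok) {          /* Fault 13: status bits cannot be trusted, */
        t.rows = ROW_F13;       /* so nothing else is decoded from them     */
        return t;
    }
    if (in->endrv_err) {        /* Fault 6: ENDRV may be stuck high */
        t.rows |= ROW_F6;
        t.actions |= ACT_SECOND_SAFING_PATH;
    }
    if (in->vsout1_uv || in->vsout1_ov) {   /* Fault 7 */
        t.rows |= ROW_F7;
        t.actions |= ACT_SENSOR_SUPPLY_OFF;
        if (sensor_data_required)           /* "if necessary" in the table */
            t.actions |= ACT_POWER_STAGES_OFF;
    }
    if (in->vdd5_uv)            /* Fault 3: CAN supply shorted to GND */
        t.rows |= ROW_F3_SHORT;
    if (!in->can_en_sense_ok)   /* Fault 2: CAN enable line short or open */
        t.rows |= ROW_F2;
    /* Fault 3 (open): bus silence that no other CAN-related flag explains */
    if (!in->can_traffic_seen && !(t.rows & (ROW_F2 | ROW_F3_SHORT)))
        t.rows |= ROW_F3_OPEN;
    return t;
}
```

Faults that take the device to the RESET or STANDBY state are absent on purpose: per the text above, the MCU is held in reset or unpowered in those states and cannot run this routine.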