SFFSAY3 January 2026 F29H850TU, F29H859TU-Q1, TMCS1123, TMCS1123-Q1, TPS650362-Q1, TPS650365-Q1

Functional Safety Concept

After the FuSa goal has been established, the next phase is to develop the functional safety concept (FSC). The system block diagram is shown in Figure 2-5; it is one level deeper than the block diagram used in the item definition. The objective is to define the sub-functional elements and their interconnections on preliminary architecture diagrams.

Figure 2-5 FSR Level System Block Diagram

To simplify the analysis, SG2 is chosen as an example. Figure 2-6 is the one-level-deeper block diagram related to SG2, and the related sub-functional elements and interactions are defined in Table 2-9.

Figure 2-6 FSR Level System Block Diagram of SG2
Table 2-9 Sub-functional Elements and Interactions of SG2
Element ID | Element Name | Description
E1 | DC output current measurement circuit | Measures the OBC output current for both constant-current control and overcurrent protection.
E2 | AC input current measurement circuit | Measures the OBC input current for AC current control and overcurrent protection.
E3 | Microcontroller circuit | Executes the charger control algorithm, monitors sensor data, generates PWM signals, and communicates with the vehicle's BMS/VCU.
E4 | Gate driver circuit | Provides the voltage and high-current drive signals required by the power switches.
E5 | TPLD circuit | Programmable logic device that implements the power-switch turn-off sequence with combinational logic.
E6 | CAN transceiver circuit | Exchanges status and diagnostic information with the BMS/VCU.
E7 | PMIC circuit | Provides the power supply to key devices and voltage monitoring for key voltage rails. This also provides an external watchdog and error-pin monitor for the MCU.
E8 | Temperature measurement circuit | Monitors the power-switch junction temperature, the transformer temperature and the ambient temperature of the converter.

FTA is performed to generate the FSRs of SG2. The FTA is structured in three steps. The first step is to create the fault tree with the violation of SG2 as the top event; the second step is to derive each potential malfunction of the defined sub-functional elements that leads to the top event; the third step is to use logic gates to represent the relationships between the events.

Following the above steps, the FTA tree is illustrated in Figure 2-7. Critical failure paths must be identified for cut set analysis. If a single-point fault (SPF) directly violates the FuSa goal, an FSR must be defined; if the SPF does not directly violate the FuSa goal, it is necessary to determine whether the resulting dual-point failure is acceptable and to analyze the independence of the two faults.

For the FTA of the SG, the analysis at the FSR level can be terminated at the component, while a more detailed analysis must be carried out at the TSR level. As shown in Figure 2-7, if there is abnormal current sensing, a control malfunction, or a power supply issue, SG2 is violated. Each of these branches can then be broken down into different components.

  • Incorrect current sensing can be caused by a fault in the current sensor, or by any fault in the discrete comparator used for overcurrent protection.
  • An incorrect control command can be caused by many components: by the communication with the VCU (an incorrect charging command, or failure to report the fault state), by incorrect control signals from the MCU, by an incorrect driving waveform from the gate driver, or by any fault in the discrete logic components in the fault reaction path.
  • A fault in the power supply can cause the malfunction of key components, including the MCU, gate driver, sensors and voltage references.
Figure 2-7 The FTA Tree Example of SG2

Cut set analysis is a logical analysis that determines the combinations of gates/events which cause the top event to occur.

  • 1-order cut set. A single event is sufficient for the top event to occur. These events are transformed into an FSR with an FTTI requirement.
  • 2-order cut set. Two events occurring at the same time lead to the top event. These events are transformed into an FSR with an MPFHTI requirement.
  • Cut set of order higher than 2. More than two events must occur at the same time for the top event to occur. These events are not transformed into an FSR.
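A small worked example of the cut set step, added here and not part of the application note: it extracts the minimal cut sets of an AND/OR fault tree built from the SG2 branches described above and classifies each cut set by its order into the FSR requirement types listed. The basic-event names, and the second tree variant in which the comparator is modelled as an independent safety mechanism behind an AND gate, are constructed assumptions rather than the content of Figure 2-7.

```python
# Added example (not from the TI application note): minimal cut sets of a
# small AND/OR fault tree, classified by order into the FSR categories the
# text describes (1-order -> FTTI, 2-order -> MPFHTI, higher -> no FSR).
from itertools import product

# A gate is ("OR" | "AND", [children]); a basic event is a plain string.


def minimize(sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node):
    """Return the minimal cut sets of a fault tree as a set of frozensets."""
    if isinstance(node, str):                      # basic event
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":                               # any child failing suffices
        result = set().union(*child_sets)
    elif kind == "AND":                            # one cut set from every child
        result = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type: {kind}")
    return minimize(result)


def classify(sets):
    """Map each cut set (sorted tuple of events) to the FSR requirement type."""
    labels = {1: "FSR with FTTI requirement", 2: "FSR with MPFHTI requirement"}
    return {tuple(sorted(s)): labels.get(len(s), "no FSR") for s in sets}


# Fault tree for SG2 as the text describes Figure 2-7 (event names constructed).
CONTROL_BRANCH = ("OR", ["VCU communication fault", "MCU control signal fault",
                         "gate driver waveform fault",
                         "fault-path discrete logic fault"])
SG2_TREE = ("OR", [
    ("OR", ["current sensor fault", "OC comparator fault"]),   # incorrect sensing
    CONTROL_BRANCH,                                            # incorrect control
    "bias supply fault",                                       # power supply issue
])

# Constructed variant (assumption): the OC comparator is an independent safety
# mechanism, so sensing only fails if sensor AND comparator fail -> 2-order set.
SG2_TREE_WITH_SM = ("OR", [
    ("AND", ["current sensor fault", "OC comparator fault"]),
    CONTROL_BRANCH,
    "bias supply fault",
])

if __name__ == "__main__":
    for events, req in sorted(classify(cut_sets(SG2_TREE_WITH_SM)).items()):
        print(f"{' AND '.join(events):55s} -> {req}")
```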

Each FSR must be assigned to the logical block that is responsible for its implementation. Where an FSR spans more than one block, all relevant subsystems must be listed. Table 2-10 lists the concise set of FSRs that underpin the goal "Avoid vehicle fire due to DC bus overcurrent".

Table 2-10 Example FSRs for SG2
SG2: Avoid vehicle fire due to DC bus overcurrent.
ID | FSR | Safe state | Allocation | ASIL | Traced to
FSR 2.1 | DC-bus current sensing system shall perform accurate current measurement. | Assert the OC flag to MCU. | E1 and SW | B | GT4
FSR 2.2 | TCAN shall perform correct communication between OBC and VCU. | Transmit OC status to VCU. | E6 and SW | B | GT6
FSR 2.3 | MCU shall perform correct control scheme. | Switch to emergency operation mode. | E3 and SW | B | GT7
FSR 2.4 | Gate drivers shall drive the power switches correctly. | Disable power switches. | E4 | B | GT8
FSR 2.5 | Bias supply shall provide reliable voltage to key components. | Provide reliable voltage rail. | E7 | B | GT3