SFFSAY3 January 2026 F29H850TU, F29H859TU-Q1, TMCS1123, TMCS1123-Q1, TPS650362-Q1, TPS650365-Q1


  2.   Abstract
  3.   Trademarks
  4. 1 Introduction
    1. 1.1 Background
    2. 1.2 HW/SW FuSa Analysis Process
      1. 1.2.1 Item Definition
      2. 1.2.2 Functional Safety Goal
      3. 1.2.3 Functional Safety Concept
      4. 1.2.4 Technical Safety Concept
      5. 1.2.5 HW/SW Safety Requirement
      6. 1.2.6 Dependent‑failure Analysis
    3. 1.3 TI Collaterals
      1. 1.3.1 TI Components Category
      2. 1.3.2 FuSa Collaterals for Safety MCU
  5. 2 FuSa Concepts of OBC System
    1. 2.1 Item Definition
      1. 2.1.1 Item Functions
      2. 2.1.2 System Boundaries
      3. 2.1.3 External Interfaces
      4. 2.1.4 Operation Modes
    2. 2.2 Functional Safety Goal
    3. 2.3 Functional Safety Concept
    4. 2.4 Technical Safety Concept
    5. 2.5 HW/SW Safety Requirement
    6. 2.6 Dependent‑Failure Analysis
  6. 3 FuSa Components of OBC System
    1. 3.1 Components Overview
    2. 3.2 Microcontroller
      1. 3.2.1 CPU
      2. 3.2.2 ADC Sample
      3. 3.2.3 PWM Generation
      4. 3.2.4 CMPSS
      5. 3.2.5 Data Transmission
      6. 3.2.6 Fault Signal Monitor and Safe State Control
    3. 3.3 Power Management IC
      1. 3.3.1 MCU Monitor
      2. 3.3.2 Shutdown Sequence
      3. 3.3.3 Power Supply
    4. 3.4 System Basis Chips
      1. 3.4.1 CAN Communication
      2. 3.4.2 Supply Voltage Rail Monitoring
      3. 3.4.3 SPI/Processor Communication
      4. 3.4.4 Device Internal EEPROM
    5. 3.5 Power Supply and Supervisor
    6. 3.6 Gate Driver
    7. 3.7 Voltage Sensor
    8. 3.8 Current Sensor
    9. 3.9 Temperature Sensor
  7. 4 Summary
  8. 5 References

HW/SW Safety Requirement

After the TSRs have been established, the next phase is to refine them into hardware safety requirements (HSRs) and software safety requirements (SSRs). Each HSR/SSR inherits the ASIL-B of its parent TSR and must respect the FTTI imposed by the most restrictive FSR in the group. The HSRs define the hardware characteristics that must be built into the current-sense front end; the SSRs define the software actions that must be performed on the measured signal to satisfy the timing and detection criteria.

According to Table 2-12, the current sensor must be able to indicate a short-circuit condition with sufficient bandwidth or response time, and must also include a self-diagnosis function. For these reasons, the TMCS1133-Q1 was selected as the current sensor in the OBC application; it is placed at the input side of the PFC stage and at the output side of the DC/DC stage. The pin diagram is shown in Figure 2-10. An alternative shunt-based current sensing method may also be used, but in that case the HSRs and SSRs differ and are not covered in this document.

Figure 2-10 Pin Diagram of TMCS1133-Q1

In Table 2-12, TSR-CS-1, TSR-CS-2 and TSR-CS-3 are allocated to the current sensor, and TSR-CS-4 and TSR-CS-5 are allocated to the MCU. Table 2-13 and Table 2-14 give example HSRs and SSRs that realize these TSRs, traced to FSR 2.1.

Table 2-13 Example of HSR for TSRs Traced to FSR 2.1
| ID | HSR | ASIL | Traced to |
|---|---|---|---|
| HSR-CS-1A | Hall sensor shall have > 200 kHz bandwidth, and the VOUT filter shall also have a > 200 kHz cutoff frequency. | B | TSR-CS-1 |
| HSR-CS-1B | Hall sensor shall have at least a 40 A sensing range. | B | TSR-CS-1 |
| HSR-CS-2A | Hall sensor shall have an ALERT (fault) pin for self-test diagnostics and shall report faults to the MCU within 100 ms. | B | TSR-CS-2 |
| HSR-CS-2B | Hall sensor ALERT pin shall connect to the MCU to report faults. | B | TSR-CS-2 |
| HSR-CS-3A | Hall sensor VOC pin shall set the OC threshold 20% higher than the maximum current. | B | TSR-CS-3 |
| HSR-CS-3B | Hall sensor OC pin shall assert the OC flag within 0.5 µs when an overcurrent is detected. | B | TSR-CS-3 |
| HSR-CS-3C | Hall sensor OC filter shall have a > 1 MHz cutoff frequency. | B | TSR-CS-3 |
| HSR-CS-4A | The VOUT of the current sensor on the AC side shall be connected to an independent MCU ADC channel. | B | TSR-CS-4 |
Table 2-14 Example of SSR for TSRs Traced to FSR 2.1
| ID | SSR | ASIL | Traced to |
|---|---|---|---|
| SSR-CS-1A | MCU shall sample the hall sensor output at 100 kHz. | B | TSR-CS-1 |
| SSR-CS-1B | MCU shall implement power-on hall sensor offset calibration. | B | TSR-CS-1 |
| SSR-CS-2A | MCU shall identify the different kinds of alert from the duty cycle of the ALERT signal. | B | TSR-CS-2 |
| SSR-CS-2B | MCU shall perform a plausibility check if a sensor alert is detected. | B | TSR-CS-2 |
| SSR-CS-4A | MCU shall run a plausibility check algorithm at 10 kHz that computes the absolute difference of the two sensor readings. | B | TSR-CS-4 |
| SSR-CS-4B | MCU shall assert the hardware fault within 2 ms if the difference exceeds 20% for three consecutive samples. | B | TSR-CS-4 |
| SSR-CS-5A | MCU shall set the software OC threshold 10% higher than the maximum current. | B | TSR-CS-5 |
| SSR-CS-5B | MCU shall perform OC detection with the CMPSS module on the ADC input signal. | B | TSR-CS-5 |
| SSR-CS-5C | MCU shall disable the PWM outputs in the specified sequence if an OC is detected. | B | TSR-CS-5 |
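The C module below is an added illustrative example, not TI software and not part of the original document. It shows one way the MCU-side requirements SSR-CS-1B, SSR-CS-4A/4B and SSR-CS-5A could be implemented as portable, testable code. It assumes that the "20%" tolerance of SSR-CS-4B is relative to the maximum current (taken here as the 40 A range of HSR-CS-1B), that the second reading is the independent current measurement implied by TSR-CS-4, and that ADC conversion and the SSR-CS-5C PWM shutdown sequence are supplied by platform code through the `safe_state_fn` hook. All identifiers are the example's own.

```c
/*
 * Added illustrative example (not TI code): software safety mechanisms for the
 * TMCS1133-Q1 current-sense channel, following SSR-CS-1B, SSR-CS-4A/4B and
 * SSR-CS-5A of Table 2-14. Hardware access (ADC reads, PWM trip) is abstracted
 * behind a caller-supplied hook; limits are taken from the tables or are
 * assumptions marked as such.
 */
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define I_MAX_A          40.0f            /* maximum current, assumed equal to the HSR-CS-1B range */
#define PLAUS_RATE_HZ    10000u           /* SSR-CS-4A: plausibility check rate */
#define PLAUS_CONSEC     3u               /* SSR-CS-4B: consecutive mismatches before fault */
#define PLAUS_TOL_A      (0.20f * I_MAX_A) /* SSR-CS-4B: "20%" assumed relative to I_MAX_A */
#define SW_OC_THRESH_A   (1.10f * I_MAX_A) /* SSR-CS-5A: software OC 10% above maximum current */
#define SSR_CS_4B_DEADLINE_US 2000u       /* SSR-CS-4B: fault must be asserted within 2 ms */

typedef void (*safe_state_fn)(void);      /* platform hook: SSR-CS-5C PWM shutdown sequence */

typedef struct {
    float         offset_a;      /* power-on zero-current offset, amps (SSR-CS-1B) */
    uint32_t      mismatch_cnt;  /* consecutive out-of-tolerance samples */
    bool          fault;         /* latched hardware fault (SSR-CS-4B) */
    safe_state_fn safe_state;    /* called once when the fault latches; may be NULL */
} cs_monitor_t;

/* SSR-CS-1B: estimate the sensor offset as the mean of n samples taken at zero current. */
float cs_calibrate_offset(const float *zero_current_samples_a, size_t n)
{
    double sum = 0.0;
    for (size_t i = 0; i < n; i++) sum += zero_current_samples_a[i];
    return (n != 0) ? (float)(sum / (double)n) : 0.0f;
}

void cs_monitor_init(cs_monitor_t *m, float offset_a, safe_state_fn hook)
{
    m->offset_a = offset_a;
    m->mismatch_cnt = 0;
    m->fault = false;
    m->safe_state = hook;
}

/* Worst-case detection latency of the plausibility check in microseconds:
 * PLAUS_CONSEC samples at PLAUS_RATE_HZ. Compare against SSR_CS_4B_DEADLINE_US. */
uint32_t cs_plausibility_latency_us(void)
{
    return PLAUS_CONSEC * (1000000u / PLAUS_RATE_HZ);
}

/* SSR-CS-4A/4B: call at PLAUS_RATE_HZ with the raw hall-sensor reading and the
 * independent second current reading (both in amps). Returns true once the
 * fault is latched, i.e. after PLAUS_CONSEC consecutive mismatches above PLAUS_TOL_A. */
bool cs_plausibility_step(cs_monitor_t *m, float i_hall_raw_a, float i_ref_a)
{
    if (m->fault) return true;                   /* latched: remain in the safe state */
    float i_hall_a = i_hall_raw_a - m->offset_a; /* apply SSR-CS-1B offset correction */
    if (fabsf(i_hall_a - i_ref_a) > PLAUS_TOL_A) {
        if (++m->mismatch_cnt >= PLAUS_CONSEC) {
            m->fault = true;
            if (m->safe_state) m->safe_state();
        }
    } else {
        m->mismatch_cnt = 0;                     /* one in-tolerance sample resets the debounce */
    }
    return m->fault;
}

/* SSR-CS-5A: software overcurrent check on the offset-corrected reading. */
bool cs_software_oc(const cs_monitor_t *m, float i_hall_raw_a)
{
    return fabsf(i_hall_raw_a - m->offset_a) > SW_OC_THRESH_A;
}
```

At 10 kHz, three consecutive mismatches latch the fault after 300 µs, which `cs_plausibility_latency_us()` returns so that the 2 ms deadline of SSR-CS-4B is checked at test time rather than assumed. Resetting the counter on a single in-tolerance sample is deliberate: it debounces noise, so the check trips only on sustained deviation, which is exactly what a stuck or open VOUT produces.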

These are only a handful of illustrative cases. In a real OBC project, the system integrator must perform this analysis for every TSR and then proceed to the following steps.

  • Design allocation. Assign each HSR and SSR to the responsible hardware or software team.
  • Traceability matrix. Consolidate the FTA or FMEA block diagrams to link the safety goal to its FSRs, TSRs, and then HSRs and SSRs. Each HSR and SSR should be linked to its verification evidence.
  • Verification planning. Plan the verification and validation of the HSRs and SSRs, and provide test reports showing that each requirement is satisfied and that the ASIL-B safety goal is met.

In the OBC system, the ASIL level of some analog components is QM. Using QM components in an ASIL-B system is possible but requires a hardware element evaluation (ISO 26262-8, Clause 13). The evaluation demonstrates either that the QM component cannot interfere with the safety goals, or that additional safety mechanisms provide sufficient diagnostic coverage to achieve the required ASIL.

For example, the TMCS1133-Q1 is a Functional Safety-Capable component, and it is selected to meet the ASIL-B requirement. Suppose it is used on the DC output side for current sensing and overcurrent protection. TI provides the following information to support the customer's hardware element evaluation:

  • All failure modes.
  • Probability of each failure mode.
  • Effect on system safety.

All of the above can be found in the functional safety documentation of the TMCS1133-Q1; customers remain responsible for design verification, including analysis and testing. Failure modes are split into die failure modes and pin failure modes. The total component FIT rate is 62 FIT, consisting of a die FIT rate of 26 and a pin FIT rate of 36. The die failure modes and their distribution are listed in Table 2-15.

Table 2-15 TMCS1133-Q1 Die Failure Modes and Distribution
| Die Failure Mode | Failure Mode Distribution (%) |
|---|---|
| VOUT open (Hi-Z) | 5 |
| VOUT stuck (high or low) | 30 |
| VOUT functional, not in specification | 30 |
| OC false trip, failure to trip | 15 |
| ALERT false trip, failure to trip | 20 |

The pin failure modes cover the typical pin-by-pin failure scenarios:

  • Pin short-circuited to ground.
  • Pin open-circuited.
  • Pin short-circuited to an adjacent pin.
  • Pin short-circuited to supply.

Taking a pin short-circuited to ground as an example, the potential failure effects are described in Table 2-16. The failure effect class indicates how the pin condition affects the device:

  • Class A: Potential device damage that affects functionality.
  • Class B: No device damage, but loss of functionality.
  • Class C: No device damage, but performance degradation.
  • Class D: No device damage, no impact to functionality or performance.
Table 2-16 Pin FMA for Device Pins Short-circuited to Ground
| Pin Name | Pin No. | Description of Potential Failure Effects | Failure Effect Class |
|---|---|---|---|
| IN+ | 1 | For forward current, the hall sensor is bypassed, providing no signal to be sensed and amplified. If the IN+ pin is at a large potential above GND, this state results in a large amount of current being sunk. Depending upon layout and configuration, this can damage the input current system supply, the load device, or the device itself. | A |
| IN- | 2 | For reverse current, the hall sensor is bypassed, providing no signal to be sensed and amplified. If the IN- pin is at a large potential above GND, this state results in a large amount of current being sunk. Depending upon layout and configuration, this can damage the input current system supply, the load device, or the device itself. | A |
| GND | 3 | Normal operation. | D |
| ALERT | 4 | Alert is not able to trigger since ALERT is shorted to GND. | B |
| NC | 5 | Normal operation. | D |
| VOUT | 6 | Output is pulled to GND, and the output current is short-circuit limited. When left in this configuration, while VS is connected to a high-load-capable supply and for certain high-load conditions through the IN+ and IN- pins, the die temperature can approach or exceed 150°C. | A |
| OC | 7 | Alert is not able to trigger since OC is shorted to GND. | B |
| VOC | 8 | A threshold at GND means that all voltages trip the alert. As a result, the alert is stuck in active mode. | B |
| VS | 9 | Power supply is shorted to ground. | B |
| VS | 10 | Power supply is shorted to ground. | B |

Based on the safety mechanisms allocated to these failure modes, a diagnostic coverage calculation should be performed to show >90% detection. This evaluation determines whether the hardware element can adequately support the safety requirements allocated to it.
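As an added worked example (not taken from the TMCS1133-Q1 functional safety documentation, and serving both the FIT breakdown of Table 2-15 and the diagnostic coverage check above), the C code below carries out the arithmetic behind the >90% check using the 26 FIT die rate and the Table 2-15 distribution. The coverage claimed for each failure mode is a hypothetical placeholder mapped to the ISO 26262-5 diagnostic coverage classes (low 60%, medium 90%, high 99%); the project's own FMEDA must replace these with justified values, and the pin failure modes (36 FIT) must be treated in the same way. The identifiers are the example's own.

```c
/*
 * Added illustrative example (not from the TMCS1133-Q1 FuSa document): the
 * diagnostic-coverage arithmetic behind the ">90% detection" check, using the
 * die FIT rate (26 FIT) and the failure-mode distribution of Table 2-15. The
 * per-mode coverage values are hypothetical placeholders for the safety
 * mechanisms of Tables 2-13/2-14 and must be justified in the real analysis.
 */
#include <math.h>
#include <stddef.h>

/* ISO 26262-5 diagnostic coverage classes, in percent. */
enum dc_class { DC_NONE = 0, DC_LOW = 60, DC_MEDIUM = 90, DC_HIGH = 99 };

typedef struct {
    const char   *failure_mode;
    double        share_pct;   /* failure-mode distribution, Table 2-15 */
    enum dc_class claimed_dc;  /* hypothetical coverage of the allocated safety mechanism */
} die_mode_t;

#define DIE_FIT_TMCS1133_Q1  26.0  /* from the page: die 26 FIT, pin 36 FIT, total 62 FIT */
#define ASIL_B_DC_TARGET_PCT 90.0  /* single-point fault metric target for ASIL B */

/* Hypothetical allocation of safety mechanisms to the Table 2-15 failure modes. */
static const die_mode_t tmcs1133_die_modes[] = {
    { "VOUT open (Hi-Z)",                   5.0, DC_MEDIUM }, /* assumed: ADC range check on Hi-Z output */
    { "VOUT stuck (high or low)",          30.0, DC_MEDIUM }, /* assumed: SSR-CS-4A/4B plausibility check */
    { "VOUT functional, not in spec",      30.0, DC_LOW    }, /* assumed: drift inside the 20% window escapes */
    { "OC false trip, failure to trip",    15.0, DC_MEDIUM }, /* assumed: SSR-CS-5A/5B software OC path */
    { "ALERT false trip, failure to trip", 20.0, DC_LOW    }, /* assumed: SSR-CS-2B plausibility on alert */
};
#define N_DIE_MODES (sizeof tmcs1133_die_modes / sizeof tmcs1133_die_modes[0])

/* FIT attributable to one failure mode: die FIT scaled by its distribution share. */
double mode_fit(double die_fit, const die_mode_t *m)
{
    return die_fit * m->share_pct / 100.0;
}

/* Aggregate diagnostic coverage of the element, weighted by the distribution. */
double element_dc_pct(const die_mode_t *modes, size_t n)
{
    double covered = 0.0, total = 0.0;
    for (size_t i = 0; i < n; i++) {
        covered += modes[i].share_pct * (double)modes[i].claimed_dc / 100.0;
        total   += modes[i].share_pct;
    }
    return (total > 0.0) ? 100.0 * covered / total : 0.0;
}

/* Undetected FIT that remains as a residual-fault contribution to the metrics. */
double residual_fit(double die_fit, const die_mode_t *modes, size_t n)
{
    return die_fit * (1.0 - element_dc_pct(modes, n) / 100.0);
}

/* The hardware element evaluation check: aggregate coverage must reach the ASIL-B target. */
int meets_asil_b_dc_target(const die_mode_t *modes, size_t n)
{
    return element_dc_pct(modes, n) >= ASIL_B_DC_TARGET_PCT;
}
```

With the placeholder allocation above, the two modes that a 20% plausibility window only partly covers (VOUT out of specification and ALERT faults) hold the element at 75% coverage with 6.5 FIT residual, which fails the target. That is the point of running the arithmetic: it shows which failure modes need a stronger mechanism (for example a tighter plausibility window or an independent ALERT self-test) before the ASIL-B claim can be made.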

Finally, the development team has a complete, traceable, and verifiable set of concrete safety requirements that can be implemented in the single-stage OBC and reviewed during ISO 26262:2018 audits.