SFFSAY3, January 2026. Devices: F29H850TU, F29H859TU-Q1, TMCS1123, TMCS1123-Q1, TPS650362-Q1, TPS650365-Q1

 

Contents

  Abstract
  Trademarks
  1 Introduction
    1.1 Background
    1.2 HW/SW FuSa Analysis Process
      1.2.1 Item Definition
      1.2.2 Functional Safety Goal
      1.2.3 Functional Safety Concept
      1.2.4 Technical Safety Concept
      1.2.5 HW/SW Safety Requirement
      1.2.6 Dependent-Failure Analysis
    1.3 TI Collaterals
      1.3.1 TI Components Category
      1.3.2 FuSa Collaterals for Safety MCU
  2 FuSa Concepts of OBC System
    2.1 Item Definition
      2.1.1 Item Functions
      2.1.2 System Boundaries
      2.1.3 External Interfaces
      2.1.4 Operation Modes
    2.2 Functional Safety Goal
    2.3 Functional Safety Concept
    2.4 Technical Safety Concept
    2.5 HW/SW Safety Requirement
    2.6 Dependent-Failure Analysis
  3 FuSa Components of OBC System
    3.1 Components Overview
    3.2 Microcontroller
      3.2.1 CPU
      3.2.2 ADC Sample
      3.2.3 PWM Generation
      3.2.4 CMPSS
      3.2.5 Data Transmission
      3.2.6 Fault Signal Monitor and Safe State Control
    3.3 Power Management IC
      3.3.1 MCU Monitor
      3.3.2 Shutdown Sequence
      3.3.3 Power Supply
    3.4 System Basis Chips
      3.4.1 CAN Communication
      3.4.2 Supply Voltage Rail Monitoring
      3.4.3 SPI/Processor Communication
      3.4.4 Device Internal EEPROM
    3.5 Power Supply and Supervisor
    3.6 Gate Driver
    3.7 Voltage Sensor
    3.8 Current Sensor
    3.9 Temperature Sensor
  4 Summary
  5 References

2.2 Functional Safety Goal

Prior to conducting the HARA, the following simplifying assumptions are adopted to limit the analysis scope:

  • Item functions (Section 2.1.1): The OBC employs a single‑stage matrix‑converter topology, and primary item functions include power conversion, voltage regulation, galvanic isolation, protection, communication and diagnostics.
  • System boundaries (Section 2.1.2): Only the OBC system is in scope; the HV-LV DC‑DC converter, the PDU, and all other electronic control units are excluded.
  • External interfaces (Section 2.1.3): A single MCU controls the OBC. This MCU is dedicated solely to OBC control and interfaces with the AC inlet as well as the BMS/VCU.
  • Operation modes (Section 2.1.4): The main function is to charge the high-voltage battery, and the analysis focuses exclusively on the fast‑charge operating mode.

Once the functions, processes, and interactions of each item have been defined, the next phase is the HARA. Based on the assumptions and analyses already established, the incorrect behavior of each subsystem is examined for the potential hazard events it can give rise to, such as DC overvoltage, DC bus overcurrent and thermal failure.

Each hazard must be evaluated separately using the ISO 26262:2018 criteria of Severity (S), Exposure (E) and Controllability (C). Take thermal failure as an example:

  • Severity: The worst consequence of a thermal failure is a vehicle fire, which can cause life‑threatening or fatal injuries. Consequently, the event is assigned to S3.
  • Exposure: In the OBC usage profile, the charger is active for a moderate portion of the vehicle’s overall operating time. This corresponds to an exposure rating of E3.
  • Controllability: While the vehicle is stationary during charging, the driver can promptly interrupt the charging circuit (e.g., by disengaging the charger or opening the contactors). Therefore, the event is considered C2.

According to Table 1-3, the combination S3 – E3 – C2 corresponds to ASIL‑B, so the thermal‑failure hazard is assigned ASIL‑B.

DC bus overcurrent does not have a significant direct impact on the high-voltage battery, because the maximum charging current of the high-voltage battery is much higher than the AC charging current. However, overcurrent can cause the power devices on the OBC output side to overheat and fail as a short circuit. Following such a short-circuit failure, the high-voltage battery can drive current through a low-impedance path in the OBC, potentially resulting in severe system overheating and, in extreme cases, a vehicle fire. The exposure and controllability levels are the same as for thermal failure. According to Table 1-3, the combination S3 – E3 – C2 corresponds to ASIL‑B, so the DC bus overcurrent hazard is assigned ASIL‑B.

DC bus overvoltage can cause overvoltage breakdown of the power devices on the OBC output side, and it is also hazardous to the Li-ion cells of the high-voltage battery; either effect can lead to system overheating or even a vehicle fire. The exposure and controllability levels are the same as for thermal failure. According to Table 1-3, the combination S3 – E3 – C2 corresponds to ASIL‑B, so the DC bus overvoltage hazard is assigned ASIL‑B.

All hazard events need to be analyzed. Since this assessment is typically performed by the system integrator, the detailed evaluation of every hazard is not presented here. HAZOP is a system hazard-analysis method that provides seven guide words. Table 2-7 illustrates an example of the HARA analysis, in which the HAZOP guide word is used to phrase each malfunction behavior.

Table 2-7 Example HARA Analysis of the Single-Stage OBC

| ID | Malfunction Behavior               | Potential Vehicle Level Hazard           | S  | E  | C  | ASIL |
|----|------------------------------------|------------------------------------------|----|----|----|------|
| H1 | More thermal than expected         | Vehicle fire caused by overheating       | S3 | E3 | C2 | B    |
| H2 | More DC bus current than requested | Vehicle fire caused by OBC short-circuit | S3 | E3 | C2 | B    |
| H3 | More DC bus voltage than requested | Vehicle fire caused by OBC short-circuit | S3 | E3 | C2 | B    |
| H4 | More electrical interference       | Spurious control signals                 | S1 | E3 | C2 | QM   |

For hazard events from ASIL A to ASIL D in Table 2-7, at least one safety goal must be identified. A functional‑safety goal is a high‑level, technology‑independent statement that fulfills the safe state requirement.

Table 2-8 shows example FuSa goal entries. The FTTI value must be derived from the hazard analysis and from regulatory requirements. Take SG1 as an example: the operating temperature is 65 °C and the thermal-failure critical temperature is 155 °C. With a typical temperature rise rate of 15 °C/s, the time to reach the critical temperature is 6 s. An FTTI of 500 ms is therefore conservative, allowing early detection and intervention before a cascading failure.

Table 2-8 Example FuSa Goal of the Single-Stage OBC

| ID  | Safety Goal                                  | ASIL | Safety State                                            | FTTI               |
|-----|----------------------------------------------|------|---------------------------------------------------------|--------------------|
| SG1 | Avoid vehicle fire due to thermal failure.   | B    | OBC shutdown, and switch to emergency operation mode.   | Specified by users |
| SG2 | Avoid vehicle fire due to DC bus overcurrent. | B    |                                                         |                    |
| SG3 | Avoid vehicle fire due to DC bus overvoltage. | B    |                                                         |                    |
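As an added worked example (not TI's code and not part of this document), the following script encodes the ASIL determination behind the S/E/C ratings of Table 2-7 and the time-to-critical-temperature reasoning used for the SG1 FTTI. The ASIL matrix is ISO 26262-3:2018 Table 4 (referred to above as Table 1-3); the 50 % budget rule in `ftti_is_conservative` is an assumption of this example, not a figure from the page.

```python
from collections import namedtuple

# ISO 26262-3:2018 Table 4 (the page's Table 1-3): key = S class, inner key = E class,
# the three entries in each cell are the ASILs for C1, C2 and C3.
_ASIL_MATRIX = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# One row of Table 2-7: ID, HAZOP-style malfunction, vehicle-level hazard, S, E, C.
Hazard = namedtuple("Hazard", "hid malfunction vehicle_hazard s e c")

# The four rows of Table 2-7, re-entered here as this example's input data.
HAZARDS = [
    Hazard("H1", "More thermal than expected", "Vehicle fire caused by overheating", 3, 3, 2),
    Hazard("H2", "More DC bus current than requested", "Vehicle fire caused by OBC short-circuit", 3, 3, 2),
    Hazard("H3", "More DC bus voltage than requested", "Vehicle fire caused by OBC short-circuit", 3, 3, 2),
    Hazard("H4", "More electrical interference", "Spurious control signals", 1, 3, 2),
]

def determine_asil(s, e, c):
    """ASIL for a Severity/Exposure/Controllability triple; S0, E0 or C0 resolve to QM."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S{s}/E{e}/C{c} is outside the ISO 26262 classes")
    if 0 in (s, e, c):
        return "QM"
    return _ASIL_MATRIX[s][e].split()[c - 1]

def hazards_needing_safety_goal(hazards):
    """Every ASIL A to D hazard needs at least one safety goal; QM hazards need none."""
    return [h for h in hazards if determine_asil(h.s, h.e, h.c) != "QM"]

def safety_goal_asil(hazards):
    """A safety goal covering several hazards inherits the highest ASIL among them."""
    return max((determine_asil(h.s, h.e, h.c) for h in hazards), key=ASIL_RANK.__getitem__)

def time_to_critical_s(t_operating_c, t_critical_c, rise_rate_c_per_s):
    """Seconds from fault onset until the critical temperature; SG1: (155 - 65) / 15 = 6 s."""
    if rise_rate_c_per_s <= 0:
        raise ValueError("temperature rise rate must be positive")
    return (t_critical_c - t_operating_c) / rise_rate_c_per_s

def ftti_is_conservative(ftti_ms, t_to_critical_s, max_fraction=0.5):
    """Assumed acceptance rule, not from the page: the FTTI may use at most max_fraction
    of the time to critical, leaving headroom for detection latency plus reaction time."""
    return ftti_ms / 1000.0 <= max_fraction * t_to_critical_s
```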

The safe state requirement states the system‑wide response that must be triggered when the hazard occurs. For example, the safe state of SG1 to SG3 is that the OBC shall be switched into emergency operation mode, whose key actions are listed below. Unlike a dual-stage OBC, this single-stage architecture contains no DC‑link capacitor, so no DC-link capacitor discharge step is required.

  • Disable gate driver in sequence.
  • Open all contactors.
  • Discharge OBC output bus into safe voltage.
  • Log fault condition.