This document is a functional safety manual for the Texas Instruments TPS3704x-Q1 component. The specific orderable part numbers supported by this functional safety manual are as shown in the device naming convention. For non automotive grade parts remove the -Q1 from the device name.

This functional safety manual provides information needed by system developers to help in the creation of a functional safety system using a TPS3704x-Q1 component. This document includes:

• An overview of the component architecture
• An overview of the development process used to decrease the probability of systematic failures
• An overview of the functional safety architecture for management of random failures
• The details of architecture partitions and implemented functional safety mechanisms

The following information is documented in the TPS3704x-Q1 Functional Safety Analysis Report and is not repeated in this document:

• Summary of failure rates (FIT) of the component
• Summary of functional safety metrics of the hardware component for targeted standards (for example IEC 61508, ISO 26262, and so forth)
• Quantitative functional safety analysis (also known as FMEDA, Failure Modes, Effects, and Diagnostics Analysis) with detail of the different parts of the component, allowing for customized application of functional safety mechanisms
• Assumptions used in the calculation of functional safety metrics

The following information is documented in the TPS3704x-Q1 Functional Safety Report, and is not repeated in this document:

• Results of assessments of compliance to targeted standards

The user of this document should have a general familiarity with the TPS3704x-Q1 component. For more information, refer to the TPS3704x-Q1 data sheet. This document is intended to be used in conjunction with the pertinent data sheets, technical reference manuals, and other component documentation.

For information that is beyond the scope of the listed deliverables, contact your TI sales representative or go to https://www.ti.com/technologies/functional-safety/overview.html.

This section summarizes the component functional safety capability.

This hardware component:

• Was developed as a functional Safety Element out of Context (SEooC)
• Was developed according to the relevant requirements of IEC 61508:2010
• Was developed according to the relevant requirements of ISO 26262:2018
• Includes sufficient functional safety mechanisms for random fault integrity requirements of SIL-1
• Includes sufficient functional safety mechanisms for random fault integrity requirements of ASIL-A
• Achieves systematic integrity of SIL-3
• Achieves systematic integrity of ASIL-D
• Has passed a functional safety assessment by Texas Instruments

For functional safety development, it is necessary to manage both systematic and random faults. Texas Instruments follows a new-product development process for all of its components which helps to decrease the probability of systematic failures. This new-product development process is described in Section 3.1. Components being designed for functional safety applications will additionally follow the requirements of TI's functional safety development process, which is described in Section 3.2.

Texas Instruments has been developing components for automotive and industrial markets since 1996. Automotive markets have strong requirements regarding quality management and product reliability. The TI new-product development process features many elements necessary to manage systematic faults. Additionally, the documentation and reports for these components can be used to assist with compliance to a wide range of standards for customer’s end applications including automotive and industrial systems (e.g., ISO 26262-4, IEC 61508-2).

This component was developed using TI’s new product development process which has been certified as compliant to ISO 9001 / IATF 16949 as assessed by Bureau Veritas (BV).

The standard development process breaks development into phases:

• Assess
• Plan
• Create
• Validate

Figure 3-1 shows the standard process.

Figure 3-1 TI New-Product Development Process

The TI functional safety development flow derives from ISO 26262 and IEC 61508 a set of requirements and methodologies to be applied to semiconductor development. This flow is combined with TI's standard new product development process to develop TI functional safety components. The details of this functional safety development flow are described in the TI internal specification - SafeTI Functional Safety Hardware.

Key elements of the TI functional safety-development flow are as follows:

• Assumptions on system level design, functional safety concept, and requirements based on TI's experience with components in functional safety applications
• Qualitative and quantitative functional safety analysis techniques including analysis of silicon failure modes and application of functional safety mechanisms
• Base FIT rate estimation based on multiple industry standards and TI manufacturing data
• Documentation of functional safety work products during the component development
• Integration of lessons learned through multiple functional safety component developments, functional safety standard working groups, and the expertise of TI customers

Table 3-1 lists these functional safety development activities which are overlaid atop the standard development flow in Figure 3-1.

Refer to Appendix B for more information about which functional safety lifecycle activities TI performs.

The customer facing work products derived from this TI functional safety process are applicable to many other functional safety standards beyond ISO 26262 and IEC 61508.

The following figures are Block Diagrams showing the components for single-channel, dual-channel, triple-channel, and quadruple-channel devices.

The TPS3704x-Q1 component is targeted at general-purpose functional safety applications. This is called Safety Element out of Context (SEooC) development according to ISO 26262-10. In this case, the development is done based on assumptions on the conditions of the semiconductor component usage, and then the assumptions are verified at the system level. This method is also used to meet the related requirements of IEC 61508 at the semiconductor level. This section describes some of the target applications for this component, the component safety concept, and then describes the assumptions about the systems (also known as Assumptions of Use or AoU) that were made in performing the safety analysis.

Example target applications include, but are not limited to, the following:

• Advanced Driver Assistance System (ADAS)
• Automotive infotainment & cluster
• HEV/EV
• Body electronics and lighting
• Factory automation
• Building automoation
• Medical
• Motor Drives
• Grid infrastructure
• Wireless infrastructure
• Data center & enterprise computing

Figure 4-5 shows a generic block diagram for an automotive system. This diagram is only an example and may not represent a complete system.

Figure 4-6 shows a generic block diagram for an industrial system. This diagram is only an example and may not represent a complete system.

TPS3704x is used to monitor rails for systems such as camera systems, rain sensors, display systems etc.

It monitors each rail for over voltage and under voltage faults. The thresholds for fault setting are defined by the rail voltage level being monitored and the SOC, interface, memory abs max and min levels that should not be exceeded. The basic functional safety assumption is that if an abs max or min limit is violated the system can operate in an undefined state which could violate safety goals and lead to hazards.

If an over voltage or under voltage fault happens the RESETx pin associated with that SENSEx pin is asserted low. In normal operation on power up the RESETx pin goes high after the startup delay (tSTRT ) plus Reset delay (TD). The functional safety concept is that when a fault is detected the RESETx pin goes low within the propagation delay (Tpd). This RESETx pin is connected to an NMI (Non maskable interrupt) of the Microcontroller or SOC. In Figure 4-7 it is shown that once the microcontroller gets a NMI it then takes action to trigger the safe state for the system.

In summary the basic premise of the functional safety concept is detect overvoltage and/or under voltage faults and perform a system reset to put the system in a safe state. The RESETx output can be connected to any input that is responsible for taking the system to a safe state. In Figure 4-7 it goes to an NMI of a microcontroller. In some system implementations it may trigger the system safe state directly.

Once the system is in a safe state there should be also defined what is the sequence of events that need to happen to take it out of the safe state.

Depending on the type of system it may sometimes be required to do a power reboot to clear the safe state or it can automatically be cleared if the fault that caused the RESET is gone (i.e. the output voltage comes back within spec). Once the voltage comes back within spec the RESETx pin is deasserted after the Reset time delay.

In creating a functional Safety Element out of Context (SEooC) concept and doing the functional safety analysis, TI generates a series of assumptions on system level design, functional safety concept, and requirements. These assumptions (sometimes called Assumptions of Use) are listed below. Additional assumptions about the detailed implementation of safety mechanisms are separately located in Section 6.3.

The TPS3704x-Q1 Functional Safety Analysis was done under the following system assumptions:

• [SA_1] The external System shall determine on TPS3704x-Q1 reset signal whether transistion to safe state is needed and execute that transition.
• [SA_2] Voltage thresholds and timing requirements for TPS3704x-Q1 shall be set to match system requirements.
• [SA-3] The system shall include a voltage clamp to prevent overvoltage on the sense inputs of TPS3704x-Q1
• [SA-4] All inputs to the TPS3704x-Q1 SVS shall meet the recommended operating conditions defined in the device specification and does not exceed absolute operating conditions defined therein
• [SA-5] The operating temperature of the TPS3704x-Q1 SVS shall meet the ambient and junction temperature limits defined in the device specification
• [SA-6] All external components to the TPS3704x-Q1 SVS shall meet the electrical characteristics defined in the device specification
• [SA-7] The layout of the system board shall follow the layout guidelines as defined in the TPS3704x-Q1SVS device specification

TPS3704x-Q1 shall be considered in the safe state when no power is applied, or when operating in a fully functional and fault-free integrated system.

TPS3704x-Q1 shall be considered in a safe state when Over-Voltage (OV), Under-Voltage(UV), is detected on one or more sense inputs and signaled to an external host element of the system/item. The host is responsible for fault reaction and transitioning of the system to a system safe state.

During integration activities these assumptions of use and integration guidelines described for this component shall be considered. Use caution if one of the above functional safety assumptions on this component cannot be met, as some identified gaps may be unresolvable at the system level.

A semiconductor component can be divided into parts to enable a more granular functional safety analysis. This can be useful to help assign specific functional safety mechanisms to portions of the design where they provide coverage ending up with a more complete and customizable functional safety analysis. This section includes a brief description of each hardware part of this component and lists the functional safety mechanisms that can be applied to each. This section is intended to provide additional details about the assignment of functional safety mechanisms that can be found in the Safety Analysis Report. The content in this section is also summarized in Appendix A.

Figure 5-1 and Figure 5-2 show the internal block diagrams of the TPS3704x-Q1 quad-channel and dual-channel devices respectively.

TPS3704x-Q1 is a family of quad, triple, dual, and single precision voltage supervisor(s) where each channel has overvoltage and undervoltage detection capability. The TPS3704x-Q1 features a highly accurate window threshold voltage where the upper and lower thresholds can be customized for symmetric or asymmetic tolerances. The reset signal for the TPS3704x-Q1 is asserted, with a fault detection time delay (t_PD = 10 μs max), when the sense voltage is outside of the overvoltage and undervoltage thresholds.

TPS3704x-Q1 includes the resistors used to set the overvoltage and undervoltage thresholds internal to the device. These internal resistors allow for lower component counts and greatly simplifies the design because no additional margins are needed to account for the accuracy of external resistors. The level of integration in the TPS3704x-Q1 enables a total small solution size for any application.

The TPS3704x-Q1 is capable to monitor any voltage rail with high resolution (V_IT ≤ 0.8 V: 20 mV steps /
V_IT > 0.8 V: 0.5% or 20 mV steps whichever is lower). The device includes fixed reset time delay (t_D) options ranging from 20 μs to 1200 ms and can monitor up to four channels while maintaining an ultra-low I_Q current of 20 μA (max).

For a functional safety critical development it is necessary to manage both systematic and random faults. The TPS3704x-Q1 component architecture includes many functional safety mechanisms, which can detect and respond to random faults when used correctly. This section of the document describes the architectural functional safety concept for each sub-block of theTPS3704x-Q1 component. The system integrator shall review the recommended functional safety mechanisms in the functional safety analysis report (FMEDA) in addition to this safety manual to determine the appropriate functional safety mechanisms to include in their system. The component data sheet or technical reference manual (if available) are useful tools for finding more specific information about the implementation of these features.

RESETx/RESETx asserts when SENSEx falls outside of the over-voltage or under-voltage threshold window.
RESETx/RESETx stays asserted for the reset timeout period after SENSEx fall back within the window threshold. Active-low, open-drain reset output, requires an external pullup resistor. For TPS37044, RESETx/RESETx asserts when either SENSEx or SENSEx fall outside of the window threshold. The pin can be left floating if it is unused.

This section includes a description of the different types of functional safety mechanisms that are applied to the design blocks of the TPS3704x-Q1 component.

The functional safety mechanism categories are defined as follows:

This section provides a brief summary of the functional safety mechanisms available on this component.

SM01 - OTP Write Protection

The OTP Write Protection ensures that the OTP cells are only written to when necessary. 2 Key Security- Fast slew rate input pulses, Secure sequence along with Clock, Fast Clocking required to enable OTP write. OTP Lock bits set after programming with Checksum bit for data verification. This method prevents rewrite of OTP in production. Checksum Bit verifies data integrity.

SM02 - SENSEx UV

For each Sense channel n(1..4), the TPS3704x-Q1 shall assert RESET_UV when the voltage on the SENSEn pin is less than the programmed OTP_UV_VALn threshold for a time-interval longer than the sense propagation delay tPD.

SM03 - SENSEx OV

For each Sense channel n(1..4), the TPS3704x-Q1 shall assert RESET_OV when the voltage on the SENSEn pin is greater than the programmed OTP_OV_VALn threshold for a time-interval longer than the sense propagation delay tPD.

SM04 - Configuration Checksum

OTP Checksum bit shall be checked at system startup before latch load to confirm OTP integrity. RESET will not be released at startup if there is a checksum mismatch

SME03 - RESET verifcation at startup

The TPS3704x-Q1 Shall assert all available RESET outputs during startup and release once Device has reached Safe active state. Host to Monitor RESET outputs at startup and confirm assertion, followed by de-assertion on expected timeline. This method can be used to detect issues with RESET pins, unexpected delays in RESET reponse, Issues with Latch logic, etc.

Table A-2 summarizes the functional safety mechanisms present in hardware or recommend for implementation in software or at the system level as described in Chapter 5. Table A-1 describes each column in Table A-2 and gives examples of what content could appear in each cell.

A Development Interface Agreement (DIA) is intended to capture the agreement between two parties towards the management of each party’s responsibilities related to the development of a functional safety system. TI functional safety components are typically designed for many different systems and are considered to be Safety Elements out of Context (SEooC) hardware components. The system integrator is then responsible for taking the information provided in the hardware component safety manual, safety analysis report and safety report to perform system integration activities. Because there is no distribution of development activities, TI does not accept DIAs with system integrators.

TI functional safety components are products that TI represents, promotes or markets as helping customers mitigate functional safety related risks in an end application and/or as compliant with an industry functional safety standard or FS-QM. For more information about TI functional safety components, go to TI.com/functionalsafety.

TI has tailored the functional safety lifecycles of ISO 26262 and IEC 61508 to best match the needs of a functional Safety Element out of Context (SEooC) development. The functional safety standards are written in the context of the functional safety systems, which means that some requirements only apply at the system level. Since TI functional safety components are hardware or software components, TI has tailored the functional safety activities to create new product development processes for hardware and for software that makes sure state-of-the-art techniques and measures are applied as appropriate. These new product development processes have been certified by third-party functional safety experts. To find these certifications, go to TI.com/functionalsafety.

The TI functional safety products are hardware components developed as functional Safety Elements out of Context. As such, TI's functional safety activities focus on those related to management of functional safety around hardware component development. System level architecture, design, and functional safety analysis are not within the scope of TI activities and are the responsibility of the customer. Some techniques for integrating the SEooC safety analysis of this hardware component into the system level can be found in ISO 26262-11.

Texas instruments has summarized what it considers the most critical functional safety work products that are available to the customer either publicly or under a nondisclosure agreement (NDA). NDAs are required to protect proprietary and sensitive information disclosed in certain functional safety documents.