This document is a functional safety manual for the Texas Instruments TPS3704x-Q1 component. The specific orderable part numbers supported by this functional safety manual are as shown in the device naming convention. For non automotive grade parts remove the -Q1 from the device name.
This functional safety manual provides information needed by system developers to help in the creation of a functional safety system using a TPS3704x-Q1 component. This document includes:
The following information is documented in the TPS3704x-Q1 Functional Safety Analysis Report and is not repeated in this document:
The following information is documented in the TPS3704x-Q1 Functional Safety Report, and is not repeated in this document:
The user of this document should have a general familiarity with the TPS3704x-Q1 component. For more information, refer to the TPS3704x-Q1 data sheet. This document is intended to be used in conjunction with the pertinent data sheets, technical reference manuals, and other component documentation.
For information that is beyond the scope of the listed deliverables, contact your TI sales representative or go to https://www.ti.com/technologies/functional-safety/overview.html.
TI E2E™ is a trademark of Texas Instruments.
All trademarks are the property of their respective owners.
This section summarizes the component functional safety capability.
This hardware component:
For functional safety development, it is necessary to manage both systematic and random faults. Texas Instruments follows a new-product development process for all of its components which helps to decrease the probability of systematic failures. This new-product development process is described in Section 3.1. Components being designed for functional safety applications will additionally follow the requirements of TI's functional safety development process, which is described in Section 3.2.
Texas Instruments has been developing components for automotive and industrial markets since 1996. Automotive markets have strong requirements regarding quality management and product reliability. The TI new-product development process features many elements necessary to manage systematic faults. Additionally, the documentation and reports for these components can be used to assist with compliance to a wide range of standards for customer’s end applications including automotive and industrial systems (e.g., ISO 26262-4, IEC 61508-2).
This component was developed using TI’s new product development process which has been certified as compliant to ISO 9001 / IATF 16949 as assessed by Bureau Veritas (BV).
The standard development process breaks development into phases:
Figure 3-1 shows the standard process.
The TI functional safety development flow derives from ISO 26262 and IEC 61508 a set of requirements and methodologies to be applied to semiconductor development. This flow is combined with TI's standard new product development process to develop TI functional safety components. The details of this functional safety development flow are described in the TI internal specification - SafeTI Functional Safety Hardware.
Key elements of the TI functional safety-development flow are as follows:
Table 3-1 lists these functional safety development activities which are overlaid atop the standard development flow in Figure 3-1.
Refer to Appendix B for more information about which functional safety lifecycle activities TI performs.
The customer facing work products derived from this TI functional safety process are applicable to many other functional safety standards beyond ISO 26262 and IEC 61508.
Assess | Plan | Create | Validate | Sustain and End-of-Life |
---|---|---|---|---|
Determine if functional safety process execution is required | Define component target SIL/ASIL capability | Develop component level functional safety requirements | Validate functional safety design in silicon | Document any reported issues (as needed) |
Nominate a functional safety manager | Generate functional safety plan | Include functional safety requirements in design specification | Characterize the functional safety design | Perform incident reporting of sustaining operations (as needed) |
End of Phase Audit | Verify the functional safety plan | Verify the design specification | Qualify the functional safety design (per AEC-Q100) | Update work products (as needed) |
 | Initiate functional safety case | Start functional safety design | Finalize functional safety case | |
 | Analyze target applications to generate system level functional safety assumptions | Perform qualitative analysis of design (i.e. failure mode analysis) | Perform assessment of project | |
 | End of Phase Audit | Verify the qualitative analysis | Release functional safety manual | |
 | | Verify the functional safety design | Release functional safety analysis report | |
 | | Perform quantitative analysis of design (i.e. FMEDA) | Release functional safety report | |
 | | Verify the quantitative analysis | End of Phase Audit | |
 | | Iterate functional safety design as necessary | | |
 | | End of Phase Audit | | |
The following figures are Block Diagrams showing the components for single-channel, dual-channel, triple-channel, and quadruple-channel devices.
The TPS3704x-Q1 component is targeted at general-purpose functional safety applications. This is called Safety Element out of Context (SEooC) development according to ISO 26262-10. In this case, the development is done based on assumptions on the conditions of the semiconductor component usage, and then the assumptions are verified at the system level. This method is also used to meet the related requirements of IEC 61508 at the semiconductor level. This section describes some of the target applications for this component, the component safety concept, and then describes the assumptions about the systems (also known as Assumptions of Use or AoU) that were made in performing the safety analysis.
Example target applications include, but are not limited to, the following:
Figure 4-5 shows a generic block diagram for an automotive system. This diagram is only an example and may not represent a complete system.
Figure 4-6 shows a generic block diagram for an industrial system. This diagram is only an example and may not represent a complete system.
TPS3704x is used to monitor rails for systems such as camera systems, rain sensors, display systems etc.
It monitors each rail for overvoltage and undervoltage faults. The fault thresholds are defined by the voltage level of the rail being monitored and by the absolute maximum and minimum levels of the SOC, interface and memory that must not be exceeded. The basic functional safety assumption is that if an absolute maximum or minimum limit is violated, the system can operate in an undefined state, which could violate safety goals and lead to hazards.
If an overvoltage or undervoltage fault occurs, the RESETx pin associated with that SENSEx pin is asserted low. In normal operation on power up, the RESETx pin goes high after the startup delay (tSTRT) plus the reset delay (tD). The functional safety concept is that when a fault is detected the RESETx pin goes low within the propagation delay (tPD). This RESETx pin is connected to an NMI (non-maskable interrupt) of the microcontroller or SOC. Figure 4-7 shows that once the microcontroller receives the NMI, it takes action to trigger the safe state for the system.
In summary, the basic premise of the functional safety concept is to detect overvoltage and/or undervoltage faults and perform a system reset to put the system in a safe state. The RESETx output can be connected to any input that is responsible for taking the system to a safe state. In Figure 4-7 it goes to an NMI of a microcontroller. In some system implementations it may trigger the system safe state directly.
Once the system is in a safe state, the sequence of events required to take it out of the safe state should also be defined.
Depending on the type of system, it may sometimes be required to perform a power reboot to clear the safe state, or the safe state can be cleared automatically once the fault that caused the RESET is gone (i.e. the output voltage comes back within specification). Once the voltage comes back within specification, the RESETx pin is deasserted after the reset time delay.
In creating a functional Safety Element out of Context (SEooC) concept and doing the functional safety analysis, TI generates a series of assumptions on system level design, functional safety concept, and requirements. These assumptions (sometimes called Assumptions of Use) are listed below. Additional assumptions about the detailed implementation of safety mechanisms are separately located in Section 6.3.
The TPS3704x-Q1 Functional Safety Analysis was done under the following system assumptions:
TPS3704x-Q1 shall be considered in the safe state when no power is applied, or when operating in a fully functional and fault-free integrated system.
TPS3704x-Q1 shall be considered in a safe state when an Over-Voltage (OV) or Under-Voltage (UV) condition is detected on one or more sense inputs and signaled to an external host element of the system/item. The host is responsible for fault reaction and transitioning the system to a system safe state.
During integration activities these assumptions of use and integration guidelines described for this component shall be considered. Use caution if one of the above functional safety assumptions on this component cannot be met, as some identified gaps may be unresolvable at the system level.
A semiconductor component can be divided into parts to enable a more granular functional safety analysis. This can be useful to help assign specific functional safety mechanisms to portions of the design where they provide coverage ending up with a more complete and customizable functional safety analysis. This section includes a brief description of each hardware part of this component and lists the functional safety mechanisms that can be applied to each. This section is intended to provide additional details about the assignment of functional safety mechanisms that can be found in the Safety Analysis Report. The content in this section is also summarized in Appendix A.
Figure 5-1 and Figure 5-2 show the internal block diagrams of the TPS3704x-Q1 quad-channel and dual-channel devices respectively.
TPS3704x-Q1 is a family of quad, triple, dual, and single precision voltage supervisors where each channel has overvoltage and undervoltage detection capability. The TPS3704x-Q1 features a highly accurate window threshold voltage where the upper and lower thresholds can be customized for symmetric or asymmetric tolerances. The reset signal for the TPS3704x-Q1 is asserted, with a fault detection time delay (tPD = 10 μs max), when the sense voltage is outside of the overvoltage and undervoltage thresholds.
TPS3704x-Q1 includes the resistors used to set the overvoltage and undervoltage thresholds internal to the device. These internal resistors allow for lower component counts and greatly simplify the design because no additional margins are needed to account for the accuracy of external resistors. The level of integration in the TPS3704x-Q1 enables a small total solution size for any application.
The TPS3704x-Q1 is capable of monitoring any voltage rail with high resolution (VIT ≤ 0.8 V: 20 mV steps; VIT > 0.8 V: 0.5% or 20 mV steps, whichever is lower). The device includes fixed reset time delay (tD) options ranging from 20 μs to 1200 ms and can monitor up to four channels while maintaining an ultra-low IQ current of 20 μA (max).
For a functional safety critical development it is necessary to manage both systematic and random faults. The TPS3704x-Q1 component architecture includes many functional safety mechanisms, which can detect and respond to random faults when used correctly. This section of the document describes the architectural functional safety concept for each sub-block of the TPS3704x-Q1 component. The system integrator shall review the recommended functional safety mechanisms in the functional safety analysis report (FMEDA) in addition to this safety manual to determine the appropriate functional safety mechanisms to include in their system. The component data sheet or technical reference manual (if available) are useful tools for finding more specific information about the implementation of these features.
RESETx/RESETx asserts when SENSEx falls outside of the overvoltage or undervoltage threshold window. RESETx/RESETx stays asserted for the reset timeout period after SENSEx falls back within the window threshold. It is an active-low, open-drain reset output and requires an external pullup resistor. For TPS37044, RESETx/RESETx asserts when either SENSEx or SENSEx falls outside of the window threshold. The pin can be left floating if it is unused.
This section includes a description of the different types of functional safety mechanisms that are applied to the design blocks of the TPS3704x-Q1 component.
The functional safety mechanism categories are defined as follows:
This section provides a brief summary of the functional safety mechanisms available on this component.
The OTP write protection ensures that the OTP cells are only written to when necessary. Two-key security is used: fast slew-rate input pulses and a secure sequence together with the clock, with fast clocking required to enable an OTP write. OTP lock bits are set after programming, together with a checksum bit for data verification. This method prevents rewriting of the OTP in production; the checksum bit verifies data integrity.
For each sense channel n (1..4), the TPS3704x-Q1 shall assert RESET_UV when the voltage on the SENSEn pin is less than the programmed OTP_UV_VALn threshold for a time interval longer than the sense propagation delay tPD.
For each sense channel n (1..4), the TPS3704x-Q1 shall assert RESET_OV when the voltage on the SENSEn pin is greater than the programmed OTP_OV_VALn threshold for a time interval longer than the sense propagation delay tPD.
The OTP checksum bit shall be checked at system startup before latch load to confirm OTP integrity. RESET will not be released at startup if there is a checksum mismatch.
The TPS3704x-Q1 shall assert all available RESET outputs during startup and release them once the device has reached the safe active state. The host monitors the RESET outputs at startup and confirms assertion, followed by de-assertion on the expected timeline. This method can be used to detect issues with RESET pins, unexpected delays in RESET response, issues with latch logic, etc.
Table A-2 summarizes the functional safety mechanisms present in hardware or recommended for implementation in software or at the system level as described in Chapter 5. Table A-1 describes each column in Table A-2 and gives examples of what content could appear in each cell.
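The following is an added example, not TI code: a behavioural model of one TPS3704x-Q1 window-supervisor channel (tPD filtering, RESET assertion, tD hold after recovery, startup hold) together with the host-side startup check described above. The timing constants T_STRT_US and T_D_US, the thresholds, the sampled waveform and all function names are assumptions for illustration, not data-sheet values.

```c
/* Added example, not TI code: behavioural model of one TPS3704x-Q1 window
 * supervisor channel plus the host-side RESET startup check. Timing
 * constants are illustrative assumptions, not data-sheet values. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define T_STRT_US 200u  /* startup delay tSTRT (assumed) */
#define T_PD_US    10u  /* fault detection propagation delay tPD (10 us max) */
#define T_D_US    100u  /* reset time delay tD (assumed fixed option) */

typedef struct {
    uint32_t uv_mv, ov_mv;   /* OTP_UV_VALn / OTP_OV_VALn window thresholds */
    uint32_t fault_us;       /* how long SENSEn has been outside the window */
    uint32_t recover_us;     /* how long SENSEn has been back inside while RESETn is held */
    bool startup_done;
    bool reset_asserted;     /* true = RESETn driven low (active-low, open-drain) */
} channel_t;

void channel_init(channel_t *ch, uint32_t uv_mv, uint32_t ov_mv) {
    *ch = (channel_t){ .uv_mv = uv_mv, .ov_mv = ov_mv, .reset_asserted = true };
}

/* Advance one step of dt_us; t_us is the time since power-up at the end of the step. */
void channel_step(channel_t *ch, uint32_t t_us, uint32_t sense_mv, uint32_t dt_us) {
    if (t_us < T_STRT_US + T_D_US) return;        /* startup: RESETn held low (HSR2-1.1) */
    if (!ch->startup_done) { ch->startup_done = true; ch->reset_asserted = false; }
    bool in_window = sense_mv >= ch->uv_mv && sense_mv <= ch->ov_mv;
    if (!in_window) {
        ch->fault_us += dt_us;
        ch->recover_us = 0;
        if (ch->fault_us > T_PD_US) ch->reset_asserted = true;  /* HSR1-1.1 / HSR1-1.2 */
    } else {
        ch->fault_us = 0;
        if (ch->reset_asserted) {                 /* hold RESETn for tD after recovery (HSR1-1.5) */
            ch->recover_us += dt_us;
            if (ch->recover_us >= T_D_US) { ch->reset_asserted = false; ch->recover_us = 0; }
        }
    }
}

/* Run the model over a sampled SENSEn waveform; reset_out[i] is RESETn after sample i. */
void simulate(channel_t *ch, const uint32_t *sense_mv, size_t n, uint32_t dt_us, bool *reset_out) {
    for (size_t i = 0; i < n; i++) {
        channel_step(ch, (uint32_t)(i + 1) * dt_us, sense_mv[i], dt_us);
        reset_out[i] = ch->reset_asserted;
    }
}

typedef enum { STARTUP_OK, STARTUP_NOT_ASSERTED, STARTUP_RELEASED_EARLY, STARTUP_RELEASED_LATE } startup_status_t;

/* Host-side check: RESETn must be low at power-up and release within expect_us +/- tol_us.
 * An early release points at latch or delay-logic trouble, a late one at a stuck or slow pin. */
startup_status_t host_startup_check(const bool *reset, size_t n, uint32_t dt_us,
                                    uint32_t expect_us, uint32_t tol_us) {
    if (n == 0 || !reset[0]) return STARTUP_NOT_ASSERTED;
    for (size_t i = 1; i < n; i++) {
        if (!reset[i]) {
            uint32_t t = (uint32_t)(i + 1) * dt_us;
            if (t + tol_us < expect_us) return STARTUP_RELEASED_EARLY;
            return t > expect_us + tol_us ? STARTUP_RELEASED_LATE : STARTUP_OK;
        }
    }
    return STARTUP_RELEASED_LATE;  /* never released within the captured window */
}

typedef struct { startup_status_t startup; bool reset_during_glitch, reset_during_dip; uint32_t dip_release_us; } demo_t;

/* Constructed scenario: 3.3 V rail, 3.0-3.6 V window, 5 us samples. A 10 us dip (not longer
 * than tPD) is ignored; a 100 us dip asserts RESETn, which releases tD after recovery. */
demo_t run_demo(void) {
    enum { N = 200, DT = 5 };
    uint32_t sense[N]; bool reset[N]; demo_t r = {0};
    for (size_t i = 0; i < N; i++) sense[i] = 3300;
    sense[100] = sense[101] = 2500;                         /* 10 us glitch */
    for (size_t i = 110; i < 130; i++) sense[i] = 2500;     /* 100 us undervoltage */
    channel_t ch; channel_init(&ch, 3000, 3600);
    simulate(&ch, sense, N, DT, reset);
    r.startup = host_startup_check(reset, N, DT, T_STRT_US + T_D_US, 10);
    r.reset_during_glitch = reset[101] || reset[102];
    r.reset_during_dip = reset[120];
    for (size_t i = 130; i < N; i++) if (!reset[i]) { r.dip_release_us = (uint32_t)(i + 1) * DT; break; }
    return r;
}

int main(void) {
    demo_t r = run_demo();
    printf("startup=%d glitch=%d dip=%d release=%u us\n", r.startup, r.reset_during_glitch, r.reset_during_dip, r.dip_release_us);
    return 0;
}
```

With the assumed constants, the dip ends at 650 us and RESETn releases at 750 us, i.e. exactly tD later, while the startup release at tSTRT + tD = 300 us passes the host check.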
Functional Safety Mechanism | Description |
---|---|
TI Safety Mechanism Unique Identifier | A unique identifier assigned to this safety mechanism for easier tracking. |
Safety Mechanism Name | The full name of this safety mechanism. |
Safety Mechanism Category | Safety Mechanism - This test provides coverage for faults on the primary function. It may also provide coverage on another safety mechanism. Test for Safety Mechanism - This test provides coverage for faults of a safety mechanism only. It does not provide coverage on the primary function. Fault Avoidance - This is typically a feature used to improve the effectiveness of a related safety mechanism. |
Safety Mechanism Type | Can be either hardware, software, a combination of both hardware and software, or system. See Section 6.2 for more details. |
Safety Mechanism Operation Interval | The timing behavior of the safety mechanism with respect to the test interval defined for a functional safety requirement / functional safety goal. Can be either continuous, or on-demand. Continuous - the safety mechanism constantly monitors the hardware-under-test for a failure condition. Periodic or On-Demand - the safety mechanism is executed periodically, when demanded by the application. This includes Built-In Self-Tests that are executed one time per drive cycle or once every few hours. |
Test Execution Time | Time period required for the safety mechanism to complete, not including error reporting time. Note: Certain parameters are not set until there is a concrete implementation in a specific component. When component specific information is required, the component data sheet should be referenced. Note: For software-driven tests, the majority contribution of the Test Execution Time is often software implementation-dependent. |
Action on Detected Fault | The response that this safety mechanism takes when an error is detected. Note: For software-driven tests, the Action on Detected Fault may depend on software implementation. |
Time to Report | Typical time required for safety mechanism to indicate a detected fault to the system. Note: For software-driven tests, the majority contribution of the Time to Report is often software implementation-dependent. |
Hardware Safety Requirement ID | Technical Safety Requirement ID | Assumed Diagnostic Requirement (Safety Features in IC that meet corresponding system requirements) | ASIL | FTTI | Status |
---|---|---|---|---|---|
HSR1-1.1 | TSR1-1 | For each SENSEx (x=1..4) channel, the TPS3704x-Q1 shall assert CHx_UV_OUT when the voltage on the SENSEx pin is less than the programmed OTP_UV_VALx threshold for a time-interval longer than the propagation detect delay tPD. | ASIL A | 100ms | Assumed |
HSR1-1.2 | TSR1-1 | For each SENSEx (x=1..4) channel, the TPS3704x-Q1 shall assert CHx_OV_OUT when the voltage on the SENSEx pin is greater than the programmed OTP_OV_VALx threshold for a time-interval longer than the propagation detect delay tPD. | ASIL A | 100ms | Assumed |
HSR1-1.3 | TSR1-1 | The TPS3704x-Q1 shall assert each RESETn (n=1..3) output based on CHANx_OV_OUT and CHx_UV_OUT (x=1..4) dependent on device configuration. These options include: RESETn (n=from 1 to 3) matched to the same SENSEx (OV only, UV only, or Window), and two RESET outputs (RESET_OV and RESET_UV) calculated as OR(x=1..4) of all available CHx_OV_OUT and CHx_UV_OUT respectively. | ASIL A | 100ms | Assumed |
HSR1-1.4 | TSR1-1 | In the case of RESET asserted on one or more of the RESET output pins due to a voltage fault, the TPS3704x-Q1 shall remain in the active state to monitor for additional voltage faults. | ASIL A | 100ms | Assumed |
HSR1-1.5 | TSR1-1 | In the case of RESET asserted on one or more of the RESET output pins due to a voltage fault, the RESET shall remain asserted for the configured reset delay tD. | ASIL A | 100ms | Assumed |
HSR2-1.1 | TSR2-1 | The TPS3704x-Q1 shall assert all RESETn (n=1..4 depending on configuration) at startup for tSTRT and then release reset once VDD > VDD(MIN). | ASIL A | 100ms | Assumed |
A Development Interface Agreement (DIA) is intended to capture the agreement between two parties towards the management of each party’s responsibilities related to the development of a functional safety system. TI functional safety components are typically designed for many different systems and are considered to be Safety Elements out of Context (SEooC) hardware components. The system integrator is then responsible for taking the information provided in the hardware component safety manual, safety analysis report and safety report to perform system integration activities. Because there is no distribution of development activities, TI does not accept DIAs with system integrators.
TI functional safety components are products that TI represents, promotes or markets as helping customers mitigate functional safety related risks in an end application and/or as compliant with an industry functional safety standard or FS-QM. For more information about TI functional safety components, go to TI.com/functionalsafety.
TI has tailored the functional safety lifecycles of ISO 26262 and IEC 61508 to best match the needs of a functional Safety Element out of Context (SEooC) development. The functional safety standards are written in the context of the functional safety systems, which means that some requirements only apply at the system level. Since TI functional safety components are hardware or software components, TI has tailored the functional safety activities to create new product development processes for hardware and for software that makes sure state-of-the-art techniques and measures are applied as appropriate. These new product development processes have been certified by third-party functional safety experts. To find these certifications, go to TI.com/functionalsafety.
The TI functional safety products are hardware components developed as functional Safety Elements out of Context. As such, TI's functional safety activities focus on those related to management of functional safety around hardware component development. System level architecture, design, and functional safety analysis are not within the scope of TI activities and are the responsibility of the customer. Some techniques for integrating the SEooC safety analysis of this hardware component into the system level can be found in ISO 26262-11.
Functional Safety Lifecycle Activity(1) | TI Execution | Customer Execution |
---|---|---|
Management of functional safety | Yes | Yes |
Definition of end equipment and item | No | Yes |
Hazard analysis and risk assessment (of end equipment/item) | No | Yes |
Creation of end equipment functional safety concept | No. Assumptions made for internal development. | Yes |
Allocation of end equipment requirements to sub-systems, hardware components, and software components | No. Assumptions made for internal development. | Yes |
Definition of hardware component safety requirements | Yes | No |
Hardware component architecture and design execution | Yes | No |
Hardware component functional safety analysis | Yes | No |
Hardware component verification and validation (V&V) | V&V executed to support internal development. | Yes |
Integration of hardware component into end equipment | No | Yes |
Verification of IC performance in end equipment | No | Yes |
Selection of safety mechanisms to be applied to IC | No | Yes |
End equipment level verification and validation | No | Yes |
End equipment level functional safety analysis | No | Yes |
End equipment level functional safety assessment | No | Yes |
End equipment release to production | No | Yes |
Management of functional safety issues in production | Support provided as needed | Yes |
Texas Instruments has summarized what it considers the most critical functional safety work products that are available to the customer either publicly or under a nondisclosure agreement (NDA). NDAs are required to protect proprietary and sensitive information disclosed in certain functional safety documents.
Deliverable Name | Contents |
---|---|
Functional Safety Product Preview | Overview of functional safety considerations in product development and product architecture. Delivered ahead of public product announcement. |
Functional Safety Manual | User guide for the functional safety features of the product, including system level assumptions of use. |
Functional Safety Analysis Report | Results of all available functional safety analysis documented in a format that allows computation of custom metrics. |
Functional Safety Report(1) | Summary of arguments and evidence of compliance to functional safety standards. References a specific component, component family, or TI process that was analyzed. |
Assessment Certificate(1) | Evidence of compliance to functional safety standards. References a specific component, component family, or TI process that was analyzed. Provided by a 3rd party functional safety assessor. |
Changes from Revision * (April 2022) to Revision A (May 2022)
TI PROVIDES TECHNICAL AND RELIABILITY DATA (INCLUDING DATASHEETS), DESIGN RESOURCES (INCLUDING REFERENCE DESIGNS), APPLICATION OR OTHER DESIGN ADVICE, WEB TOOLS, SAFETY INFORMATION, AND OTHER RESOURCES “AS IS” AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS.
These resources are intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable standards, and any other safety, security, or other requirements. These resources are subject to change without notice. TI grants you permission to use these resources only for development of an application that uses the TI products described in the resource. Other reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims, damages, costs, losses, and liabilities arising out of your use of these resources.
TI’s products are provided subject to TI’s Terms of Sale (www.ti.com/legal/termsofsale.html) or other applicable terms available either on ti.com or provided in conjunction with such TI products. TI’s provision of these resources does not expand or otherwise alter TI’s applicable warranties or warranty disclaimers for TI products.
Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265
Copyright © 2022, Texas Instruments Incorporated