5.3.1 VDD6 Buck Switch-Mode Power Supply

The purpose of the VDD6 buck switch-mode power supply is to reduce the power dissipation inside the device as a preregulator. The VDD6 supply regulates from the battery voltage (main supply) range to 6 V. The VDD6 output is used as the input voltage for the VDD5, VDD3/5, VDD1, and can also be used for VSOUT1 regulator depending on the required VSOUT1 output voltage. The VDD6 supply is intended as a preregulator, therefore the output accuracy of VDD6 is less than the other integrated regulators. The VDD6 current capability is set to supply the VDD5, VDD3/5, VDD1, and VSOUT1 regulators at their respective maximum output currents. Power dissipation and thermal analysis should be performed to ensure the PCB design and thermal management can support the required power dissipation in the application.

This switch-mode power supply operates with fixed-frequency adaptive on-time control PWM. The control loop is based on a hysteretic comparator. The internal N-channel MOSFET is turned on at the beginning of each cycle if the sensed voltage on the VDD6 pin is below the hysteretic comparator threshold. When the MOSFET is turned on, it is on for a minimum of 7% duty cycle (7% of f_{clk_VDD6}). This MOSFET is turned off when the hysteretic comparator detects a voltage on the VDD6 pin above the threshold. The VDD6 regulator may skip pulses if the output voltage remains above the hysteretic comparator when the clock edge occurs. When the MOSFET is turned off, the external Schottky diode recirculates the energy stored in the inductor for the remainder of the switching period. The VDD6 regulator enters dropout mode (100% duty cycle) for a supply voltage below approximately 7 V on the VBATP pin.

The internal MOSFET is protected from excessive power dissipation by a current-limit circuit. The VDD6 regulator also shares an overtemperature protection circuit with the VDD3/5 regulator. When overtemperature is detected by this circuit, the device transitions to the STANDBY state (all regulators switched off).

Because the control loop of the VDD6 regulator is based on a hysteretic comparator, the effective capacitance on the output, and effective series resistance (ESR) of the output capacitance must be considered. The effective capacitance of the output capacitors at the operating voltage (6 V, DC bias derating), tolerance, temperature range, and lifetime must meet the effective capacitance range for VDD6 (C_VDD6). The capacitor supplier should provide the necessary derating data to calculate the effective capacitance. The hysteretic comparator also requires a specified ESR to ensure balanced operation. Typically low-ESR ceramic capacitors are used for the output, so an external resistor is required to bring the total ESR into the specified ESR range for the C_VDD6. A general guideline to achieve balanced operation is R_ESR = L / (15 × C_Effective). Using a higher-effective output capacitance allows for a lower ESR, which leads to lower-voltage ripple. Additionally, the inductance influences the system: using a lower inductance value allows for lower ESR, however, the peak inductor current will be higher.

5.3.2 VDD5 Linear Regulator

The VDD5 pin is a regulated supply of 5 V ±2% overtemperature and battery supply range. A low-ESR ceramic capacitor is required for loop stabilization. This capacitor must be placed close to the pin of the device. This output is protected against shorts to ground by a current-limit. This output also limits output-voltage overshoot during power up and during line or load transients.

On an initial IGN or CANWU power cycle, the soft-start circuit on this regulator is initiated, which is typically from 1 ms to 2 ms. This output can require a larger output capacitor to ensure that during load transients the output does not drop below the required regulation specifications.

The internal MOSFET is protected from excess power dissipation with junction-overtemperature protection. In case of an overtemperature condition in the VDD5 pin, only the VDD5 regulator switches off by clearing bit D4 in the SENS_CTRL register. To re-enable the VDD5 pin, bit D4 in the SENS_CTRL register must be set again.

5.3.3 VDD3/5 Linear Regulator

The VDD3/5 pin is a regulated supply of 3.3 V or 5 V ±2% overtemperature and battery supply range. The output voltage level is selected with the SEL_VDD3/5 pin (open pin selects 3.3 V, grounded pin selects 5 V). The state of this selection pin is sampled and latched directly at the first initial IGN or CANWU power cycle. When latched, any change in the state of this selection pin after the first initial IGN or CANWU power cycle does not change the initially selected state of the VDD3/5 regulator.

A low-ESR ceramic capacitor is required for loop stabilization. This capacitor must be placed close to the pin of the device. This output is protected against shorts to ground by a current-limit. This output also limits output-voltage overshoot during power up or during line or load transients.

On an initial IGN or CANWU power cycle, the soft-start circuit on this regulator is initiated, which is typically from 1 ms to 2 ms. This output may require a larger output capacitor to ensure that during load transients the output does NOT drop below the required regulation specifications.

The internal MOSFET is protected from excess power dissipation with a current-limit circuit and junction overtemperature protection. In case of an overtemperature in the VDD3/5 pin, the TPS65381-Q1 device enters the STANDBY state (all regulators switched-off).

5.3.4 VDD1 Linear Regulator

The VDD1 pin is an adjustable regulated supply from 0.8 V to 3.3 V. This regulator uses a ±2% reference (VDD1_SENSE). The tolerance of the external feedback resistor divider resistors have an impact to the overall VDD1 regulation tolerance. To reduce on-chip power consumption, an external power NMOS is used. The regulation loop and the command gate drive are integrated. TI recommends applying a resistor with a value of 100 kΩ to 1 MΩ between the gate and source of the external power NMOS. The VDD1 gate output is limited to prevent gate-source overvoltage stress during power up or during line or load transients.

On an initial IGN or CANWU power cycle, the soft-start circuit on this regulator is initiated, which is typically from 1 ms to 2 ms. This soft-start is meant to prevent any voltage overshoot at start-up. The VDD1 output may require larger output capacitor to ensure that during load transients the output does not drop below the required regulation specifications.

The VDD1 LDO has no current-limit and no overtemperature protection for the external NMOS FET. Therefore, supplying the VDD1 pin from the VDD6 pin is recommended (see Section 5.2). In this way, the VDD6 pin current-limit acts as current-limit for the VDD1 pin and the power dissipation is limited also. To avoid damage in the external NMOS FET, selecting the current rating of the VDD1 pin well above the maximum-specified VDD6 current-limit is recommended.

If the VDD1 regulator is not used, leave the VDD1_G and VDD1_SENSE pins open. An internal pullup device on the VDD1_SENSE pin detects the open connection and pulls up the VDD1_SENSE pin. This forces the regulation loop to bring the VDD1_G output down. This mechanism also masks the VDD1_OV flag in VMON_STAT_2 register and therefore the ENDRV pin action from a VDD1 overvoltage (OV) condition is also masked. These actions are equivalent to clearing the NMASK_VDD1_UV_OV bit in the DEV_CFG1 register to 0. This internal pullup device on the VDD1_SENSE pin also prevents a real VDD1 overvoltage on the MCU core supply in case of an open connection to the VDD1_SENSE pin, as it brings the VDD1_G pin down. Therefore, in this situation, the VDD1 output voltage is 0 V.

By default, VDD1 monitoring is disabled. If the VDD1 pin is used in the application, TI recommends to set the NMASK_VDD1_UV_OV bit in the DEV_CFG1 register to 1 when the device is in the DIAGNOSTIC state. This setting enables driving and extending the reset to the external MCU when a VDD1 undervoltage event is detected.

5.3.5 VSOUT1 Linear Regulator

The VSOUT1 regulator is a regulated supply with two separate modes: tracking mode and non-tracking mode. The mode selection occurs with the VTRACK1 pin. When the voltage applied on the VTRACK1 pin is above 1.2 V, the VSOUT1 pin is in tracking mode. When the VTRACK1 pin is shorted to ground, the VSOUT1 regulator is in non-tracking mode. This mode selection occurs during the first ramp-up of the VDDx rails and is latched after the first VDDx ramp-up is complete. Therefore, after completion of the VDDx ramp-up, any change on the VTRACK1 pin no longer affects the selected tracking or non-tracking mode.

In tracking mode, the VSOUT1 regulator tracks the input reference voltage on the VTRACK1 pin with a gain factor determined by the external resistive divider. The tracking offset between the VTRACK1 and VSFB1 pins is ±35 mV. This mode allows, for instance, the VSOUT1 output voltage to be 5 V while tracking the VDD3 (3.3-V) supply. In unity-gain feedback, the VSOUT1 output voltage can directly follow the VDD5 pin or the VDD3 pin.

In non-tracking mode, the VSOUT1 output voltage is proportional to a fixed reference voltage of 2.5 V at the VSFB1 pin, with a gain factor determined by the external resistive divider. This mode allows the VSOUT1 pin to be any factor of the internal reference voltage.

Both in tracking and non-tracking mode, the VSOUT1 output voltage must be 3.3 V or higher. The VSOUT1 regulator can track the VDD3/5 pin in 3.3-V setting within the specified limits.

The VSOUT1 regulator has a separate input supply to reduce the internal power dissipation. For an output voltage of 3.3 V or 5 V, for instance, the VDD6 supply can be used as the input supply. For an output voltage greater than 5 V, the VBATP pin can be used as the input supply. The maximum power dissipation for the internal FET must not exceed 0.6 W to avoid overtemperature (thermal shutdown).

A low-ESR ceramic capacitor is required for loop stabilization; this capacitor must be placed close to the pin of the device. This supply limits output-voltage overshoot during power up or during line or load transients.

This supply rail is intended for going outside the ECU and therefore is protected against shorts to external chassis ground by a current-limit. The supply rail can be shorted externally within the specified short circuit voltages, VSOUT1_SH. If the output can be shorted to voltages outside the specified short circuit voltage range, additional external protection is required.

The VSOUT1 regulator is disabled by default on start-up. After the NRES pin release, the MCU can enable the VSOUT1 regulator through a SPI command by setting bit D0 in the SENS_CTRL register. After this SPI command, the soft-start circuit on this regulator is initiated, which is typically from 1 ms to 2 ms. This output may require a larger output capacitor to ensure that during load transients the output does NOT drop below the required regulation specifications. Regardless of tracking or non-tracking mode, the VSFB1 pin is ramped to the desired value after completion of the soft start.

The internal MOSFET is protected from excess power dissipation with a current-limit circuit and junction-overtemperature protection. In case of an overtemperature condition in the VSOUT1 pin, only the VSOUT1 regulator is switched off by clearing bit 0 in the SENS_CTRL register. To re-enable the VSOUT1 pin, first bit 2 in the SAFETY_STAT 1 register must be cleared on read-out, and afterwards bit 0 in the SENS_CTRL register must be set again.

The VSOUT1 pin voltage can be observed by the ADC input of the MCU through the DIAG_OUT pin (see Section 5.4.9), which allows the detection of a short to any other supply prior to enabling the VSOUT1 LDO.

5.3.6 Charge Pump

The charge pump is used to generate an overdrive voltage from the VBATP supply that is used for driving the gates of the internal NMOS FETs in the VDDx and VSOUT1 supply rails. The charge pump is a hysteretic architecture, when the VCP voltage is high enough, the CP_OV bit sets and the charge pump stops pumping until the VCP voltage drops below the threshold, the CP_OV bit clears and the charge pump starts pumping again. The charge pump overdrive is provided internally to the device through the linear regulators, VCP12 and VCP17. Furthermore, this overdrive voltage can drive the gate of an external NMOS FET acting as reverse-battery protection. Such reverse-battery protection allows for lower battery voltage operation compared to a traditional reverse battery-blocking diode. When using the charge pump (VCP) to drive the gate of an NMOS for reverse battery protection, a series resistance of about 10 kΩ must be connected between the VCP pin and the gate of the NMOS FET (see Section 5.2). This series resistance is required to limit any current out of the VCP pin when the gate of the NMOS FET is driven to a negative voltage, because the absolute maximum rating of the VCP pin is limited to –0.3 V because of a parasitic reverse diode to the substrate (ground).

The charge pump requires two external capacitors, one pumping capacitor (C_pump) and one storage capacitor (C_store). To have sufficient overdrive voltage out of the charge pump even at low battery voltage, the external load current on the VCP pin must be less than 100 µA.

5.3.7 Wake-Up

The TPS65381-Q1 device has two wake-up pins: IGN and CANWU. Both pins have a wake-up threshold level from 2 V to 3 V, and a hysteresis from 50 mV to 200 mV.

The IGN wake-up pin is level-sensitive and is deglitched with the IGN_deg deglitch (filter) time. The TPS65381-Q1 device provides a power-latch function (POST_RUN) for this IGN pin, allowing the MCU to decide when to power down the TPS65381-Q1 device through SPI command. For this, the MCU must set the IGN power-latch bit 4 (IGN_PWRL) in the SPI SAFETY_FUNC_CFG register, and read the unlatched status of the deglitched (filtered) IGN pin on the SPI register, DEV_STAT, bit 0 (IGN). To enter the STANDBY state, the MCU must clear the IGN_PWRL bit. For this, the TPS65381-Q1 device must be in the DIAGNOSTIC state because this SPI register is only writable in the DIAGNOSTIC state. The IGN_PWRL bit is also cleared after a detected CANWU wake-up event. Furthermore, the TPS65381-Q1 device provides an optional transition to the RESET state after a detected IGN wake-up during POST_RUN (see Figure 5-2).

The CANWU pin is level sensitive and is deglitched with CANWU_deg (filter) time. The deglitched (filtered) CANWU wake-up signal is latched, into CANWU_L, allowing the MCU to decide when to power down the TPS65381-Q1 device through the WR_CAN_STBY SPI command.

Both the IGN and CANWU pins are high voltage pins. If the pins are connected to lines with transients, the application should provide proper filtering and protection to ensure the pins stay within the specified voltage range.

5.3.8 Reset Extension

During a power-up event, the TPS65381-Q1 device releases the reset to the external MCU through the NRES pin with a certain delay time (reset extension time) after the VDD3/5 and VDD1 pins have crossed the respective undervoltage thresholds.

This reset extension time is externally configurable with a resistor between the RESEXT pin and ground. When shorting the RESEXT pin to ground, the minimum reset extension time is typically 1.4 ms. For a 22-kΩ external resistor, the typical reset extension time is 4.5 ms.

5.4.1 Power-Up and Power-Down Behavior

Figure 5-1 shows the power-up and power-down behavior.

1. During a power-up event, the analog BIST (ABIST) begins automatically after the VDD6 rail ramps above the UV threshold. If the ABIST fails, the device transitions to the SAFE state.

2. The device may not be able to respond to MCU SPI communication during a BIST, so if the MCU boots faster than the BIST, it should wait until the BIST is complete to use SPI communication. If the ABIST, LBIST, or both fail, the device transitions to the SAFE state.

3. The level of the ENDRV pin depends on the watchdog failure counter, WD_FAIL_CNT[2:0], the ENABLE_DRV bit, and the signals shown in Figure 5-14. The MCU should only set the ENABLE_DRV bit when the WD_FAIL_CNT[2:0] counter is below 5.

Figure 5-1 Power-Up and Power-Down Behavior

1. Under slow VBAT ramp-down and when the VDD3/5 rail is configured as a 5-V rail, the NRES output can be pulled low when VBAT is at approximately 6.3 V. This occurs because of an undervoltage transient on VDD3/5 rail.

2. Under slow VBAT ramp-up and when the VDD3/5 rail is configured as a 5-V rail, the NRES output can be pulled low when VBAT is at approximately 6.6 V. This occurs because of an undervoltage transient on VDD3/5 rail.

3. Under similar conditions, undervoltage transients are observed on VDD5 and VSOUT1 rails.

Figure 5-2 IGN Power Latch and POST-RUN Reset

5.4.2 Safety Functions and Diagnostics Overview

The TPS65381-Q1 device is intended for use in automotive and industrial safety-relevant applications. The following list of monitoring and protection blocks are those that improve the diagnostic coverage and decrease the undetected fault rate:

• Voltage monitor (VMON)
• Analog built-in self-test (ABIST) diagnostics for safety analog blocks
• Logic built-in self-test (LBIST) for safety controller functions
• Loss-of-clock monitor (LCMON)
• Junction temperature monitoring for all power supplies with internal FET
• Current-limit for all power supplies
• Analog MUX (AMUX) for externally monitored diagnostics and debug
• Digital MUX (DMUX) for externally monitored diagnostics and debug
• Watchdog configurable for trigger mode (open and close window) or question and answer mode
• MCU error signal monitor (ESM) for monitoring the error output from functional safety architecture MCUs
• Controlled and protected enable output (ENDRV) for external power stages or peripheral wakeup
• Device configuration register CRC protection
• SPI command decoder with parity check
• SPI data output feedback check
• Reset circuit for initializing external MCU
• EEPROM analog trim content CRC protection
• Device state controller with SAFE state in case of detected error event

5.4.3 Voltage Monitor (VMON)

The VBAT supply voltage, all regulator outputs, and internally generated voltages are supervised by a voltage monitor module (VMON). An undervoltage or overvoltage condition is indicated by the corresponding VMON register status flag bits:

• VMON flag bit cleared to 0 when power supply is within specification
• VMON flag bit set to 1 when power supply is outside tolerance band

The monitoring occurs by undervoltage and overvoltage comparators. The reference voltage (BANDGAP_REF2) for the VMON module is independent of the system reference voltage (BANDGAP_REF1) used by the regulators. A glitch-filtering function ensures reliable monitoring without false setting of the VMON status flag bits. The complete VMON block is supplied by a separate supply pin, VBAT_SAFING.

The VMON comparator diagnostics are covered by the ABIST executed during device startup and power up or activated with the SPI command by the external MCU SPI request when the device is in the DIAGNOSTIC or ACTIVE state. Each monitored voltage rail is emulated for undervoltage and overvoltage conditions on the corresponding comparator inputs, therefore forcing the corresponding comparator to toggle multiple times (in a toggling pattern observed and checked by the ABIST controller). The monitored voltage rails themselves are not affected during this self-test, so no real undervoltage or overvoltage event occurs on any of these rails because of this self-test.

Table 5-1 lists an overview of the performed voltage monitoring. As listed in this table, an overvoltage protection is implemented for some of the internal supply rails.

5.4.4 TPS65381-Q1 Internal Error Signals

Table 5-2 lists a useful overview of the TPS65381-Q1 device internal error signals and the impact of the signals on the device behavior.

5.4.5 Loss-of-Clock Monitor (LCMON)

The LCMON detects internal oscillator failures including:

• Oscillator clock stuck high or stuck low
• Reduced clock frequency

The LCMON is enabled during a power-up event after the power-on reset (NPOR) is released. The clock monitor remains active during device normal operation (STANDBY, RESET, DIAGNOSTIC, ACTIVE, and SAFE states). In case of a clock failure:

• The device transitions to the STANDBY state.
• All regulators are disabled.
• The digital core is reinitialized.
• The reset to the external MCU is asserted low.
• The failure condition is indicated by the LOCLK bit in the SAFETY_STAT_4 register.

The LCMON has a self-test structure that is activated and monitored by an analog BIST (ABIST). The external MCU can recheck the LCMON any time when the device is in the DIAGNOSTIC state or ACTIVE state. The enabled diagnostics emulate a clock failure that causes the clock-monitor output to toggle. The clock-monitor toggling pattern is checked by the ABIST, while the external MCU can check that the loss-of-clock status bit is being set during active test. During this self-test, the actual oscillator frequency (4 MHz) is not changed because of this self-test.

5.4.6 Analog Built-In Self-Test (ABIST)

The ABIST is the controller and monitor circuit for performing self-checking diagnostics on critical analog functions:

• VMON undervoltage and overvoltage comparators
• Clock monitor (LCMON)
• EEPROM analog-trim content check (CRC protection)

During the self-test on the VMON undervoltage and overvoltage comparators, the monitored voltage rails are left unchanged, so no real undervoltage or overvoltage event occurs on any of these rails because of these self-tests. Furthermore, also during the self-check on the clock monitor, the actual oscillator frequency (4 MHz) is not changed because of this self-test.

1. For impact to the device state if any ABIST function has a FAIL, see Section 5.4.19.

Figure 5-3 Analog BIST Run States

The ABIST is activated with every device power-up event or any transition to the RESET state. The ABIST can also be run by the external MCU by setting the ABIST_EN bit in the SAFETY_BIST_CTRL register. During an ABIST run, the device cannot monitor the state of the regulated supplies, and the ENDRV pin is pulled low. The ABIST run time is approximately 300 µs. The ABIST can be performed in the ACTIVE state on an MCU request, depending on system safety requirements (such as a system-fault response time), ENDRV pin will be low during ABIST run.

A running ABIST is indicated in the ABIST_RUN bit (bit D0) in the SAFETY_STAT_3 register. This bit is set to 1 during the ABIST run and is cleared to 0 when the ABIST is complete. In case of an ABIST failure while in the DIAGNOSTIC state, including power-up event, the device enters the SAFE state without asserting a reset to the external MCU and the ABIST_ERR status flag remains latched in the digital core until a successful ABIST run. This allows the external MCU to detect the ABIST failure by reading the ABIST_ERR bits in the SAFETY_STAT_3 register. In case of an ABIST failure while in the ACTIVE state, the device sets the ABIST_ERR status flag, but no state transition occurs.

5.4.7 Logic Built-In Self-Test (LBIST)

The logic BIST (LBIST) tests the digital-core safety functions. The LBIST has these characteristics:

• An application-controllable logic BIST engine, which applies test vectors to the digital core.
• The LBIST engine provides stuck-at fault test coverage to logic blocks under test.
• The LBIST run time is typically 4.2 ms (±5%). After the LBIST, a 16-ms (typical) wait period occurs to fill the digital filters covered by the LBIST. During this time, the ABIST runs. The total BIST time is approximately 21 ms. The SPI registers may be unavailable during a BIST, so no SPI reads or writes should be made while the BIST is running.
• The LBIST engine has a time-out counter as a fail-safe feature.

The BIST (LBIST with ABIST) is activated and run in the DIAGNOSTIC state with any transition out of the RESET state during power-up events. The BIST is also activated with any other transition out of the RESET state unless the AUTO_BIST_DIS bit in the SAFETY_BIST_CTRL register is set.

The MCU can run the LBIST (BIST) by setting the LBIST_EN bit in the SAFETY_BIST_CTRL register.

During the BIST run, the device cannot monitor the state of regulated supplies and cannot respond to any SPI command, and therefore cannot monitor the state of the MCU through the watchdog timer. During the BIST run, the ENDRV pin is pulled low and the watchdog fail counter reinitializes to 5. After the BIST is complete, the following functions and registers reinitialize:

• DEV_STAT
• SAFETY_STAT_2
• SAFETY_STAT_4
• SAFETY_STAT_5 (but FSM[2:0] will immediately update to reflect the current device state)
• WD_TOKEN_VALUE
• WD_STATUS
• SAFETY_CHECK_CTRL
• DIAG_CFG_CTRL
• DIAG_MUX_SEL

A running LBIST is indicated in the LBIST_RUN bit (bit D1) in the SAFETY_STAT_3 register. This bit is set to 1 while the LBIST is running and is cleared to 0 when the LBIST is complete. After the LBIST run, completion of the whole BIST is confirmed by the MCU by reading 0 for both the LBIST_RUN and ABIST_RUN bits.

In case of an LBIST failure in the DIAGNOSTIC state, the device enters the SAFE state. The external MCU can detect the LBIST failure by reading the LBIST_ERR bit in the SAFETY_STAT_3 register. In case of an LBIST failure while in the ACTIVE state, the device sets the LBIST_ERR status flag, but no state transition occurs. Because the ABIST is run during the LBIST, the ABIST_ERR bit can also be monitored by the MCU.

5.4.8 Junction Temperature Monitoring and Current Limiting

Each LDO with an internal power FET has junction temperature monitoring with overtemperature protection (thermal shutdown). In case of an overtemperature condition, a regulated supply can re-enable only after the overtemperature condition is removed.

For the VSOUT1 regulator, the overtemperature condition disables the regulator and clears the enable bit (VSOUT1_EN), while all other regulators remain enabled. When the VSOUT1 overtemperature condition is gone, the external MCU must set the enable control bit again to re-enable the regulator.

The VDD3/5 and VDD6 regulators share an overtemperature protection circuit. A overtemperature event disables the VDD3/5 regulator. If the NMASK_VDD3/5_OT is set to 1 (default), the device transitions to the STANDBY state. If the NMASK_VDD3/5_OT bit is cleared to 0, the device transitions to the RESET state when the VDD3/5 output reaches the UV level for the VDD3/5 regulator. In both cases the NRES pin goes low and resets the external MCU and the ENDRV pin is low. TI recommends using the device with the NMASK_VDD3/5_OT bit set to 1.

For the VDD5 regulator, the overtemperature condition clears the VDD5_EN enable bit and transitions to the RESET state. NRES pin goes low and resets the MCU and the ENDRV pin is low. All other regulators remain enabled. When the VDD5 overtemperature condition is gone, the MCU must set the enable control bit again to re-enable the regulator.

The VDD6, VDD3/5, VDD5, and VSOUT1 regulators include a current-limit circuit for protection against excessive power consumption and thermal overstress.

Table 5-3 lists an overview of the overtemperature and overcurrent protections for the supply output rails.

5.4.9 Diagnostic MUX and Diagnostic Output Pin (DIAG_OUT)

Analog and digital critical signals, which are not directly connected to the MCU, are switched by a multiplexer to the external DIAG_OUT pin. The programming of the multiplexer is done with the DIAG_MUX_SEL register. The digital signals are buffered to have sufficient drive capabilities.

This multiplexer facilitates external pin-interconnect tests by feeding back the input pin state or feeding back internal module self-test status or safety comparator outputs.

A. These analog signals are multiplexed out with a divide ratio

B. If the application must measure analog signals with an MCU ADC and monitor digital signals with an MCU GPIO, the application design must assure the GPIO input stage does not affect the ADC measurements. If isolating the MCU GPIO is not possible within the MCU, the application design must achieve the necessary isolation externally.

Figure 5-4 Diagnostic Output Pin, DIAG_OUT

In case the DIAG_OUT pin is connected to a mixed analog or digital input pin of the MCU, TI recommends configuring this MCU input pin and the DIAG_OUT pin simultaneously in accordance with the desired type of signal (analog or digital). The type of signal (analog or digital) on the DIAG_OUT pin can be configured with the MUX_CFG[1:0] bits in the DIAG_CFG_CTRL register. The DIAG_OUT multiplexer can be globally enabled and disabled with bit 7 in the DIAG_CFG_CTRL register. When disabled, the DIAG_OUT pin is in the high-ohmic state (tri-state).

5.4.10 Watchdog Timer (WD)

The watchdog monitors the correct operation of the MCU. This watchdog requires specific triggers, or messages, from the MCU in specific time intervals to detect correct operation of the MCU. The MCU can control the logic level of the ENDRV pin with the ENABLE_DRV bit when the watchdog detects correct operation of the MCU. When the watchdog detects incorrect operation of the MCU, the device pulls the ENDRV pin low. This ENDRV pin can be used in the application as a control signal to deactivate the power output stages, for example a motor driver, in case of incorrect operation of the MCU. This function is consequently referred to as the watchdog-enabled function.

The watchdog has two different modes, which are defined as follows:

To select the Q&A mode, the MCU must set the WD_CFG bit (bit 5) in the safety-function configuration register (SAFETY_FUNC_CFG) while in the DIAGNOSTIC state. When the watchdog operates in Q&A mode, the MCU error signal monitor (ESM) may be used.

5.4.11 Watchdog Fail Counter, Status, and Fail Event

The watchdog includes a watchdog fail counter (WD_FAIL_CNT[2:0]) which increments because of bad events or decrements because of good events. When the value of the watchdog fail counter is 5 or more, the watchdog status is out-of-range and the ENDRV pin is low (the watchdog-enabled function is disabled).

When the watchdog fail counter is 4 or less, the watchdog status is in-range and the watchdog no longer disables the watchdog-enabled function. In this case, the device pulls up the ENDRV pin when the ENABLE_DRV control bit (in the SAFETY_CHECK_CTRL register) is set and when the device detects no other errors that impact the level of the ENDRV pin.

The watchdog fail counter operates independently of the state of the watchdog reset configuration bit (bit 3), WD_RST_EN, in the SAFETY_FUNC_CFG register.

The watchdog fail counter responds as follows:

• A good event decrements the fail counter by one, down to the minimum of zero.
• A bad event increments the fail counter by one, up to the maximum of seven.
• A time-out event increases the fail counter by one, up to the maximum of seven, and sets the TIME_OUT flag (WD_STATUS register, bit 1).

The definitions of good event, bad event and time-out event are listed Section 5.4.14 and Section 5.4.15.

Figure 5-5 Watchdog Impact on ENDRV and RESET

The watchdog fail counter is initialized to a count of 5 when the device enters the DIAGNOSTIC state (after going through the RESET state) and when the device transitions from the DIAGNOSTIC state to the ACTIVE state.

When the watchdog fail counter reaches a count of 7, another bad event does not change the counter: the counter remains at 7. However, if the watchdog reset is enabled (WD_RST_EN bit in the SAFETY_FUNC_CFG register is set to 1), on the next bad event or time-out event (7 + 1) the device enters the RESET state and resets the MCU by pulling the NRES pin low. In the RESET state, the watchdog fail counter reinitializes to 5. If the watchdog fail counter is at seven when the WD_RST_EN bit is set to 1, the device immediately enters the RESET state without requiring another bad event or time-out event.

5.4.12 Watchdog Sequence

Each watchdog sequence begins with a Window 1 followed by a Window 2. The MCU can program the time periods of Window 1 (t_WIN1) and Window 2 (t_WIN2) with the WD_WIN1_CFG and WD_WIN2_CFG registers respectively when the device is in the DIAGNOSTIC state. When the device goes from the RESET state to the DIAGNOSTIC state, the watchdog sequence begins with the default t_WIN1 and t_WIN2 time periods.

Use Equation 1 and Equation 2 to calculate the minimum and maximum values for the t_WIN1 time period. Use Equation 3 and Equation 4 to calculate the minimum and maximum values for the t_WIN2 time period.

If the MCU stops sending events, or stops feeding the watchdog during the watchdog sequence, the watchdog considers this lack of response from the MCU a time-out event (no response event). This sets the TIME_OUT status bit (bit 1 in the WD_STATUS register) and increments the watchdog fail counter. Immediately following a time-out event the next watchdog sequence is started.

Based on the Window 1 and Window 2 time periods, the watchdog sequence and time-out time periods are calculated as follows:

The watchdog uses the internal system clock of the device (±5% accuracy) as a time reference for creating the 0.55-ms watchdog time step. WINDOW 1 may be up to one 0.55-ms watchdog time step shorter than programmed as indicated by Equation 1.

5.4.13 MCU to Watchdog Synchronization

To synchronize the MCU with the watchdog sequence, the MCU can write to either the WIN1_CFG or WIN2_CFG registers to start a new watchdog sequence. After a write access to the WIN1_CFG or WIN2_CFG register by the MCU (even when these registers are locked or when the device is in the ACTIVE or the SAFE state), the device immediately starts a new watchdog sequence and increments the watchdog fail counter. Therefore a write access to the WD_WIN1_CFG or WD_WIN2_CFG register only takes effect in this new watchdog sequence.

When the MCU is synchronized with the watchdog sequence, a good event from the MCU immediately starts a new watchdog sequence. In this way, the MCU stays synchronized with the watchdog sequence.

See Figure 6-11 for an example software flowchart of how to synchronize the MCU with the TPS65381-Q1 watchdog.

5.4.14 Trigger Mode (Default Mode)

When the device goes from the RESET state to the DIAGNOSTIC state, the watchdog operates in trigger mode (default). The first watchdog sequence begins with the default t_WIN1 and t_WIN2 time periods. The watchdog receives the triggers from the MCU on the ERROR/WDI pin. A rising edge on the ERROR/WDI pin, followed by a falling edge on the ERROR/WDI pin after more than the required pulse time, t_{WD_pulse(max)} (32 μs), is a trigger. Even a waveform with a longer duration high than low is counted as a trigger if the rising and falling edges meet this requirement.

Window 1, called a CLOSE window, is the first window in the watchdog sequence. A trigger received in Window 1 is a bad event and ends Window 1, starts a new watchdog sequence and sets ANSWER_EARLY flag.

Window 2, called an OPEN window, follows Window 1. At a minimum, Window 2 lasts until a trigger is received. At a maximum, Window 2 lasts until the programmed t_WIN2 time. A trigger received in Window 2 (OPEN) is a good event. A new watchdog sequence begins immediately after the watchdog receives a trigger in Window 2.

If the MCU stops sending triggers during the watchdog sequence, the watchdog considers this lack of response from the MCU a time-out event (no response event). This sets the TIME_OUT status bit (bit 1 in the WD_STATUS register) and increments the watchdog fail counter. Immediately following a time-out event a new watchdog sequence is started.

The TIME_OUT flag can be useful for the MCU software to resynchronize the watchdog trigger pulse events to the required device watchdog timing. When resynchronizing in this way, the MCU detects the TIME_OUT flag being set. The TIME_OUT flag being set indicates the time-out event and the start of a new watchdog sequence. The MCU should send the trigger with timing so the trigger is in Window 2 (OPEN) of this new watchdog sequence.

In trigger mode, the watchdog uses a deglitch filter with the t_{WD_pulse} filter time and an internal system clock to create the internally generated watchdog pulse (see Figure 5-6 and Figure 5-7).

The rising edge of the trigger on the ERROR/WDI pin must occur at least the t_{WD_pulse(max)} time before the end of Window 2 (OPEN) to generate a good event.

The window duration times of Window 1 (CLOSE) and Window 2 (OPEN) are programmed through the WD_WIN1_CFG and WD_WIN2_CFG registers when the device is in the DIAGNOSTIC state. In trigger mode, the window duration time are as follows:

Use Equation 1 and Equation 2 to calculate the minimum and maximum values for the t_WIN1 = t_WCW time period. Use Equation 3 and Equation 4 to calculate the minimum and maximum values for the t_WIN2 = t_WOW time period.

Writing a new Window 1 or Window 2 time to the WD_WIN1_CFG or WD_WIN2_CFG register immediately begins a new watchdog sequence and increments the watchdog fail counter. A new watchdog sequence is started by a write even when WD_WIN1_CFG register and the WD_WIN2_CFG SPI register are locked because the device is not in DIAGOSTIC state or the SPI command SW_LOCK is blocking a write update to the register values.

The watchdog trigger event is considered a good-event if received during a Window 2 (OPEN) window, and is considered a bad-event if received during Window 1 (CLOSE) window. A good-event ends the current watchdog sequence and starts a new watchdog sequence, therefore the MCU and device watchdog timing stay synchronized.

A good-event, bad-event, time-out event, power-up event, or power-down event ends the current watchdog sequence and starts a new watchdog sequence.

A. When a good event is received in Window 2, 1 system clock-cycle (250 ns, typical) later the next watchdog sequence begins. Therefore the actual length of Window 2 depends on when the MCU sends the good event.

Figure 5-6 Example Cases for Good-Events in Trigger Mode

A. When a time-out event occurs, 1 system clock-cycle (250 ns, typical) later, the next watchdog sequence begins.

B. WD_RST_EN = 0 per default. To enable a reset from the watchdog once WD_FAIL_CNT[2:0] = 7 +1, WD_RST_EN must be set to 1. The notation WD_FAIL_CNT[2:0] = 7 +1 means the next (+ 1) bad event or time-out event if WD_FAIL_CNT[2:0] = 7 while WD_RST_EN = 1 will cause a transition to the RESET state. However, when WD_RST_EN = 0, the WD_FAIL_CNT[2:0] counter does not increment past 7 and the watchdog does not cause a transition to the RESET state.

C. When a bad event is received in Window 1, 1 system clock-cycle (250 ns, typical) later the next watchdog sequence begins. Therefore the actual length of Window 1 depends on when the MCU sends the bad event.

Figure 5-7 Example Cases for Bad-Event and Time-out Events in Trigger Mode

5.4.15 Q&A Mode

Setting the WD_CFG bit in the SAFETY_FUNC_REG register to 1 when the device is in the DIAGNOSTIC state configures the watchdog for Q&A (question and answer) mode. In Q&A mode, the device provides a question (or TOKEN) for the MCU in the WD_TOKEN_VALUE register. The MCU performs a fixed series of arithmetic operations on the question to calculate the required 32-bit answer. This answer is split into four answer bytes or responses. The MCU writes these answer bytes through SPI one byte at a time into the WD_ANSWER register. The device verifies that the MCU returned the answer bytes within the specified timing windows, and that the answer bytes are correct.

A good event occurs when the MCU sends the correct answer bytes calculated for the current question within the correct watchdog window and in the correct order.

A bad event occurs when one of the events that follows occur:

• The MCU sends the correct answer bytes, but not in the correct watchdog window.
• The MCU sends incorrectly calculated answer bytes.
• The MCU returns correct answer bytes in the wrong order (sequence).

If the MCU stops sending answer bytes during the watchdog sequence, the watchdog considers this lack of response from the MCU a time-out event (no response event). This sets the TIME_OUT status bit (bit 1 in the WD_STATUS register) and increments the watchdog fail counter. Immediately following a time-out event a new watchdog sequence is started.

The TIME_OUT flag can be useful for the MCU software to resynchronize the watchdog answer timing to the required device watchdog timing. When resynchronizing in this way, the MCU detects the TIME_OUT flag being set. The TIME_OUT flag being set indicates the time-out event and the start of a new watchdog sequence. The MCU should send the answer bytes with timing so they will be in the correct windows of the new watchdog sequence.

5.4.15.2 Watchdog Sequence in Q&A Mode

The watchdog sequence in Q&A mode ends after the MCU writes the fourth answer byte, Answer-0 (WD_TOKEN_RESP_0), or after a time-out event. A new watchdog sequence starts after the previous watchdog sequence ends.

The window duration times of Window 1 (OPEN) and Window 2 (CLOSE) are programmed through the WD_WIN1_CFG and WD_WIN2_CFG registers when the device is in the DIAGNOSTIC state. In Q&A mode, the window duration time are as follows:

Equation 11. t_{WOW_MIN} (Q&A mode) = t_{WIN1_MIN}

where

• WOW is a watchdog OPEN window
  

Equation 12. t_{WOW_MAX} (Q&A mode) = t_{WIN1_MAX}

where

• WOW is a watchdog OPEN window
  

Equation 13. t_{WCW_MIN} (Q&A mode) = t_{WIN2_MIN}

where

• WCW is a watchdog CLOSE window
  

Equation 14. t_{WCW_MIN} (Q&A mode) = t_{WIN2_MIN}

where

• WCW is a watchdog CLOSE window
  

Use Equation 1 and Equation 2 to calculate the minimum and maximum values for the t_WIN1 = t_WOW time period. Use Equation 3 and Equation 4 to calculate the minimum and maximum values for the t_WIN2 = t_WCW time period.

Writing a new Window 1 or Window 2 time to the WD_WIN1_CFG or WD_WIN2_CFG register immediately begins a new watchdog sequence and increments the watchdog fail counter. A new watchdog sequence is started by a write even when WD_WIN1_CFG register and the WD_WIN2_CFG SPI register are locked because the device is not in DIAGOSTIC state or the SPI command SW_LOCK is blocking a write update to the register values.

1. The MCU is not required to read the question (token). The MCU can begin giving the correct answer bytes Answer-3, Answer-2, Answer-1, anywhere in Window 1 or Window 2. The new question (token) is generated and a new watchdog sequence started within 1 system clock cycle after the final Answer-0 as long as the answer was a good event. A bad event or time-out event causes a new watchdog sequence to start, however a new question (token) is not generated.

2. The MCU can put other SPI commands in-between the WR_WD_ANSWER commands (even rerequesting the question). These SPI commands have no influence on the detection of a good event, as long as the four correct answer bytes are in the correct order, and the fourth correct answer byte is provided in Window 2.

Figure 5-8 Watchdog Sequence in Q&A Mode

5.4.15.3 Question (Token) Generation

The watchdog uses a 4-bit token counter (TOKEN_CNT[3:0] bits in Figure 5-9), and a 4-bit Markov chain to generate a 4-bit question (token). The MCU can read this question in the WD_TOKEN_VALUE register, TOKEN[3:0] bits. The watchdog generates a new question when the token counter increments, which only occurs when the watchdog detects a good event. The watchdog does not generate a new question when it detects a bad event or a time-out event. The watchdog does not generate a new question for a watchdog sequence that starts after the MCU writes to the WD_WIN1_CFG or WD_WIN2_CFG registers.

The token counter provides a clock pulse to the Markov chain when it transitions from 1111b to 0000b. The question counter and the Markov chain are set to the singular default value of 0000b when the device completes the LBIST (either a manual LBIST run or the automotive LBIST run initiated on the transition from the RESET to DIAGNOSTIC state). To leave the singular point, the feedback logic combination is implemented.

Figure 5-9 shows the logic combination for the question (token) generation. The question is in the WD_TOKEN_VALUE register, TOKEN[3:0] bits.

The logic combination of the token counter with the WD_ANSW_CNT[1:0] status bits (in the WD_STATUS register) generates the reference answer bytes as shown in Figure 5-9.

1. A value of 0000b is a special seed and equates to 0001b, including the default loading of 0000b during power up.

Figure 5-9 Watchdog Question (Token) Generation

Figure 5-10 Watchdog Answer Calculation

5.4.16 MCU Error Signal Monitor (MCU ESM)

This block monitors the external MCU error conditions signaled from the MCU to the device through the ERROR/WDI input pin. The MCU ESM is configurable to monitor two different signaling options depending which functional safety architecture MCU family is being monitored and how the specific MCU family indicates on the error or fault output pin improper operation. The MCU ESM mode is selected through the ERROR_CFG bit in the SAFETY_FUNC_CFG register.

In TMS570 mode the ESM detects a low-pulse signal with a programmable low-pulse duration threshold (see Section 5.4.16.1). This mode is selected when the ERROR_CFG bit is set to 1. In PWM mode the ESM detecting a PWM signal with a programmable frequency and duty cycle (see Section 5.4.16.2). This mode is selected when the ERROR_CFG bit is cleared to 0 (default). PWM mode can be used as an external clock-monitor function.

The MCU ESM is deactivated by default. To activate it, clear the NO_ERROR bit to 0 in the SAFETY_CHECK_CTRL register.

The low-signaling duration threshold (for TMS570 mode) or the expected PWM low-pulse duration (for PWM mode) is set through the SAFETY_ERR_PWM_L register. The expected PWM high-pulse duration (for PWM mode) is set through the SAFETY_ERR_PWM_H register. A detected MCU signaling error is indicated when the ERROR_PIN_FAIL bit in the SAFETY_ERR_STAT register is set to 1.

When the TPS65381-Q1 device is in the DIAGNOSTIC state, the MCU can emulate a signaling error (emulated fault-injection) for a diagnostic check of the error-signal monitor by checking the status of the ERROR_PIN_FAIL bit while the NO_ERROR bit is cleard to 0 (MCU ESM enabled) without a transition to the SAFE state.

When the TPS65381-Q1 device is in the ACTIVE state, a detected MCU signaling error causes a transition to the SAFE state. A dedicated 4-bit error counter, the DEV_ERR_CNT[3:0] bits in the SAFETY_ERR_STAT register, counts the transitions from the ACTIVE state to the SAFE state.

The module is covered by the logic BIST (LBIST).

5.4.16.1 TMS570 Mode

An error condition is detected when the ERROR/WDI pin remains low longer than the programmed amount of time set by the SAFETY_ERR_PWM_L register. The programmable time range is 5 µs to 1.28 ms (typical), with 5-µs steps (±5%).

The SAFETY_ERR_PWM_L register must be set to the desired value based on the maximum required time for the TMS570 MCU to detect an error or fault and to potentially recover from or correct the error or fault.

The LOW duration time is as follows:

Equation 15. t_{TMS570_LOW_MIN} = (PWML[7:0]) × 5 µs × 0.95

Equation 16. t_{TMS570_LOW_MAX}= (PWML[7:0] + 1) × 5 µs × 1.05

Use Equation 15 and Equation 16 to calculate the minimum and maximum values for the LOW duration, t_{TMS570_LOW}. Figure 5-11 shows the error-detection case scenarios.

NOTE

The SAFETY_ERR_PWM_L register (PWML[7:0]) should be configured with a minimum of 1 (01h) in the register.

The low-pulse monitoring on the ERROR/WDI pin is implemented as follows:

• When the NO_ERROR bit is cleared to 0, every falling edge on the ERROR/WDI pin reinitializes the low-pulse duration counter to 0 within one system clock-cycle (250 ns ±5%).
• After reinitialization, the low-pulse counter restarts one system clock-cycle (250 ns ±5%).
• The low-pulse duration counter increases every 5 µs (with ±5% accuracy) as long as the ERROR/WDI pin is low. A rising edge on the ERROR/WDI pin stops the low-pulse duration counter.
• When low-pulse duration counter is equal to the SAFETY_ERR_PWM_L register setting, an error is detected.

The ERROR_PIN_FAIL bit in the SAFETY_ERR_STAT register is set within one system clock cycle (250 ns ± 5%) after detecting an MCU signaling error. When the device is in the ACTIVE state, a transition to the SAFE state occurs after one more system clock-cycle.

Figure 5-11 Error Detection Case Scenarios in TMS570 Mode

5.4.16.2 PWM Mode

An error condition is detected when one of the following occurs on the ERROR/WDI pin:

• The ERROR/WDI pin high-pulse duration exceeds the threshold value programmed by the PWM_H register.
• The ERROR/WDI pin low-pulse duration exceeds the threshold value programmed by the PWM_L register.

The MCU ESM does NOT detect an MCU signaling error on the ERROR/WDI pin if both of the following occurs:

• The ERROR pin high-pulse duration is less than the threshold value programmed by the PWM_H register.
• The ERROR pin low-pulse duration is less than the threshold value programmed by the PWM_L register.

The programmable time range for the expected HIGH and LOW pulse duration is 15 µs to 3.8 ms (typical), with 15-µs resolution steps (±5%). The HIGH and LOW pulse duration times are programmed through the SAFETY_ERR_PWM_H and SAFETY_ERR_PWM_L registers when the device is in the DIAGNOSTIC state. The pulse duration time are as follows:

Equation 17. t_{PWM_HIGH_MIN} = (PWMH[7:0]) × 15 µs × 0.95

Equation 18. t_{PWM_HIGH_MAX} = (PWMH[7:0] + 1) × 15 µs × 1.05

Equation 19. t_{PWM_LOW_MIN} = (PWML[7:0]) × 15 µs × 0.95

Equation 20. t_{PWM_LOW_MAX}= (PWML[7:0] + 1) × 15 µs × 1.05

Use Equation 17 and Equation 18 to calculate the minimum and maximum values for the HIGH pulse duration, t_{PWM_HIGH}. Use Equation 19 and Equation 20 to calculate the minimum and maximum values for the LOW pulse duration, t_{PWM_LOW}.

NOTE

The SAFETY_ERR_PWM_H (PWMH[7:0]) and SAFETY_ERR_PWM_L (PWML[7:0]) register should be configured with a minimum of 1 (01h) in the registers.

The monitoring of the high-pulse duration and low-pulse duration is implemented as follows:

LOW pulse monitoring:

• Every falling edge on the ERROR/WDI pin, or setting the NO_ERROR bit from 1 to 0 when the ERROR/WDI pin is low, reinitializes the low-pulse duration counter to 0 within one system clock-cycle (250 ns ±5%).
• After reinitialization, the low-pulse counter restarts after one system clock-cycle (250 ns ±5%).
• The low-pulse duration counter increases every 15 µs (±5%) while the ERROR/WDI pin remains low.
• When the low-pulse duration counter is equal to the SAFETY_ERR_PWM_L register setting, an error is detected.

HIGH pulse monitoring:

• Every rising edge on the ERROR/WDI pin, or setting the NO_ERROR bit from 1 to 0 when the ERROR/WDI pin is high, reinitializes the high-pulse duration counter to 0 within one system clock-cycle (250 ns ±5%).
• After reinitialization, the high-pulse counter restarts after one system clock-cycle (250 ns ±5%).
• The high-pulse duration counter increases every 15 µs (with ± 5% accuracy) while the ERROR/WDI pin remains high.
• When the high-pulse duration counter is equal to the SAFETY_ERR_PWM_H register setting, an error is detected.

NOTE

The ERROR/WDI pin is edge triggered, to synchronize the MCU to the MCU ESM module, while in the DIAGNOSTIC state the MCU should start sending the desired PWM signal. On the first falling or rising edge the MCU ESM detects the edge and starts the internal timers in sync with the edge so the MCU and MCU ESM are synchronized. The MCU ESM resynchronizes to the MCU on every rising and falling edge. While in the DIAGNOSTIC state, when synchronization has occurred the ERROR_PIN_FAIL flag should be cleared.

The ERROR_PIN_FAIL bit in the SAFETY_ERR_STAT register is set within one system clock cycle (250 ns ±5%) after detecting an MCU signaling error. When the device is in the ACTIVE state, a transition to the SAFE state occurs after one more system clock-cycle.

Figure 5-12 Error Detection Case Scenarios in PWM Mode

5.4.17 Device Configuration Register Protection

This function offers a mechanism to help protect safety SPI-mapped registers by means of SPI write-access protection and CRC check.

The register access protection includes two distinctive features:

• A register cannot be written after write-access lock protection is set. The lock is cleared by software or by a power-on reset.
• CRC protection for configuration registers.

A CRC occurs on safety data after a SPI write updates to verify the SPI register contents are correctly programmed. The CRC controller is a diagnostic module, which performs the CRC to verify the integrity of the SPI-mapped register space. A signature representing the content of the safety registers is obtained when the content is read into the CRC controller. The responsibility of the CRC controller is to calculate the signature for a set of data and then compare the calculated signature value against a predetermined good-signature value. The predetermined CRC signature value is stored in the SAFETY_CFG_CRC register. The external MCU uses the SAFETY_CHECK_CTRL register to enable a CRC check and the SAFETY_STAT_2 register to monitor the status. When enabled, a CRC check on the configuration registers is performed. In case of a detected signature error, the CFG_CRC_ERR flag is set in the SAFETY_STAT_2 SPI register. The device state and the ENDRV pin state remain unchanged. In case of a detected checksum error with the TPS65381-Q1 device in the DIAGNOSTIC state, clearing the CFG_CRC_EN bit to 0 brings the TPS65381-Q1 device into the SAFE state (the ENDRV pin is pulled low).

A standard CRC-8 polynomial is used: X8 + X2 + X1 + 1

The CRC monitor test is covered by a logic BIST.

A 64-bit string is protected by CRC. The following registers are protected:

• SAFETY_FUNC_CFG
• DEV_REV
• SAFETY_PWD_THR_CFG
• SAFETY_ERR_CFG
• WD_TOKEN_FDBK
• WD_WIN2_CFG
• WD_WIN1_CFG
• SAFETY_ERR_PWM_L
• DEV_CFG2
• DEV_CFG1 (only bit number 6)

Table 5-13 lists the CRC bus structure.

In the external MCU, the CRC calculation must be performed byte-wise, starting with the lowest byte of the 64-bit bus ordering value. The most significant bit is first in the bit order. The resulting CRC of one calculation is the seed value for the next calculation. The initial seed value is FFh. The CRC result of the eighth byte-wise calculation is the CRC signature value, which must be stored in the SAFETY_CFG_CRC register (see Figure 5-13).

Figure 5-13 CRC Calculation Logic

Table 5-14 lists some CRC calculation examples.

In case the CRC controller detects a signature error on the configuration registers, care must be used when performing an EEPROM CRC afterwards. In case of a detected signature error in the configuration registers, the device reports an EEPROM signature error when the CFG_CRC_EN bit in the SAFETY_CHECK_CTRL register is cleared to 0 first before performing the EEPROM CRC by setting the EE_CRC_CHK bit in the SAFETY_BIST_CTRL register to 1, even when the EEPROM bits do not have an error. Therefore, when performing an EEPROM CRC after a CRC on the configuration registers, the steps must always occur in the following order:

1. Calculate CRC8 in the MCU and store it in the SAFETY_CFG_CRC register.
2. Set the CFG_CRC_EN bit in the SAFETY_CHECK_CTRL register to 1 to perform a CRC on the configuration registers.
3. After the SPI command sets the CFG_CRC_EN bit to 1 (for example, after rising edge on NCS), wait at least 2.1 µs for the configuration register to complete the CRC.
4. Read the results of the configuration register CRC in the SAFETY_STAT_2 register, bit CFG_CRC_ERR. If continuous CRC on the configuration register must be performed, clear the CFG_CRC_EN bit in the SAFETY_CHECK_CTRL register to 0 and repeat beginning with Step 1. If the CRC on the EEPROM registers must be performed, proceed to Step 5.

NOTE

A correct EEPROM CRC afterwards (as described in Step 5) clears this CFG_CRC_ERR bit. Therefore, TI recommends reading out this CFG_CRC_ERR bit before performing the EEPROM CRC.

5. Set the EE_CRC_CHK bit in the SAFETY_BIST_CTRL register to 1 to perform the CRC on the EEPROM registers.
6. After the SPI command sets the EE_CRC_CHK bit to 1 (for example, after rising edge on NCS), wait at least 811 µs for the EEPROM CRC to finish.
7. Completion of the EERPOM CRC is observed by reading the EE_CRC_CHK bit. When the EEPROM CRC is complete, this EE_CRC_CHK bit is cleared to 0.
8. Clear the CFG_CRC_EN bit in the SAFETY_CHECK_CTRL register to 0
9. Read the results of the EEPROM CRC in the SAFETY_STAT_2 register, bit EE_CRC_ERR.
10. Go back to Step 1.

NOTE

Returning to Step 1 is not required; returning to Step 2 is also an option.

NOTE

While in the DIAGNOSTIC state, a check can be performed to confirm the CFG_CRC_ERR bit is set to 1 on a mismatch between the value stored in the SAFETY_CFG_CRC register and the value that is calculated from the configuration registers covered by the CRC8. If the CFG_CRC_EN is cleared while the CFG_CRC_ERR bit is set to 1, then the device transitions to the SAFE state, set the EE_CRC_ERR bit and clear the CFG_CRC_EN bit. To avoid this transition to the SAFE state, the CFG_CRC_ERR bit must be cleared by running the EEPROM CRC by setting the EE_CRC_CHK bit. While the EPPROM CRC is running, the EE_CRC_ERR bit is set. Assuming the EEPROM CRC was good, both the EE_CRC_ERR and CFG_CRC_ERR bits are cleared. To check if the CFG_CRC_ERR bit is 0 for a matching CRC, the matching CRC value should be stored in the SAFETY_CFG_CRC register. Then the CFG_CRC_EN bit must be cleared to 0 and set again to 1 which reruns the CRC on the configuration registers, resulting in the CFG_CRC_ERR bit being 0.

5.4.18 Enable and Reset Driver Circuit

Figure 5-14 shows the reset and enable circuit.

Figure 5-14 Reset and Enable Circuit

The ENDRV pin features a read-back circuit to compare the external ENDRV level with the internally applied ENDRV level. This feature detects any possible failure in the ENDRV pullup or pulldown components. A failure is detected by the MCU through the ENDRV_ERR bit (bit 1 in the SAFETY_STAT_4 register).

The ENDRV pin is pulled low for the ABIST duration time (approximately 300 µs) when activating the ABIST function after the ENDRV output is turned on and driven high. This is part of ENDRV diagnostics to validate all monitoring functions that disable the ENDDRV output and confirm that the ENDRV output is controllable by using the ENDRV read-back path.

The NRES pin features a readback of the external NRES level. The value is read on the DIAG_OUT pin and NRES_ERR bit (bit 5 in the SAFETY_STAT_3 register)..

For both the ENDRV pin and the NRES pin, the logic read-back threshold level is typically 400 mV.

Figure 5-15 shows the timing-response diagram for the NRES and ENDRV pins to any VDDx undervoltage or overvoltage condition.

1. The signal deglitch time is defined for each undervoltage or overvoltage condition as given in Section 4.

2. The NRES extension time is defined by the external resistor value as given in Section 4.

Figure 5-15 Timing-Response Diagram for NRES and ENDRV Pins to any VDDx Undervoltage or Overvoltage Condition

5.4.19 Device Operating States

1. RESET State: SPI, Watchdog and MCU ESM are in reset; see Section 5.4.21 section for conditions that prevent the wake up from the STANDBY state to the RESET state.

2. DIAGNOSTIC State: BIST (LBIST with ABIST) is initiated on the transition into the DIAGNOSTIC state. See Section 5.4.22 for options to disable automatic BIST run, the DIAGNOSTIC state time-out and diagnostics the MCU may perform on safety functions. WD_FAIL_CNT reinitializes to 5 on transition into the DIAGNOSTIC state.

3. ACTIVE State: WD_FAIL_CNT reinitializes to 5 during transition into the ACTIVE state. During the ACTIVE state the MCU may perform diagnostics of some safety functions, see Section 5.4.23 for more details.

4. SAFE State: DEV_ERR_CNT[3:0] increments on any transition to the SAFE state. See Section 5.4.24 for details on SAFE state time-out.

5. The ENDRV pin level is dependent on the ENABLE_DRV bit, WD_FAIL_CNT[2:0] counter value, and VDDx_OV as shown in Figure 5-14 in the DIAGNOSTIC and ACTIVE states.

6. The VDD5 and VSOUT1 regulators may be enabled or disabled in the DIAGNOSTIC, ACTIVE, and SAFE states.

Figure 5-16 Device Controller State Diagram

5.4.20 STANDBY State

The STANDBY state is the default state when the device is supplied by the VBATP and VBAT_SAFING supplies. This state has the characteristics that follow:

• All regulators are disabled
• The NRES and ENDRV pins are low.
• The device transitions to the STANDBY state from any state because of the following:
  • Internal power-on reset event (NPOR = 0)
  • VBATP undervoltage event (VBATP_UV)
  • Deglitched IGN = 0 and IGN_PWRL = 0 (cleared IGN power-latch control bit) and CANWU_L = 0
  • Loss-of-clock detection (LOCLK)
  • VDD3/5 overtemperature event (VDD3/5_OT) while NMASK_VDD3/5_OT = 1
  • DVDD undervoltage event (DVDD_UV)
  • DVDD overvoltage event (DVDD_OV)
  • AVDD_VMON overvoltage or undervoltage event (AVDD_VMON_ERR)
  • VCP12 overvoltage event (VCP12_OV)
  • VCP17 overvoltage event (VCP17_OV)
  • Error with band gaps: BG_ERR1 or BG_ERR2
  • EEPROM check fails during run after exit from NPOR event (EE_CRC_ERR = 1 when EE_CRC_CHK is run on exit from NPOR)
  • The device error count (DEV_ERR_CNT[3:0]) is greater than or equal to the programmed power-down threshold, PWD_THR[3:0]

5.4.21 RESET State

The RESET state has the characteristics that follow:

• This state is entered from the STANDBY state after a wake-up request from ignition (IGN pin = high, deglitched IGN bit = 1) or CANWU pin (CANWU pin = high, deglitched and latched CANWU_L bit = 1). The following conditions would prevent the transition from the STANDBY state to the RESET state even if a wake-up request occurred:
  • BG_ERR1
  • BG_ERR2
  • VCP17_OV
  • VCP12_OV
  • AVDD_VMON_ERR
  • EE_CRC_CHK fails
• This state is entered from the SAFE state after a SAFE state time-out occurs and the DEV_ERR_CNT[3:0] counter is less than the programmed SAFE_LOCK_THR[3:0] + 1. See Section 5.4.24 for details on the SAFE state time-out duration which is set by the SAFE_TO[2:0] and NO_SAFE_TO bits.
• The device transitions to the RESET state from any other state because of the following:
  • VDD3/5 undervoltage event (VDD3/5_UV)
  • VDD5 overtemperature event (VDD5_OT) when NMASK_VDD5_OT = 1
  • VDD1 undervoltage event (VDD1_UV) when NMASK_VDD1_UV_OV = 1 (not default)
  • VBATP overvoltage event (VBATP_OV) when MASK_VBATP_OV = 0 (default)
  • Watchdog reset. A watchdog reset occurs after the watchdog fail counter (WD_FAIL_CNT[2:0]) has reached a value of 7 and another bad event occurs (7+1) which sets the WD_FAIL flag when WD_RST_EN = 1 (not default)
  • POST_RUN_RST = 1 and IGN_PWRL = 1 and a recrank (LOW followed by a valid HIGH) on IGN pin
• The VDDx regulators are powered on.
• The NRES and ENDRV pins are low.
• The SPI, watchdog, and MCU ESM are in reset.

5.4.22 DIAGNOSTIC State

The DIAGNOSTIC state has the characteristics that follow:

• The DIAGNOSTIC state is entered from the RESET state after the VDDx regulators have ramped-up and the reset extension is complete
• The VDD5 (enabled by default) regulator can be disabled by the VDD5_EN bit, and the VSOUT1 regulator can be enabled (disabled by default) by the VSOUT1_EN bit.
• The NRES pin is HIGH.
• The state of the ENDRV pin is determined by the ENABLE_DRV bit, WD_FAIL_CNT[2:0] counter value, and the overvoltage monitoring for the VDDx regulators (VDDx_OV) as shown in Figure 5-14.
• The watchdog and MCU error signal monitoring (ESM) functions can be configured and operated. The MCU ESM module does not cause a transition to the SAFE state from the DIAGNOSTIC state when an emulated failure on the ERROR/WDI pin is detected. This allows the MCU to run diagnostics on the MCU ESM and ERROR/WDI pin during the DIAGNOSTIC state.
• This state is where the MCU should perform all device self-tests and diagnostics (failures are induced to emulate internal failures and confirm detection).
• Upon entry of the DIAGNOSTIC state, the watchdog fail counter is reinitialized to 5.
• The BIST (LBIST with ABIST) is activated with the transition out of the RESET state into the DIAGNOSTIC including a power up event from the STANDBY state. This automatic BIST run can be disabled with the AUTO_BIST_DIS bit for cases when the RESET state was entered from the DIAGNOSTIC, ACTIVE, or SAFE state, but cannot be disabled when the RESET state was entered from the STANDBY state at power up.
• The BIST (LBIST with ABIST) is initiated on the transition to the DIAGNOSTIC state.
• During the DIAGNOSTIC state, the MCU can perform diagnostics of any safety function such as watchdog, MCU ESM, ERROR/WDI pin, DIAG_MUX pin, and CRC on registers. Ti recommends running diagnostic checks at least every power-up cycle while in the DIAGNOSTIC state.

NOTE

DIAGNOSTIC state time-out: When the DIAGNOSTIC state is entered, if the DIAG_EXIT_MASK or DIAG_EXIT bit is not set to 1 within 512 ms (typical), the DIAGNOSTIC state time-out interval expires, causing a transition to the SAFE state. This also sets both the ERROR_PIN_FAIL and WD_FAIL bits in the SAFETY_ERR_STAT register and sets the mirror bits, MCU_ERR and WD_ERR, in the SAFETY_STAT_4 register. The device error count (DEV_ERR_CNT[3:0]) is incremented. Only the DIAG_EXIT_MASK or DIAG_EXIT bit should be set in a single SPI write command to the SAFETY_CHECK_CTRL register. Setting the DIAG_EXIT bit to 1 causes a transition to the ACTIVE state. Setting the DIAG_EXIT_MASK bit to 1 causes the device to remain in the DIAGNOSTIC state (only recommended for software debug).

NOTE

DIAG_EXIT_MASK for software debug: When the DIAG_EXIT_MASK bit is set to 1 before the DIAGNOSTIC state time-out interval expires, the device stays in the DIAGNOSTIC state until the bit is cleared. The DIAGNOSTIC state time-out timer remains free running in the background, but does not cause a state transition. When the DIAGNOSTIC state time-out interval has expired, the DIAG_EXIT bit is set automatically (in addition to the DIAG_EXIT_MASK bit remaining set) and the device remains in the DIAGNOSTIC state. For a controlled transition to the ACTIVE state, TI recommends clearing the DIAG_EXIT_MASK bit and setting the DIAG_EXIT bit with a single SPI write command to the SAFETY_CHECK_CTRL register. If both the DIAG_EXIT_MASK bit and DIAG_EXIT bits are cleared at the same time, the device remains in the DIAGNOSTIC state until either the next DIAGNOSTIC state time-out interval expires causing a transition to the SAFE state or if the DIAG_EXIT bit is set to 1, prior to the DIAGNOSTIC state time-out, transitioning the device to ACTIVE state.

NOTE

In the DIAGNOSTIC state the following considerations must be considered if a manual run of the LBIST is initiated by setting the LBIST_EN bit to 1. Setting the LBIST_EN bit to 1 clears the DIAG_EXIT_MASK bit to 0. If the DIAG_EXIT_MASK bit is being used to hold the device in the DIAGNOSTIC state for software debug, it must be set again to 1 after LBIST completion to stay in the DIAGNOSTIC state. The DIAGNOSTIC state time-out counter stops only during the running of LBIST. After the LBIST completes, the time-out counter continues from the last value. For a transition from the DIAGNOSTIC state to the ACTIVE state, the DIAG_EXIT bit must be set to 1.

5.4.23 ACTIVE State

The ACTIVE state has the characteristics that follow:

• The device enters from the DIAGNOSTIC state after the MCU sets the DIAG_EXIT bit after clearing the ERROR_PIN_FAIL and WD_FAIL bits.

NOTE

While in the DIAGNOSTIC state, the MCU must clear by writing a 0 to the ERROR_PIN_FAIL bit and the WD_FAIL bit in the SAFETY_ERR_STAT register before setting the DIAG_EXIT bit. Clearing these bits also clears their mirror bits, MCU_ERR and WD_ERR. Otherwise, a transition to the SAFE state occurs.

• The NRES pin is high.
• The state of the ENDRV pin is determined by the ENABLE_DRV bit, WD_FAIL_CNT[2:0] counter value, and and the overvoltage monitoring for the VDDx regulators (VDDx_OV) as shown in Figure 5-14;
• The VDDx regulators are on, the VDD5 regulator can be enabled or disabled through the VDD5_EN bit. The VSOUT1 regulator can be enabled or disabled through the VSOUT1_EN bit.
• The WD_FAIL_CNT[2:0] counter reinitializes to 5 during a transition from the DIAGNOSTIC state to the ACTIVE state.
• The watchdog and MCU ESM monitoring functions are operated as configured but cannot be reconfigured.
• During the ACTIVE state, the MCU can perform diagnostics of some safety function such as watchdog, DIAG_MUX pin, ABIST (approximately 300 µs, ENDRV pin will be low), LBIST (approximately 21 ms, ENDRV pin will be low), and CRC on registers depending on the system safety requirements.

5.4.24 SAFE State

The SAFE state has the characteristics that follow:

• The SAFE state is entered from:
  • The ACTIVE state by:
    • An error in the signal on the ERROR/WDI pin detected by the MCU ESM while enabled.. This transition is because of an error in the MCU and sets the ERROR_PIN_FAIL flag.
    • A detected read-back error on the NRES pin which sets the NRES_ERR flag while DIS_NRES_MON is cleared to 0 (1 in default state).
  • The DIAGNOSTIC state by:
    • After a DIAGNOSTIC state time-out event happens before the DIAG_EXIT_MASK bit is set to 1, keeping the device in the DIAGNOSTIC state or before the DIAG_EXIT bit is set to 1 transitioning the device to ACTIVE.
  • CFG_CRC_ERR = 1 AND CFG_CRC_EN is cleared to 0
  • An EE_CRC_ERR is detected in the DIAGNOSTIC state.
  • An ABIST_ERR or LBIST_ERR is detected in the DIAGNOSTIC state.
  • The WD_FAIL and ERROR_PIN_FAIL flags were not cleared to 0 before setting the DIAG_EXIT bit while exiting the DIAGNOSTIC state.
• Every transition to the SAFE state increments the device error count, DEV_ERR_CNT[3:0].
• The device stays in the SAFE state when the NO_SAFE_TO bit is set to 1 (default state) and DEV_ERR_CNT[3:0] = SAFE_LOCK_THR[3:0] + 1. This allows for programming the MCU without causing a reset and transition to the RESET state because of the SAFE state time-out.
• The NRES pin is high.
• The ENDRV pin is low.
• The VDDx regulators are on, the VDD5 regulator can be enabled or disabled with the VDD5_EN bit. The VSOUT1 regulator can be enabled or disabled with the VSOUT1_EN bit.

5.4.25 State Transition Priorities

For all global or possible double-state transitions, the following priorities hold true:

1. Priority I: all conditions for STANDBY state transition
2. Priority II: all conditions for RESET state transition
3. Priority III: all conditions for SAFE state transition

All other state transitions have a lower priority compared to any of the state transitions listed with priority numbers.

5.4.26 Power on Reset (NPOR)

The device goes through a power on reset (NPOR) which reinitializes all registers. The events that cause an NPOR are:

• Analog power on reset:
  • Loss-of-clock detection (LOCLK)
  • AVDD_VMON overvoltage or undervoltage event (AVDD_VMON_ERR)
  • DVDD undervoltage event (DVDD_UV)
  • DVDD overvoltage event (DVDD_OV)
• Digital power on reset. These errors can cause a NPOR. If the detected fault duration is less than 6 ms, an NPOR may not occur. When the CANWU or IGN state is kept high, the device transitions to the RESET state because of the wake-up request. The registers on the post-BIST reinitialization list are reinitialized after BIST runs on the transition from the RESET state to the DIAGNOSTIC state (unless AUTO_BIST_DIS = 1, not default).
  • VBATP undervoltage event (VBATP_UV)
  • VDD3/5 overtemperature event (VDD3/5_OT) while NMASK_VDD3/5_OT = 1
  • AVDD undervoltage event (AVDD_UV)
  • Error with the device VMON trim settings (VMON_TRIM_ERROR)
  • Error with band gaps: BG_ERR1 or BG_ERR2
  • VCP12 overvoltage event (VCP12_OV)
  • VCP17 overvoltage event (VCP17_OV)

5.5.1 Serial Peripheral Interface (SPI)

The primary communication between the device and the external the MCU is through a SPI bus which provides full-duplex communications in a master-slave configuration. The external MCU is always a SPI master, which sends command requests on the SDI pin and receives device responses on the SDO pin. The TPS65381-Q1 device is always a SPI slave device, which receives command requests and sends responses (status, measured values) to the external MCU over the SDO line.

• The SPI is a 4-pin interface.
  • NCS—SPI chip select (active-low)
  • SCLK—SPI clock
  • SDI—SPI slave-in and master-out (SIMO)
  • SDO—SPI slave-out and master-in (SOMI, three-state output)
• The SPI frame size is 16 bits.
• Speed is up to 6 Mbit/s.
• Commands and data are shifted MSB first, LSB last.
• The SDI line is sampled on the falling edge of SCLK.
• The SDO line is shifted out on the rising edge of SCLK.

The SPI communication starts with the NCS falling edge, and ends with the NCS rising edge. The NCS high level keeps the SPI slave interface in the reset state, and the SDO output is in the tri-state.

5.5.1.5 SPI Frame Overview

Figure 5-17 shows an overview of a complete 16-bit SPI Frame:

The SPI master (MCU) and SPI slave (TPS65381-Q1) sample receive data on the falling SCLK edge and transmit data on the rising SCLK edge.

Figure 5-17 16-Bit SPI Frame

5.5.2 SPI Register Write Access Lock (SW_LOCK command)

The SW_LOCK command protects the SPI registers against write update access through MCU control. When the SW_LOCK command with data AAh is sent to the device, the listed registers are locked from updates through a write access. To unlock the SPI registers, the SW_UNLOCK command with data 55h is sent to the device.

5.5.3 SPI Registers (SPI Mapped Response)

The following sections list the SPI registers. For each SPI register, the bit names are given along with the initialized values (values after internal logic reset).

The values are initialized after each wake-up from the STANDBY state or after any other power-on reset (NPOR) event.

After a LBIST run is complete, including the LBIST run on the transition out of RESET state, the following functions and registers re-initialize:

• DEV_STAT
• SAFETY_STAT_2
• SAFETY_STAT_4
• SAFETY_STAT_5 (but FSM[2:0] immediately updates to reflect the current device state)
• WD_TOKEN_VALUE
• WD_STATUS
• SAFETY_CHECK_CTRL
• DIAG_CFG_CTRL
• DIAG_MUX_SEL

The initialized value of the reserved bits (RSV) is indicated, however some of these bits are used for internal device operation and the application software should mask them as they may not remain at their initialized value.

The following sections also list an explanation of each bit function.

5.5.4 Device Safety Status and Control Registers

5.5.5 Watchdog Timer