SNVAA92 November 2023 LM63625-Q1, TPS37-Q1, TPS3703-Q1, TPS3850-Q1
Suppose that a safety MCU needs a 3.3-V power rail. Figure 2-1 illustrates the typical power architecture.
The 3.3-V power output must be monitored for faults such as supply undervoltage or overvoltage. If either occurs, the MCU is potentially operating in an unsafe state, so the MCU must be reset to switch it off and the system transitioned into a safe state.
Designers must consider how to design the power supply for a safety MCU so that the random hardware fault requirement for ASIL B is achieved at the system level. One recommended approach is to use an external supervisor to monitor the power-supply output. Because the supervisor is independent of the power supply whose output it monitors, there is no common-cause failure, and given the high performance and accuracy of the supervisor, the diagnostic coverage for power-supply over- and undervoltage is high.
Using the integrated PGOOD pin of a functional safety-capable regulator as the safety mechanism to monitor under- and overvoltage failures can be insufficient to meet ASIL B requirements. The PGOOD circuit is possibly not independent of the regulator circuit of the power supply, because the two circuits may share the same internal band gap. If the band gap drifts out of specification, PGOOD also fails and does not catch under- and overvoltage failures; this is known as a common-cause failure. The diagnostic coverage with PGOOD is possibly below 90%, which does not meet the single-point fault metric (SPFM) of ≥ 90% required for ASIL B.
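As an added worked example (not from this application note), the following Python computes the ISO 26262 single-point fault metric for the monitored rail under the two safety-mechanism choices discussed above: the regulator's own PGOOD pin, which cannot detect a drift of the band gap it shares with the regulator, and an independent external supervisor. The FIT values, the split of regulator output faults into band-gap-drift and other causes, and the 99% diagnostic-coverage figure are constructed assumptions for illustration only, not data for any device.

```python
"""Worked SPFM comparison: regulator PGOOD vs. external supervisor.

ISO 26262 single-point fault metric over the safety-related failure rates:
    SPFM = 1 - (sum(lambda_SPF) + sum(lambda_RF)) / sum(lambda)
A fault covered by a safety mechanism with diagnostic coverage DC leaves a
residual failure rate lambda_RF = lambda * (1 - DC); an uncovered fault
(DC = 0) is a single-point fault.
All failure rates below are constructed FIT values (failures per 1e9 h).
"""
from dataclasses import dataclass
from typing import List

ASIL_B_SPFM_TARGET = 0.90  # SPFM >= 90 % is required for ASIL B


@dataclass(frozen=True)
class Element:
    """One safety-related failure mode of the rail and how well it is detected."""
    name: str
    fit: float  # failure rate in FIT (constructed, not device data)
    dc: float   # diagnostic coverage of the safety mechanism, 0.0 .. 1.0


def spfm(elements: List[Element]) -> float:
    """Single-point fault metric for the given failure modes."""
    total = sum(e.fit for e in elements)
    residual = sum(e.fit * (1.0 - e.dc) for e in elements)
    return 1.0 - residual / total


def meets_asil_b(metric: float) -> bool:
    return metric >= ASIL_B_SPFM_TARGET


# Constructed fault split for the 3.3-V regulator output (assumption):
# 12 FIT of output UV/OV faults caused by the internal band gap drifting,
# 88 FIT of output UV/OV faults from other causes.
BANDGAP_DRIFT_FIT = 12.0
OTHER_OUTPUT_FAULT_FIT = 88.0
HIGH_DC = 0.99  # assumed coverage of an accurate monitor with its own reference


def pgood_scenario() -> List[Element]:
    """PGOOD shares the band gap with the regulator: a band-gap drift also
    shifts the PGOOD threshold, so that failure mode goes undetected (DC = 0).
    This is the common-cause failure described in the text."""
    return [
        Element("bandgap drift -> output UV/OV", BANDGAP_DRIFT_FIT, 0.0),
        Element("other output UV/OV", OTHER_OUTPUT_FAULT_FIT, HIGH_DC),
    ]


def supervisor_scenario() -> List[Element]:
    """An external window supervisor uses its own reference, so both failure
    modes are detected at the assumed high coverage."""
    return [
        Element("bandgap drift -> output UV/OV", BANDGAP_DRIFT_FIT, HIGH_DC),
        Element("other output UV/OV", OTHER_OUTPUT_FAULT_FIT, HIGH_DC),
    ]


if __name__ == "__main__":
    for label, scenario in (("regulator PGOOD", pgood_scenario()),
                            ("external supervisor", supervisor_scenario())):
        m = spfm(scenario)
        verdict = "pass" if meets_asil_b(m) else "fail"
        print(f"{label:20s} SPFM = {m:.2%}  ASIL B target: {verdict}")
```

With these constructed numbers the PGOOD path yields an SPFM of 87.12% and fails the 90% target even though PGOOD itself detects 99% of the faults it can see, because the shared band gap turns an entire failure mode into an undetected single-point fault. The external supervisor path yields 99%. A complete analysis would also add the supervisor's own failure rate and latent-fault metric; the point here is only how common-cause coverage loss propagates into the SPFM.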
Figure 3-4 and Figure 2-3 depict reference designs targeting ASIL B using various supervisors.
In Figure 3-4, the TPS3703-Q1 is a window supervisor with a high-accuracy under- and overvoltage monitor. The TPS3850-Q1 is a window supervisor with an integrated window watchdog. Both devices support input voltages at the VIN and SENSE pins of up to 6.5 V. If a regulator overvoltage fault drives VOUT above 6.5 V, this overvoltage exceeds the absolute maximum input voltage range of the supervisor and can render the supervisor ineffective or damage it. However, such an overvoltage usually also exceeds the maximum operating voltage of the MCU, so the MCU malfunctions grossly or is even damaged. In a digital cockpit or instrument cluster, a damaged MCU results in a black screen, which is considered a safe state.
If overvoltages above 6.5 V are a concern, then consider the TPS37A-Q1 instead. This device is a wide VIN supervisor that supports voltages on the VIN and SENSE pins of up to 65 V, so that VIN can be directly connected to the battery. The supervisor monitors the power-supply output and resets the MCU into a safe state upon detection of an under- or overvoltage event.