SLVA528D September 2012 – August 2021 TPS65381-Q1, TPS65381A-Q1

  1. Trademarks
  2. 1 Introduction
  3. 2 Product Overview
    1. 2.1 Safety Functions and Diagnostics Overview
    2. 2.2 Target Applications
    3. 2.3 Product Safety Constraints
  4. 3 Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
  5. 4 TPS65381x-Q1 Product Architecture for Management of Random Faults
    1. 4.1 Device Operating States
    2. 4.2 NRES (MCU Reset) Driver and ENDRV (SAFING Path Enable) Driver
  6. 5 TPS65381x-Q1 Architecture Safety Mechanisms and Assumptions of Use
    1. 5.1 Power Supply
    2. 5.2 Regulated Supplies
      1. 5.2.1 VDD6 Buck Switch-Mode Supply
      2. 5.2.2 VDD5 Linear Supply
      3. 5.2.3 VDD3/5 Linear Supply
      4. 5.2.4 VDD1 Linear Supply
      5. 5.2.5 VSOUT1 Linear Supply
      6. 5.2.6 Charge Pump
    3. 5.3 Diagnostic, Monitoring, and Protection Functions
      1. 5.3.1 External MCU Fault Detection and Management
        1. 5.3.1.1 External MCU Error Signal Monitor (MCU ESM)
        2. 5.3.1.2 Watchdog Timer
      2. 5.3.2 Voltage Monitor (VMON)
      3. 5.3.3 Loss-of-Clock Monitor (LCMON)
      4. 5.3.4 Junction Temperature Monitoring and Current Limiting
      5. 5.3.5 Analog and Digital MUX (AMUX and DMUX) and Diagnostic Output Pin (DIAG_OUT)
      6. 5.3.6 Analog Built-In Self-Test (ABIST)
      7. 5.3.7 Logic Built-In Self-Test (LBIST)
      8. 5.3.8 Device Configuration Register Protection
  7. 6 Application Diagrams
    1. 6.1 TPS65381x-Q1 With TMS570
    2. 6.2 TPS65381x-Q1 With C2000
    3. 6.3 TPS65381x-Q1 With TMS470
  8. 7 TPS65381x-Q1 as Safety Element out of Context (SEooC)
    1. 7.1 TPS65381x-Q1 Used in an EV/HEV Inverter System
    2. 7.2 SPI Note
  9. 8 Revision History

External MCU Fault Detection and Management

When the integrated diagnostics detect an external MCU fault, the error must be indicated. The TPS65381x-Q1 device uses the watchdog function and the MCU error signal monitor (MCU ESM) to monitor the external MCU for hardware and software faults. On detection of an external MCU fault in the ACTIVE state, the TPS65381x-Q1 device transitions to the SAFE or RESET state and can increment the device error counter, depending on the specific fault and state transition. Refer to the data sheet for all state transitions caused by MCU faults.

In the SAFE state, the MCU can perform additional diagnostics to confirm the root cause of the fault.

If the detected fault condition or event has caused the MCU to become nonresponsive, the TPS65381x-Q1 watchdog detects a time-out event and counts it in the watchdog failure counter (WD_FAIL_CNT[2:0]). When a further time-out occurs after the counter has reached 7, and the WD_RST_EN bit is set, the device transitions through the RESET state, pulling the NRES pin low to assert a reset to the external MCU in an attempt to recover it from the nonresponsive state.

If the MCU does not provide the correct signal to the MCU ESM of the TPS65381x-Q1 device, the device transitions to the SAFE state. Depending on how the NO_SAFE_TO, SAFE_LOCK_THR[3:0], and PWD_THR[3:0] bits are configured, the device either stays locked in the SAFE state or stays in the SAFE state for a configurable SAFE-state time-out time before transitioning to either the RESET or STANDBY state. Refer to the SAFE State section of the data sheet for details on configuring these registers for the response required by the specific application. When the TPS65381x-Q1 device transitions to the SAFE state, it increments the device error counter, DEV_ERR_CNT[3:0]. When the device error counter reaches a value matching one of the programmable thresholds, the TPS65381x-Q1 device transitions states accordingly.

The MCU can test the TPS65381x-Q1 device in the DIAGNOSTIC state by forcing watchdog failures (with the WD_RST_EN bit set to 0) and MCU ESM failures. Watchdog failures detected while the WD_RST_EN bit is 0 do not cause a transition to the RESET state, and MCU ESM failures detected in the DIAGNOSTIC state do not cause a transition to the SAFE state. The error flags set by these forced failures must be cleared before the transition to the ACTIVE state for normal operation.
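The escalation rules in the three paragraphs above (watchdog time-outs counted in WD_FAIL_CNT[2:0] until a reset, ESM failures counted in DEV_ERR_CNT[3:0] and resolved in the SAFE state by NO_SAFE_TO, SAFE_LOCK_THR and PWD_THR, and the WD_RST_EN = 0 diagnostic check) are easier to reason about as a small host-side model. The following C program is an added example, not TI code and not the device's implementation: it lets an integrator replay a fault sequence against a register configuration before trying it on hardware. Field widths and state names are from the text; the decrement-on-good rule for WD_FAIL_CNT, the saturating counters and the "greater than or equal" comparison against SAFE_LOCK_THR and PWD_THR are assumptions taken from the data sheet rather than from this page.

```c
/* Added example (not TI code): host-side model of the TPS65381x-Q1 MCU-fault
 * escalation described in the safety manual text. Assumptions beyond the
 * text: WD_FAIL_CNT counts down on a good watchdog answer and saturates at 7,
 * DEV_ERR_CNT saturates at 15, thresholds compare with >=. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ST_ACTIVE, ST_DIAGNOSTIC, ST_SAFE, ST_RESET, ST_STANDBY } dev_state_t;
typedef enum { WD_GOOD, WD_BAD, WD_TIMEOUT } wd_event_t;

typedef struct {
    bool    wd_rst_en;      /* WD_RST_EN: watchdog failure may force RESET */
    bool    no_safe_to;     /* NO_SAFE_TO: no SAFE-state time-out          */
    uint8_t safe_lock_thr;  /* SAFE_LOCK_THR[3:0]                          */
    uint8_t pwd_thr;        /* PWD_THR[3:0]                                */
} dev_cfg_t;

typedef struct {
    dev_state_t state;
    uint8_t     wd_fail_cnt;  /* WD_FAIL_CNT[2:0], 0..7  */
    uint8_t     dev_err_cnt;  /* DEV_ERR_CNT[3:0], 0..15 */
    bool        wd_fail;      /* watchdog failure flag   */
    bool        nres_low;     /* NRES driven low to MCU  */
} dev_t;

/* One watchdog window. Bad answers and time-outs count up; once the counter is
 * already 7 the next failure sets the failure flag and, with WD_RST_EN = 1, takes
 * the device through RESET with NRES low. With WD_RST_EN = 0 (the DIAGNOSTIC-state
 * self-check) only the flag is set. */
static void wd_event(dev_t *d, const dev_cfg_t *c, wd_event_t ev)
{
    if (ev == WD_GOOD) {
        if (d->wd_fail_cnt > 0) d->wd_fail_cnt--;   /* assumed decrement rule */
        return;
    }
    if (d->wd_fail_cnt < 7) { d->wd_fail_cnt++; return; }
    d->wd_fail = true;
    if (c->wd_rst_en) { d->state = ST_RESET; d->nres_low = true; }
}

/* MCU ESM failure: in ACTIVE the device enters SAFE and increments DEV_ERR_CNT.
 * In DIAGNOSTIC the failure is only flagged and the state does not change. */
static void esm_failure(dev_t *d)
{
    if (d->state != ST_ACTIVE) return;
    d->state = ST_SAFE;
    if (d->dev_err_cnt < 15) d->dev_err_cnt++;
}

/* Resolve the SAFE state when its time-out expires: DEV_ERR_CNT >= PWD_THR powers
 * down to STANDBY; NO_SAFE_TO = 1 or DEV_ERR_CNT >= SAFE_LOCK_THR keeps the device
 * locked in SAFE; otherwise the device goes to RESET to restart the MCU. */
static dev_state_t safe_timeout(dev_t *d, const dev_cfg_t *c)
{
    if (d->state != ST_SAFE) return d->state;
    if (d->dev_err_cnt >= c->pwd_thr)
        d->state = ST_STANDBY;
    else if (c->no_safe_to || d->dev_err_cnt >= c->safe_lock_thr)
        d->state = ST_SAFE;
    else { d->state = ST_RESET; d->nres_low = true; }
    return d->state;
}

/* Scenario A: the MCU stops answering the watchdog. Returns the number of
 * consecutive time-outs before NRES goes low, or -1 if no reset occurs. */
int timeouts_until_reset(bool wd_rst_en, int max_events)
{
    dev_cfg_t c = { .wd_rst_en = wd_rst_en, .no_safe_to = false,
                    .safe_lock_thr = 4, .pwd_thr = 8 };
    dev_t d = { .state = ST_ACTIVE };
    for (int i = 1; i <= max_events; i++) {
        wd_event(&d, &c, WD_TIMEOUT);
        if (d.nres_low) return i;
    }
    return -1;
}

/* Scenario B: the MCU fails the ESM check again after every restart. Each round
 * is ESM failure -> SAFE -> SAFE time-out, with the MCU assumed back in ACTIVE
 * after each RESET. Returns the state reached when the last round resolves. */
dev_state_t esm_faults_outcome(int n, uint8_t safe_lock_thr, uint8_t pwd_thr, bool no_safe_to)
{
    dev_cfg_t c = { .wd_rst_en = true, .no_safe_to = no_safe_to,
                    .safe_lock_thr = safe_lock_thr, .pwd_thr = pwd_thr };
    dev_t d = { .state = ST_ACTIVE };
    dev_state_t s = ST_ACTIVE;
    for (int i = 0; i < n; i++) {
        d.state = ST_ACTIVE;          /* MCU (re)started and back in ACTIVE */
        esm_failure(&d);
        s = safe_timeout(&d, &c);
        if (s != ST_RESET) break;     /* locked in SAFE or powered down */
    }
    return s;
}

int main(void)
{
    printf("hung MCU, WD_RST_EN=1: NRES low after %d time-outs\n", timeouts_until_reset(true, 20));
    printf("hung MCU, WD_RST_EN=0: %d (flag only, no reset)\n", timeouts_until_reset(false, 20));
    printf("4 ESM faults, SAFE_LOCK_THR=4: locked in SAFE=%d\n", esm_faults_outcome(4, 4, 8, false) == ST_SAFE);
    printf("3 ESM faults, PWD_THR=3: STANDBY=%d\n", esm_faults_outcome(3, 15, 3, false) == ST_STANDBY);
    return 0;
}
```

Two points the model makes visible: a hung MCU is not reset on the first missed watchdog window but only once WD_FAIL_CNT has already saturated at 7 and one more failure arrives, so the reset latency is several watchdog periods; and the relative values of SAFE_LOCK_THR and PWD_THR decide whether repeated ESM faults end in a locked SAFE state (lower lock threshold) or in a power-down to STANDBY (lower power-down threshold). Whichever is reached first wins, so the two thresholds should be chosen together.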