SNVAA92, November 2023. Devices: LM63625-Q1, TPS37-Q1, TPS3703-Q1, TPS3850-Q1
Functional safety is important in automotive applications such as advanced driver assistance systems (ADAS), battery management systems (BMS), digital cockpits, and instrument clusters. Designers often wonder how to design power supplies for safety microcontrollers (MCUs) to achieve Automotive Safety Integrity Level (ASIL) B.
This article describes a TI design leveraging two TI Functional Safety-Capable devices – the LM63625-Q1 buck converter combined with the TPS37A-Q1 supervisor – to meet random hardware fault metrics for ASIL B in digital cockpit and cluster applications. This method can also be scaled to other automotive applications.
TI Functional Safety-Capable devices are not developed according to the requirements of any functional safety standard. TI provides failure-in-time (FIT) rate and failure mode distribution information to customers to aid in the calculation of random hardware fault metrics. TI recommends integrating these components into a system through the strategy of “evaluation of hardware element” (International Organization for Standardization [ISO] 26262-8:2018, clause 13).
Safety MCUs are widely used in safety-critical automotive systems such as digital cockpits and instrument clusters. The MCU collects safety-relevant information from various electronic control units and sensors through a Controller Area Network (CAN). The device then executes the corresponding signal processing and fault detection to achieve the system functional safety requirements. Keeping the power supply within the recommended operating range of the safety MCU is essential to prevent the MCU from running into an unsafe state.
There are four classifications of ASILs in the ISO 26262 standard based on the inherent safety risk: ASIL A, ASIL B, ASIL C, and ASIL D, with ASIL D being the most stringent requirement. The target for digital cockpit and cluster applications is typically ASIL B.
Suppose that a safety MCU needs a 3.3-V power rail. Figure 2-1 illustrates the typical power architecture.
The 3.3-V power output needs to be monitored for faults such as supply undervoltage or overvoltage. If either occurs, the MCU is potentially operating in an unsafe state, so the MCU must be reset (switched off) and the system transitioned into a safe state.
Designers must consider how to design the power supply for a safety MCU to achieve the random hardware fault requirement for ASIL B at the system level. One recommended approach is to use an external supervisor to monitor the power-supply output. The supervisor is a separate device, independent of the power supply, so there is no common-cause failure between the two. Given the high performance and accuracy of the supervisor, the diagnostic coverage for power-supply over- and undervoltage is high.
Using the integrated PGOOD pin of a functional safety-capable regulator as the safety mechanism to monitor under- and overvoltage failures can be insufficient to meet ASIL B requirements. The PGOOD circuit is possibly not independent from the regulator circuit of the power supply, as the circuits potentially share the same internal band gap. If the band gap drifts out of specification, then PGOOD also fails and does not catch under- and overvoltage failures; this is known as a common-cause failure. The diagnostic coverage with PGOOD is possibly below 90%, which does not meet the single-point fault metric (SPFM) of ≥ 90% for ASIL B.
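To make the arithmetic behind this comparison concrete, the following added example (not from the application note, and using constructed FIT values and diagnostic coverages rather than TI-published data) applies the ISO 26262-5 single-point fault metric to the two monitoring schemes: the regulator's own PGOOD pin, whose coverage collapses for the shared band-gap failure mode, and an independent supervisor with high coverage on every output-voltage failure mode.

```python
from dataclasses import dataclass

@dataclass
class FailureMode:
    name: str
    fit: float            # failure rate in FIT (failures per 1e9 device-hours)
    safety_related: bool  # can this failure mode violate the safety goal?
    dc: float             # diagnostic coverage of the safety mechanism, 0.0 to 1.0

def spfm(modes):
    """Single-point fault metric per ISO 26262-5:
    SPFM = 1 - (sum of single-point + residual failure rates) / (total failure rate).
    A safety-related mode with dc == 0 is a single-point fault; with dc > 0 its
    undetected (residual) share is fit * (1 - dc)."""
    total = sum(m.fit for m in modes)
    undetected = sum(m.fit * (1.0 - m.dc) for m in modes if m.safety_related)
    return 1.0 - undetected / total

def meets_asil_b_spfm(modes):
    return spfm(modes) >= 0.90   # ASIL B target for the single-point fault metric

def regulator_modes(bandgap_dc, other_dc):
    # Constructed, illustrative failure modes for the 3.3-V regulator;
    # the FIT numbers are placeholders, not the device's published data.
    return [
        FailureMode("band-gap drift -> output OV/UV", 10.0, True, bandgap_dc),
        FailureMode("power-stage fault -> output OV/UV", 5.0, True, other_dc),
        FailureMode("degradation with no safety-goal impact", 5.0, False, 0.0),
    ]

# Scheme 1: the regulator's own PGOOD pin as the safety mechanism. PGOOD shares the
# band gap, so a drifted band gap is largely missed (constructed dc = 0.60).
PGOOD_ONLY = regulator_modes(bandgap_dc=0.60, other_dc=0.95)

# Scheme 2: an independent window supervisor with its own reference; no common
# cause with the regulator, so high coverage on both modes (constructed dc = 0.99).
EXTERNAL_SUPERVISOR = regulator_modes(bandgap_dc=0.99, other_dc=0.99)

if __name__ == "__main__":
    for label, modes in (("PGOOD only", PGOOD_ONLY), ("external supervisor", EXTERNAL_SUPERVISOR)):
        print(f"{label}: SPFM = {spfm(modes):.2%}, ASIL B SPFM target met: {meets_asil_b_spfm(modes)}")
```

With these constructed numbers the PGOOD-only scheme reaches an SPFM of 78.75% and the external-supervisor scheme 99.25%; only the latter clears the 90% ASIL B bar.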
Figure 3-4 and Figure 2-3 depict reference designs targeting ASIL B using various supervisors.
In Figure 3-4, the TPS3703-Q1 is a window supervisor with a high-accuracy under- and overvoltage monitor. The TPS3850-Q1 is a window supervisor with an integrated window watchdog. Both devices support input voltages at the VIN and SENSE pins of up to 6.5 V. If a regulator overvoltage fault drives VOUT above 6.5 V, this overvoltage exceeds the absolute maximum input voltage range of the supervisor and can render the supervisor ineffective or damage it. However, such an overvoltage usually also exceeds the maximum operating voltage of the MCU, so the MCU malfunctions grossly or is even damaged. In a digital cockpit or instrument cluster, a damaged MCU results in a black screen, which is considered a safe state.
If overvoltages above 6.5 V are a concern, then consider the TPS37A-Q1 instead. This device is a wide-VIN supervisor that supports voltages on the VIN and SENSE pins of up to 65 V, so that VIN can be connected directly to the battery. The supervisor monitors the power-supply output and resets the MCU into a safe state upon detection of an under- or overvoltage event.