SSZT482, May 2019. Devices: LM4132-Q1, TPS3703-Q1, TPS3850-Q1, TPS3890-Q1
Many safety-related automotive systems are required to meet an Automotive Safety Integrity Level (ASIL) target as defined by the International Organization for Standardization (ISO) in ISO 26262.
It is a common misconception that integrated circuits (ICs) not developed following the ISO 26262 standard cannot be used to achieve functional safety goals. Many automotive OEMs have used the features and reliability of semiconductor devices that are not themselves ASIL-certified to develop systems that target ASIL requirements. This post shows how both voltage references and supervisors can help you achieve ASIL compliance for your automotive systems.
Devices such as voltage references and supervisors (reset ICs) are common semiconductor devices that can help automotive system integrators develop functionally safe systems. When used in automotive applications, these devices provide diagnostic coverage or redundant monitoring capability.
Figure 1 is taken from ISO 26262-10:2018, 9.2.3.4, and is an example of how safety elements out of context (SEooC) such as voltage supervisors and watchdogs can be used as safety mechanisms.
A voltage supervisor helps achieve system-level functional safety targets by detecting power supply faults: when it detects an overvoltage or undervoltage condition on a monitored rail, it asserts its output (a reset or fault signal) to the microcontroller (MCU), acting as a safety mechanism for the MCU's supply. Some voltage supervisors also provide digital diagnostics through a window watchdog timer that can detect clocking failures of the MCU, that is, watchdog pulses from the MCU that arrive too early or too late (a pulse that never arrives is the limiting case of a late pulse). The window watchdog timer monitors these pulses and alerts the system that a fault has occurred; Figure 2 shows how a window watchdog timer operates. Another way to monitor for undervoltage and overvoltage is to use an analog-to-digital converter (ADC) together with a precision voltage reference, which can cover multiple voltage rails. In some cases, systems with very high diagnostic coverage goals may require redundant safety mechanisms to achieve system-level functional safety goals: in addition to an ADC and voltage reference monitoring for supply failures, a supervisor is also required to monitor the same voltage rails to ensure the needed safety and diagnostic coverage.
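The following is an added illustrative model (not code from TI or from the reference design) of the two mechanisms just described: a window watchdog that classifies MCU pulses as in-window, early or late, and an over-/undervoltage window comparator together with the worst-case trip band implied by a threshold accuracy specification. The timeout, window ratio, rail thresholds, accuracy figure and the sample pulse train are all assumptions constructed for the example, not datasheet values.

```c
/* Added illustrative model of the two safety mechanisms described above:
 * a window watchdog that classifies MCU pulses as in-window, early or late,
 * and an over-/undervoltage window comparator with a worst-case threshold
 * band. All timing values, thresholds and the sample pulse train are
 * assumptions constructed for this example, not datasheet figures. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { WWD_OK = 0, WWD_EARLY = 1, WWD_LATE = 2 } wwd_status_t;

/* Pure classification: the window opens at window_pct percent of timeout_ms
 * and closes at timeout_ms. A pulse before it opens is early; a pulse after
 * it closes (including no pulse at all) is late. */
wwd_status_t wwd_classify(uint32_t timeout_ms, uint32_t window_pct, uint32_t elapsed_ms)
{
    uint32_t opens_ms = timeout_ms * window_pct / 100;
    if (elapsed_ms < opens_ms)   return WWD_EARLY;
    if (elapsed_ms > timeout_ms) return WWD_LATE;
    return WWD_OK;
}

typedef struct {
    uint32_t timeout_ms;
    uint32_t window_pct;
    uint32_t last_pulse_ms; /* time the window was last restarted           */
    bool     faulted;       /* latched once any early or late event is seen */
} wwd_t;

void wwd_init(wwd_t *w, uint32_t timeout_ms, uint32_t window_pct, uint32_t now_ms)
{
    w->timeout_ms = timeout_ms;
    w->window_pct = window_pct;
    w->last_pulse_ms = now_ms;
    w->faulted = false;
}

/* MCU toggles the watchdog input at now_ms; every pulse restarts the window. */
wwd_status_t wwd_pulse(wwd_t *w, uint32_t now_ms)
{
    wwd_status_t s = wwd_classify(w->timeout_ms, w->window_pct, now_ms - w->last_pulse_ms);
    if (s != WWD_OK) w->faulted = true;
    w->last_pulse_ms = now_ms;
    return s;
}

/* Periodic tick: catches an MCU that has stopped pulsing altogether. */
bool wwd_tick(wwd_t *w, uint32_t now_ms)
{
    if (now_ms - w->last_pulse_ms > w->timeout_ms) { w->faulted = true; return true; }
    return false;
}

/* Run the model over a pulse train (times in ms, window started at t = 0)
 * and return how many pulses fell outside the window. */
int wwd_count_faults(const uint32_t *pulses_ms, size_t n, uint32_t timeout_ms, uint32_t window_pct)
{
    wwd_t w;
    int faults = 0;
    wwd_init(&w, timeout_ms, window_pct, 0);
    for (size_t i = 0; i < n; i++)
        if (wwd_pulse(&w, pulses_ms[i]) != WWD_OK) faults++;
    return faults;
}

/* Constructed sample train: two good pulses, one early (30 ms gap),
 * one late (150 ms gap), then one good pulse. */
const uint32_t SAMPLE_PULSES_MS[] = { 70, 140, 170, 320, 390 };
const size_t   SAMPLE_PULSES_N    = sizeof SAMPLE_PULSES_MS / sizeof SAMPLE_PULSES_MS[0];

typedef enum { SUP_OK = 0, SUP_UV = 1, SUP_OV = 2 } sup_status_t;

/* Window comparator: the rail must stay within [uv_mv, ov_mv]. */
sup_status_t supervise_mv(uint32_t rail_mv, uint32_t uv_mv, uint32_t ov_mv)
{
    if (rail_mv < uv_mv) return SUP_UV;
    if (rail_mv > ov_mv) return SUP_OV;
    return SUP_OK;
}

/* A threshold specified as nominal +/- acc_pct may actually trip anywhere in
 * this band; the designer checks that even the worst-case trip point still
 * lies inside the MCU's guaranteed operating range. */
double threshold_lo_mv(double nominal_mv, double acc_pct) { return nominal_mv * (1.0 - acc_pct / 100.0); }
double threshold_hi_mv(double nominal_mv, double acc_pct) { return nominal_mv * (1.0 + acc_pct / 100.0); }

int main(void)
{
    /* Assumed configuration: 100 ms timeout, window opens at 50 % (50 ms). */
    printf("faulty pulses in sample train: %d\n",
           wwd_count_faults(SAMPLE_PULSES_MS, SAMPLE_PULSES_N, 100, 50));
    /* Assumed 3.3 V rail with -5 %/+5 % trip points and 1 % threshold accuracy. */
    printf("3100 mV -> %d (1 = undervoltage)\n", supervise_mv(3100, 3135, 3465));
    printf("UV trip band: %.1f .. %.1f mV\n", threshold_lo_mv(3135, 1.0), threshold_hi_mv(3135, 1.0));
    return 0;
}
```

Two points the model makes explicit: the watchdog must be evaluated on a periodic tick as well as on each pulse (`wwd_tick`), otherwise a hung MCU that never pulses again is never flagged; and a threshold with a stated accuracy of 1% is only known to trip somewhere in a band of plus or minus 1% around its nominal value, so the undervoltage band must be checked against the MCU's minimum operating voltage at the low end and against the rail's normal tolerance at the high end to avoid both missed detections and nuisance resets.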
Risk assessments of automotive systems show that faults can occur due to IC failures; therefore, evaluations at the device level are required in some functionally safe systems. TI can provide the device information needed to evaluate an IC against the requirements of the functional safety system concept, including collateral such as qualification reports, failure-in-time (FS-FIT) rates, failure mode distributions (FMD), and design failure mode and effects analysis (DFMEA) for voltage references and supervisors.
The "ADAS power reference design with improved voltage supervision" shows how voltage references and supervisors can help in implementing functionally safe systems. The voltage reference and supervisors used in this reference design can help designers achieve system-level functional safety goals when the devices' functionality, features and device collateral are combined.
The reference design provides an automotive power solution with additional voltage supervision and a window watchdog for safety MCUs in advanced driver assistance systems (ADAS). The design helps achieve accurate voltage monitoring with a supervision threshold accuracy of 1% maximum across temperature and includes features such as a flexible reset delay and manual reset. The TPS3703-Q1 provides overvoltage and undervoltage monitoring in a small footprint with minimal need for external components, which helps in space-constrained designs.
Figure 3 shows how the TPS3703-Q1 detects overvoltage and undervoltage. For potential clocking failures, the TPS3850-Q1 doubles as an overvoltage/undervoltage monitor and window watchdog timer, as illustrated in Figure 2 and Figure 3. It also offers the flexibility to change the watchdog timeout and window ratio and to disable the watchdog timer. In cases where only undervoltage monitoring is necessary, the TPS3890-Q1 provides accurate voltage monitoring at a very low quiescent current to reduce system power consumption. Last but not least, the LM4132-Q1 provides a precision reference voltage to the ADC used for voltage monitoring. With 0.05% initial accuracy and a low temperature drift of 10 ppm/°C, the LM4132-Q1 enables accurate voltage monitoring at a supply current of only 60 µA.
The reference design takes ISO 26262 and its guidance on power-supply voltage monitoring and watchdog diagnostics into consideration. Figure 4, taken from ISO 26262-5:2018, Annex D, explains the need to detect failures in the power supply and failures caused by a defective program sequence. That annex is intended for evaluating diagnostic coverage and serves as a guideline for choosing appropriate safety mechanisms to detect possible system failures. The reference design can help in implementing the system-level safety mechanisms shown in Figure 4.
The voltage supervisors and references used in this reference design can provide an additional layer of safety by providing extra diagnostic coverage, safety mechanisms or redundant safety monitoring. The products' fault-detection performance and functionality can help achieve functional safety goals in automotive systems. Additionally, TI can provide collateral to improve time-to-market for system integrators.
TI PROVIDES TECHNICAL AND RELIABILITY DATA (INCLUDING DATASHEETS), DESIGN RESOURCES (INCLUDING REFERENCE DESIGNS), APPLICATION OR OTHER DESIGN ADVICE, WEB TOOLS, SAFETY INFORMATION, AND OTHER RESOURCES “AS IS” AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS.
These resources are intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable standards, and any other safety, security, or other requirements. These resources are subject to change without notice. TI grants you permission to use these resources only for development of an application that uses the TI products described in the resource. Other reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims, damages, costs, losses, and liabilities arising out of your use of these resources.
TI’s products are provided subject to TI’s Terms of Sale (www.ti.com/legal/termsofsale.html) or other applicable terms available either on ti.com or provided in conjunction with such TI products. TI’s provision of these resources does not expand or otherwise alter TI’s applicable warranties or warranty disclaimers for TI products.
Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265
Copyright © 2023, Texas Instruments Incorporated