Mixed Signal Automotive March 2, 2012 MSA Solutions for Safety Critical App.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
-
Mixed Signal Automotive
March 2, 2012
MSA Solutions for Safety Critical App.
-
Functional Safety Standards Across Industries
– IEC 61508 is used as a basis of sector-specific standards, but intended for direct
use where these do not yet exist
– TI MSA’s circuit architectures in production today have resulted in successfully
certified systems to IEC 61508 SIL3 functional safety requirements
2
IEC 61508
EN 50128
(railway)DO-178B(aerospace)
IEC 50156 (furnaces)
IEC 60880 (nuclear power
stations)
ISO 26262 (automotive)
IEC 62061 (machinery)
IEC 61511 (process industry)
IEC 60601(medical
equipment)
http://www.picture-newsletter.com/nuclear/nuclear-power-plant-9igh.jpghttp://en.wikipedia.org/wiki/File:Alto_horno_antiguo_Sestao.jpg
-
SAFETY – TI’s Long Term Investment
Time
Co
mp
lexit
y
TMS37016-bit20 MHz256 KB
TMS47016/32-bit60 MHz1 MB
TMS570 Dual CoreAMP / LS32-bit180 MHz2 MB
Gen 2 Power ControlLBC5 (0.35um)60K gatesHigh-precision analog control
Gen 3 Power ControlLBC5x (0.35um)90K gatesOptimized high-precisionanalog control
Enhanced sensor inputs
Gen 1 Power ControlLBC4 (0.72um)20K gatesLow-precision analogcontrol
uC
Mixed signal
Gen 4 Power ControlLBC8 (0.18um)100K gates
Braking PressureSensor Interface LBC5
GyroSensor Interface
Sensor Platform
TMS570 Multi Core 32-bit>200 MHz4 MB
– Proven Track Record: >15 years experience in Safety
– Leadership in analog and microcontroller technology
– Dedicated teams developing mixed-signal ICs for active and
passive safety applications
-
ISO 26262 and Mixed-Signal Circuits
– ISO 26262 recommendations are quite vague about mixed-signal circuits
– MSA team derived from ISO 26262 a set of requirements and methodologies tobe applied to mixed-signal circuit safety development flow
– MSA supports this process by means of its Safety Development Flowmethodology, as integrated part of MSA New Product Development Process
Phase 0
Bussiness Planning
Phase 1
Program Planning
Phase 2
Create
Phase 3
Evaluate
Phase 4
Ready for Production
Phase 5
Sustaining
Is Safety Process
required?Generate Safety Plan
Device Design
Specification
Validation of Safety
Elements in Silicon
Plans for Support of
operation and production
Ongoing production
support
Nominate Safety
Manager
Initiation of the Safety
Case
Qualitative Analysis of
Design Specification
Characterization of Safety
Elements Release of final safety case End of Life Production
Execution of
Development
Interface Agreement
Identify System and
component safety
requirements
Validation of Safety Design
implementation at
transitor/schematicand
RTL level
Qualification of safety
related design features Confirmation review
Decommissioning of
products in the field
Confirmation Review Quantitative analysis of
design Release of safety manual
Periodic confirmation
reviews
Re-validation of Safety
Design with back-
annotated circuit parasitics
Release of safety analysis
report
Confirmation Review Confirmation Review
-
Mixed Signal Automotive
Enabling Automotive Safe SystemsEPS System Safety Analysis Example
TPS6538x Multi-Rail Power Supply
DRV3201 3-Phase Bridge Pre-Driver
TMS570 MCU
-
EPS System Safety AnalysisSystem Safety Requirements / Considerations
– SAFING Regulated Supplies
General UV/OV Voltage monitoring (with comparators self-test)
Regulator Current Limitation
Over-temperature detection and protection
– SAFING MCU
Supply monitor and reset generation
Watchdog function (and ERROR pin monitor)
SPI Communication Monitor
Interface interconnect diagnostics
– SAFING Sensor Interfaces (position and torque sensors)
Independent sensor supplies (with current limit, voltage monitoring and comparator self tests)
Independent and redundant sensor data processing (by MCU)
-
EPS System Safety AnalysisSystem Safety Requirements / Considerations (cont.)
– SAFING Power Stages
VDS Monitoring and Short-Circuit Protection
Shoot-through protection and programmable dead-time
Ambient Over-Temperature Monitoring and Protection
Redundant and Independent External Power Stage Enable Control
– Motor Current Sensing
Redundant external gain setting check
Calibration options (auto-zero calibration)
Redundant and Independent External Power Stage Enable Control
– Power Supply IC Monitoring and Diagnostics
External diagnostics through AMUX/DMUX (by MCU ADC)
• Internal voltage measurement
• Bandgap voltage confirmation
• Comparators check
• Clock diagnostics
-
DRV3201Motor driver for 3-phase brushless DC motors
Electrical Power Steering systems
EHV Brake, Transmission
Oil Pump, Fuel Pump
Operating Voltage 4.75 to 30 Volt (down to 3V for logic)
Drives 6 FETs with 250nC gate charge
PWM freq. up to 30 kHz
Two low offset (
-
DRV3201Motor driver for 3-phase brushless DC motors
Development
SCLK
RSTN
PHxC
DRVOFF
BLDCLevel
shift
Safety / Diagnostic - Overtemp
- Overvoltage
- Undervoltage
- Clock Monitoring
- Overtemperature Detection
- Short Circuit
- Shoot Through Protection
- VDS Monitoring
- Dead Time Control
Bandgap,
Bias,
Oscillator
6 x VDS Monitor
3 x Phase Comp
SDI
NCS
SDO
EN
ERR
CSM
SCTH
BO
OS
T
VS
VSH
SW
RO
IPy
INy
GHSx
SHSx
SLSx
GLSx
O3
,4
O1
,2
3 * PowerStage
x = 1..3
y = 1..2
IHSx, ILSx
RI
Control Logic - Programmable Gate Current
- Programmable Gain
- Sleep Mode Control
Controller
GNDLS_B
B_EN
VCC5
VCC3
VDDIO
Clamp
AD
RE
F
PG
ND
GN
DA
GN
DL
-
DRV3201Differentiating features versus competition
• Motor control:• Drives 6 separate N-channel MOSFET up to 250nC gate charge and PWM frequency up to 30 kHz
• Programmable 140-mA to 1-A gate current drive (source/sink) for Dynamic Slew Control with fewer external components
• Integrated boost provides 100% duty cycle operation: reduced torque ripple compared to bootstrap solution.
• Wide range of programmable dead time (3 bit) covering various MOSFETs types
• Separate control input for each MOSFET
• Two integrated low-offset (+/-1mV) current sense amps with two 2nd stage amplifiers for higher resolution at low load current operation
• Operating Voltage 4.75 to 35 Volt:• Low supply voltage operation due to integrated boost converter for gate driver voltage generation
• Logic functional down to 3 Volt, Bridge drivers fully operational down to 4.75V supply
• Enables communication during Start/Stop operation and reduces start-up/initialization time, as settings are kept at low voltages
• Boost output can be used t o supply external components, e.g. safety relay driver
• Sleep mode function
• Functional safety: • Detailed failure diagnostics/registers enabling quick microcontroller reaction through SPI read
• Configurable Safety Mode (CSM) allowing user to configure minimum safety/protection functionality
• Short circuit protection with VDS-monitoring and precise digital adjustment of VDS monitoring detection level
• VGS monitoring for each bridge driver FET
• Over- and Under-voltage Shutdown
• Shoot Through Protection with programmable dead time
• Three real time phase comparators allow verification of switching and support sensor-less commutation
• Over temperature warning and shut down
• Reset and enable function
Development
-
TPS65381PMU for safety critical application powering lock-step uC (TMS570)
Safety-critical applications like EPS, Braking,
Transmission, Industrial Safety
Supports Texas Instruments’ TMS570LS series
16/32-Bit RISC Flash microcontroller
6.0V to 36 V (all regulators functional)
5V (CAN) supply voltage, linear regulator with internal
FET and temperature protection
3.3V or 5V uC IO voltage, linear regulator with internal
FET and temperature protection
Reverse battery protection with external FET allowing for
low-voltage operation down to 4.0V
Reset output to uC
ENDRV output for peripheral power stages (e.g.
MotorDriver)
Package: 32-pin HTSSOP PowerPad
Features
Applications
Benefits
High-Efficiency, flexible output power with low-cost
in mind (only one inductor needed)
Suitable for safety related application (ISO26262),
making 2nd safing uC obsolete
6V Asynch. Buck pre-regulator, adjustable uC
core supply with external FET
Sensor supply: protection against short to
battery and short to ground
Safety: Q&A/window watchdog, LockStep Error
monitor, SPI for control & diagn., Power
supply/System monitoring and diagn., BIST
Suitable for sensor connection outside ECU
without external protection
CP2
VTRACK1
SDO
NCS
SDI
TPS65381
CP1
VCP
ERROR/WDI
GND
4
3
2
1
VSOUT1
VBAT_SAFING
SCLK
13
14
VDD6
CANWU
VDD3/5
VDDIO
VDD1_G
SDN6
VBATP
IGN
VDD1_SENSE
GND
VDD5
ENDRV
DIAG_OUT
15
NRES
SEL_VDD3/5
VSIN16
VSFB1
RSTEXT
PGND
GND
5
8
10
9
11
12
7
6
31
18
19
24
23
21
22
20
17
28
27
25
26
29
30
32
Development
-
TPS65381 Supply & functional safety companion chip to DRV3201 & LS/LC mC
VB
AT
P
SD
N
Buck
Int. FET
VD
D5
LDO
Int. FET
6V
VD
D6
VD
DIO
WakeUp
SD
I
IGN
CA
NW
U
SPI Interface
SD
O
NC
S
Bandgap
Ref 1
Bandgap
Ref 2
Voltage
Monitoring
Digital
State
Machine
EEPROM
CRC
Oscillator
1
Oscillator
Monitor
VD
D3/5
3.3/5V, 300mA
LDO
Int. FET
LDO
Controller
5V, 300mA
VC
P
CP
1
CP
2
Charge
Pump
VD
D6
VBAT_SAFING
VBATP
Bias /
Internal
Supply
Tj
Over-Temp
shutdown
VDD5 or
VDD3/5
SC
LKTPS65381
GND
SE
L_
VD
D3/5
Sensor LDO
Protected
Int. B2B FET
VTRACK1
VSOUT13.3V...9.5V,
100mA
VDD5,
VDD3/5 or
GND
VSFB1
VSINVBATP or
VDD6
GN
D o
r
NoC
onn
ect
Power Supply
Reference/Bias
Diagnostics
Safety
VD
D1_
G
0.8 .. 3.3V, 600mA
VD
D1_
SE
NS
E
RES ExtRSTEXT
KL30
Schottky
Scho
ttky
Q&A
Watchdog
uC ERROR
Monitor /
Window Watchdog
ER
RO
R/
WD
IReset /
EnableDIAG_OUT
Diagnostics
An
alo
g
Mu
x
Bandgap 1
Bandgap 2
NR
ES
EN
DR
V
VDD3/5
Development
-
EPS chipsetTPS6538x supply + DRV3201 gate driver + TMS570 mC – Option #1
Current Sense
Q&A
Watchdog
WakeUp
SPI
Protected
Sensor
Supply
Voltage
Monitoring
Reset /
Enable
GHSx
SHSx
SLSx
GLSx
x = [1..3]
VSH
Bridge
Driver
Vds
Mon
Phase
Comp
3 x PHxC
Current Sense
3 x IHSx
3 x ILSx
3 * PowerStage
uC ERROR
Monitor
SPI
nRESET
NHET
- Input Capture
- Input Capture
- PWM
INT
SPR
Switch
DRV3201
Motor
CAN
CAN
Flexray
FR
ADC2
Analog Sensor Signal
Digital Sensor Signal
Bridge Error
Monitoring
OUT EN
KL30
KL15
Diagnose &
Config
CAN
FR
Power Supply
Bridge Driver
OUT
Ta/Tj Over
Temp
shutdown
Charge
Pump
TPS65381/65383
SPIDiagnose &
Config Error Monitoring:
- VDS Mon.
- Shoot Through
- Voltage Monitoring on
VBAT, VBOOST and
internal supplies.
- Temp. Warning
- etc.
Bandgap
Ref 2
nERROR
Tj Over
Temp
shutdown
VBAT
BOOST
TMS570
uC IO
Supply
uC Core
Supply
CAN
Supply
Pre-
Regulator
Relay Driver
EN
Sensors
2x
Networks
Safety Diagnostics
KL30
Voltage
Monitoring
ADC1
-
EPS System Configuration – Option #1Assumed System Safety Function Distribution
– TPS6538x (link) SAFING MCU
• Programmable Watchdog Function
• MCU Error or Clock Monitoring
• MCU supply voltage monitoring and protection
• MCU supply supervisor and reset generation
SAFING DRC3201 3x Pre-Driver
• Power Stage Enable/Disable, or
• High Side Safing Power Switch Control
– DRV3201 (link) SAFING external 3x Power FET Drivers
• Monitoring, diagnostics and protection
– TMS570 (Main MCU and Safety Controller) (link) Torque and Position Sensor data plausibility or redundant comparison
Closed loop motor control
Redundant power stage enable (independent from one controlled by TPS6538x)
Cross-checks with TPS6538x to ensure each other integrity
Redundant sensor processing
-
EPS System Safety Analysis – Option #1Safety Element Out-of-Context Analysis (with assumed system level faults)
TPS6538x
CAN
Transciever
DRV3201H-Bridge
HS Safing
Switch
TMS570
MCU
Sensor Supply
CAN Supply
VBAT VBAT
IO Supply
Core Supply
SPI Interface
WD/ERROR
EN_DRV
AMUX /
DMUX
VB
AT
VB
AT
_M
ON
Sensor 1
Sensor 2
CA
N S
up
ply
VBAT
IO Supply
SPI
Interface
CONTROL
PHASE SENSE
SAFING_ENSAFING_EN
EN_DRV_N
RESN
ERR
RESN as
CAN_EN
EN_DRV_N
Sensor
SupplyCore Supply
Sh
un
t
Current
Sense
Current
Sense
Sensor DataSensor Data
H-BridgeH-Bridge
3x Pre-Driver
3-Phase
Motor
Fault 1 Fault 2 Fault 3 Fault 4 Fault 5 Fault 6
Fault 7
Fault 8
Fault 9Fault 10Fault 11Fault 12Fault 16 15 14Fault 17Fault 18Fault 19
Fault 20
Fault 21
Fault 22
Fault 23
Fault 24
Fault 25
-
Other MSA Safety application solutions
-
Power Management Module (TPIC7112)
Warning
Lamp Driver
K-LineSatellite
Interface
Fail Safe
Module
Supervisor Buck/LDO
Boost
Airbag System: TPIC 7112 & TPIC7100x
Digital
Core,
Diagnosis
&
Control
Airbag
Squib 1
Airbag
Squib n
Squib
Driver IC
CAN
Bus
Airbag
MCU
TMS470
Buckle
Switches
Battery
Warning
Lamp
Channel
X8
TPIC71008
Channel
X4
TPIC71004
Channel
x2
TPIC71002
Channel 1
Satellite
Interface
CAN
Transceiver
SPIDiagnostic Systems
ISO K-Line
Crash
Sensors
-
Automotive ABS: TPIC7218
ABS IC
TPIC7218
ABS
MCU
TMS470/570
Chassis
CAN Bus
Wheel
Speed
Sensor x4
Power Management Module
Battery
Warning
Lamp/LED
LS Switch Driver
LS Switch Driver
x4
LS Switch Driver
PWM
LS Switch Driver
PWM x4
Lamp Driver
Lamp Driver
x2
Pump Motor Driver
Main Relay Driver
M
Solenoid
Solenoid
Diagnostic Systems
ISO K-Line
CAN
Transceiver
Wheel Speed
Sensor
Interface
K-Line
Watchdog
Monitor
SPI
Charge PumpWake up
Supervisor
PSSC
Pressure
Sensor TPIC83Rxxx
Buck/LDO
http://cgi.ebay.com/BRAND-NEW-OEM-KNOCK-SENSOR-1989-1994-NISSAN-MAXIMA_W0QQitemZ160307463379QQcmdZViewItemQQptZMotors_Car_Truck_Parts_Accessories?hash=item160307463379&_trksid=p3286.c0.m14&_trkparms=72:543|66:2|65:12|39:1|240:1318|301:1|293:1|294:50
-
Automotive ESC: TPIC7218
ABS IC
TPIC7218
ABS
MCU
TMS470/570Chassis CAN Bus
Wheel Speed Sensor x4
Power Management
Module
Battery
Warning
Lamp/LED
LS Switch Driver
LS Switch Driver
x4
LS Switch Driver
PWM
LS Switch Driver
PWM x4
Lamp Driver
Lamp Driver
x2
Pump Motor Driver
Main Relay Driver
M
Solenoid
Solenoid
Diagnostic Systems
ISO K-Line
CAN
TransceiverWheel Speed
Sensor
Interface
K-Line
Watchdog
Monitor
SPI
Charge Pump
Wake up
Supervisor
Additional IC
LS Switch Driver PWM x4
Solenoid
CAN
Transceiver
ESC Sensor Cluster Module
Gyro
Low G Accelerator
Sensor Cluster Interface SOC
TPIC7601
MCUPower
Management
Center of Car
Under the
hood
CAN
TransceiverPSSC
TPIC83Rxxx
Buck/LDO
Pressure
Sensor
http://cgi.ebay.com/BRAND-NEW-OEM-KNOCK-SENSOR-1989-1994-NISSAN-MAXIMA_W0QQitemZ160307463379QQcmdZViewItemQQptZMotors_Car_Truck_Parts_Accessories?hash=item160307463379&_trksid=p3286.c0.m14&_trkparms=72:543|66:2|65:12|39:1|240:1318|301:1|293:1|294:50
-
Automotive Ultrasonic Signal Conditioner: PGA450
System
ECU
USSC: PGA450
OSC
Linear
Regulator
Power Management
Buck/LDO
MCU
TMS470/570
CAN BUS
MCU
8051W
LIN
Battery
Digital &
Data Path
Drive A
Drive B
SAR LNAAnalog
BlockLIN
ECU
Applications: UPA: Ultrasonic Park Assist; PDC: Park Distance Controller & BSD: Blind
Spot Detection.
http://www.clker.com/clipart-transformer-symbol.html
-
Tire Pressure Monitoring System: TPIC82010
Integrated Voltage Regulator
Back up Oscillator for Low Power Operation in Sleep
condition
Ultra Low Power Consumption
0.2uA (typ) in Stand-by (LF Oscillator operating)
0.5mA(typ) in Measurement Mode
8.6mA(Max) in Transmitting (+5dBm)
Wide Operation Voltage Range: 1.5V to 3.5V
Enables to over 10-year system operation with small Li-
Battery (without G sensor)
Features
TPMS Sensor Module
TPIC82000TPMS Sensor & Tx Control IC
P-Sensor
G-Sensor
Temp. Sensor
V Sensor
MCU 8051
UHF Tx
LF Rx
Power Management
CLK
Control
X-Tax
Li-Battery
TPIC82000TPMS Sensor & Tx Control IC
P-SensorP-Sensor
G-SensorG-Sensor
Temp. SensorTemp. Sensor
V SensorV Sensor
MCU 8051MCU 8051
UHF TxUHF Tx
LF RxLF Rx
Power ManagementPower Management
CLK
Control
CLK
Control
X-Tax
Li-Battery
MCU
TMS320F
2803x/2x
GIO
SPI
GIO
CAN Transceiver(Integrated on MCU
or SN65HVD23x)
UHF Receiver
CC1131-Q1
LF Driver
(TBD)
Power ManagementLDOs = TLE4275-Q1 etc.
from Car Battery
UHF Antenna
LF Antenna
to/from
Body Control
ECU/Display
TPMS Control Module
MCU
TMS320F
2803x/2x
GIO
SPI
GIO
CAN Transceiver(Integrated on MCU
or SN65HVD23x)
UHF Receiver
CC1131-Q1
LF Driver
(TBD)
Power ManagementLDOs = TLE4275-Q1 etc.
from Car Battery
UHF Antenna
LF Antenna
to/from
Body Control
ECU/Display
TPMS Control Module
MCU
TMS320F
2803x/2x
GIO
SPI
GIO
MCU
TMS320F
2803x/2x
GIOGIO
SPISPI
GIOGIO
CAN Transceiver(Integrated on MCU
or SN65HVD23x)
CAN Transceiver(Integrated on MCU
or SN65HVD23x)
UHF Receiver
CC1131-Q1
UHF Receiver
CC1131-Q1
LF Driver
(TBD)
LF Driver
(TBD)
Power ManagementLDOs = TLE4275-Q1 etc.
Power ManagementLDOs = TLE4275-Q1 etc.
from Car Battery
UHF Antenna
LF Antenna
to/from
Body Control
ECU/Display
TPMS Control Module
RF 315MHz/434MHz(pressure, temp, battery, other)
LF 125KHz(trigger signals)
Receiver/ Diag.
Control UnitDisplay
LF AntennaRF Receiver
Antenna
-
Thank you!
Related Documents
