
TPS389006: AOU in the safety manual interpretation

Part Number: TPS389006
Other Parts Discussed in Thread: TPS38900X-Q1, TDA4VH, TPS6594-Q1

Hello,

We are evaluating the <TPS38900xQ1_SFFS545_Functional_Safety_Manual_May>, and here are the questions about the AOU:

1. [SA-3] in chapter 4.3 request the integrator to transit the system and TPS389006 to the safe state when the input voltage of TPS389006 is error.
     How can the TPS389006 transit to the safe state when the input voltage is under-voltage? Do you have any suggestions on the design ?

2. [SA-4] in chapter 4.3 requests the MCU to read the error status of the TPS38900x-Q1 when the TPS38900x-Q1 sends an interrupt signal to the MCU.
    ① Where is the interrupt signal (also referred to as the NIRQ pin) connected? Is the MCU the same as the MCU domain in TDA4VH?
    ② If the answer is 'Yes', the MCU domain cannot run correctly because the input power rail is abnormal as detected by the TPS389006, therefore the MCU domain may not react correctly to the interrupt signal and read the error status correctly;
    ③ If the answer is 'No', which IC has the ability to read the error status, since the interrupt from the 389006 leads the system into the safe state?

3. [SA-5] and [SA-6] in chapter 4.3 also mention the MCU-software. So does the MCU here refer to the MCU domain of the TDA4?

  • Hello Junliang, 

    I have brought the questions to the attention of our functional safety expert, I will provide an update by 9/11. 

    Regards, 

    Oscar Ambriz

  • Hello Junliang, 

    1. [SA-3] in chapter 4.3 request the integrator to transit the system and TPS389006 to the safe state when the input voltage of TPS389006 is error.
         How can the TPS389006 transit to the safe state when the input voltage is under-voltage? Do you have any suggestions on the design ?

    Once the input voltages of TPS38900x are below UVLO the voltage rails cannot be valid and the system integrator is responsible for direct transition to safe state by other methods. In the TDA4 design the NIRQ output from TPS38900x goes to the PMIC to turn off rails.

    2. [SA-4] in chapter 4.3 request the MCU to read the error status of the TPS38900x-Q1 when the TPS38900x-Q1 sends an interrupt signal to the MCU.
        ①Where is the interrupt signal(also referred as NIRQ pin) connected? Is the MCU same as the MCU domain in TDA4VH?

    In the TDA4 design the NIRQ output from TPS38900x goes to the PMIC to turn off rails. The NIRQ signal can also be connected to another SOC such as a safety micro which is in charge of running a routine when an undesired voltage is detected. It is really up to the designer to define how their safe state will be implemented. 

    3. [SA-5] and [SA-6] in chapter 4.3 also mention the MCU-software. So does the MCU here refer to the MCU domain of the TDA4?

    The MCU can refer to whatever the user is utilizing to monitor the error indication signals of TPS38900x and place their system in a safe state. 

    Regards, 
    Oscar Ambriz

  • Hi,Oscar

    1. [SA-3] in chapter 4.3 request the integrator to transit the system and TPS389006 to the safe state when the input voltage of TPS389006 is error.
         How can the TPS389006 transit to the safe state when the input voltage is under-voltage? Do you have any suggestions on the design ?

    Once the input voltages of TPS38900x are below UVLO the voltage rails cannot be valid and the system integrator is responsible for direct transition to safe state by other methods. In the TDA4 design the NIRQ output from TPS38900x goes to the PMIC to turn off rails.

    Jinliang Reply: So we as system integrator don't need to design the SM to protect the input current and voltage of TPS389006;  the TPS389006 has the internal SM to detect the OV and UV on its input voltage and reports the fault through NIRQ pin to PMIC. Am I right?

    3. [SA-5] and [SA-6] in chapter 4.3 also mention the MCU-software. So does the MCU here refer to the MCU domain of the TDA4?

    The MCU can refer to whatever the user is utilizing to monitor the error indication signals of TPS38900x and place their system in a safe state.

    Junliang Reply: According to the reference design the TI has supplied in the EVM, the NIRQ output of the 389006 goes to the PMIC and the I2C connects to the TDA4VH MCU Domain. When there are any faults on the power rail which the 389006 has monitored, the system should transit to safe state, which means the TDA4 MCU domain cannot work properly. Given the circumstances, how can MCU domain read the fault information through the I2C when the faults are detected in 389006?

  • Hello Junliang, 

    Jinliang Reply: So we as system integrator don't need to design the SM to protect the input current and voltage of TPS389006;  the TPS389006 has the internal SM to detect the OV and UV on its input voltage and reports the fault through NIRQ pin to PMIC. Am I right?

    TPS389006 will monitor voltages using voltage monitors MON1 through MON6. When the voltage applied to one of these monitors falls outside of the voltage threshold window it will report the fault through the NIRQ output and will set the flag in the I2C register. The fault can be cleared once the external action causing the fault is corrected, in this case bringing the voltage back to the proper range, and the bit signaling the fault is cleared over I2C. 

    Junliang Reply: According to the reference design the TI has supplied in the EVM, the NIRQ output of the 389006 goes to the PMIC and the I2C connects to the TDA4VH MCU Domain. When there are any faults on the power rail which the 389006 has monitored, the system should transit to safe state, which means the TDA4 MCU domain cannot work properly. Given the circumstances, how can MCU domain read the fault information through the I2C when the faults are detected in 389006?

    I will need to consult with the TDA4 experts, will provide an update by 9/14. 

    Regards, 

    Oscar Ambriz

  • The J784S4/TDA4VH EVM detailed PDN-3A diagram (snapshot below; the entire diagram is available on CDDS per link): 

    CDDS: Folder - Jacinto7 Product Series/J784S4/EVM/J784S4 EVM Single Leo + Dual HCPS PDN-3A:

    US - https://cdds.ext.ti.com/ematrix/common/emxNavigator.jsp?objectId=28670.42872.33731.19705&latestRevision=true


    The PDN-3A diagram shows the key interface signals & power rails monitored by Safety Voltage Supervisors (SVS-A & SVS-B). SVS-A monitors all SoC Main processing domain input supplies that are sourced from discrete power resources (not from PMIC). While SVS-B monitors all SoC MCU processing domain input supplies that are sourced from discrete power resources (not from PMIC). 

    The PMIC has two GPIO inputs connected to each SVS by nets "MAIN_PWRGRP_IRQn" and "MCU_PWRGRP_IRQn".  If an OV/UV error occurs on the Main processing domain input supplies, the SVS-A will assert MAIN_PWRGRP_IRQn low and PMIC state machine will transition to MCU Only mode of operation (only the MCU power supplies remain energized). This allows the PMIC INTn to notify TDA4 MCU R5 that an "issue" has occurred and MCU can investigate source of the INT via I2C bus. The MCU Only mode of operation enables the "safety processor" functions to be supported independently from SoC's Main domain processing.

    If an OV/UV error occurs on the MCU processing domain input supplies, the SVS-B will assert MCU_PWRGRP_IRQn low and PMIC state machine will transition to Safe State of operation (all Main & MCU power supplies are disabled). This puts the entire system in a Safe State as soon as possible since a fault within the MCU/Safety Processor has been detected.

    Details of the PMIC state machine operation can be found in the User's Guide available on TI website per link:

    Powering Jacinto 7 SoC For Isolated Power Groups With TPS6594133A-Q1 + Dual HCPS (ti.com)

    Snap-shot of J784S4 PDN-3A:
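
    The PMIC reaction described in the post above, as an added example that is not part of the original thread and is not TI code. The state, rail and function names are assumptions made for this sketch, as are the latched Safe State and the rule that an MCU-domain fault wins when both nets are asserted.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model, not TI code. State names follow the post; everything else
 * (identifiers, latching, priority) is an assumption of this sketch. */
typedef enum { PMIC_ACTIVE, PMIC_MCU_ONLY, PMIC_SAFE_STATE } pmic_state_t;

#define RAIL_MAIN 0x1u  /* SoC Main processing domain supplies */
#define RAIL_MCU  0x2u  /* SoC MCU processing domain supplies  */

/* Both nets are active-low: pin level 0 means the supervisor reports OV/UV. */
pmic_state_t pmic_step(pmic_state_t s, int main_pwrgrp_irqn, int mcu_pwrgrp_irqn)
{
    bool main_fault = (main_pwrgrp_irqn == 0);  /* from SVS-A */
    bool mcu_fault  = (mcu_pwrgrp_irqn == 0);   /* from SVS-B */

    if (s == PMIC_SAFE_STATE) return s;      /* assumed latched until restart */
    if (mcu_fault) return PMIC_SAFE_STATE;   /* safety processor supply suspect */
    if (main_fault) return PMIC_MCU_ONLY;    /* keep only MCU supplies up */
    return s;  /* assumed: MCU Only is held until software handles the fault */
}

/* Which supply groups stay energized in each state, per the post. */
unsigned pmic_rails(pmic_state_t s)
{
    switch (s) {
    case PMIC_ACTIVE:   return RAIL_MAIN | RAIL_MCU;
    case PMIC_MCU_ONLY: return RAIL_MCU;
    default:            return 0u;           /* Safe State: all disabled */
    }
}

/* The MCU R5 can query fault registers over I2C only while it is powered. */
bool mcu_can_read_i2c(pmic_state_t s)
{
    return (pmic_rails(s) & RAIL_MCU) != 0u;
}

int main(void)
{
    /* Constructed sequence: Main-domain fault first, then MCU-domain fault. */
    int seq[][2] = { {1, 1}, {0, 1}, {0, 0} };
    pmic_state_t s = PMIC_ACTIVE;
    for (int i = 0; i < 3; i++) {
        s = pmic_step(s, seq[i][0], seq[i][1]);
        printf("MAIN_IRQn=%d MCU_IRQn=%d -> state=%d rails=0x%x i2c=%d\n",
               seq[i][0], seq[i][1], (int)s, pmic_rails(s), mcu_can_read_i2c(s));
    }
    return 0;
}
```

    In this model the I2C fault readout is available only after a Main-domain fault; after an MCU-domain fault the system is powered down and no readout takes place.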

  • Hi, Oscar

    TPS389006 will monitor voltages using voltage monitors MON1 through MON6. When the voltage applied to one of these monitors falls outside of the voltage threshold window it will report the fault through the NIRQ output and will set the flag in the I2C register. The fault can be cleared once the external action causing the fault is corrected, in this case bringing the voltage back to the proper range, and the bit signaling the fault is cleared over I2C. 

    Jinliang Reply: The Monitors from MON1 to MON6 are used to detect the voltages applied to TDA4. But I wonder if there are any SMs inside the 389006 to detect the input voltage of itself, as remarked in below picture.

    If there are no SMs inside the TPS389006 to protect the input voltage itself, what is the system's action when there are UV fault, according to the reference design?

    The J784S4/TDA4VH EVM detailed PDN-3A diagram (snapshot below and the entire diagram is available on CDDS per link: 

    CDDS: Folder - Jacinto7 Product Series/J784S4/EVM/J784S4 EVM Single Leo + Dual HCPS PDN-3A:

    Thanks.

  • Hi, Bill

    Thanks for your reply, I understand the fault handling process when faults are detected on the input voltage of TDA4.

  • Hello Junliang, 

    If there are no SMs inside the TPS389006 to protect the input voltage itself, what is the system's action when there are UV fault, according to the reference design?

    TPS389006 does not have a safety mechanism to monitor its own VDD, there will have to be another element in the system to account for that type of fault. I will let Bill comment if this case is accounted for at the system level. 

    Regards, 

    Oscar Ambriz

  • Hello Junliang, 

    I'm still waiting on feedback, I'll report with an update by 9/18. 

    Regards, 

    Oscar Ambriz

  • Hello Junliang, 

    I got a response from Bill, the PMIC in the reference design provides monitoring to the VDD rail of the supervisor. 

    Regards, 

    Oscar Ambriz

  • the PMIC in the reference design provides monitoring to the VDD rail of the supervisor. 

    Hello, Oscar 

    According to the reference design, PMIC TPS6594 and the supervisor TPS389006 have the same power source.

    -In the safety manual of TPS6594, the PMIC has the internal SM to protect its input voltage:

        The 6.3.9 SM9—Redundant UVLO/OVP Input Voltage Monitor on VCCA indicates that PMIC will shut down when UV & OV is detected. 

        The 6.3.10 SM10—Input Over-Voltage Protection (VSYS_SENSE, OVPGDRV) indicates that PMIC will shut down the power input when OV is detected.

    -In the safety manual of TPS389006, one AOU requirement is as follows:

        [SA-3] The system will meet the data sheet requirements for voltage and current for the supply input of the TPS38900x-Q1. In the event of voltage error, the system including TPS38900x-Q1 will be transitioned to a safe state.

    Now my question is: How does the current design meet this AOU when UV fault is detected?

    Thanks.

  • Hello Junliang, 

    I will consult the team and return with feedback by 9/20. 

    Regards, 

    Oscar Ambriz

  • Hello Junliang, 

    I have yet to receive feedback from the team, I'll provide an update by tomorrow 9/21. 

    Regards, 

    Oscar Ambriz

  • Hello Junliang, 

    I really apologize about the wait. I am still waiting on feedback from a team member; they should be back in the office today. 

    Regards, 

    Oscar Ambriz

  • Hello Junliang,

    The question is being assessed by the functional safety engineers of the TDA4 team, will provide feedback by 10/5. 

    Regards, 

    Oscar Ambriz

  • Hello Junliang, 

    I apologize for the delay from my side. I was reading through the TPS6594-Q1 datasheet and noticed the following section on page 47 of the datasheet which speaks about the PMIC behavior in the case of a UV event, I thought it might be useful information. 

    Additionally, I have spoken to the team about this query and was wondering, would you be open to a secondary supervisor to monitor the VDD power rail? Doing so, I believe, would give you the flexibility to influence the safety concept of the system to meet your needs.  

    Regards,

    Oscar Ambriz