BQ79606A-Q1: Safety Mechanism questions

Part Number: BQ79606A-Q1

Dear ..

In the safety manual of the BQ79606, there is a safety mechanism: SM233: GPIO Fault Check

There is a configurable option (GPIOn_CONF[FAULT_EN]) for the GPIO to trigger a FAULT condition when high or low. When enabled, the GPIOs that are in a fault state set the GPIOn bit in the GPIO_FAULT register. These faults are triggered regardless of the GPIOn_CONF[GPIO_SEL] setting for the GPIO, where n is the channel under test.

We want to know what functions are contributed by this SM. What failure mode will be covered by this SM?

  • Add a question:

    VCB BIST Check:

    The CBDONE comparator contains a BIST function for diagnostic purposes. The BIST can be enabled by OVUV_MODE bit in the DIAG_CTRL1 register. When enabled, the BIST tests the comparators. The comparator is tested by comparing a diagnostic DAC voltage (generated from REF2) to the selected threshold. The diagnostic DAC voltage is switched from 2 LSB below the threshold to 2 LSB above the threshold and the output of the comparator is checked to ensure it switches.

    If the BIST fails during the VCBDONE comparator BIST test, the CB_VDONE flag in SYS_FAULT3 is set. 

    This SM seems related only to the CBVDONE function, not to any safety goal of the BQ79606. So which failure mode related to a safety goal will be covered by this SM?

  • Zizhen,

    For SM233: GPIO Fault Check, this is here in case you have a peripheral device that would output a FAULT bit. You would route the fault bit into a GPIO with GPIOn_CONF[FAULT_EN] set appropriately and you would be able to read that fault bit from FAULT_SUMMARY. If you do not set GPIOn_CONF[FAULT_EN] this safety mechanism is irrelevant.

    For SM151: VCB BIST Check, this safety mechanism relates to the cell balancing system of the device. This system has a comparator called CBDONE that compares a cell's voltage to a threshold to indicate whether the cell needs to continue cell balancing. This check ensures that the comparator is working by the described mechanism. If this comparator is not working, the cell balancing could end too early (which would leave cell balancing incomplete) or continue forever (which would drain the cells and potentially overheat the CBFETs). The number of the SM indicates it relates to safety goal 1 (Voltage Monitoring).

    Regards,

    Ben

  • Hi Ben

    Thank you for your support!

    I still have questions about SM233 and SM151.

    1. As you say, SM233 is used in case we use a GPIO as a fault input port, so the BQ79606 can route the fault status into FAULT_SUMMARY. But when I check SM233 in the FMEDA, it seems to be used to detect many failure modes, not only the case you described but also OT/UT control and detection, as you can see in the following picture. So if we use the BQ79606's UT/OT comparator function, i.e. safety goal 4, must we implement this SM? Or can we use other SMs to cover these failure modes?

    2. SM151 seems useless for cell voltage monitoring. If the BQ79606 is in active mode, when we acquire the cell voltage we must first stop the cell balance function, and the monitoring cycle is almost 10 ms. So it would not lead to cell over-discharge even if we do not use SM151. And if the BQ79606 is in sleep mode and we need to monitor the cell voltage status, we would use the UV/OV comparator function, but if we use the CBDONE comparator, it will bypass the UV/OV comparator function. So it is useless too. Do I understand this correctly?

    Thank you.

  • Zizhen,

    I cannot tell you if a safety mechanism is "needed" in your system. If you have determined that the system will meet whatever standards you wish to comply with using the safety mechanisms you are implementing, that is your decision. 

    For SM233, there is redundancy with other SMs. It is up to you to determine if knowing a GPIO pin is digital one or zero is useful to you and if the redundancy is worth it. 

    For SM151, if you are cell balancing, you need to ensure the CBDONE comparator works and this is the safety mechanism that does that. During cell balancing this comparator monitors cell voltage. The failure cases it is related to all have to do with the cell balancing systems having problems. Other cell balancing SMs have all been placed under the Voltage Monitoring safety goal. 

    Regards,

    Ben

  • Hi Ben:

    Thank you for your answers.

    I understand your meaning.

    We can implement SM233 in our project, but because this SM will have an impact on measurement, I can only execute it once per driving cycle. So I want to know how much impact there is on the FMEDA results (PMHF, SPFM, LFM) if I only execute this SM once per driving cycle.

    Please also consider SM232: AUXMUX GPIO Check executed only once per driving cycle.

    Thank you.

  • Hi Ben:

    Please also consider SM231: GPIO Multiplexor and Pin Short Check executed only once per driving cycle.

  • Zizhen,

    These safety mechanisms are designed to be run every FDTI. I cannot tell you the impact if you changed them to be run only once; you will have to do the calculations yourself.

    Regards,

    Ben