• State Resolved
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 63 subscribers
  • Views 364 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

BQ79616: The use of the BQ79616 battery monitor without a host controller.

Yasser Fathy
Prodigy 40 points
Part Number: BQ79616

Tool/software:

Hello and thank you for your support.

We're considering the use of the BQ79616 battery monitor chip within an ASIL-D system and the chip is certified SEooC ASIL-D, while reviewing the safety concept we can see that its safety mechanisms are categorized into three groups:

- Auto:  Mechanisms that are passive elements or automatically executed by the ASIC.
- FDTI:  Mechanisms or diagnostic functions designed to be handled with external microcontroller assistance within each Fault Tolerant Detection Interval.
- MPFDI: Mechanisms or diagnostic functions designed to be executed with external microcontroller assistance at least once within Multi Point Fault Detection Interval.

I have two questions:

1. Our understanding is that it is not possible to use that chip as a standalone device, and that an ASIL-D rated host controller is required to allow the chip to achieve its rated ASIL, I want to conifrm this and check if there are ways around it, or if there is a way for the controller to have a lower ASIL (B).

2. I would like to understand more the method by which safety mechanisms are assigned these diagnostic groups, for example "SM1: AVDD OV Detection" is designated as FDTI, while "SM2: AVDD UV Detection " is designates as Auto, while both seem to address a somewhat similar concern, it would be helpful to understand how that categorization was decided.

Thank you.

  • 0
    TI__Expert 6710 points

    Yasser,

    I will answer your questions in order:

    1) The device shares no information and makes no decisions without a host controller. It will not even turn on without outside input. I do not know exactly how the ASIL rating of the microcontroller would affect the ASIL rating of the entire system, but I would suspect that you will need ASIL-D rated parts throughout the system.

    2) The descriptions you gave above are pretty apt. "Auto" mechanisms are done automatically and "FDTI" mechanisms require some action by the host. In the example you gave, if an AVDD UV fault occurs, the device will automatically go into shutdown mode to protect itself, with no action from the host. On the other hand, an AVDD OV fault will only cause a fault bit to go high, which the host must detect and act on. The device will take no actions by itself. 

    Regards,

    Ben

  • 0 in reply to Benjamin Luty
    Prodigy 40 points

    Thank you Ben for the response.

    Yeah I guess it would be difficult to get away with SW requirements with lower ASIL than D, I was hoping I would find some way, but the controller is initially responsible for configuring the chip, so this part has to be ASIL D, Auto mechanisms are ok without controller intervention, and FDTI mechanisms can be reported on the NFault pin to trigger a HW safety action, but MPFDI mechanism require a trigger from the controller.

    If I may rephrase my second question, I wanted to understand why the AVDD UV is auto while AVDD OV is FDTI, my thinking is Auto is more critical or the chip would not be able to function with its fault, while FDTIs are of less severity, would that be accurate?

    Thank you.

  • 0 in reply to Yasser Fathy
    TI__Expert 6710 points

    Yasser,

    I would like to clarify that some FDTI mechanisms require a trigger from the host, not all are reported on NFAULT.

    Auto safety mechanisms are not necessarily more critical than FDTI mechanisms. Auto mechanisms just happen automatically. In the example with AVDD, many internal components rely on AVDD to function, and if it does not have enough voltage they all stop working, forcing the device to shut off. Some of the auto mechanisms exist because of physical realities like this, because they were critical, or because they were easy to implement. There is no specific hierarchy of mission criticality between Auto, FDTI, and MPFDI mechanisms. 

    Regards,

    Ben 

  • 0 in reply to Benjamin Luty
    Prodigy 40 points

    Thanks for the clarification Ben, appreciate it.