Background:
We are working on an automotive electric powertrain inverter system and are integrating the TPS653860-Q1 PMIC. According to the safety manual, when repeated safety MCU failure modes exceed the programmed threshold, the device enters its SAFE state and uses the configured SAFE_OUT1 and/or SAFE_OUT2 output pins to control the state of external power stages or communication interfaces.
Question:
Is it recommended to use both SAFE_OUT1 and SAFE_OUT2 simultaneously to trigger the safe state request in ASIL C or ASIL D applications?
More specifically:
- Does using both pins increase diagnostic coverage or robustness of the safe state signaling?
- Is there any general recommendation or best practice for ASIL C/D applications regarding the use of both pins?
- Is there any known order of increased failure rate between using one pin vs both?
- Is there any available failure rate data (e.g., FIT rates) or diagnostic coverage comparison between using only one SAFE_OUT pin versus both SAFE_OUT1 and SAFE_OUT2? This would help us assess the impact on system-level safety metrics for ASIL C/D compliance.
The safety manual does not provide a clear recommendation on this point, so any guidance or references would be appreciated.