Safety Manual for bq76PL455A-Q1
Literature Number: SLUUB67C
February 2015 – Revised October 2015
Copyright © 2015, Texas Instruments Incorporated

Contents
Preface
Revision History
1 Introduction
2 bq76PL455A-Q1 Safety Lifecycle
2.1 TI QMS Development Process
2.2 Development Process Gaps to ISO 26262
3 bq76PL455A-Q1 Safety Architecture
3.1 Assumed Requirement for bq76PL455A-Q1
3.1.1 Assumed Item Definition
3.1.2 Functional Concept
3.1.3 Assumed Safety Requirements
3.1.4 Safety Mechanism and Diagnostic Function - Used Blocks
3.1.5 Safety Mechanism and Diagnostic Function - Covered Blocks
3.2 Safety Architectures
3.2.1 OV Top Level Safety Requirement
3.2.2 OT Top-Level Safety Requirement
3.3 Safe State
3.4 Diagnostic Functions and Safety Mechanisms Considered
3.4.1 FTTI Details
3.4.2 Failure Mode and Diagnostic Summary
4 Details on bq76PL455A-Q1 Safety Results
4.1 Safety Analysis Assumptions
4.2 Safety Analysis Results
A Assumptions of Use and Safety Mechanism Descriptions
A.1 CRCUART
A.2 RXCRCFault
A.3 WritePWD
A.4 TempMon
A.5 ThermalShutdown
A.6 BatBroken
A.7 ADCComp
A.8 ADCCompFault
A.9 ADCFullTest
A.10 ADCTest
A.11 TimeoutCheck
A.12 WinComp
A.13 WinCompTest
A.14 WinCompFault
A.15 POR
A.16 PORVDD18
A.17 MemECC
A.18 ECCTest
A.19 NPNprotect
A.20 NPNprotectCheck
A.21 NPNshortCheck
A.22 TestAvoid
A.23 AuxErrDet
A.24 FETCheck
A.25 Checksum
A.26 CustCksumFault
A.27 FactCksumFault
A.28 VintCheck
A.29 VintFaultCheck
A.30 VPClamp

List of Figures
1-1. bq76PL455A-Q1 System Connections Diagram
1-2. bq76PL455A-Q1 Simplified Block Diagram
3-1. View 1 Safety Architecture
3-2. FTTI Timing

List of Tables
0-1. Reference Documents
1-1. Part and Sub-part Descriptions
3-1. Item Definition Considered for the Assumed Requirements
3-2. List of Top Level Safety Requirements
3-3. Safety Mechanism / Diagnostic Function Coverage of Failure Modes

Preface
About this document
You, as a system and equipment manufacturer or designer, are responsible to ensure that your systems (and any Texas Instruments hardware or software components incorporated in your systems) meet all applicable safety, regulatory, and system-level performance requirements.
All application and safety-related information in this document (including application descriptions, suggested safety measures, suggested TI products, and other materials) is provided for reference only. This document is a safety manual for the Texas Instruments bq76PL455A-Q1 battery monitor and protector product family for safety-critical applications. This safety manual provides information intended to help system developers create safety-related systems using a bq76PL455A-Q1 battery monitor. This document contains:
• An overview of the product architecture
• An overview of the development process utilized to reduce systematic failures
• An overview of the safety architecture for management of random failures and the Assumptions of Use (AoU) that the bq76PL455A-Q1 system integrator may consider to use the bq76PL455A-Q1 in the context of ISO 26262.
• Chapter 4 describes more details of the results of the functional safety analysis with respect to hardware random, dependent, and systematic failures.

Reference Documents
The following documents are referenced within this safety manual:
Table 0-1. Reference Documents
[1] SLUSC51: bq76PL455A-Q1 Datasheet. Available as SLUSC51.
[2] SLUUB94: User's guide on the recommended method for using the safety mechanisms. Available.
[3] SLUUB93: Full results of the safety analysis. No customization of the file is possible. Available.
[4] SLUUB96: Dependent Failure Analysis (DFA) reporting on the freedom from interference of the safety manual. Available.

Terms and Abbreviations
ASIL: Automotive Safety Integrity Level
AoU: Assumption of Use
CCF: Common Cause Failure
DC: Diagnostic Coverage
FMEDA: Failure Modes, Effects and Diagnostic Analysis
FTTI: Fault Tolerant Time Interval
HARA: Hazard Analysis and Risk Assessment
MPFDI: Multiple-Point Fault Detection Interval
OT: Overtemperature
OV: Overvoltage
PMHF: Probabilistic Metric for Hardware random Failures
SPFM: Single Point Fault Metric
UV: Undervoltage

Revision History
Changes from B Revision (June 2015) to C Revision
• Changed all references of bq76PL455-Q1 to bq76PL455A-Q1 for catalog release
• Changed SM to safety manual
• Added overtemperature abbreviation
NOTE: Page numbers for previous revisions may differ from page numbers in the current version.
Changes from A Revision (April 2015) to B Revision
• Changed results of safety analysis and dependent failure analysis to Available.
Changes from Original (February 2015) to A Revision
• Added Auto-Monitoring is assumed disabled

Chapter 1 Introduction
The bq76PL455A-Q1 is an integrated 16-cell monitor, protector, and passive cell balancing controller with many safety diagnostics designed for high-reliability automotive markets. Figure 1-1 illustrates the system connections that are assumed for the purposes of this safety manual.
Figure 1-1. bq76PL455A-Q1 System Connections Diagram (figure not reproduced; it shows two stacked bq76PL455A-Q1 devices, each with VSENSE0..VSENSE16 and EQx cell connections through low-pass filters and protection, cell balancing circuits, cell temperature measurement on AUX0..AUX7, the VP/NPNB/TOP supply connections, the differential COMM and FAULT daisy-chain lines, and a TI C2000 or TMS570 host microcontroller on TX/RX, WAKEUP and FAULT_N with a CAN bus to the rest of the vehicle; all GND connections are local to each IC, see text for layout details)
NOTE: A stacked configuration is shown in Figure 1-1, but is not necessary and does not invalidate the safety analysis.
A high-speed differential capacitor-isolated communications interface allows up to 16 bq76PL455A-Q1 devices to be stacked. The bq76PL455A-Q1 communicates with the host microcontroller via a high-speed UART interface, provides up to six general-purpose programmable digital I/O ports, and eight analog AUX ADC inputs. The device will detect overvoltage, undervoltage, overtemperature, communication, and many other fault conditions. The bq76PL455A-Q1 also provides a secondary safety mechanism for overvoltage and undervoltage detection. Additionally, the bq76PL455A-Q1 automatically shuts down in overtemperature conditions. The bq76PL455A-Q1 power comes from the same cells that it monitors and the bq76PL455A-Q1 generates all other required voltages with the use of an external NPN. The bq76PL455A-Q1 drives external N-FETs connected to external power resistors for passive cell balancing.
The bq76PL455A-Q1 is a diverse and redundant integrated circuit that facilitates safety by accomplishing the following when appropriately designed-in:
• Reducing failure rates at the system level (fewer PCB connections) while still keeping the mission path (ADC) and the safety mechanism (WINCOMP) diverse and separate.
• Achieving high Diagnostic Coverage (DC) mostly by HW-based safety mechanisms: the embedded safety mechanisms (especially the WINCOMP) significantly reduce the number of AoUs for the system integrator, enabling applications with shorter FTTI. For example, there is no need for the MCU to execute complex and long ADC tests during run time.
The development of the bq76PL455A-Q1 made the following system level assumptions:
• A microcontroller, FPGA, or other component capable of being a communication master, hereafter the host, is communicating directly with the bq76PL455A-Q1 through the UART interface or indirectly through the differential communication bus.
• The host shall be able to monitor the faults of the bq76PL455A-Q1 and shall put it in a safe mode if appropriate.
• The host will control the reading and writing of control registers available in the bq76PL455A-Q1 to obtain voltage information of the connected batteries.
• The host will read the full stack voltage from the bq76PL455A-Q1.
• There will not be a secondary protection in the system.
• A MOSFET in series with a balancing resistor will be placed in parallel with each battery cell to provide balancing.
• The filter shall be placed between the battery cell and the device, and the loss of accuracy on an active channel due to the input filter is not safety related.
• The host will signal the enabling and disabling of an external balancing network and the bq76PL455A-Q1 will drive the enable/disable line.
• Multiple temperature sensors will be present in the system and their voltages will be available to the bq76PL455A-Q1.
• Up to 16 cells will be available for measurement, but a smaller number is possible if all VSENSE lines above the top cell are shorted to the top cell.
• Available GPIOs shall not be used in a safety related manner.
• Separate cables shall be used to connect the top of the battery stack to TOP and VSENSE16.
The bq76PL455A-Q1 was not developed in a manner that meets all ISO 26262 requirements as applied to components. Development process gaps are noted in Section 2.2. Figure 1-2 shows the block diagram of the bq76PL455A-Q1, while Table 1-1 includes a list of bq76PL455A-Q1 parts and sub-parts as shown in the figure, with the definition of the acronyms used in this document.
Figure 1-2. bq76PL455A-Q1 Simplified Block Diagram (figure not reproduced; it shows the analog die with the VSENSE AFE and MUX, window comparators with a 4.5-V reference, squeeze resistors, the NPN regulator with NPN protect, VP clamp, charge pump, 2.5-V VREF and VREG1.8, temperature sensor, module monitor, EQ control, AUX pull-up control, and the VP/VDIG/VIO/VDD18/V5VAO/VM POR circuits, and the digital die with the ADC and MUX, OV/UV DACs and digital comparators, 48-MHz OSC, EEPROM with ECC decoder, checksum engine, registers and threshold-set control, the COMMH/COMML and FAULTH/FAULTL TX/RX interfaces, the UART TX/RX, FAULT_N, GPIO0..GPIO5, WAKEUP control, and TSD)
Table 1-1. Part and Sub-part Descriptions
VSENSE[16:0]: Sense pins
AFE, MUX: Analog Front-End and Multiplexer on the analog die
Window Comparators: Independent OV/UV detection path
EQ[16:1]: Passive equalizer pins
EQ Control: Passive balancing control
Charge Pump: Charge pump
NPN Regulator: Linear-voltage regulator and related controller
VREG1.8: Linear-voltage regulator, 1.8 V
2.5V VREF: 2.5-V voltage reference for the ADC
4.5V VREF: 4.5-V voltage reference for the window comparator
MUX: Digital-die multiplexer for input to the ADC
OSC: 48-MHz oscillator of the digital die
Wakeup Control: Wakeup circuit control
ADC: Analog-to-Digital converter
AUX[7:0]: Auxiliary analog inputs
GPIO[5:0]: General Purpose I/Os
Control: Analog die: general control logic, configuration registers. Digital die: general control logic, configuration registers, communication blocks, digital comparators
UART: Universal Asynchronous Receiver-Transmitter
EEPROM: Non-volatile configuration memory
FAULTH+, FAULTH-, FAULTL+, FAULTL-: Differential fault lines
COMMH+, COMMH-, COMML+, COMML-: Differential communication lines
FAULT_N: Fault line

Chapter 2 bq76PL455A-Q1 Safety Lifecycle
For a safety-critical development, it is necessary to manage both systematic and random faults. The bq76PL455A-Q1 was created using a standard quality-managed development process, which helps to reduce the occurrence of systematic faults.
2.1 TI QMS Development Process
Automotive markets have strong requirements on quality management and high reliability of product. Though not explicitly developed for compliance to a functional safety standard, the TI QMS development process already features many elements necessary to manage systematic faults. This development process can be considered Quality Managed (QM), but does not achieve an IEC 61508 Safety Integrity Level (SIL) or ISO 26262 Automotive Safety Integrity Level (ASIL).
The standard process breaks development into phases:
• Business opportunity pre-screen
• Program planning
• Create
• Validate, sample, and characterize
• Qualify
• Ramp to production and sustain through production
2.2 Development Process Gaps to ISO 26262
The development of the bq76PL455A-Q1 began with the intent to follow a process consistent with ISO 26262 requirements, before it was moved to the TI QMS Development Process, which is consistent with ISO/TS 16949 and many aspects of ISO 26262:2011. Key gaps include:
• Gaps in the functional safety management plan, and a safety manager not assigned to manage safety during program development
• Gaps in templates and checklists for functional safety related documents recommended by the standard
• Functional safety re-assessment not documented during the review process of the design revision
• Safety validation requirements not updated and reviewed during the design review process
The bq76PL455A-Q1 was designed with battery management systems in mind. However, the items in which the bq76PL455A-Q1 may be integrated have not been fully defined for any particular battery management system arrangement. Though some detailed information about assumed requirements is provided later in the safety manual, due to the development process gaps, the bq76PL455A-Q1 should not be viewed as a Safety Element out of Context (SEooC), since the information about presumed application configurations does not fully meet the requirements for an SEooC. As with all safety critical applications, the system integrator must rationalize the component safety concept to confirm that it meets the system safety needs.
Chapter 3 bq76PL455A-Q1 Safety Architecture
This chapter describes the bq76PL455A-Q1 safety architecture with an abstract description of bq76PL455A-Q1 functionality and a description of the safety mechanisms. This chapter also describes the assumptions on the bq76PL455A-Q1 safe state and the assumptions on the bq76PL455A-Q1 context, including its external interfaces.
3.1 Assumed Requirement for bq76PL455A-Q1
3.1.1 Assumed Item Definition
The bq76PL455A-Q1 could be considered an item with functionality performed by a system composed of battery cells, one or more bq76PL455A-Q1, the related discrete components needed to interconnect them, and an external microcontroller to control the bq76PL455A-Q1 devices. The bq76PL455A-Q1 has been designed to perform/function in the ways described if incorporated in a system that uses and interconnects the bq76PL455A-Q1, related components, and battery cells in the presumed manner. The following table summarizes the main characteristics of the item definition. This definition is for informational purposes only, since the item definition is the responsibility of the bq76PL455A-Q1 system integrator; it is given only to provide background on the assumed requirements.
Table 3-1. Item Definition Considered for the Assumed Requirements
Functional concept (purpose and functionality, including the operating modes and states of the item): The purpose of the item is to manage the charge and discharge of the battery of an electric or hybrid vehicle.
Operational and environmental constraints: The assumption is that the battery of a vehicle is charged in a stationary state and during (regenerative) braking. Discharge occurs in an attended or unattended stationary state, while providing power to the traction motor of a vehicle and to other accessories of the vehicle (such as headlamps, air conditioning, and heater).
Legal requirements (especially laws and regulations), national and international standards: Various ISO and SAE requirements. Legal requirements will vary with the country of sale and operation of the vehicle.
Behavior achieved by similar functions, items, or elements, if any: N/A
Assumptions on behavior expected from the item: The vehicle might be plugged or unplugged during both charge and discharge.
Potential consequences of behavior shortfalls, including known failure modes and hazards: Batteries can produce excess heat release (not only in overcharging situations), which can be dangerous.
Elements of the item: The item is composed of the following elements:
• One or more cell supervisory boards that read cell voltage and temperature
• One host controller board that communicates with the cell supervisory modules and is in charge of the management of the overall functional safety of the item.
Assumptions concerning the effects of the item's behavior on other items or elements, that is, the environment of the item: None
Interactions of the item with other items or elements: N/A
Functionality required by other items, elements, and the environment: N/A
Allocation and distribution of functions among the involved systems and elements: The host controller is in charge of overall functional safety; the cell supervisory modules are in charge of detecting faults like overvoltage and overtemperature.
Operating scenarios which impact the functionality of the item: The operating scenarios considered in the operational profile are driving conditions, charging conditions (including charging overnight), conditioning, and device off.
3.1.2 Functional Concept
The purpose of the bq76PL455A-Q1 is to monitor the charge and discharge of the battery of an electric or hybrid vehicle. The device operation modes are:
• SHUTDOWN – The lowest power state available. In this state, most internal blocks are powered off and monitoring is disabled. SHUTDOWN is typically used for long periods of inactivity when the battery is not being charged or discharged. The part must receive a high signal on the WAKE pin, or a WAKEUP tone via the vertical communications bus, to transition to the IDLE state.
• WAKEUP – The device transitions from SHUTDOWN to WAKEUP when power is applied to the device or the host microcontroller pulls the WAKE pin high. This is a transitory state of the device between SHUTDOWN and IDLE.
– WAKEUP mode resets the general control logic of the device and leads to a full reset of registers; EEPROM-backed registers will return to the stored value and non-backed registers will return to the defaults indicated in [1].
– The data in registers FAULT_UV[], FAULT_OV[], and FAULT_AUX[], as well as the data in bits FAULT_DEV[HREF_FAULT, HREF_GND_FAULT], shall be considered invalid, and reading a fault register will not cause an ADC sample to be taken or the data to be updated. A command must be sent to the device to sample all channels to update the above listed fault bits, making them valid.
• IDLE – In IDLE mode, the device is active and awaiting communication from the host microcontroller or the device above or below it in the stack.
• ACTIVE – In ACTIVE mode, the device is actively communicating with the host microcontroller or the device above or below it in the stack.
3.1.3 Assumed Safety Requirements
The following table summarizes the assumed safety requirements for the bq76PL455A-Q1.
Table 3-2. List of Top Level Safety Requirements
OV: The bq76PL455A-Q1 shall detect an overvoltage (OV) or undervoltage (UV) of the battery cells. When it is properly used in combination with one or more external microcontrollers, the bq76PL455A-Q1 shall signal the OV, UV, or related malfunction to the microcontrollers.
OT: The bq76PL455A-Q1 shall detect an overtemperature (OT) condition of external temperature sensors connected to its AUX input channels. When the bq76PL455A-Q1 is properly used in combination with one or more external microcontrollers, the bq76PL455A-Q1 shall signal the OT, OV, or any related malfunction to the microcontrollers.
3.1.4 Safety Mechanism and Diagnostic Function - Used Blocks
(Table not reproduced: the matrix of safety mechanisms and diagnostic functions, listed by the A.1 to A.30 names in Appendix A, against the bq76PL455A-Q1 blocks they use is unreadable in the extracted text.)
3.1.5 Safety Mechanism and Diagnostic Function - Covered Blocks
(Table not reproduced: the matrix of the same safety mechanisms and diagnostic functions against the bq76PL455A-Q1 blocks they cover is unreadable in the extracted text.)
3.2 Safety Architectures
The safety analysis of the bq76PL455A-Q1 has been performed for both OV and OT according to View 1 (as shown in Figure 3-1). The OVBat safety requirement is necessary for the bq76PL455A-Q1 to measure the battery cell voltage and report an overvoltage, or undervoltage, condition on the cell; the thresholds for overvoltage and undervoltage are configurable via communication from the host microcontroller.
The OTAux safety requirement is necessary for the bq76PL455A-Q1 to measure the internal die temperature and external temperature sensors with inputs on the AUX pins, reporting an overtemperature condition when present; as with over/undervoltage, the temperatures at which a fault is reported are configurable via communication from the host microcontroller.

Figure 3-1. View 1 Safety Architecture [figure: the OVBat path (Battery Stack, Voltage Measurement + SM, OV/UV Detection + SM, CCF + SM, with OV/UV/CCF reported on the Fault Line and the Communication Line) and the OTAux path (AUX, Temp Measurement + SM, OV/UV Detection + SM, CCF + SM, with OT/CCF reported on the Fault Line and the Communication Line)]

3.2.1 OV Top Level Safety Requirement

The OVBat safety architecture is composed of:
• A primary channel (“Voltage measurement” in Figure 3-1) that performs the mission function (that is, voltage measurement)
• A secondary channel (“OV/UV detection” in Figure 3-1) that performs an independent comparison of the voltage
• Over/undervoltage detection flags that are available through the communication lines and may be made available through the fault line
Furthermore:
• Some safety mechanisms (“CCF” in Figure 3-1) detect common-cause failures that may affect both the primary and secondary channel
• Some safety mechanisms (“SM” in Figure 3-1) detect failure modes of either the primary or secondary channel
• All flags are available through the communication lines and some may be made available through the fault line

3.2.2 OT Top-Level Safety Requirement

The OTAux safety architecture is composed of:
• A primary channel (“Temp. Measurement” in Figure 3-1) that performs the mission function (that is, measurement of the temperature through the AUX lines)
• A secondary channel (“SM” in Figure 3-1) that performs a partially independent reporting of the temperature
• Overtemperature detection flags that are available through the communication lines and may be made available through the fault line

NOTE: The contribution that the OV detection measures (especially the Window Comparator) make to the portion of the bq76PL455A-Q1 shared with the OT safety goal, for example the ADC and its related interface, is also included in this case. The error flags of the OV detection measures are the same as for the OV case. However, in this scenario the I/Os relate to OV only (that is, the sense inputs), and the AFE-related circuits are also considered safe.

Furthermore:
• Some safety mechanisms (“CCF” in Figure 3-1) detect common-cause failures that may affect both the primary and secondary channel
• Some safety mechanisms (“SM” in Figure 3-1) detect failure modes of either the primary or secondary channel
• All flags are available through the communication lines and some are available through the fault line

3.3 Safe State

The bq76PL455A-Q1 shall be considered in the safe state when no power is applied to it, when it is operating in a fully functional and fault-free integrated system, or when it is in SHUTDOWN.
The bq76PL455A-Q1 will enter its safe state when:
• communication is lost
• the internal thermal shutdown temperature is reached

3.4 Diagnostic Functions and Safety Mechanisms Considered

The safety mechanisms for the bq76PL455A-Q1 have been divided into one of the following categories:
• Auto — mechanisms that are automatically executed by the bq76PL455A-Q1
• FTTI — mechanisms or diagnostic functions designed to be handled with external microcontroller assistance within each FTTI
• MPFDI — mechanisms or diagnostic functions designed to be executed with external microcontroller assistance at least once within each MPFDI

3.4.1 FTTI Details

Failure Tolerant Time Interval, or FTTI, is the combination of the time needed for diagnostics and the Fault Reaction Time, as shown in Figure 3-2. When a diagnostic is listed as FTTI, it was assumed that it would be run in the diagnostic time, which is shorter than the FTTI.

Figure 3-2. FTTI Timing [figure: the FTTI is the sum of the Diagnostic Time and the Fault Reaction Time]

MPFDI, or Multi-point Defect Fault Interval, is more difficult to define in a battery management device where the device is continuously connected to the battery.

3.4.2 Failure Mode and Diagnostic Summary

Table 3-3 lists potential failure-mode classes and the safety mechanism or diagnostic function used to address them. For more details on the failure modes and related fault models, please refer to the FMEDA, [3]. A Safety Mechanism is an auto-mechanism or a hardware feature built into the device that allows the external microcontroller to run a Diagnostic Function. For example, CRCUART is a safety mechanism and RXCRCFault is a diagnostic function that uses CRCUART. To see which blocks are used and covered by the entries of Table 3-3, see Section 3.1.4 and Section 3.1.5.

Table 3-3. Safety Mechanism / Diagnostic Function Coverage of Failure Modes

FAILURE MODE | DESCRIPTION | SAFETY MECHANISM / DIAGNOSTIC FUNCTION | RUN TYPE
Failures of the communication lines, including internal RX and TX circuits; this applies to both UART and differential lines | The CRC is used on all transaction frames to confirm that communication messages are received as the sender intended. | CRCUART | Auto
Failures of the RX CRC checker | This test checks that the chip properly handles and reports a communication frame with an invalid CRC. | RXCRCFault | MPFDI
Unintentional programming of the EEPROM | A password mechanism (Magic1/Magic2) is used to protect writes to the EEPROM. | WritePwd | Auto
Temperature increase (due to either internal or external causes) | Die temperature monitoring | TempMon | Auto
Broken sense leads | Detection of broken bondwires or disconnected sense pins | BatBroken | FTTI
Failures of the AFE | Digital comparators of the ADC output allowing for OV/UV detection | ADCComp | Auto
Failures of the OV digital comparators implemented in bq76PL455A-Q1 | This test checks that faults from AFE channel measurements will be properly reported. | ADCCompFault | MPFDI
Failures of the ADC | This test checks that the ADC converts values accurately. | ADCFullTest | MPFDI
Failures of the ADC | This test checks that the ADC is functional and properly converts values. | ADCTest | FTTI
Failures of the power down and balancing timeout counters | This test checks the values of the power down and of the balancing timeout counters. | TimeoutCheck | MPFDI
Failures of the ADC | An independent path providing OV and UV detection | WinComp | Auto
Failures of the analog comparators implemented in bq76PL455A-Q1 and common-cause failures between the analog front end and those comparators | The test checks that the AFE and Window Comparators are both reporting the same input voltage. | WinCompTest | FTTI
Gross failures of the analog comparators and related fault flags | The goal of this test is to check that faults from the window comparators will be properly reported. | WinCompFault | MPFDI
Failures of the 1.8V supply voltages | Supply out of range – undervoltage | POR | Auto
Failures of the 1.8V LDO implemented in bq76PL455A-Q1 and related POR circuit | This test checks that the 1.8V LDO is properly functioning and that the 1.8V POR is also functional. | PORVDD18 | MPFDI
Failures of the EEPROM content and related interface circuits | EEPROM stored memory (both user programmable and factory) includes ECC codes for single-bit error correction and dual-bit detection. | MemECC | Auto
Failures of the ECC decoder implemented in bq76PL455A-Q1 | This test checks that an ECC fault will be properly reported. | ECCTest | MPFDI
Failures of the NPN or supply shorts on VP/VDIG | The regulator has a checker circuit that will detect if the NPN base current is unable to get the VP voltage up for some reason and will send a signal to put the chip back in power down. | NPNprotect | Auto
Failures of the bq76PL455A-Q1 when the regulator cannot ramp the supply | This test confirms the bq76PL455A-Q1 will shut down if the regulator is unable to bring up the supply. | NPNprotectCheck | MPFDI
Failures of the NPN or regulator that would cause unexpected current in SHUTDOWN | This test detects all collector-emitter shorts of the NPN that leak current greater than the power down leakage of the chip. | NPNshortCheck | MPFDI
Unintentional activation of the test modes implemented in bq76PL455A-Q1 | To enter any test mode, the factory registers must be unlocked and the test mode must be programmed. When the factory registers are locked, all test modes will be cleared. | TestAvoid | Auto
Failures of the AUX lines (either internal or external to bq76PL455A-Q1) and of the AUX path digital comparators implemented in bq76PL455A-Q1 | This test checks that the proper AUX input is selected, is properly connected to a resistive driver, and that the OV fault condition is properly reported. | AuxErrDet | FTTI
Failures of the internal circuit selecting the AFE channels and any related external FETs used for cell balancing | This test checks that the proper AFE channels can be selected and that the external FETs are working as expected. | FETCheck | FTTI
Failures in programmable registers | The part will continuously monitor the checksum of the programmable registers and confirm that the checksum matches the programmed checksum. | Checksum | Auto
Failures of the circuit checking the checksum of the user registers | This test confirms that a fault will be reported if any covered register bit changes state. | CustCksumFault | MPFDI
Failures of the circuit checking the checksum of the factory registers | This test confirms that a fault will be reported if any covered register bit changes state. | FactCksumFault | MPFDI
Failures of either of the internal voltage references implemented in bq76PL455A-Q1 | This test compares the references to confirm they are both operating in the proper range. | VintCheck | MPFDI
Failures of the bq76PL455A-Q1 to properly report 4.5V reference faults | This check confirms that VintCheck will properly generate an error flag if the internal voltage reference fails. | VintFaultCheck | MPFDI
Failures leading to too high VP | This test reports a fault if the regulator-base current was clamped because it tried to go too high. | VPClamp | Auto

Chapter 4 Details on bq76PL455A-Q1 Safety Results

4.1 Safety Analysis Assumptions

The following assumptions were made for the safety analysis in [3]:
• Measurement errors too small to be detected by WinCompTest will not cause a safety goal violation.
• Multiple ADC readings of a given channel will be taken within the FTTI so that a single incorrect measurement will not cause a safety violation
• Thresholds for the digital comparators of the bq76PL455A-Q1 have been properly configured
• ADC errors below the level detectable by the ADC tests (ADCTest and ADCFullTest) are not safety related.
• Noise on VREF is maintained to be less than 100 mV
• Stack measurements shall be made and compared to the sum of the cells and are used for BatBroken
• Turning the squeeze resistors on or off causes a measurable voltage difference and the system will generate a fault if, while running BatBroken, the squeeze cannot be properly enabled or disabled
• The device communicating with the bq76PL455A-Q1 checks the CRC on all received frames and reports a fault if an invalid CRC is detected
• Failure to receive an expected response from the device will be interpreted as a fault
• The bq76PL455A-Q1 will be configured to power down if no communication is received for some period, and additional current draw during this wait time will not cause a safety-goal violation
• The system uses auto-addressing for address configuration instead of GPIOs
• Changes shortening COMM_PD_PER or changing COMM_TM_CNT beyond the current shutdown period setting while CCNT_RST_OFF = 1 that prevent the part from shutting down are not considered safety related
• The sense input resistance is low enough that the sampling current does not create a drop across the resistor that could produce a safety-goal violation
• AFE sampling timings and capacitance on OUT1 and OUT2 are validated so that they do not cause unexpected sampling errors
• When configuration changes are made, the microcontroller will also set the correct checksum for the new configuration. The microcontroller will set the checksum based on its own calculation of what the correct checksum should be rather than using the checksum readout of the bq76PL455A-Q1.
• The microcontroller does not write all the registers at startup, but the primary configuration is stored in EEPROM and is used
• Correctable ECC errors that do not produce a checksum fault may be considered temporarily safe.
• The magic codes necessary to burn the EEPROM will not exist within the vehicle while it is in operation
• Conditions that will cause the chip to draw excessive power during shutdown (for example, the chip is awake when it should be shut down) are safety-goal violations
• During normal operation, LDO_TEST shall be set to 0
• During normal operation, VM_MON_EN shall be set to 0
• For ECCTest, check the result values, not just the fault bits
• The system is using the internal regulator
• There is a microcontroller that monitors for fault conditions and has the appropriate ability to put the chip into a safe state if a fault condition is detected
• The FMEDA assumes all 16 cells are used
• There are separate cables connecting TOP and VSENSE16 to the top-most cell.
• There are separate cables connecting GND and VSENSE0 to the bottom of the bottom-most cell.
• GPIO pins are not safety related and their failure to drive, receive, or report faults will not violate the safety goal
• The EQ pins are connected to the gate of balancing MOSFETs for the respective cells
• Having an EQ pin either on or off unexpectedly will affect the measurements enough to violate the safety goal
• Turning the EQ on or off causes a measurable voltage difference and the system will generate a fault if, while running FETCheck, the EQ cannot be properly enabled or disabled
• The timer function to automatically turn off balancing is not safety related.
• The fault line is not safety related, because the testing will read everything safety related from the communications interface every FTTI and the fault line will only show information sooner within the FTTI.
• AUX pins are connected to a resistive driver and turning on the pullups (as with AuxErrDet) will create a measurable difference. The system checks to confirm there is adequate change with the pullup on and off and reports a fault if this is not true. Resistive shorts to other voltages that are below the level this test can detect will not cause a violation of the safety goal.
• There is no correlation between the AUX pin measurements and no redundancy is assumed
• Auto-Monitoring is assumed to be disabled in the safety analysis

4.2 Safety Analysis Results

The results of the safety analysis of the bq76PL455A-Q1 performed by Texas Instruments can be found in [3]. When reviewing the results, the summary results for both OVBat and OTAux can be found in the Main settings tab. There you will find the Single Point Fault Metric (SPFM), Latent Fault Metric (LFM), and Probabilistic Metric for random Hardware Failures (PMHF). A Fault Tree Analysis is also available for both OVBat in the V_FTA tab and OTAux in the T_FTA tab. Each FTA is derived from the numbers in the FMEDA (die) and FMEDA (pad-package) tabs. Each line item in the FMEDA tab corresponds to a possible failure and the mechanism that can be used to detect that failure. Each line item is also assigned an FTA Basic Event, 1 through 6, that corresponds to the key below each FTA diagram.

Appendix A Assumptions of Use and Safety Mechanism Descriptions

The assumptions of use for the device and the safety mechanisms that can be implemented are described in the following sections. For more information on the implementation of the following tests, please see [2], available upon request from Texas Instruments.
An analysis of the freedom from interference of the safety mechanisms was performed and can be found in [4].

A.1 CRCUART

The bq76PL455A-Q1 performs a CRC check on all frames received from the host device, rejecting any communication with an incorrect CRC, and generates the CRC for frames sent to the host. The CRCUART safety mechanism will generate a fault condition if an incorrect CRC is received. CRCUART runs automatically.

A.2 RXCRCFault

To test the CRCUART function explicitly, the RXCRCFault test can be run. To run the test, the host microcontroller should confirm that CRC_FAULT_L is clear and then send a write frame with an invalid CRC. The host microcontroller should then confirm that CRC_FAULT_L is set and that the associated register write was not performed. It is highly recommended to run RXCRCFault at least once every MPFDI.

A.3 WritePWD

A password mechanism (Magic1/Magic2) is used to protect writes to the EEPROM. To reduce the likelihood of an accidental EEPROM write, it is assumed that the system integrator shall program the EEPROM in the factory and that the password shall not be present in the microcontroller firmware. WritePWD runs automatically.

A.4 TempMon

A temperature monitor (thermal sensor) is provided inside the bq76PL455A-Q1 (digital die) to support detection of die overtemperature conditions. This mechanism runs automatically every second and reports a fault if the die temperature is higher than a factory-set threshold. The die temperature will increase if the ambient temperature increases significantly due to a system issue. Although the mechanism runs automatically every second, the host microcontroller may schedule TempMon to run more frequently if the system integrator wants to add it to an FTTI sequence.

A.5 ThermalShutdown

The bq76PL455A-Q1 contains two thermal shutdown circuits that will put the device into SHUTDOWN if the die temperature becomes too high.
ThermalShutdown is an auto mechanism that will shut down the device if tripped. The device temperature must drop below the trip threshold before wakeup will be possible.

A.6 BatBroken

This diagnostic function checks that the SENSE inputs, TOP and AGND are properly connected to the battery cells. The test connects an internal "squeeze" resistor between each pair of adjacent sense leads. To run this test, the squeeze circuit is enabled and then the channels to be squeezed are selected using the equalizer controls (the equalizer function is disabled in this mode). With a 0.1 µF external capacitor, the test will require approximately 2 ms of settling after engaging the squeeze circuit. All odd channels should be squeezed and all channels sampled. Then all even channels should be squeezed and all channels sampled. The battery-stack voltage should also be read by the microcontroller, using either the internal Module Monitor or an external measurement, and compared to the sum of the cell voltages. It is highly recommended to run the BatBroken diagnostic every FTTI.

A.7 ADCComp

Digital comparators are provided after the ADC to automatically detect and report cell OV and UV threshold violations. The thresholds and sample settings, which depend on system components, can be programmed into the bq76PL455A-Q1 during system assembly or controlled by the host microcontroller at run time. The safety mechanism runs automatically whenever the host microcontroller samples a channel.

A.8 ADCCompFault

This mechanism checks that OV and UV threshold violations of the AFE channel measurements will be reported as expected.
The host microcontroller is expected to set the overvoltage threshold below the cell voltage and the undervoltage threshold above the cell voltage to cause the comparator to trip; several LSBs of margin may be necessary to induce the trip. After setting the thresholds, a conversion is run to get the comparison. The host microcontroller should reset the thresholds back to their mission values after completion of the test. Another approach, which does not require changing the thresholds, is to run this test with the fake ADC value and then sample all channels. This approach does require two samples, one for overvoltage and another for undervoltage. The recommendation is to run ADCCompFault at least once every MPFDI.

A.9 ADCFullTest

This test checks that the ADC converts values accurately. It runs an abbreviated version of the calibration algorithm and confirms that the result is within the expected limits of the factory calibration. The recommendation is to run ADCFullTest at least once every MPFDI.

A.10 ADCTest

This test checks that the ADC is functional and converts values properly. An abbreviated version of the ADCFullTest calibration algorithm is run and checked against the expected limits of the factory calibration. It is recommended to run ADCTest every FTTI.

A.11 TimeoutCheck

The purpose of this mechanism is to test the power-down timeout counter. After the power-down timeout, the host microcontroller checks to confirm that the part powered down. The chip provides a bit to disable the reset of the counter when transactions are received. A readout of the current counter value (or at least its more significant bits) is provided in a register. The host microcontroller can also write to the register to set the current count value. Together these allow the host microcontroller to test the rollovers of the counter and the final timeout values without waiting for the entire count to expire. The recommendation is to run TimeoutCheck at least once every MPFDI.
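As an added example (not TI code), the following is host-side evaluation logic for the BatBroken procedure of Section A.6: the three sample sets the procedure produces (squeeze off, odd channels squeezed, even channels squeezed) are compared channel by channel, and the stack measurement is compared against the sum of the cells. The device access, the channel numbering (index 0 through 15, odd index = odd channel), the fault encoding and the delta and tolerance limits are all assumptions of this example, and the sample data are constructed.

```c
/* Host-side evaluation of the BatBroken diagnostic (Section A.6).
 * Added example, not TI code: register access and squeeze control are left
 * to the caller, who supplies the readings the procedure produces. Units are
 * millivolts; the limits below are constructed for illustration and must be
 * determined for the real system (filter capacitor, squeeze resistor, cell). */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define NCELLS 16
#define FAULT_SENSE(ch) (1u << (ch)) /* bits 0..15: sense lead of channel ch suspect */
#define FAULT_STACK     (1u << 16)   /* stack reading disagrees with sum of cells */

typedef struct {
    uint16_t unsqueezed[NCELLS]; /* all channels sampled, squeeze circuit off */
    uint16_t odd_sq[NCELLS];     /* all channels sampled, odd channels squeezed */
    uint16_t even_sq[NCELLS];    /* all channels sampled, even channels squeezed */
    uint32_t stack_mv;           /* Module Monitor or external stack measurement */
} batbroken_samples_t;

typedef struct {
    uint16_t min_delta_mv; /* a connected lead must move at least this much when squeezed */
    uint16_t max_delta_mv; /* a larger swing means the input was floating (open lead) */
    uint32_t stack_tol_mv; /* allowed |stack - sum(cells)| */
} batbroken_limits_t;

/* Sum of the individual cell readings, used for the stack cross-check. */
uint32_t sum_cells_mv(const uint16_t cells[NCELLS])
{
    uint32_t sum = 0;
    for (int ch = 0; ch < NCELLS; ch++)
        sum += cells[ch];
    return sum;
}

/* Returns a fault mask; 0 means every sense lead responded to its squeeze
 * and the stack reading matches the sum of the cells. */
uint32_t batbroken_evaluate(const batbroken_samples_t *s, const batbroken_limits_t *lim)
{
    uint32_t faults = 0;
    for (int ch = 0; ch < NCELLS; ch++) {
        /* Pick the reading taken while this channel's squeeze resistor was on. */
        uint16_t squeezed = (ch % 2) ? s->odd_sq[ch] : s->even_sq[ch];
        int32_t delta = abs((int32_t)s->unsqueezed[ch] - (int32_t)squeezed);
        if (delta < lim->min_delta_mv || delta > lim->max_delta_mv)
            faults |= FAULT_SENSE(ch);
    }
    int32_t stack_err = (int32_t)s->stack_mv - (int32_t)sum_cells_mv(s->unsqueezed);
    if (abs(stack_err) > (int32_t)lim->stack_tol_mv)
        faults |= FAULT_STACK;
    return faults;
}

/* Constructed sample set: 16 cells at 3700 mV, each connected channel drops
 * by sq_drop mV when squeezed; channel open_ch (or -1 for none) has an open
 * sense lead whose filter capacitor holds 3700 mV unsqueezed but collapses
 * once the squeeze resistor discharges it. */
static void make_samples(batbroken_samples_t *s, int open_ch, uint16_t sq_drop, int32_t stack_err_mv)
{
    for (int ch = 0; ch < NCELLS; ch++) {
        s->unsqueezed[ch] = 3700;
        s->odd_sq[ch] = 3700;
        s->even_sq[ch] = 3700;
        uint16_t *mine = (ch % 2) ? &s->odd_sq[ch] : &s->even_sq[ch];
        *mine = (ch == open_ch) ? 120 : (uint16_t)(3700 - sq_drop);
    }
    s->stack_mv = (uint32_t)((int32_t)(NCELLS * 3700) + stack_err_mv);
}

static const batbroken_limits_t demo_limits = { 10, 500, 200 }; /* constructed */

uint32_t demo_healthy(void)        { batbroken_samples_t s; make_samples(&s, -1, 30, 50);    return batbroken_evaluate(&s, &demo_limits); }
uint32_t demo_open_lead_ch5(void)  { batbroken_samples_t s; make_samples(&s, 5, 30, 0);      return batbroken_evaluate(&s, &demo_limits); }
uint32_t demo_squeeze_stuck(void)  { batbroken_samples_t s; make_samples(&s, -1, 0, 0);      return batbroken_evaluate(&s, &demo_limits); }
uint32_t demo_stack_mismatch(void) { batbroken_samples_t s; make_samples(&s, -1, 30, -3700); return batbroken_evaluate(&s, &demo_limits); }

int main(void)
{
    printf("healthy        : 0x%05x\n", demo_healthy());        /* 0x00000 */
    printf("open lead ch5  : 0x%05x\n", demo_open_lead_ch5());  /* 0x00020 */
    printf("squeeze stuck  : 0x%05x\n", demo_squeeze_stuck());  /* 0x0ffff */
    printf("stack mismatch : 0x%05x\n", demo_stack_mismatch()); /* 0x10000 */
    return 0;
}
```

The "squeeze stuck" case is the one the assumption list in Section 4.1 calls out: no channel moves when squeezed, so every sense lead is flagged rather than silently passing.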
A.12 WinComp

The bq76PL455A-Q1 has 32 analog comparators, connected in pairs as window comparators, to provide cell-voltage monitoring independent from and in parallel with the main acquisition path. In case of a malfunction of the AFE or ADC, the analog comparators will still be able to report faults if the input voltage crosses the OV or UV comparator thresholds, which are set by the host microcontroller. The WinComp mechanism may be enabled or disabled by the host microcontroller and will run automatically when enabled. The use of WinComp is highly recommended.

A.13 WinCompTest

This test detects faults of the Window Comparator (the secondary channel in View 1 as described in Section 3.2) and detects corner-case common-cause failures (for example, VM faults or faults in the front end of the AFE or WinComp that draw current from the input) that might affect both the Window Comparator and the AFE-ADC (that is, the primary channel). This test is performed taking into account the fact that the input values of the AFE and Window Comparator cannot be changed. The procedure is the following:
• The host microcontroller samples the channels to get their current values
• The host microcontroller sets the threshold values of the Window Comparator as close as possible to the current input voltage so as to both cause a fault and not cause a fault, and checks that the proper condition is reported in each case
• Each comparator may have to be checked independently, since their inputs may be at different values based on the balancing of the cells
• Since it is possible that one threshold value will produce intermittent results (due to input noise), it is recommended that three values be tested
It is highly recommended to run WinCompTest every FTTI.
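Added example (not TI code): a host-side implementation of the WinCompTest procedure above. The device is reached through two assumed callbacks (sample a channel; ask whether the window comparator of a channel faults for a given OV/UV threshold pair) that stand in for the real register interface, and a constructed simulated device with a separate error on the ADC path and on the comparator path supplies the input. Three margins (step, 2*step, 3*step) are tried per channel, and a channel passes when at least two of the three agree with the sampled value; that two-of-three rule is this example's way of applying the three-value recommendation, not something the manual specifies.

```c
/* Host-side WinCompTest (Section A.13). Added example, not TI code. The
 * bq_access_t callbacks are assumptions standing in for the real register
 * interface; sim_device_t is a constructed model, not a measurement. Units: mV. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NCH 16

typedef struct {
    /* Sample one channel through the primary path (AFE + ADC). */
    uint16_t (*sample_mv)(int ch, void *ctx);
    /* With the window comparator of ch set to (ov, uv), does it report a fault? */
    bool (*wincomp_faults)(int ch, uint16_t ov_mv, uint16_t uv_mv, void *ctx);
    void *ctx;
} bq_access_t;

/* Simulated device: true cell voltage plus an independent error on each path. */
typedef struct {
    uint16_t cell_mv[NCH];
    int16_t  afe_offset_mv[NCH];  /* error of the primary channel */
    int16_t  comp_offset_mv[NCH]; /* error of the secondary channel */
} sim_device_t;

static uint16_t sim_sample(int ch, void *ctx)
{
    const sim_device_t *d = ctx;
    return (uint16_t)(d->cell_mv[ch] + d->afe_offset_mv[ch]);
}

static bool sim_wincomp(int ch, uint16_t ov_mv, uint16_t uv_mv, void *ctx)
{
    const sim_device_t *d = ctx;
    int32_t seen = (int32_t)d->cell_mv[ch] + d->comp_offset_mv[ch];
    return seen > (int32_t)ov_mv || seen < (int32_t)uv_mv;
}

/* One threshold set around the sampled value v: a window of +/- margin must
 * not fault, an OV threshold just below v must fault, and a UV threshold just
 * above v must fault. Passes only if |comparator - AFE| < margin. */
bool wincomp_check_margin(const bq_access_t *dev, int ch, uint16_t v, uint16_t margin)
{
    uint16_t lo = (uint16_t)(v - margin), hi = (uint16_t)(v + margin);
    if (dev->wincomp_faults(ch, hi, lo, dev->ctx)) return false;          /* must not fault */
    if (!dev->wincomp_faults(ch, lo, 0, dev->ctx)) return false;          /* OV must fault */
    if (!dev->wincomp_faults(ch, UINT16_MAX, hi, dev->ctx)) return false; /* UV must fault */
    return true;
}

/* Number of the three margins (step, 2*step, 3*step) at which the comparator
 * agreed with the sampled value; the caller treats >= 2 as a pass. */
int wincomp_test_channel(const bq_access_t *dev, int ch, uint16_t step)
{
    uint16_t v = dev->sample_mv(ch, dev->ctx); /* current input value of this channel */
    int agreed = 0;
    for (int k = 1; k <= 3; k++)
        agreed += wincomp_check_margin(dev, ch, v, (uint16_t)(k * step)) ? 1 : 0;
    return agreed;
}

/* Each channel is tested independently (cells may be at different voltages);
 * returns a mask of the channels whose comparator disagrees with the AFE. */
uint32_t wincomp_test_all(const bq_access_t *dev, uint16_t step)
{
    uint32_t failed = 0;
    for (int ch = 0; ch < NCH; ch++)
        if (wincomp_test_channel(dev, ch, step) < 2)
            failed |= 1u << ch;
    return failed;
}

/* Constructed scenario: cells between 3600 and 3750 mV, channel 3's comparator
 * and channel 7's AFE given the supplied offsets, 20 mV threshold step. */
uint32_t demo_wincomp_test(int16_t ch3_comp_offset_mv, int16_t ch7_afe_offset_mv)
{
    sim_device_t d = {0};
    for (int ch = 0; ch < NCH; ch++)
        d.cell_mv[ch] = (uint16_t)(3600 + 10 * ch);
    d.comp_offset_mv[3] = ch3_comp_offset_mv;
    d.afe_offset_mv[7] = ch7_afe_offset_mv;
    bq_access_t dev = { sim_sample, sim_wincomp, &d };
    return wincomp_test_all(&dev, 20);
}

int main(void)
{
    printf("no error           : 0x%04x\n", demo_wincomp_test(0, 0));   /* 0x0000 */
    printf("ch3 comparator +50 : 0x%04x\n", demo_wincomp_test(50, 0));  /* 0x0008 */
    printf("ch7 AFE +50        : 0x%04x\n", demo_wincomp_test(0, 50));  /* 0x0080 */
    printf("ch3 comparator -25 : 0x%04x\n", demo_wincomp_test(-25, 0)); /* 0x0000 */
    return 0;
}
```

The test cannot tell which channel is wrong, only that the primary and secondary channels disagree by more than the accepted margin; a disagreement smaller than the margin is the "measurement error too small to be detected by WinCompTest" that Section 4.1 assumes away.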
A.14 WinCompFault

This diagnostic function checks that faults from the Window Comparators will be properly reported. The host microcontroller needs to enable the comparator channel, clear any existing fault, set a threshold value that will not trip and confirm that no comparator fault is seen, and then set a threshold that will trip and confirm that the comparator fault is detected. The threshold values selected do not need to be near the actual value of the input. It may be necessary to shift the comparator range to trip the comparator. It is highly recommended to run WinCompFault at least once every MPFDI.

A.15 POR

The POR circuit monitors the output of the internal regulator that generates the VDD18 rail. This mechanism runs automatically.

A.16 PORVDD18

This diagnostic function checks that the 1.8V LDO is properly functioning and that the 1.8V POR is also functional. Running it at least once every MPFDI is optional for the host microcontroller.

A.17 MemECC

EEPROM stored memory (including the factory memory space) includes ECC codes for single-bit error correction and dual-bit detection. A fault will be flagged if an error is detected, and a safe default configuration is chosen if the state cannot be corrected. Note that if the ECC incorrectly tries to correct a multi-bit failure, there will likely be a checksum failure. A single error in the MemECC, if confirmed through multiple retests, should be considered a failure of the bq76PL455A-Q1 and the appropriate action taken at the system level. The MemECC mechanism runs automatically whenever the EEPROM is read.

A.18 ECCTest

The purpose of this test is to check that the ECC circuit properly corrects errors and reports faults.
Two memory blocks are provided: one will cause a correctable error and the other will cause an uncorrectable error. Each of these blocks can be loaded on request from the host microcontroller. It is highly recommended to run ECCTest at least once every MPFDI.

A.19 NPNprotect

The regulator has a checker circuit that will detect whether the VP voltage comes up per parameter VPSD_DLY in [1]. If the VP voltage fails to rise (for example, if VP is shorted to ground), the circuit will send a signal to put the bq76PL455A-Q1 back in power down. This safety mechanism runs automatically.

A.20 NPNprotectCheck

This test causes the NPNprotect circuit to trigger, causing the bq76PL455A-Q1 to go into SHUTDOWN. It is recommended to run this test every MPFDI.

A.21 NPNshortCheck

This test can detect leakage of the NPN base regulator, or shorts of the NPN collector-emitter, that cause leakage through the NPN greater than the power down leakage of the chip on VP/VDIG. A short power-down and power-up cycle will cause an inadvertent fault, because the voltage on the VP/VDIG pins will not have dropped enough due to typical VP/VDIG leakage currents. The diagnostic uses this principle, as a short of the NPN will charge up the capacitance on the VP/VDIG pins. To run NPNshortCheck, set bit VDIG_TEST before turning off the external regulator, causing the part to enter shutdown at the falling POR threshold. Once the device enters shutdown, it is necessary to wait for leakage of the NPN to pull the VP/VDIG pins above the POR’s hysteresis threshold. The time required to wait depends on the capacitance on those pins and the amount of NPN leakage current the system can safely tolerate. The recommendation is to run this safety mechanism at least once at the end-of-drive-cycle MPFDI.

A.22 TestAvoid

The bq76PL455A-Q1 embeds special circuitry to prevent production test modes from being unintentionally activated during operation.
To prevent contention if the part should enter a test mode, GPIO[4:0] should have pullup or pulldown resistors if they are used as outputs, and GPIO5 should use an isolation resistor if it is used as a chip input. If RX or WAKEUP are not being driven, they should include pullup or pulldown resistors. This mechanism runs automatically and no host microcontroller interaction is required.

A.23 AuxErrDet

This test checks that the proper AUX input is selected, is properly connected to a resistive driver, and that the OV and UV fault conditions are properly reported. The host microcontroller is responsible for calculating the difference between the measurements and determining whether it is sufficient. The host microcontroller should enable the pullup resistor of each used AUX channel, one at a time, sample the channel, turn off the pullup for the channel, and sample the channel again. The threshold checking can be done with the digital comparators internal to the bq76PL455A-Q1. The host microcontroller must write a threshold low enough to trigger an overvoltage fault and high enough to trigger an undervoltage fault. The reading with the pullup on should be compared with the following reading with the pullup disabled, confirming that the pullup was disabled. The thresholds must be restored at the end of the test. An alternative method of testing, if thresholds cannot be changed once the bq76PL455A-Q1 is installed in a production vehicle, is to use fake ADC values above and below the set thresholds. It is highly recommended to run the AuxErrDet mechanism every FTTI.

A.24 FETCheck

This test checks that the proper AFE channels can be selected and that there is sufficient change in the channel voltage when enabling or disabling the balancing FET.
The host microcontroller should select each channel (one at a time), turn on the FET, sample the channel, turn off the FET, sample the channel, and then compare the two samples. This test also enables detection of shorts between the sense and EQ lines. The recommendation is to run FETCheck every FTTI.

A.25 Checksum

The bq76PL455A-Q1 continuously monitors the checksum of the programmable registers and confirms that the checksum matches the programmed checksum. While the checksum calculation is automatic, it is highly recommended that the host microcontroller not mask the checksum faults.

A.26 CustCksumFault

This safety mechanism tests the behavior of the checksum engine with respect to the User region of memory. Prior to running the test, the host microcontroller should confirm there are no customer checksum faults. The host microcontroller is required to start the test. During the test the bq76PL455A-Q1 automatically toggles the state of a single bit in the user register space on every clock. The bits are flipped twice, from their original state to the opposite and back to the original state. The number of toggles of the user checksum fault is counted and reported in CKSUM_TEST; the host microcontroller should read the value and make sure it is correct. Having a customer checksum fault prior to running this test will cause the test to fail. Running the test may cause unexpected fault conditions to be triggered that should be ignored. This test, if run after all faults are cleared, should not generate a Customer Checksum Fault. It is highly recommended to run CustCksumFault at least once every MPFDI.

A.27 FactCksumFault

This safety mechanism tests the behavior of the checksum engine with respect to the Factory region of memory. The host microcontroller is required to start the test. During the test the bq76PL455A-Q1 automatically toggles the state of a single bit in the factory register space on every clock.
The bits are flipped twice, from their original state to the opposite and back to the original state. The number of toggles of the factory checksum fault is counted and reported in CKSUM_TEST; the host microcontroller should read the value and make sure it is correct. A factory checksum fault is not self-clearing, as a customer checksum fault is, so the host microcontroller must clear the fault when the test is completed. FactCksumFault is highly recommended to be run at least once every MPFDI.

A.28 VintCheck

This test automatically checks that the internal voltage references are both operating in the proper range. The test first changes the internal mux to the 4.5-V reference and then measures it with the ADC, which uses the 2.5-V reference; as a result, an error in either reference will cause an error in the measurement. The bq76PL455A-Q1 does internal limit checking on the measured value to confirm it is in the proper range and reports a fault if it is out of range. The measured value can also be reported to the host microcontroller. The test also samples the 4.5-V reference ground after sampling the reference and reports a fault if it is too high. This is done to prove that the reference buffer has been switched off, so that accidental selection of the reference voltage input by the bq76PL455A-Q1 (for example, when sampling cells) will report a value well below UV. This measured value can also be reported to the host microcontroller. It is recommended that this test be run at least once every MPFDI.

A.29 VintFaultCheck

This check confirms that VintCheck will properly generate a fault if it fails.
The ability to inject host-microcontroller-controlled ADC output values is used during a run of VintCheck, and the host microcontroller must verify that the fault is reported. At least one UV and one OV check should be run. The recommendation is to run this test at least once every MPFDI.

A.30 VPClamp

The regulator for the NPN base current has a monitor that clamps it if it tries to go too high. This prevents VP from exceeding 6.0 V in the case where the capacitors on VP are missing (although VP will oscillate in this case). The VPClamp mechanism runs automatically.

IMPORTANT NOTICE

Texas Instruments Incorporated and its subsidiaries (TI) reserve the right to make corrections, enhancements, improvements and other changes to its semiconductor products and services per JESD46, latest issue, and to discontinue any product or service per JESD48, latest issue. Buyers should obtain the latest relevant information before placing orders and should verify that such information is current and complete. All semiconductor products (also referred to herein as “components”) are sold subject to TI’s terms and conditions of sale supplied at the time of order acknowledgment. TI warrants performance of its components to the specifications applicable at the time of sale, in accordance with the warranty in TI’s terms and conditions of sale of semiconductor products. Testing and other quality control techniques are used to the extent TI deems necessary to support this warranty. Except where mandated by applicable law, testing of all parameters of each component is not necessarily performed. TI assumes no liability for applications assistance or the design of Buyers’ products. Buyers are responsible for their products and applications using TI components.
To minimize the risks associated with Buyers’ products and applications, Buyers should provide adequate design and operating safeguards. TI does not warrant or represent that any license, either express or implied, is granted under any patent right, copyright, mask work right, or other intellectual property right relating to any combination, machine, or process in which TI components or services are used. Information published by TI regarding third-party products or services does not constitute a license to use such products or services or a warranty or endorsement thereof. Use of such information may require a license from a third party under the patents or other intellectual property of the third party, or a license from TI under the patents or other intellectual property of TI. Reproduction of significant portions of TI information in TI data books or data sheets is permissible only if reproduction is without alteration and is accompanied by all associated warranties, conditions, limitations, and notices. TI is not responsible or liable for such altered documentation. Information of third parties may be subject to additional restrictions. Resale of TI components or services with statements different from or beyond the parameters stated by TI for that component or service voids all express and any implied warranties for the associated TI component or service and is an unfair and deceptive business practice. TI is not responsible or liable for any such statements. Buyer acknowledges and agrees that it is solely responsible for compliance with all legal, regulatory and safety-related requirements concerning its products, and any use of TI components in its applications, notwithstanding any applications-related information or support that may be provided by TI. 
Buyer represents and agrees that it has all the necessary expertise to create and implement safeguards which anticipate dangerous consequences of failures, monitor failures and their consequences, lessen the likelihood of failures that might cause harm and take appropriate remedial actions. Buyer will fully indemnify TI and its representatives against any damages arising out of the use of any TI components in safety-critical applications. In some cases, TI components may be promoted specifically to facilitate safety-related applications. With such components, TI’s goal is to help enable customers to design and create their own end-product solutions that meet applicable functional safety standards and requirements. Nonetheless, such components are subject to these terms. No TI components are authorized for use in FDA Class III (or similar life-critical medical equipment) unless authorized officers of the parties have executed a special agreement specifically governing such use. Only those TI components which TI has specifically designated as military grade or “enhanced plastic” are designed and intended for use in military/aerospace applications or environments. Buyer acknowledges and agrees that any military or aerospace use of TI components which have not been so designated is solely at the Buyer's risk, and that Buyer is solely responsible for compliance with all legal and regulatory requirements in connection with such use. TI has specifically designated certain components as meeting ISO/TS16949 requirements, mainly for automotive use. In any case of use of non-designated products, TI will not be responsible for any failure to meet ISO/TS16949. 
Products
Audio: www.ti.com/audio
Amplifiers: amplifier.ti.com
Data Converters: dataconverter.ti.com
DLP® Products: www.dlp.com
DSP: dsp.ti.com
Clocks and Timers: www.ti.com/clocks
Interface: interface.ti.com
Logic: logic.ti.com
Power Mgmt: power.ti.com
Microcontrollers: microcontroller.ti.com
RFID: www.ti-rfid.com
OMAP Applications Processors: www.ti.com/omap
Wireless Connectivity: www.ti.com/wirelessconnectivity

Applications
Automotive and Transportation: www.ti.com/automotive
Communications and Telecom: www.ti.com/communications
Computers and Peripherals: www.ti.com/computers
Consumer Electronics: www.ti.com/consumer-apps
Energy and Lighting: www.ti.com/energy
Industrial: www.ti.com/industrial
Medical: www.ti.com/medical
Security: www.ti.com/security
Space, Avionics and Defense: www.ti.com/space-avionics-defense
Video and Imaging: www.ti.com/video
TI E2E Community: e2e.ti.com

Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265
Copyright © 2015, Texas Instruments Incorporated