sm495320 - MC33PT2001 Safety manual (2.0)

9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG PT2001 functional safety manual Rev. 2.0 — 12 June 2019 1.1 Purpose 534 b74 Document purpose and scope The functional safety manual describes how to use the PT2001 injector pre-driver IC in the context of a safety-related system. It specifies the responsibility of the user for installation and operation to reach the targeted safety integrity level. This safety manual is intended to support system and software engineers using the PT2001 available features, as well as achieving additional diagnostic coverage by software measures. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 1 User manual COMPANY CONFIDENTIAL 1.2 Scope This safety manual provides a minimum set of requirements and practices for safe operation of the safety element considered in a given context of use. This functional safety manual provides necessary assumptions of PT2001 IC use, such as details of the assumed functional safety (Automotive Safety Integrity Level (ASIL) capability, safe states, fault tolerant time interval (FTTI), technical safety requirements, etc.) and assumed use cases. The contents of this functional safety manual are driven and defined by the following: • Safety context and safety concept established during the development of PT2001 IC • Safety analysis results and information about failures of the element, their distribution, calculation of the failure rate,... and the diagnostic coverage offered by the safety mechanisms implemented in the element • Appropriate use of the safety mechanisms implemented within PT2001 IC to ensure safe operation • Safety measures to be implemented by the integrator to ensure safe operation 1.3 Content The safety manual contains the following: • Description of ISO 26262 lifecycle tailored for the IC, mentioning which parts, and work products were done during the IC development • Description of assumptions of use (AoU) of the IC regarding its intended use, including: – Assumption on the IC safe state – Assumptions on fault tolerant time interval – Assumptions on use of functional safety features or PT2001, from a potential integrator [interfacing microcontroller unit (MCU)] • Description of the IC safety concept and safety architecture with an abstract description of IC functionalities and description of safety requirements and mechanisms • Safety analysis basis and overview of safety analysis results 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual 1.4 Component safety analysis 534 b74 • Reference to the other safety relevant documentation that is not covered in the safety manual document • Summary table for system integrator use In distributed development, the user integrating the NXP component into an application or system needs to perform safety analysis at application/system level. Under the customer application/system, those results are aggregated with others from other components or subsystem to perform the customer application/system safety analysis under the safety architecture considered by the customers. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c The customer level application/system safety analysis is under the responsibility of the customer. The customer is solely responsible for the safety metric values. 1.5 General information PT2001 is an automotive smart solenoid driver, which in this case will be used to drive direct fuel injectors. This driver is part of the smart solenoid driver product family, which includes MC33816 and MC33PT2000. The specific part number is MC33PT2001. PPAP has been released in June 2018. 2 Description of ISO 26262 lifecycle used for the component development 2.1 Brief description of NXP safety life cycle Within NXP, an organizational-level approved product creation process with safety extension is defined with several gates and milestones [business creation and management (BCAM)], where in the objectives, input and deliverables are defined and checked. The product creation process is used as a guideline document for any project execution. Within a development project, several gates and milestones are defined based on the governing product creation process. These gates and milestones divide the project into manageable project phases. Within these project phases, activities are planned to generate several deliveries. The longer implementation phase is further subdivided into different phases with defined milestones based on product maturity expectations. At the end of each planned phase, formal reviews and audits are conducted to make sure that the expected process compliance and product level maturity are in place. The section below describes a basic overview and the project gates. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 2 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual PI CONCEPT PCA DEFINITION PDA PLANNING PPA EXECUTION R CLOSURE PC PROJECT LIFECYCLE TO CES RQ CQS NPI LIFECYCLE PI Gate 534 b74 Standard Customer Marketing (MRD) Internal R Gate define product type QM or ISO 26262 Input Requirements E product functional safety assessment report and safety case CUSTOMER DOCUMENTS PRODUCT REQUIREMENTS (PRD) (7-5) PRODUCTION TESTING DATA SHEET REFERENCE MANUAL (4-6) SAFETY CONTEXT (8-13) QUALIFICATION TESTING SAFETY MANUAL Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c FMEDA, FTA, DFA (4-7) SAFETY CONCEPT (5-10) VALIDATION TESTING ARCHITECTURAL SPECIFICATION (5-6) REQUIREMENTS SPECIFICATIONS (RS) (5-7) DETAILED DESIGN SPECIFICATIONS (DOTS) FAULT INJECTION TESTING Test fine De (5-8, 9) INITIAL SAFETY ANALYSIS (5-7) CHIP LEVEL VERIFICATION TESTING (5-7) BLOCK LEVEL VERIFICATION TESTING FAULT INJECTION TESTING FAULT INJECTION TESTING Implement legend development flow input document functional documentation safety documentation Requirement traceability simulation testing silicon testing aaa-028456 Figure 1. BCAM functional safety life cycle Table 1. Major safety deliverables and gates Gate and objectives Key (safety) inputs Project initiation (PI) • Capture market requirements including functional safety requirements • Functional safety manager and architect allocated to project Concept phase (PCA) • Evaluate concept for technical and commercial viability From project initiation MC33PT2001SMUG User manual COMPANY CONFIDENTIAL Key (safety) deliverables Critical reviews ASIL target Initial structure and content for the following: • Safety context and safety concept • Safety plan • DIA • Safety case • Safety requirements • Resource requirements Verification review of safety concept All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 3 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual Key (safety) deliverables Critical reviews Definition phase (PDA) PCA deliverables • Complete requirement specifications, architectural specifications, and qualification strategy Safety concept, safety requirements, safety architecture, Base FIT calculations, Initial safety analysis (FMEA, FMEDA, FTA, DFA) TCL (initial) Verification Review of Safety concept, safety requirements in the requirements specification, safety analysis (FMEDA, FTA, DFA, SW FMEA) Planning phase (PPA) • Build and baseline Project Management Plan(s) • Commitment for funding and people • Technical specification (detailed) with safety features • Updated safety plan and safety assessment plan • Initial TCL reports • V&V, qualification plan, production test plan PDA deliverables 534 b74 Key (safety) inputs Confirmation review of safety plan Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Gate and objectives Execution phase (R) • Develop and qualify the product and associated product collateral • Release product configurations to production and supply • All Major Milestone • All major verification Requirements met reviews (design reports, including safety V&V reports, safety manual, safety analysis) • Updated safety case report • Confirmation review of safety analysis, TCL, safety case, qualification reports • Safety assessments and audit (if applicable) PPA deliverables 2.2 Tailored ISO 26262 life cycle applied at component level Table 2. ISO 26262 Life cycle at component level ISO 26262 part ISO 26262 section Topic of the part Applicability Justification or exceptions 1 all sections vocabulary applicable — all sections management of functional safety applicable — all sections concept phase not applicable under customer responsibility all sections product development at system level partially applicable Sections 6.5.1, 6.5.2, 7.5.5, 10.5.1, and 11.5.1 are considered in the development of the product. It is the responsibility of the customer to verify that the assumptions made at system level are applicable to their target application. all sections product development at hardware level applicable — all sections product development at software level not applicable under customer responsibility all sections production and operation applicable No maintenance, no reparation, and no decommissioning planned at product level. The maintenance and reparation can be done only at system or vehicle level. all sections supporting processes Exception to the software part, because the element contains none. 2 3 4 5 6 7 8 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL applicable All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 4 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual Topic of the part Applicability Justification or exceptions 9 all sections ASIL-oriented and safety-oriented analysis applicable There is no ASIL considered in IC development 10 all section guideline on ISO 26262 not applicable informative part only 2.3 Customer specific actions required 534 b74 ISO 26262 part ISO 26262 section Use of the latest PT2001 documentation revision (data sheet, safety manual, failure modes, effects, and diagnostic analysis (FMEDA), application notes, errata sheet). Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Verify the application mission profile is well covered by the PT2001 devices as shown in Table 3. Compare system requirements versus PT2001 requirements and make sure there are no deviances. Establish validity of assumptions at the system level considered in Section 4 "Assumption on use": 1. Verify the FTTI of the PT2001 is under the system FTTI requirement, whatever the faults. 2. Verify no violation of violation of the technical assumptions as described in Section 5.1 "Safety architecture" 3. Safe state considerations described in Section 4.2.1 "System safe state" 4. Perform safety analysis at the system level, considering the safety analysis provided for the PT2001. Consider and verify single-point failures and latent failures at system level. Verify the effectiveness of diagnostics at the system level. Perform fault injection tests and validate safety mechanisms at the system level. Consider all system safety integration requirements (SIR[xxx]) given in this safety manual. In case of questions, the customer should contact their local NXP Semiconductors representative. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 5 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual 3 System architecture 3.1.1 Use case overview Direct fuel injector driver for automotive vehicle 534 b74 3.1 Component overview in the system architecture The PT2001 features and safety requirements are derived from the following: Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c • An automotive direct fuel injection application • The DC-to-DC converter for high-voltage generator • The solenoid the PT2001 controls Each metal-oxide-semiconductor field-effect transistor (MOSFET) is driven by a unique IC, which is the PT2001 in this case. After it has been programmed, the PT2001 receives voltage supplies to power the MOSFET gates. Moreover, the PT2001 drives a low-side gate to handle a DC-to-DC converter. This converter generates high voltage that is required at the initial phase of injection. Several of the elements in Figure 2 are optional. The boost voltage issued from the DC-to-DC converter can be provided by another supply. In addition, the redundant current monitoring path to the MCU is also not mandatory to reach ASIL C level. The system arrangement depends on the application. • In a four-cylinder application, two injectors per bank are considered enabled by the related low-side switches • In a six-cylinder application, three injectors per bank are considered enabled by the related low-side switches. In this use case, only the four-cylinder application is considered. 3.2 Architecture overview The following figure is the application example considered for the safety analysis. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 6 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual VEHICLE BATTERY VOLTAGE U4 VBAT COM n.c. NO 1 3 A VBAT_PROTECT 2 MAIN SWITCH 534 b74 B VBOOST KEY SWITCH 4 G_LS7_BOOST MCU_MAIN_SWITCH_CMD 3 DC-DC CONVERTER VBAT_PROTECT G_HS2 VBOOST 4 4 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c G_HS1 1 3 DRVEN 2 VBOOST VBOOST VCC5 DIAG1 4 VCCIO G_LS1 1 MAIN MCU SENSOR COM START_CMD 4 SPI 4 INJECTOR PREDRIVER AND DIAGNOSIS ASSP INJECTION BANK # 1 VBAT_PROTECT G_HS4 VEHICLE COMMUNICATION INTERFACE CUR_SENSE_REDUNDANT (optional) POWER SUPPLY LOGIC CONTROLLER SYSTEM FEATURE GATE DRIVER IC 4 G_HS3 1 DIAG2 POWER STAGE 3 CUR_SENSE1 CAN SENSOR INTERFACES PSC10 4 1 3 G_LS2 RESETB IRQB Injector # 2 3 1 3 3 VBOOST VBOOST 4 G_LS5 1 G_LS4 VBOOST 4 Injector # 4 VCC5 1 1 3 Injector # 1 lOs MCU_RESET POWERSBC Injector # 3 SBC_MAIN_SWITCH_CMD 1 CUR_SENSE4_BOOST VBAT_PROTECT 4 1 3 3 CUR_SENSE2 INJECTION BANK # 2 aaa-028457 Figure 2. Example of an automotive powertrain direct fuel injection driver electronic system 3.3 Features overview Vehicle battery voltage The vehicle battery voltage is the voltage applied to the module. This is a car battery in automotive system. Key switch The key switch is a switch controlled by the car driver. This is the main switch for starting and stopping the car engine. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 7 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual The key switch supplies the power system basis chip (SBC). Sensor interfaces Throttle position sensor interface Fuel pressure sensor interface Manifold absolute pressure sensor interface Coolant temperature sensor interface Mass air flow sensor interface Active camshaft position sensor interface Glow plug temperature sensor interface O2 sensor interface NOx sensor interface Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c • • • • • • • • • 534 b74 The sensor interfaces interact with the car sensors, outside the powertrain module. It generally includes: The interfaces of the sensors are connected to the main MCU for configuration and data exchange. Main switch The main switch prevents module damage issued from reverse battery connection. If primary shut off path failure, the main switch is a secondary shut off path. The main switch supplies the power SBC, the PT2001, and the power stages (injection bank #1 and #2, and DC-to-DC converter). Power SBC (or other safety MCU) The power SBC (FS6500) is a multiple stage supply that provides several voltages to the platform components. This SBC supplies the PT2001 on its VCC5 input and VCCIO input. It provides voltage to the main MCU of the platform. The power SBC ensures the main MCU monitoring. The power SBC controls the primary shut off path (DRVEN) and the secondary shut off path (main switch). The power SBC supplies the main MCU, the PT2001, and other functions. Main MCU The main MCU provides the main powertrain logic functions and enables the PT2001. The main MCU can take the decision to switch off the injection power stages by the mean of the DRVEN path in some cases of malfunctions not detected by the PT2001. The main MCU drives the main switch, used a second safety path. The main MCU interfaces with the PT2001, the sensor interfaces, and the vehicle communication interface. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 8 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual Vehicle communication interface PT2001 injector pre-driver 534 b74 The vehicle communication interface includes any communication interfaces connected outside the powertrain module. The vehicle communication interface is based on Controller Area Network bus (CAN-bus). The PT2001 is a gate driver that drives the DC-to-DC converter, the injection bank #1, and injection bank #2 based on the main MCU commands (controlling start). Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c The PT2001 is used in automotive systems where a safety reaction is expected. The PT2001 implements the actuation of its safety reactions. The system is responsible for ensuring safety strategy and triggering the safety reactions. In this particular case, we use the PT2001 4-injectors system with DC-to-DC converter. DC-to-DC converter The DC-to-DC converter includes the external circuitry (inductor, diode, MOSFET, and capacitor) to generate an output voltage of typically 65 V from the vehicle battery voltage. The DC-to-DC converter supplies the injection banks #1 and #2. Injection bank #1 The injection bank #1 includes one high-side MOSFET to vehicle battery voltage, one high-side MOSFET to Vboost and two low-side MOSFETs to enable injector #1 or injector #2. This bank also includes a current-sense resistor connected to ground to monitor the current sequentially flowing through the injectors. Injection bank #2 The injection bank #2 includes one high-side MOSFET to vehicle battery voltage, one high-side Vboost and two low-side MOSFETs to enable injector #3 or injector #4. This bank also includes a current-sense resistor connected to ground to monitor the current sequentially flowing through the injectors. 4 Assumption on use 4.1 Electrical specification and environmental limits The system level assumptions for the PT2001 are: • The PT2001 is used in automotive systems where a safety reaction is expected. • The PT2001 implements the actuation of its safety reactions. • The system is responsible for ensuring safety strategy and triggering the safety reactions. • Software running in PT2001, developed by system integrator, is considered fully validated and tested at system level. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 9 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 4.1.1 Electrical specification limits SIR[001] Use PT2001 according to the maximum ratings table in the MC33PT2001 data sheet https://www.docstore.nxp.com/products/product-hierarchy?query=Ds520950. 534 b74 Above this voltage, the safety requirements are no longer satisfied and the PT2001 runs the risk of being destroyed. If excessive voltages are possible, it is assumed that the automotive system provides overvoltage protection. The PT2001 is used in combination with other devices in the application, such as an MCU, saving logic, other analog ICs, and power MOSFETs. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Short circuits between printed-circuit board (PCB) traces are not considered in the PT2001 safety analysis, but is covered by normal design practices. External component disconnection is not considered in the PT2001 safety, but is covered by normal design practices. 4.1.2 Mission profile SIR[002] The PT2001 is used in applications for which the mission profile is the following, or less aggressive: • Junction temperature: –40 °C to ≤ +150 °C • Operation lifetime: 12000 hours • Number of key-on/key-off cycles: 55000 Table 3. Mission profile table MC33PT2001SMUG User manual COMPANY CONFIDENTIAL PCB temperature (°C) Operating time (%) Operating time (hours) –35 0.1 12 –25 0.2 24 –15 0.5 60 –5 0.7 84 5 1.1 132 15 1.5 180 25 2.0 240 35 2.7 324 45 3.7 444 55 4.7 564 65 7.0 840 75 11.2 1344 85 20.1 2412 95 31.0 3720 105 10.6 1272 115 2.4 288 125 0.5 60 Total 100 % 12000 hours All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 10 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 4.2 System safety goal SZ-01 Prevention of unintended acceleration → ASIL B 534 b74 The system safety goal definition is based on the Standardized E-Gas Monitoring Concept for Gasoline and Diesel Engine Control Units, version 6.0. See https:// www.iav.com/en/publications/technical-publications/etc-monitoring-concepts Per market analysis the ASIL C level is targeted on most of the automotive powertrain applications. In the appropriate system context the PT2001 can contribute to meet ASIL C system level. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 4.2.1 System safe state The system safe state considered is the switching off of the injection driver of the engine. 4.2.2 Assumptions on fault tolerant time interval The single-point FTTI/process safety time (PST) is the time span between a failure having the potential to give rise to a hazardous event, and the time by which counteraction has to be completed to prevent the hazardous event from occurring. It is used to define the sum of the worst case fault indication time and the time for execution of corresponding countermeasures (reaction). Figure 3 shows the FTTI for a single-point fault occurring with an appropriate functional safety mechanism to handle the fault. The fault reaction time can include both PT2001 reaction and MCU reaction time, in case some action is needed from the MCU. normal operation failure operation fault occured normal operation fault detected possible hazard failure operation fault detection time safe state fault reaction time fault tolerant time interval (FTTI) safe state time aaa-028458 Figure 3. Fault tolerant time interval diagram For an engine running at 6000 RPM, 10 ms is required for the engine revolution. It is assumed that the unintended acceleration is effective after 5 engine revolutions. Assuming that the failure affects two cylinders at the same time and the injection and ignition occurs every two engine revolutions, the FTTI is estimated to be 50 ms. 4.2.3 Assumption on multiple point fault detection interval The multiple point detection interval shall be at least equal to the item power-up to power-down cycle. 4.3 Component safety goal The PT2001 shall never turn on external MOSFET if the MCU is not requiring it. Otherwise, this leads to unwanted acceleration (ASIL C). MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 11 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual 4.3.1 Component safe state 4.3.2 Assumptions on fault tolerant time interval The FTTI is estimated to 50 ms at system level. 4.3.3 HW architectural metrics Single-point fault metrics 534 b74 In its safe state, the PT2001 switches off the external MOSFET gates. It can be done by either forcing RSTB or DRVEN pin LOW. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c The evaluation of the effectiveness of the architecture shall demonstrate a single-point fault metric (SPFM) rate above 97 % at system level to satisfy ASIL C. Latent fault metrics The evaluation of the effectiveness of the architecture shall demonstrate a latent fault metric (LFM) rate above 80 % at system level to satisfy ASIL C. Probabilistic metric for random hardware failures (PMHF) The evaluation of the effectiveness of the architecture shall demonstrate a PMHF rate –7 below 10 per hour of operation (100 FIT) at system level to satisfy ASIL C. The PT2001 contribution is x FIT. The PT2001 contribution is below 10 FIT, corresponding to 10 % of total system failure in time (FIT). 5 Safety concept 5.1 Safety architecture This section contains brief descriptions of the functional blocks of PT2001. For more details on each functional block, refer to https://www.docstore.nxp.com/products/producthierarchy?query=Ds520950. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 12 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual LOGIC CONTROL CLK RESETB IRQB CONTROLS DIGITAL MICROCORE (UC0CH1) HIGH SIDE PREDRIVER HS3 DIAGNOSTICS SPI INTERFACE DATA RAM FUSE TESTMODE DBG FLAG0 SIGNATURE UNIT DEBUG INTERFACE CROSSBAR SWITCH FLAG1 FLAG2 START1 START2 START3 START4 START5 START6 VBOOST VBATT BOOST MONITOR LOGIC CHANNEL 2 BAT ADC DIGITAL MICROCORE (UC0CH2) VCCP LDO UV G_HS3 S_HS3 B_HS4 G_HS4 S_HS4 B_HS5 HIGH SIDE PREDRIVER HS5 DIAGNOSTICS CODE RAM CSB G_HS2 S_HS2 B_HS3 HIGH SIDE PREDRIVER HS4 DIAGNOSTICS Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c SCLK HIGH SIDE PREDRIVER HS2 DIAGNOSTICS DIGITAL MICROCORE (UC1CH1) MISO MOSI LOGIC CHANNEL 1 G_HS1 S_HS1 B_HS2 534 b74 PLL CLK MONITORING B_HS1 HIGH SIDE PREDRIVER HS1 DIAGNOSTICS MC33PT2001 DIGITAL MICROCORE (UC1CH2) G_HS5 S_HS5 LOW SIDE PREDRIVER LS1 DIAGNOSTICS D_LS1 LOW SIDE PREDRIVER LS2 DIAGNOSTICS D_LS2 LOW SIDE PREDRIVER LS3 DIAGNOSTICS D_LS3 LOW SIDE PREDRIVER LS4 DIAGNOSTICS D_LS4 LOW SIDE PREDRIVER LS5 DIAGNOSTICS D_LS5 LOW SIDE PREDRIVER LS6 DIAGNOSTICS D_LS6 G_LS1 G_LS2 G_LS3 G_LS4 G_LS5 G_LS6 DCDC PREDRIVER LS7 G_LS7 CURRENT MONITORING BANK 1 VSENSEP1 VSENSEN1 ANALOG OUTPUT 1 OA_1 CURRENT MEASURE 3 VSENSEP3 VSENSEP2 CODE RAM CURRENT MONITORING BANK 2 VCC1P5 VCC1P5 REGULATOR DATA RAM ANALOG OUTPUT 2 VCCIO IO BUFFERS SUPPLY SIGNATURE UNIT CURRENT MONITORING DCDC VCCP VCC5 MONITOR VCC5 VSENSEN3 VSENSEN2 OA_2 VSENSEP4 VSENSEN4 END OF INJECTION DETECTION DRVEN AGND DGND PGND aaa-028459 Figure 4. PT2001 internal block diagram MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 13 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual 5.1.1 Power management 5.1.1.1 BOOST monitor 534 b74 This block is used to monitor the Vboost voltage. It is then used to control LS7 to generate the boost voltage needed. BOOST voltage also supplies the internal charge pump and is used as a voltage drain source (VDS) monitoring reference for the high side (HS) pre-drivers. 5.1.1.2 Charge pump Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c The charge pump is supplied by BOOST. It is only used to provide enough voltage to sustain 100 % duty cycle for all high sides. 5.1.1.3 VCCP low dropout (LDO) and UV monitoring VCCP is an internal regulator supplied by Vbat. It is biasing the MOSFET gate drivers (HS pre-drivers X, and low side (LS) pre-drivers Y). It requires an external decoupling capacitor on VCCP pin. The VCCP output voltage is monitored against the undervoltage threshold. 5.1.1.4 VCC5 external supply VCC5 provides power for the internal regulator VCC1P5 to supply the logic. PT2001 provides VCC5 overvoltage and undervoltage monitoring. 5.1.1.5 VCC1P5 regulator VCC1P5 regulator powers the digital block. It requires an external decoupling capacitor on the VCC1P5 pin. 5.1.1.6 IO buffers supply VCCIO supplies the digital IO buffers of the pins CLK, RESETB, IRQB, MISO, MOSI, SCLK, CSB, DBG, FLAG0 to FLAG2, START1 to START6, and DRVEN. 5.1.2 Logic control 5.1.2.1 Clock monitor and oscillator PT2001 receives a fixed low frequency input clock usual from MCU. The clock subsystem has the following subfeatures: • A phase-locked loop (PLL) to create the higher frequency internal system clock from the input clock • An internal backup oscillator The digital core provides a clock monitoring circuit which uses the backup oscillator to ensure safe system operation, even when the input clock or PLL fails. 5.1.2.2 Serial peripheral interface (SPI) The communication between the MCU and the PT2001 is ensured by the SPI communication bus. The data are: MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 14 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual • • • • Received from the MCU through the MOSI pin Sent to the MCU through the MISO pin Synchronized based on the clock applied by the MCU to the SCLK pin Taken into account by the PT2001 if the pin CSB is asserted LOW 534 b74 5.1.2.3 Debug interface The DBG pin is used to define bootstrap initialization strategy. This DBG is left open and internally pulled up for immediate charging of the bootstrap capacitor at device power on. 5.1.2.4 Controls This block provides: Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c • Device digital reset when asserting the RESETB pin to its LOW state • Interrupt toward the MCU with the IRQB pin 5.1.3 Logic channel 1 and 2 5.1.3.1 Digital microcores (Uc0ChX, Uc1ChX) The digital microcores are digital blocks that execute the microcode stored into the code RAM according to the parameters stored into the data RAM. These blocks drive the HS pre-drivers and the LS pre-drivers according to the microcode executed and the crossbar switch settings. These blocks manage the MOSFET diagnosis performed by the VDS and voltage source (VSRC) monitoring. 5.1.3.2 Code RAM 1 and 2 This block stores the microcode loaded at device startup through the SPI and executed by two digital microcores. A memory built-in self-test (MBIST) function ensures the code RAM integrity at device startup. A cyclic redundancy check (CRC) ensures microcode integrity at startup and runtime. 5.1.3.3 Data RAM 1 and 2 This block stores the data loaded at device startup through the SPI. This data is used by two digital microcores as microcode parameters, for example, current regulation targets, timing for current regulation, or timeout. An MBIST function ensures the data RAM integrity at device startup. 5.1.4 Crossbar switch The crossbar switch is a digital multiplexer with a setting that allows connection of any microcore IO to the analog resource including: • • • • • MC33PT2001SMUG User manual COMPANY CONFIDENTIAL HS pre-drivers input (gate command) LS pre-drivers input (gate command) Current measure blocks input (digital-to-analog converter (DAC) thresholds) BOOST monitor block input (DAC threshold) VDS and VSRC monitors output (comparators output) All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 15 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual • Current measure blocks output (comparators output) • BOOST (voltage) monitor block output (comparator output) 5.1.5 HS pre-drivers and VDS VSRC monitors 534 b74 5.1.5.1 HS pre-drivers The HS pre-drivers 1 to 5 control the external MOSFETs by biasing their gate input pins. These pre-drivers are controlled by the microcores according to the crossbar switch setting. Optionally, these pre-drivers can be controlled by any flag input pin. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c The HS pre-drivers are enabled by the DRVEN input signal. HS5 is optionally enabled by DRVEN. The HS pre-drivers are disabled by the VCCP UV, VCC5 OV and UV, loss of clock and ground disconnect. 5.1.5.2 VDS and VSRC monitors These circuits provide a real-time monitoring of the external MOSFETs: • Drain to source voltage for the VDS monitor • Source to ground voltage for the VSRC monitor • These voltages are compared to internal references. The output comparators can be read back by any microcore according to the crossbar switch setting. • The VDS HS monitoring can be referenced to VBOOST or VBAT pin • An automatic state machine checks the state of each VDS, VSRC comparator versus gate command and reports faults if error. 5.1.6 LS1 to LS6 pre-drivers and VDS monitors 5.1.6.1 LS pre-drivers The LS pre-drivers 1 to 6 control the external MOSFETs by biasing their gate input pins. These pre-drivers are controlled by the microcores according to the crossbar switch setting. The LS pre-drivers are enabled by the DRVEN input signal. LS3 and LS6 are optionally enabled by DRVEN. The LS pre-drivers are disabled by the VCCP UV, VCC5 OV and UV, loss of clock and ground disconnect. 5.1.6.2 VDS monitor This VDS monitoring circuits provide a read-back status of the external MOSFETs drain-to-source voltage. This voltage is compared to an internal reference. Its output comparator can be read back by any microcore, according to the crossbar switch setting. An automatic state machine checks the state of each VDS, VSRC comparator versus gate command and reports faults if error. 5.1.7 LS7 pre-drivers The LS pre-drivers 7 control the DC-to-DC MOSFETs by biasing its gate input pin. This pre-driver is controlled by the microcores according to the crossbar switch setting. The LS pre-driver 7 is optionally enabled by DRVEN. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 16 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual This LS pre-driver is disabled by the VCCP UV, VCC5OV and UV, loss of clock and ground disconnect. 5.1.8 Current measure (1, 2, and 3) 534 b74 These blocks sense a current flowing through an external sense resistor connected to the pins VSENSEP and VSENSEN of the related current measure block. The differential amplifier output is compared to a DAC output voltage controlled by one of the microcores. This differential amplifier output can be muxed to the OA_1 or OA_2, as they have been converted [analog-to-digital converter (ADC)] by the application MCU. 5.1.9 Current measure 4 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c This block senses a current flowing through an external sense resistor connected to the pins VSENSEP4 and VSENSEN4 by the mean of two operational amplifiers. One of the two comparator outputs is used to monitor the positive currents and the other one to monitor the negative currents. The differential amplifier output is compared to a DAC output voltage controlled by one of the microcores 5.1.10 OA mux out (1 and 2) These analog output blocks are used to send different analog signals to an MCU ADC. These signals include: • Current measurement differential output • Internal Vcc2p5 voltage • End of injection (EOI) detection outputs (In this case, use the OA pin to send current information to the MCU.) 5.1.11 Temperature warning When the temperature exceeds the authorized maximum, an internal temperature sensor provides a warning to the MCU by means of the IRQB pin and the SPI registers. Optionally the temperature flag can trigger a driver disable interrupt. 5.1.12 Ground disconnect detection This block detects when at least one of the three grounds (AGND, DGND, PGND) is disconnected from any of the others. If the event is detected, the digital supply VCC1P5 is switched off [power-on reset (POR)] and the pre-drivers are disabled. 5.2 Safety related functions The following sections describe how the safety related blocks should be configured in hardware and software. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 17 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual MC33PT2001 CLK PLL, BACKUP CLK CLK MONITORING B_HS1 DIAGNOSIS (VDS, VSRC, BIAS) HS PREDRIVER 1 G_HS1 S_HS1 IRQB RESETB HS PREDRIVER 2 INTERRUPT (IRQB) MISO SIGNATURE UNIT 1 HS PREDRIVER 3 DRAM1 MOSI SCLK 534 b74 B_HS2 RESETB SPI INTERFACE HS PREDRIVER 4 LOGIC CHANNEL 1 UC0, UC1, CRAM1 CSB DBG Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c DBG HS PREDRIVER 5 FLAG0 FLAG1 FLAG 0-2 FLAG2 LS PREDRIVER 2 START4 START5 CROSSBAR SWITCH START 1-6 TEST MODE VBOOST BOOST VOLTAGE MONITORING VBAT BATTERY VOLTAGE MONITORING VCCP VCCP REGULATOR AND MONITORING LOGIC CHANNEL 2 UC0, UC1, CRAM2 G_HS3 S_HS3 B_HS4 G_HS4 S_HS4 B_HS5 G_HS5 S_HS5 G_LS1 G_LS2 D_LS3 LS PREDRIVER 3 START6 B_HS3 D_LS2 START2 START3 S_HS2 D_LS1 LS PREDRIVER 1 START1 G_HS2 G_LS3 D_LS4 LS PREDRIVER 4 G_LS4 D_LS5 LS PREDRIVER 5 G_LS5 D_LS6 LS PREDRIVER 6 LS PREDRIVER DCDC G_LS6 G_LS7 DRAM2 VCC5 VCC5 VOLTAGE MONITORING VCCIO VCC10 VOLTAGE MONITORING VCC1P5 DRVEN SAFETY RELATED BLOCK VSENSEP1 CURRENT SENSE MONITORING 1 SIGNATURE UNIT 2 ANALOG OUTPUT 1 VCC1P5 REGULATOR PORESET TEMPERATURE MEASUREMENT ANALOG OUTPUT 2 END OF INJECTION DETECTION GND DISCONNECTION MONITORING CURRENT SENSE MONITORING 4 PGND DGND VSENSEN3 VSENSEP2 CURRENT SENSE MONITORING 2 DRIVE ENABLE NONE-SAFETY RELATED BLOCK OA_1 VSENSEP3 CURRENT SENSE MONITORING 3 FUSES VSENSEN1 VSENSEN2 OA_2 VSENSEP4 VSENSEN4 AGND aaa-028460 Figure 5. Safety block diagram MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 18 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.2.1 HS pre-driver HS1 to HS4 and LS pre-driver LS1, LS2, LS4, and LS5 534 b74 SIR[003] The HS pre-driver and LS pre-driver should be controlled by only a specific microcore. The goal is to avoid any wrong programming or code RAM (CRAM) corruption of one core that disturbs the other one. This is done using the crossbar switch safety mechanism. SIR[004] The following registers should be set according to the application selected. In the architecture considered for the safety analysis output, access shall be set as follows: Channel 1 ucore 0 (uc0ch1): controls BANK1 (HS1 HS2 LS1 LS2) Channel 1 ucore 1 (uc1ch1): controls BANK2 (HS2 HS3 LS4 LS5) Channel 2 ucore 0 (uc0ch2): not used (can be optionality used to drive fuel pump) Channel 2 ucore1 (uc1ch2): controls DC-to-DC Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c • • • • Table 4 shows an example for uc0ch1. Table 4. out_acc_uc0_ch1 register (184h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 Acc_ Acc_ Acc_ Acc_ Acc_ Acc_ Acc_ Acc_ seq0_ seq0_ seq0_ seq0_ seq0_ seq0_ seq0_ seq0_ ch1_ ch1_ls7 ch1_ls6 ch1_ls5 ch1_ls4 ch1_ls3 ch1_ls2 ch1_ls1 hs5 reserved 0 0000 0 0 0 0 1 1 Acc_ seq0_ ch1_ hs4 0 2 1 Acc_ seq0_ ch1_ hs3 0 0 Acc_ seq0_ ch1_ hs2 0 1 Acc_ seq0_ ch1_ hs1 1 5.2.2 DRVEN path SIR[005] User shall make sure that the path between the MCU or the power SBC and the PT2001 is working properly. Using the driver_status register, it is possible to have a value of the DRVEN level by SPI. SIR[006] Before flashing the CRAM, it is recommended to change the level of DRVEN from LOW to HIGH and then check the DRVEN value in SPI using driver_status register. Table 5. driver_status register (1D2h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 cksys_ missing reserved DrvEn_ latch 0 0 0000 0000 4 DrvEn_ value 1 3 2 1 0 Overtemp uv_vboost uv_vcc5 — 0 0 uv_vccp 0 — It is also important to make sure the overwrite bit on driver_config bit Hs5_ls36_ovr is set to logic 0. Depending on the strategy, the bit ls7_ovr can also be set to logic 0 to shut down DC-to-DC when DRVEN is set LOW. Table 6. driver_config register (1C5h) Bit Name Value 15 Hs5_ ls36_ ovr 0 14 13 12 vccp_ Ls7_ Vboost_ ext_en ovr mon_en 1 1 0 11 10 9 8 7 6 Vboost_ disable_ en Over temp_ irq_en Drv_ en_ irq_en Vboost_ irq_en Vcc5_ irq_en Vccp_ irq_en 0 0 0 0 0 0 4 3 2 1 Iret_en Irq_ uc1_ ch2_ en 5 Irq_ uc0_ ch2_ en Irq_ uc1_ ch1_ en Irq_ uc0_ ch1_ en 0 0 0 0 0 0 Irq_ uc_en 0 5.2.3 SPI SPI protocol is defined in the PT2001 data sheet and should be set accordingly during the first SPI transaction (register SPI_config). MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 19 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual SIR[007] At each control word instruction (write), read the data back on the MCU. The data should always be equal to AAA8h. If the data does not match AAA8h, the previous transaction failed. To analyze the failure, read the SPI error register. 534 b74 During initialization, to improve safety, the MCU reads back initialization data [SPI + data RAM (DRAM)] and compares it to the send data and then locks the SPI configuration registers to avoid any corruption during runtime. Register device_lock allows to lock the SPI and both DRAMs. Refer to SMA2. Table 7. device_lock register (1CDh) Bit 15 14 13 12 11 Name 9 8 7 6 5 4 3 reserved 2 1 0 0000 0000 0000 0 Dram2_ private_ area_lock Dram1_ private_ area_lock Dev_lock 1 1 1 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Value 10 5.2.4 VCC5 monitoring VCC5 supply is coming from external SBC, integrated in the PT2001 is an undervoltage and overvoltage monitoring. 5.2.4.1 Hardware recommendation SIR[008] In order to avoid getting noise or spikes on VCC5 monitoring, it is required to add a filtering capacitor close to PT2001 VCC5 pin. A value of 100 nF is recommended. 5.2.4.2 Software recommendation SIR[009] This undervoltage is enabled by default and shuts down all output automatically without any configuration needed. However, the reporting of the fault back to the MCU using the IRQB shall be configured by setting the bit Vcc5_irq_en to logic 1. Table 8. driver_config (1C5h) Bit Name Value 15 14 13 Hs5_ ls36_ ovr vccp_ ext_en Ls7_ ovr 0 0 0 12 11 10 Vboost_ Vboost_ Over mon_en disable_ temp_ en irq_en 0 0 9 8 7 6 5 4 3 2 1 0 Drv_ en_ irq_en Vboost_ irq_en Vcc5_ irq_en Vccp_ irq_en Iret_ en Irq_ seq1_ ch2_ en Irq_ seq0_ ch2_ en Irq_ seq1_ ch1_ en Irq_ seq0_ ch1_ en Irq_ uc_en 0 0 1 0 0 0 0 0 0 1 0 5.2.5 VCCP internal regulator SIR[010] VCCP supply is an internal regulator supplying the drivers. This supply also includes an undervoltage monitoring. This regulator is enabled by SPI at power up using the driver_config register (1C5h). 5.2.5.1 Hardware recommendation SIR[011] VCCP is used as a supply for the low-side gates, it is then mandatory to add a tank 4.7 µF capacitor and an optional 100 nF in parallel to filter noise and spikes that could happen during the application. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 20 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.2.5.2 Software recommendation Table 9. driver_config (1C5h) 15 14 13 Name Bit Hs5_ ls36_ ovr vccp_ ext_en Ls7_ ovr Value 0 0 0 12 11 10 Vboost_ Vboost_ Over mon_en disable_ temp_ en irq_en 0 0 9 8 7 6 5 Drv_ en_ irq_en Vboost_ irq_en Vcc5_ irq_en Vccp_ irq_en Iret_ en 0 0 1 1 0 0 4 3 2 1 0 Irq_ seq1_ ch2_ en Irq_ seq0_ ch2_ en Irq_ seq1_ ch1_ en Irq_ seq0_ ch1_ en Irq_ uc_en 0 0 0 0 1 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 5.2.6 VCC1P5 internal regulator 534 b74 SIR[012] This undervoltage is enabled by default and shuts down all output automatically without any configuration needed, but the reporting of the fault back to the MCU using the IRQB needs to be configured by setting the bit Vccp_irq_en to logic 1. 5.2.6.1 Hardware recommendation VCC1P5 is the internal regulator for the logic and in order to be able to get a stable voltage (mandatory to guarantee logic functioning) it is mandatory to connect an external capacitor of 1.0 µF and also for immunity and noise reduction a 100 nF in parallel. SIR[013] Positions of those capacitors on PCB are critical. Connect them as close as possible to the VCC1P5 pin and the DGND. 5.2.7 Start 1-4 5.2.7.1 Software recommendation Start pins are used to control the injection duration, which makes the pins critical for the safety. Depending on engine control unit (ECU) strategy, PT2001 can be configured to have the start pin with active LOW or HIGH. This is done using the polarity register. It is recommended to use a monitoring start pin to detect stuck HIGH or stuck LOW. Safety mechanism Section 5.3.14 describes how this should be done. • SIR[014] Important is also to set which microcode is sensitive to which start pulse using the register start_config_reg for each channel. For our safety case, see below how register start_config_reg – 104h should be set. Table 10. start_config_reg register for channel 1 Bit Name Value 15 14 reserved 00 13 12 11 10 9 8 7 6 5 4 3 2 1 0 smart_ smart_ start6_ start5_ start4_ start3_ start2_ start1_ start6_ start5_ start4_ start3_ start2_ start1_ start_ start_ sens_ sens_ sens_ sens_ sens_ sens_ sens_ sens_ sens_ sens_ sens_ sens_ u c1 u c0 u c1 u c1 u c1 u c1 u c1 u c1 u c0 u c0 u c0 u c0 u c0 u c0 0 0 0 0 1 1 0 0 0 0 0 0 1 1 5.2.8 CLK monitoring, backup CLK 5.2.8.1 Hardware recommendation SIR[015] For redundancy, MCU shall send a precise 1 MHz CLK to PT2001. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 21 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.2.8.2 Software recommendation If external loss of clock, it is detected and reported back to the MCU if set as below. SIR[016] It is also recommended to shut down all drivers if cksys loss. Table 11. backup_clock register (1C7h) Bit 15 14 13 12 11 10 9 8 Value 6 5 4 3 2 cksys_missing_ disable_driver seq1_ ch 2_ irq_en seq0_ ch2_ irq_en seq1_ ch1_ irq_en seq0_ ch1_ irq_en uc_ irq_ en 1 0 0 0 0 1 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Name 7 534 b74 Note: cksys is the internal PLL clock so this cksys is only missing during the time when PT2001 switch from external to backup clk and vice versa. 1 0 switch_ loss_ to_ of_clock clock_ pin 0 0 5.2.9 PLL PT2001 memory runs on a programmable PLL either set to 12 MHz or 24 MHz. This can be set using the register pll_config. SIR[017] It is recommended to keep this register to default state, which means a PLL set to 24 MHz. Table 12. pll_config (1C6h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 reserved PLL_spread_disable PLL_ factor 00 0000 0000 0000 0 1 SIR[018] It is also recommended to set the ck_prescaler register to a 03h, allowing each channel to use two microcores. In this case, the microcores run at 6 MHz frequency (167 ns per instruction). Table 13. ck_prescaler register (1C0h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 reserved ck_per 00 0000 0000 000011 1 0 5.2.10 Current sense monitoring 1 and 2 SIR[019] Current sense monitoring should only be configurable and accessible by the right microcores. This is done using the crossbar switch safety mechanism. SIR[020] The cur_access register1 (see Table 14) should be set according to the application selected. In the architecture considered for the safety analysis, current sense access should be set as follows: • • • • MC33PT2001SMUG User manual COMPANY CONFIDENTIAL Channel 1 ucore 0 (uc0ch1): controls and uses current sense 1 Channel 1 ucore 1 (uc1ch1): controls and uses current sense 2 Channel 2 ucore 0 (uc0ch2): not used Channel 2 ucore 1 (uc1ch2): controls and uses current sense 4 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 22 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Table 14. cur_access register1 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 acc_ uc1_ ch1_ curr4L acc_ uc1_ ch1_ curr3 acc_ uc1_ ch1_ curr2 acc_ uc1_ ch1_ curr1 acc_ uc0_ ch1_ curr_ 4H_ 4Neg acc_ uc0_ ch1_ curr4L acc__ uc0_ ch1_ curr3 acc__ uc0_ ch1_ curr2 acc_ uc0_ ch1_ curr1 0 1 1 0 0 0 0 0 1 Name reserved acc_ uc1_ ch1_ curr_ 4H_ 4Neg Value 00 0000 0 534 b74 Bit It is recommended to run at least an offset compensation at power up to improve the accuracy of the current measurement. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c SIR[021] The offset compensation prescaler shall be set to a maximum of 500 kHz. This setting is done in the following register by setting ck_ofscmp_per to 2Fh (default value). Table 15. ck_ofscmp_per register (1C4h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 reserved ck_ofscmp_per 0000 0000 0010 1111 1 0 5.2.11 Diagnostics (VDS, VSRC, load biasing) VDS and VSRC comparator related to automatic diagnostic should only rise an interrupt on the microcore which is controlling them. This is done using the crossbar switch safety mechanism. The following register should be set according to the application selected. In the architecture considered for the safety analysis diagnostics access should be set as follows: Table 16. fbk_sens_seq0ch1 register (180h) Bit Name Value 15 14 13 12 11 10 Ls6_ Vds_ sens Ls5_ Vds_ sens Ls4_ Vds_ sens Ls3_ Vds_ sens Ls2_ Vds_ sens Ls1_ Vds_ sens 0 0 0 0 1 1 9 8 Hs5_ Hs5_ Vsrc_ Vds_ sens sens 0 0 7 6 Hs4_ Hs4_ Vsrc_ Vds_ sens sens 0 0 5 4 Hs3_ Hs3_ Vsrc_ Vds_ sens sens 0 0 3 2 Hs2_ Hs2_ Vsrc_ Vds_ sens sens 1 1 1 0 Hs1_ Hs1_ Vsrc_ Vds_ sens sens 1 1 Note: Additional information on how to set the diagnostics is available in https:// www.nxp.com/AN4954. 5.2.12 Channel1/2 (CRAM + arithmetic logic unit (ALU) + microcores) PT2001 development studio allows the programmer to compile code and automatically set the code width, checksum, and entry points for each channel. MCU at power up programs all CRAM then set the channel registers and finally set the flash enable bit to activate the CRAM and the signature unit (CRC). SIR[022] Settings of flash_enable register should be done as below to report fault back to MCU when a CRC error occurs. It pulls IRQB pin LOW and stops CRAM. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 23 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Table 17. flash_enable register 15 14 13 12 11 10 Name reserved Value 0 0000 0000 9 8 7 6 5 checksum_ flash_ disable enable 0 4 3 pre_flash_ enable en_dual_ seq 1 1 1 2 dual_ seq_ failure 1 0 0 chksum_ chksum_ irq_en failure 534 b74 Bit 1 0 For more details on signature unit, see Section 5.3.10 "SM7 CRAM checksum (CRC)". 5.2.13 DRAM1 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c SIR[023] It is recommended to set parameters that are fixed after power-up and safety critical in the private area of the DRAM1. The specified address can be locked, as shown in Table 18. To lock DRAM1, the SPI access shall be the same as the SPI configuration register lock; see Table 7. Table 18. DRAM register map Address (hex) Lock Description no data RAM of channel 1 yes data RAM of channel 1, private area no data RAM of channel 2 yes data RAM of channel 2, private area 0 ... 2F 30 ... 3F 40 ... 6F 70 ... 7F 5.2.14 Crossbar switch As mentioned above, PT2001 crossbar switch is set to give access to each microcores to high side, low side (output access), current sense, Vboost access, feed backs (VDS, VSRC) sensitivity, start signal sensitivity. 5.2.15 MBIST SIR[024] It is recommended to run MBIST at each power-up or every certain amount of power-ups. Running MBIST this way confirms that there is no CRAM corruption. The procedure to run MBIST at each power-up is: 1. The MCU needs to write a 16-bit password (B157h) to the BIST register. 2. This 16-bit password request is accepted only if both CRAMs are unlocked (before flash enable). MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 24 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 3. After this request is performed, the BIST check starts. Its evolution can be monitored by accessing the same BIST register in read mode. The overall BIST operation takes about 2.2 ms (at 24 MHz) to complete. Table 19. BIST register in write mode (1DCh) 15 14 13 12 11 10 9 8 7 6 Name BIST activation password Value B157h 5 4 Table 20. BIST register in read mode (1DCh) Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Bit 3 • • • • 2 534 b74 Bit 1 1 0 0 reserved BIST_result 00 0000 0000 0000 10 BIST result: set to '00' if the BIST has never been requested. BIST result: set to '01' if the BIST operation is in progress. BIST result: set to '10' if the BIST operation has been successfully completed. BIST result: set to '11' if the BIST operation has failed. 5.3 Safety mechanisms integrated in the device Table 21. Safety mechanism SM number Safety mechanism SIR number SM1 voltage supervisor (monitoring of voltage) overvoltage detection n.a. SM1a VCC5 overvoltage detection SIR[025] SM1b VCCIO overvoltage protection SIR[026] SM2 voltage supervisor (monitoring of voltage) undervoltage detection n.a. SM2a VCC5 undervoltage detection SIR[027] SM2b VCC1P5 POR detection SIR[028] SM2c VCCP undervoltage detection SIR[029] SM1 and SM2 voltage supervisor (monitoring of voltage) n.a. SM3 GND monitoring (monitoring of voltage) SIR[030] SM4 input CLK monitoring and backup CLK SIR[031] SM5 DRVEN voltage supervisor (monitoring of output voltage) logical level SIR[032] SM6 safety path DRVEN SIR[033] SM7 CRAM checksum (CRC) SIR[034] SM8 CRAM/DRAM memory BIST SIR[035] SM9 diagnostics (HS VDS, HS VSRC, LS VDS, and logic) SIR[036] SM10 SPI protocol integrity (number, bits, watchdog) SIR[037] MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 25 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Safety mechanism SIR number SM11 microcode checks (start duration, phase duration, SPI report status reg) SIR[038] SM12 analog output current recopy (OA) n.a. SM13 fuses error correcting code (ECC) SIR[039] SM14 SW reset by SPI 534 b74 SM number SIR[040] 5.3.1 SM1a overvoltage detection on VCC5 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c To protect PT2001 from an overvoltage up to 36 V at supply pin VCC5, there is an overvoltage detection at this pin, which leads to the whole device being switched off at overvoltage condition. Also under this condition all pre-drivers are switched off. 5.3.1.1 Configuration No configuration possible, overvoltage is always enabled. VCC5 overvoltage Description of safety mechanism VCC5 overvoltage monitoring (higher than Vovvcc5 = 8.5 V) Device reaction PT2001 is in power-on reset (POR) SM1a all pre-driver off On next power up, SPI will report a POResetb = 1 in register reset_source – 1CEh MCU reaction Integrator to decide action, need to check SBC status. Exit condition PT2001 will not restart until overvoltage is gone. Fault detection time Td_ovvcc5 = 1 µs Fault reaction time Depends on MCU integrator strategy 5.3.1.2 SPI reporting Once VCC5 overvoltage is gone, MCU can read the reset source to know why the device went in reset mode. In this case, the POResetb is at 1. PT2001 has to be reprogrammed as a normal startup. Table 22. reset_source (1D6h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 reserved SPI reset Por reset resetb — 0 1 0 5.3.2 SM1b overvoltage detection on VCCIO To protect the output structure of the digital I/O pins, PT2001 includes a clamp around 5.5 V if overvoltage on any of the IOs up to 36 V. If OV detected on VCCIO voltage, all digital outputs are clamped to 5.5 V to avoid any destruction of the MCU or other devices connected to the PT2001 digital pins. Note: The parametric thresholds are defined in the data sheet. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 26 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.3.2.1 Configuration There is no configuration needed for this safety mechanism. It is always enabled. Description of safety mechanism VCCIO overvoltage monitoring (higher than 10 V) Device reaction Device detects a voltage higher than 10 V and forces the internal VCCIO to 5.5 V to protect all internal IOs. MCU reaction VCCIO OV is not reported to MCU SBC should have already reported an OV to the MCU Exit condition VCCIO needs to go back to nominal VCCIO Fault detection time n.a. Fault reaction time depends on MCU integrator strategy SM1b 534 b74 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c VCCIO overvoltage 5.3.2.2 SPI reporting There is no reporting for VCCIO OV, PT2001 is only protecting itself and components connected to its IOs. In most of the case, the VCCIO voltage monitoring is done by the SBC on the ECU. 5.3.3 SM2a undervoltage detection on VCC5 The VCC5 undervoltage monitor is used to disable all the pre-drivers as long as the supply voltage at pin VCC5 is not high enough to guarantee full functionality of the analog modules of the device. If undervoltage, all pre-drivers are turned off. In the digital core, a bit in a register is set when a VCC5 undervoltage event occurs. In addition, an interrupt request (in case it is enabled) is issued to the microcontroller as soon as uv_vcc5 is asserted. 5.3.3.1 Configuration SIR[041] VCC5 undervoltage is called a driver disabled interrupt. The VCC5 undervoltage can be propagated to the MCU, thanks to the IRQB pin or the microcores. Register driver_config 1C5h is used to configure this setting. Note: The parametric thresholds are defined in the data sheet. Table 23. driver_config (1C5h) Bit Name Value 15 14 13 Hs5_ ls36_ ovr vccp_ exten Ls7_ ovr 0 0 0 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 12 11 10 Vboost_ Vboost_ Over mon_en disable_ temp_ en irq_en 0 0 0 9 8 7 6 5 4 3 2 1 0 Drv_ en_ irq_en Vboost_ irq_en Vcc5_ irq_en Vccp_ irq_en Iret_ en Irq_ uc1_ ch2_ en Irq_ uc0_ ch2_ en Irq_ uc1_ ch1_ en Irq_ uc0_ ch1_ en Irq_ uc_en 0 0 1 0 0 0 0 0 0 1 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 27 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual VCC5 undervoltage Description of safety mechanism VCC5 undervoltage monitoring (higher than Vuvvcc5– = 4.5 V) Device reaction PT2001 is in POR SM2a all pre-driver off 534 b74 On next power up, SPI will report a POResetb = 1 in register reset_source – 1CEh Integrator to decide action, need to check SBC status. Exit condition PT2001 will not restart until overvoltage is gone. Fault detection time Td_ovvcc5 = 1 µs Fault reaction time depends on MCU integrator strategy Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c MCU reaction 5.3.3.2 SPI reporting Once VCC5 undervoltage is gone, MCU can read the reset source to know why the device went in reset mode. In this case, the POResetb is at 1. PT2001 has to be reprogrammed as a normal startup. Table 24. driver_status (1D2h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 reserved cksys_ missing DrvEn_ latch DrvEn_ value Over temp uv_ vboost uv_vcc5 uv_vccp 0 0000 0000 0 1 — 0 0 0 1 5.3.4 SM2b VCC1P5 POR detection The VCC1P5 POR detection is an undervoltage monitoring used to disable all the pre-drivers and the logic in case the supply is not high enough. If POR, all pre-drivers are turned off and the device is reset. This behavior is similar as the VCC5 overvoltage. VCC1P5 POR Description of safety mechanism Device reaction VCC1P5 POR (lower than VPOResetB– = 1.5 V) SM2b PT2001 is in POR all pre-driver off On next power up, SPI will report a POResetb = 1 in register reset_source – 1CEh MC33PT2001SMUG User manual COMPANY CONFIDENTIAL MCU reaction Integrator to decide action, need to check SBC status, because this issue might come from a bad VCC5. Exit condition PT2001 will not restart until voltage on VCC1P5 goes higher than 1.5 V. Fault detection time TPOResetB = 278 ns Fault reaction time depends on MCU integrator strategy All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 28 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.3.4.1 SPI reporting Once VCC1P5 goes back to normal, MCU can read the reset source to know why the device went in reset mode. In this case, the POResetb is at 1. Table 25. reset_source (1CEh) Bit 15 14 13 12 11 10 9 8 7 6 5 4 3 534 b74 PT2001 has to be reprogrammed as a normal startup. 2 1 0 Name reserved SPI reset Por_reset resetb Value 0 0000 0000 0000 0 1 0 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 5.3.5 SM2c VCCP undervoltage detection The VCCP undervoltage monitor is used to disable all the pre-drivers as long as the supply voltage at pin VCCP is not high enough to guarantee full functionality of the internal drivers and to make sure that external field effect transistors (FETs) are in RDSON mode. If undervoltage, all pre-drivers are turned off. In the digital core, a bit in a register is set when a VCCP undervoltage event occurs. In addition, an interrupt request (in case it is enabled) is issued to the microcontroller as soon as uv_vccp is asserted. 5.3.5.1 Configuration VCCP undervoltage is part of the driver disabled interrupt, it shall be propagated to the MCU thanks to IRQB pin or/and to the microcores, register driver_config 1C5h is used to configure it. Table 26. driver_config – 1C5h Bit Name Value 15 14 13 12 Hs5_ vccp_ Ls7_ Vboost_ ls36_ ext_ ovr mon_en ovr en 0 0 1 0 11 10 9 8 7 6 5 Vboost_ Over Drv_ Vboost_ Vcc5_ Vccp_ Iret_ disable_ temp_ en_ irq_en irq_en irq_en en en irq_en irq_ en 0 VCCP undervoltage 0 0 0 1 1 0 4 3 2 Irq_ seq1_ ch2_ en Irq_ seq0_ ch2_ en Irq_ seq1_ ch1_ en Irq_ Irq_ seq0_ uc_ ch1_ en en 0 0 0 0 Description of safety mechanism VCCP undervoltage monitoring (higher than VUVVCCP– = 4.68 V) Device reaction IRQB pin is pulled LOW and 1 0 1 SM2c all pre-driver off On next power up, SPI will report a POResetb = 1 in register reset_source – 1CEh MC33PT2001SMUG User manual COMPANY CONFIDENTIAL MCU reaction Integrator to decide action, need to check SBC status. Exit condition PT2001 will not restart until overvoltage is gone. Fault detection time Td_ovvcc5 = 1 µs Fault reaction time depends on MCU integrator strategy All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 29 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.3.5.2 SPI reporting When VCCP is in undervoltage, all output drivers are disabled. This is not configurable. 534 b74 If configure as above IRQB goes LOW, MCU needs to read driver_status register to check which undervoltage is detected. Until VCCP undervoltage is gone, uv_vccp is set to logic 1 and IRQB stays LOW. When VCCP goes back to normal, uv_vccp is cleared on read (goes back to logic 0) and IRQB goes HIGH. Pre-driver restarts automatically even if the MCU is not clearing the fault. Table 27. driver_status (1D2h) Name Value 15 14 13 12 11 10 9 8 7 reserved 6 5 4 3 cksys_ missing DrvEn_ latch DrvEn_ value Over temp 0 1 — 0 2 0 0000 0000 1 0 uv_ vboost uv_vcc5 uv_vccp 0 0 1 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Bit 5.3.6 SM3 GND monitoring It is possible to detect a single and multiple missing connections of a ground pin (PGND, DGND, AGND) of the device in the following way: There is a loss detection function between each ground: AGND to PGND, AGND to DGND, PGND to DGND, PGND to AGND, DGND to AGND, DGND to PGND. If the event is detected, the digital supply VCC1P5 is switched off and the pre-drivers are disabled. 5.3.6.1 Configuration There is no configuration needed for this safety mechanism. It is always enabled. GND monitoring Description of safety mechanism GND monitoring Device reaction PT2001 is in POR SM3 all pre-driver off On next power up, SPI will report a POResetb = 1 in register reset_source – 1CEh MC33PT2001SMUG User manual COMPANY CONFIDENTIAL MCU reaction Integrator to decide action, need to check SBC status to confirm that VCC5 is regulating properly and not in undervoltage. Exit condition PT2001 will not restart until GND is connected again. Fault detection time TD_POResetB < 1.5 µs Fault reaction time depends on MCU integrator strategy All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 30 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.3.6.2 SPI reporting Once GND is connected, MCU can read the reset source to know why the device went in reset mode. In this case, the POResetb is at logic 1. Table 28. reset_source (1CEh) Bit 15 14 13 12 11 10 9 8 7 6 5 4 3 534 b74 PT2001 has to be reprogrammed as a normal startup. 2 1 0 Name reserved SPI_reset Poresetb resetb Value 0 0000 0000 0000 0 1 0 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 5.3.7 SM4 input CLK monitoring and backup CLK This block monitors the CLK input clock and switches to the backup clock if an unsuitable external clock is detected. This block integrates a backup clock running at 1 MHz. An internal PLL is supplied either by the clock input (CLK pin) or the backup clock. This PLL output (cksys) is the digital blocks (including microcores and RAMs) clock reference. Cksys can be lost during only two cases: • When external clock is lost and PT2001 needs to switch to internal backup clock. • When PT2001 switches from internal backup clock to external, this can happen when the SPI bit switch_to_ck_pin is set to logic 1. 5.3.7.1 Configuration For safety reason, it is better to supply external 1 MHz to have redundancy with backup CLK. Only this case is considered below. It is possible to configure the way the cksys loss is reported and also how it reacts. SIR[042] In this case, we pull the IRQB pin LOW if cksys failure. We also disable the driver during that phase. Table 29. backup_clock_status (1C7h) Bit Name Value 15 14 13 12 11 reserved 000 0000 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 10 9 8 7 Timing_ cksys_ violation missing_ disable_ driver 0 1 6 5 4 3 2 1 0 uc1_ ch2_ irq_en uc0_ ch2_ irq_en uc1_ ch1_ irq_en uc0_ ch1_ irq_en uc_ irq_en switch_ to_ clock_ pin loss_ of_clock 0 0 0 0 1 0 0 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 31 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Input CLK monitoring and backup CLK Description of safety mechanism Input CLK monitoring and backup CLK Device reaction IRQB pulled LOW until fault is cleared by SPI SM4 All driver disabled during cksys loss 1. IRQB goes LOW 2. Read interrupt register 1D4h (cksys_missing = 1) 3. Read backup_clock_status 1C7h (loss of clock =1) it unlatches IRQB and also clears the fault in register 1D4h 4. MCU to check external 1 MHz CLK Exit condition 1. Once the MCU is sure that 1 MHz CLK is working, write bit switch_to_clock_pin. This creates another cksys loss so previous procedure needs to be applied again. 2. Read 1C7h loss of clock should be at 0 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 534 b74 MCU reaction Fault detection time tPLL < 60 µs Fault reaction time depends on MCU integrator strategy 5.3.7.2 SPI reporting If configured as above IRQB goes LOW. Interrupt register reports a cksys_missing as below. Because the cksys_driver_disable bit was set to logic 1, it also reports on the driver_status 1D2h register. Table 30. interrupt register (1D4h) Bit Name Value 15 14 13 12 11 reserved check sum_ ch2 000 0 10 9 8 check cksys_ spi_irq drv_irq sum_ missing ch1 0 1 0 0 7 6 7 6 5 4 3 2 1 0 irq_ uc1_ ch2 irq_ uc0_ ch2 irq_ uc1_ ch1 irq_ uc0_ ch1 halt_ uc1_ ch2 halt_ uc0_ ch2 halt_ uc1_ ch1 halt_ uc0_ ch1 0 0 0 0 0 0 0 0 Table 31. driver_status (1D2h) Bit Name Value 15 14 13 12 11 10 9 8 reserved 0 0000 0000 5 4 3 2 1 0 cksys_ missing DrvEn_ latch DrvEn_ value Overtemp uv_ vboost uv_vcc5 uv_vccp 1 1 1 0 0 0 0 MCU then reads 1C7h to clear the fault and if needed switch to external CLK. Once this register is read, it unlatches the IRQB pin and also clear both 1D4h and 1D2h register. Table 32. backup_clock_status (1C7h) Bit Name 15 Value 14 13 12 11 reserved 000 0000 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 10 9 8 7 Timing_ cksys_ violation missing_ disable_ driver 0 1 6 5 4 3 2 1 0 uc1_ ch2_ irq_en uc0_ ch2_ irq_en uc1_ ch1_ irq_en uc0_ ch1_ irq_en uc_ irq_en switch_ to_ clock_ pin loss_ of_clock 0 0 0 0 1 0 1 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 32 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual As explained in the table it is possible to switch back to external clk by writing bit 1 to logic 1. This has the effect to generate another cksys_loss but this time, because external CLK is back to normal when register 1C7h is read bit 0 is at logic 0. 534 b74 5.3.8 SM5 DRVEN voltage supervisor The PT2001 provides a general low side and high side enablement pin. This driver enable path directly enables the HS pre-drivers and the LS pre-drivers. In order to guarantee the functionality of this path, it is possible during runtime to confirm the state of DRVEN pin. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c SIR[043] It is recommended to check the state at each power up, in order to confirm that DRVEN is not stuck HIGH or LOW. Register driver_status (1D2h) is used for this purpose. The bit value of DrvEn_value is a 'living copy' of the DRVEN pin: 1: DRVEN pin is HIGH 0: DRVEN pin is LOW 5.3.8.1 Configuration There is no configuration needed for this safety mechanism. It is always enabled. DRVEN voltage supervisor Description of safety mechanism DRVEN voltage supervisor Device reaction DrvEn_value report state of DRVEN pin MCU reaction If SPI is reporting a latch to MCU, should not start the device Exit condition MCU to reset PT2001 to confirm behavior and should not start the car if error is still present Fault detection time n.a. Fault reaction time n.a. SM5 5.3.8.2 SPI reporting DRVEN pin state is reported on Table 33. MCU to make sure that pin state and SPI bit match. Table 33. driver_status (1D2h) Bit Name Value 15 14 13 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 12 11 10 reserved 0 0000 0000 9 8 7 6 5 4 3 2 1 0 cksys_ missing DrvEn_ latch DrvEn_ value Overtemp uv_ vboost uv_vcc5 uv_vccp 0 1 0/1 0 0 0 0 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 33 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.3.9 SM6 safety path DRVEN This safety mechanism is the highest protection of the system since it can shut down all HS and LS. It has been designed to avoid dependency with the rest of the device. Missing clock signal for the device digital core Missing supply voltage for the device digital core Missing supply voltage of level shifter Missing supply voltage (Vbs) of HS pre-driver Single damaged pre-driver should not influence DrvEn level Missing supply voltage VCCP of LS pre-driver Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c • • • • • • 534 b74 If there is a failure the shut off path is still functional or the driver has to be in a safe off state. These failures are: HS5, LS3, LS6, and LS7 can be configured in a way that even if DRVEN is pulled LOW it still works as commanded by the microcores. This can be useful in case the user wants to keep fuel pump valve on or DC-to-DC even during a safety event. Table 34. DrvEn path for HS pre-drivers HS pre-driver Implementation HS1 Direct wire from DrvEn pin to HS pre-driver input. HS2 HS3 HS4 HS5 Configuration option for DrvEn path. Signal is routed via the digital core only. Table 35. DrvEn path for LS pre-drivers (RQS3202) LS pre-driver Implementation LS1 Direct wire from DrvEn pin to LS pre-driver input. LS2 LS4 LS5 LS3 Configuration option for DrvEn path. Signal is routed via the digital core only. LS6 5.3.9.1 Configuration In this case, all HS and LS are turned off by safety path. Table 36. driver_config (1C5h) Bit Name Value 15 14 13 Hs5_ ls36_ ovr vccp_ exten Ls7_ ovr 0 0 0 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 12 11 10 Vboost_ Vboost_ Over mon_ disable_ temp_ en en irq_en 0 0 0 9 8 7 Drv_ Vboost_ Vcc5_ en_ irq_en irq_en irq_en 0 0 1 6 5 4 3 2 1 0 Vccp_ irq_en Iret_en Irq_ uc1_ ch2_ en Irq_ uc0_ ch2_ en Irq_ uc1_ ch1_ en Irq_ uc0_ ch1_ en Irq_ uc_en 1 0 0 0 0 0 1 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 34 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Description of safety mechanism safety path DRVEN Device reaction HS and LS turned off MCU reaction force DRVEN LOW to disable all outputs Exit condition pull DRVEN HIGH when fault condition disappeared Fault detection time turn off propagation delay < 200 ns Fault reaction time depends on MCU integrator strategy SM6 534 b74 Safety path DRVEN 5.3.10 SM7 CRAM checksum (CRC) Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c The signature block is responsible to run a CRC on both CRAM to insure integrity of the memory and the address decoder. The CRC is continuously running after flash enable bit are written to logic 1. PT2001 Developer Studio automatically generates the checksum high, low, and code with value corresponding the microcode written for your application. 5.3.10.1 Configuration First checksum and code shall be set for each channel, this should be done automatically by PT2001 Developer Studio. Table 37. code_width (107h, 127h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 reserved code width 00 0000 00 0000 0000 3 2 1 0 Table 38. checksum_h (108h, 128h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 5 4 3 2 1 0 checksum_high 0000 0000 0000 0000 Table 39. checksum_l (109h, 129h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 checksum_low 0000 0000 0000 0000 Once those 3 registers per channel are set, CRAM can be enabled using the flash_enable registers. SIR[044] The integrator shall enable an interrupt on the IRQB pin in case the CRC fails to let the MCU know that CRAM has stopped. This is done by setting bit 1 to logic 1. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 35 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Table 40. flash_enable (100h) and (120h) 15 14 13 12 11 10 9 8 7 6 5 4 3 2 check en_ flash_ pre_flash_ sum_ dual_ enable enable disable seq Name reserved Value 0 0000 0000 0 1 1 dual_ seq_ failure 0 chk chk sum_ sum_ irq_en failure 0 1 Description of safety mechanism CRAM checksum (CRC) Device reaction IRQB pulled LOW until fault is cleared by SPI Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c CRAM checksum (CRC) 1 1 534 b74 Bit 0 SM7 corrupted CRAM is shut down MCU reaction 1. IRQB goes LOW 2. Read interrupt register 1D4h (chksum chX = 1) 3. Read flash enable register Exit condition 1. Reprogram CRAM affected 2. Reflash CRAM 3. If still in error reset device Fault detection time tcrc (full memory) = 850 µs Fault reaction time depends on MCU integrator strategy 5.3.10.2 SPI reporting Once flash enable register is written and if there is no CRC error bit 5, flash_enable should be at logic 1. If failure happens and it is configured as above, IRQB goes LOW. Interrupt register reports a checksum chX depending on the channel affected as shown below. Table 41. interrupt register (1D4h) Bit Name Value 15 14 13 12 reserved check sum_ ch2 000 0 11 10 9 8 check cksys_ spi_irq drv_irq sum_ missing ch1 0 0 0 7 6 5 4 3 2 1 0 irq_ uc1_ ch2 irq_ uc0_ ch2 irq_ uc1_ ch1 irq_ uc0_ ch1 halt_ uc1_ ch2 halt_ uc0_ ch2 halt_ uc1_ ch1 halt_ uc0_ ch1 0 0 0 0 0 0 0 0 0 Table 42. flash_enable (100h, 120h) Bit Name Value 15 14 13 12 11 10 6 5 4 reserved check sum_ disable flash_ enable preflash_ enable 0 0000 0000 0 0 0 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 9 8 7 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 3 2 en_ dual uc dual_ uc failure 0 0 1 0 chk sum_ irq_en chk sum_ failure 0 0 © NXP B.V. 2019. All rights reserved. 36 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Checksum_failure. This bit is set to logic 1 when a mismatch is found between the calculated checksum and the checksum code stored in the appropriate registers. This bit is reset each time the pre_flash_enable bit is set to logic 1 to lock the memory. 534 b74 5.3.11 SM8 CRAM/DRAM MBIST An MBIST function ensures that the code RAM and data RAM integrity at device start-up. SIR[045] A full BIST check of the device memories can be required. This is done by accessing the BIST register in write mode and writing a 16-bit password (B157h). This request is accepted only if both CRAMs are unlocked. The overall BIST operation takes about 2.2 ms to complete, at 24 MHz. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 5.3.11.1 Configuration Following register shall be written to enable the MBIST. Both CRAM and DRAM are cleared. It is recommended to run this before programming the CRAM and DRAM. Table 43. BIST_interface in write mode (1DCh) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 0 1 0 1 1 1 BIST activation password 1 0 1 1 CRAM/DRAM MBIST 0 0 0 1 0 1 Description of safety mechanism CRAM/DRAM MBIST Device reaction BIST results are reported on 1DCh register MCU reaction Read register 1DCh until BIST is completed. If BIST fails Exit condition wait until BIST is complete Fault detection time tBIST = 2.2 ms Fault reaction time n.a. SM8 5.3.11.2 SPI reporting After this request is performed, the BIST check starts and its evolution can be monitored accessing the same BIST register in read mode. Table 44. BIST_interface in read mode (1DCh) Bit Name Value 15 14 13 12 11 10 9 8 7 6 reserved 5 4 3 2 1 BIST result 1 00 0000 0000 0000 • • • • MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 0 0 BIST result: set to '00' if the BIST has never been requested BIST result: set to '01' if the BIST operation is in progress BIST result: set to '10' if the BIST operation has been successfully completed BIST result: set to '11' if the BIST operation has failed All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 37 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.3.12 SM9 diagnostics (HS VDS, HS VSRC, LS VDS, and logic) The PT2000 gives the possibility to check faults on external FETs using two different methods: Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 534 b74 • Automatic diagnostics (actuation phase) Boost phase (HSBoost on): automatic diagnostics are used during actuation phase; it performs a coherency check between an output and the related VDS feedback (for all the outputs) and VSRC feedback (for the high-side outputs only). Peak and hold phase (HSBat on): automatic diagnostics are used during actuation phase; it performs a coherency check between an output and the related VDS feedback (for all the outputs) and VSRC feedback (for the high-side outputs only). • Idle diagnostics (pre-actuation) Internal voltage biasing VBIAS should be applied to the load to enable diagnostics in this phase. STARTx signal peak phase hold phase linjector idle phase boost phase bypass phase end of injection phase idle phase idle diagnostics pre-actuation automatic diagnostics aaa-028461 Figure 6. Typical peak and hold current profile with diagnostics 5.3.12.1 Idle diagnostics Idle diagnostics are done manually by microcode either before or after each injection. The comparator state check should be done when load bias reaches a proper level. This depends on the external load condition. A specific dwell time shall be used to avoid detecting unwanted faults. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 38 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual idle_diag0: bias all on ; * Enable all biasing structures, kept ON even during actuation … * Make sure that you wait enough time to let the voltage settle … idle_diag_fail0 idle_diag_fail0 idle_diag_fail0 idle_diag_fail0 idle_diag_fail0 _sc1v _sc2v _sc3v _sc1s _sc3s ; ; ; ; ; * Error detected if Vds of shortcut1 (HS) is low * Error detected if Vds of shortcut2 (LS) is low * Error detected if Vds of shortcut3 (Boost) is low * Error detected if Vsrc of shortcut1 (HS) is low * Error detected if Vsrc of shortcut3 (Boost)is low 534 b74 jocr jocr jocr jocr jocr idle_diag_fail0: reqi 1; * Go to software interrupt subroutine is fault detected in idle phase HSBat error In case of failure an interrupt will be generated and several actions can be selected either retry or disable the injector. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 5.3.12.2 Automatic diagnostics Automatic diagnostics are used during actuation phase. PT2001 includes an automatic state machine that compares the state of each VDS VSRC comparator with the gate command. If an error is detected, it jumps to interrupt phase. See the following microcode example that enables auto diagnostics during boost phase. Once this instruction is executed, state machine starts. If error, see below an example of interrupt routine where the microcore jumps. First thing to do is to turn off the outputs concerned by the interrupt and then report the fault to the MCU using the IRQB pin. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 39 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.3.12.2.1 Configuration For more details on the diagnostics configuration, refer to https://www.nxp.com/AN4954. Description of safety mechanism diagnostics (HS VDS, HS VSRC, LS VDS, and logic) Device reaction PT2001 goes in interrupt SM9 534 b74 Diagnostics turn off concerned outputs put IRQB LOW read interrupt registers Exit condition Depending on the MCU integrator. But, one option could be that, depending on the error, do some retrials and if critical error, avoid any turn on. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c MCU reaction Fault detection time tdetection = tdisablewindows + tfilter (programmable by SPI for each comparator) Fault reaction time depends on MCU integrator strategy 5.3.12.2.2 SPI reporting After interrupt generated, the MCU reads the interrupt register to check which fault occured and which core generated it. • Halt bit: for automatic diagnostics • Irq bit: for idle diagnostics Table 45. interrupt register (1D4h) Bit Name Value 15 14 13 12 reserved check sum_ ch2 000 0 11 10 9 8 check cksys_ spi_irq drv_irq sum_ missing ch1 0 0 0 0 7 6 5 4 3 2 1 0 irq_ uc1_ ch2 irq_ uc0_ ch2 irq_ uc1_ ch1 irq_ uc0_ ch1 halt_ uc1_ ch2 halt_ uc0_ ch2 halt_ uc1_ ch1 halt_ uc0_ ch1 0 0 0 0 0 0 0 0 As described in AN4954, additional reporting can be done using the general purpose status register of each microcore. 5.3.13 SM10 SPI protocol integrity (number, bits, watchdog) Only SPI mode A is covered in this safety mechanism paragraph, because it is the one recommended for safety purpose. The duty of this block is to monitor the spi_protocol and the spi_interface to find errors during the communication with the microcontroller. If an error is detected, the corresponding code is stored in the spi_error_code register. To warn the microcontroller, during the write transfer (from microcontroller to ASIC) the master input slave output (MISO) signal transfers a diagnostic word: the first 13 bits of this word are constant (1010101010101) and are used to detect short circuits on the MISO line, the last 3 bits copy the three least significant bits (LSBs) of the spi_error register. After an error code is written in this register, the register becomes write-protected in order to latch the error condition and is blind to other errors occurring. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 40 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Furthermore, PT2001 has the possibility to generate an interrupt request toward the microcontroller. This is possible only if this interrupt is enabled by setting the appropriate bit in the spi_config register; see Section 5.3.13.1 "Configuration". 534 b74 5.3.13.1 Configuration As mentioned above, mode A is selected, interrupt on IRQB when an SPI error occurred (irq_en = 1) is enabled and watchdog is set to minimum value. It means that maximum timing between two transactions during the burst is 1.36 ms. Where Tcksys is the period of the cksys internal clock. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Table 46. spi_config (1C8h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 MISO_ protocol_ slewrate mode reserved 0 0000 0000 SPI protocol Description of safety integrity mechanism (number, bits, Device reaction watchdog) 0 4 3 2 1 irq_en watchdog 1 01010 SPI protocol integrity (number, bits, watchdog) 0 SM10 SPI error is reported and SPI is locked IRQB goes LOW MCU reaction read interrupt register 1D4h (SPI irq = 1) read SPI error register 1D3h (only word accepted) Exit condition to clear the fault, read SPI error register (only word accepted) Fault detection time Twatchdog = 1/24MHz × 32768 = 1.36 ms Fault reaction time 5.3.13.2 SPI reporting Any SPI error is reported on each MISO transaction (last 3 bits). Table 47. spi_error (1D3h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 reserved cksys_ missing frame_ error word_ error 0 0000 0000 0000 X X X From now on, the possible errors and their relative code are reported (during correct operations the value of the register is 0000h). • cksys missing: this error is set if an SPI transfer is required (the SPI chip select csb is pulled LOW) while the cksys clock is missing. • frame error: this error is set if the number of data words in a burst is not the expected number programmed in the command word. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 41 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 534 b74 – Mode A is selected, the slave_protocol block received a control word that specifies n word transfers, but the microcontroller performs fewer operations and then end the communication. In this case, this module provides a watchdog function: if during a programmed transfer, the communication with the microcontroller is inactive for a time longer than a prefixed limit, the transfer is considered aborted and an error is detected. – This case also happens if MOSI line shorted to 0. Unfortunately in this case DRAM0 erases until error is detected. • word error: during the transfer of a word long data, the device received or sent an incorrect number of bit (15 or 17 instead of 16 for example). If multiple words are transferred in a row with the chip select always active (the fastest way), the error is detected at the end of the sequence and it is not possible to identify the incorrect word. To identify the incorrect data, the chip select shall be deactivated and reactivated between each word transfer. In case the SPI was not locked at the time of the SPI error, it is recommended to reprogram the device register and DRAM. This process guarantees the right configuration. 5.3.14 SM11 microcode checks (start sensitivity, start duration, phase duration, SPI reporting) The microcores (uc0Ch1, uc1Ch1, uc0Ch2, uc1Ch2) are controlling the outputs and also checking the current senses. There are four timers available per microcore that can be used for fault detection. For example, during boost phase a timer can be used to see if current rise is too fast or too slow. These situations could indicate either a short circuit or open load or even an issue on the injector. Also use for safety purpose the sensitivity of each microcores vs the start pin and outputs is controlled by several SPI registers. This means that if something is wrong on one of the start or output pin only the microcore sensible to this pin is in fault mode. It allows to keep one bank running, for example, while the other is off. 5.3.14.1 Configuration In the example below, we focus only on uc0Ch1, which is controlling BANK1 (INJ1 and INJ2). Start sensitivity Table 48. start_config_reg (104h, 124h) Bit Name Value 15 14 reserved 00 13 12 11 10 9 8 7 6 5 4 3 2 1 0 smart_ start_ u c1 smart_ start_ u c0 start6_ sens_ u c1 start5_ sens_ u c1 start4_ sens_ u c1 start3_ sens_ u c1 start2_ sens_ u c1 start1_ sens_ u c1 start6_ sens_ u c0 start5_ sens_ u c0 start4_ sens_ u c0 start3_ sens_ u c0 start2_ sens_ u c0 start1_ sens_ u c0 X X X X X X X X 0 0 0 0 1 1 Table 49. out_acc_uc0_ch1 (184h) Bit Name 15 Value 14 13 11 10 9 8 7 6 5 4 3 2 1 0 reserved Acc_ seq0_ ch1_ ls7 Acc_ seq0_ ch1_ ls6 Acc_ seq0_ ch1_ ls5 Acc_ seq0_ ch1_ ls4 Acc_ seq0_ ch1_ ls3 Acc_ seq0_ ch1_ ls2 Acc_ seq0_ ch1_ ls1 Acc_ seq0_ ch1_ hs5 Acc_ seq0_ ch1_ hs4 Acc_ seq0_ ch1_ hs3 Acc_ seq0_ ch1_ hs2 Acc_ seq0_ ch1_ hs1 0000 0 0 1 0 0 0 1 0 0 0 0 1 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 12 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 42 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual Below is example on what can be done to add timing check on each phase of the peak and hold waveform (similar strategy can be applied to DC-to-DC also). Microcode example Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 534 b74 Total start maximum timing per injection. This will guarantee that if start pin stuck HIGH, injector will be shut down after Tmax timing. If an error occurred, it generates an SW interrupt. A similar strategy can be applied to a phase duration like the boost phase where both HS and on LS are on to reach Iboost current. If this phase is too long or too short, it generates an interrupt to let the MCU know that an error occurred during the boost phase. Description of safety Microcode checks (start mechanism sensitivity, Device reaction start duration, phase duration) microcode checks (start duration, phase duration) SM11 IRQB pulled LOW reporting depends on how microcode is done (status reg.) failing injector turned off MC33PT2001SMUG User manual COMPANY CONFIDENTIAL MCU reaction read interrupt register 1D4h ( irq ucX chX = 1) read status register of the failing microcore (this depends on the way the microcode is written) Exit condition fault should not be latched, but MCU takes the decision to continue injection or not Fault detection time tfault = timer duration (depends on integrator) Fault reaction time depends on MCU integrator strategy All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 43 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.3.15 SM12 analog output current recopy (OA) 534 b74 SM12 is an optional safety mechanism and it is not considered in the safety analysis. This is not really a mechanism but more of a redundant path available for current monitoring. PT2001 offers the possibility to use the analog output pins OA1 and OA2 to send analog values to the MCU ADC. This can be used to send an image of the current going in the injector to the MCU for safety purpose. 5.3.15.1 Configuration OA path shall be enabled by SPI using the oa_out config (1AAh, 1ABh) registers. Because there are two OA pins and four current senses, the monitoring shall be selected by the MCU according to the load that is used. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c For example, consider that the MCU ADC monitors current sense1 and current sense2 and that the MCU ADC has a full range at 5 V (important to set OA gain). Table 50. oa_out1_config (1AAh) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 reserved oa1_g1 oa_sel1 oa1_gain oa1_en 0 0000 0000 0 000 01 1 Table 51. oa_out2_config (1ABh) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 reserved oa2_g1 oa_sel2 oa2_gain oa2_en 0 0000 0000 0 000 01 1 5.3.15.2 Reporting In this case, there is no reporting. If the OA voltage is not what was expected, the MCU makes the decision. The MCU can then decide to either shut down the injector or continue and rely on the diagnostics. 5.3.16 SM13 fuses ECC PT2001 uses fuses to set up several internal voltages, current, clock, and cypher key. Some of these fuses are considered as safety relevant. To guarantee the safety of the device, fuses are covered by an ECC and a CRC. In case the ECC is not able to correct, fuses are not loaded in the mirror registers and no microcode is executed. Device is then in safe state. 5.3.16.1 Configuration No need to do any configuration. This is done on an NXP production site. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 44 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Fuses ECC Description of safety mechanism fuses ECC Device reaction cypher key not loaded SM13 534 b74 if set properly, IRQ goes LOW (refer to Section 5.3.10 "SM7 CRAM checksum (CRC)") checksum fails MCU detect IRQB LOW Read interrupt register (refer to Section 5.3.10 "SM7 CRAM checksum (CRC)") Exit condition POR is required to retry to load the fuses Fault detection time Flash enable will not work, device will not start. Fault reaction time n.a. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c MCU reaction 5.3.16.2 Reporting If ECC is not able to correct faults, it is reported as a checksum error, because the cypher key will not load into PT2001. Table 52. flash_enable (100h, 120h) Bit Name Value 15 14 13 12 11 10 9 8 7 6 5 reserved check sum_ disable flash_ enable 0 0000 0000 0 0 4 3 2 1 0 preflash_ en_ dual uc chksum_ chksum_ enable dual_ uc failure irq_en failure 0 0 0 1 1 5.3.17 SM14 SW reset by SPI If RESETB pin stuck HIGH we want to give the possibility to the MCU to generate a reset using SPI transaction to keep the device in a safe state, even if pulling the DRVEN pin LOW could be sufficient. 5.3.17.1 Configuration To enable this reset two SPI write transaction to the global reset register 1, 2 (1D0h, 1D1h) are necessary. The global reset code is F473h for global reset register 1 and 57A1h for global reset register 2. Table 53. Global_Reset_code_part1 (1D0h) Bit Name Value 15 14 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 13 12 11 10 9 8 7 6 5 4 3 2 1 0 Global_Reset_Register_code_1 F473h All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 45 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual Table 54. Global_Reset_code_part2 (1D1h) 15 14 13 12 11 10 9 8 7 6 Name Global_Reset_Register_code_2 Value 57A1h 4 3 2 1 0 Description of safety mechanism SW reset by SPI Device reaction device resets and is in safe state MCU reaction MCU is able to force PT2001 in reset mode even if RESETB is stuck HIGH SM14 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c SW reset by SPI 5 534 b74 Bit Exit condition n.a. Fault detection time n.a. Fault reaction time n.a. 5.4 Off chip assumed safety mechanisms 5.4.1 List of safety mechanism off chip Table 55. Off chip safety mechanism SM number Safety mechanism SIR number SMA1 independent current recopy path optional for ASIL C SMA1 and SM6 independent current recopy path + safety path (decision made by MCU) optional for ASIL C SMA2 read back init config register and SPI lock SIR[046] system level information on MCU (sensor, fuel quantity, etc.) + safety path optional for ASIL C SMA3 5.4.2 SMA1 independent current recopy path Same as the SM12, this safety mechanism SMA1 is not considered in the safety analysis. However, SMA1 could be important to use in case the system target is ASIL D. This is an optional application level safety mechanism needed if the current profile generated by PT2001 is safety critical. For example, if transmission device the current profile needs to be very accurate to avoid activating a gear. For our use case, this is not mandatory and this is not enabled in the FMEDA as what is critical is the energizing time and not the current shape, because it cannot influence the acceleration of the car. If independent current monitoring is needed, an external operational amplifier shall be added and connected to the MCU ADC. 5.4.2.1 Configuration Configuration is done only on MCU ADC side. If MCU decides that waveform is not as expected, it will not send any start pulse for this particular load. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 46 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b MC33PT2001SMUG NXP Semiconductors PT2001 functional safety manual 5.4.2.2 Reporting Reporting is done only on MCU side. 534 b74 5.4.3 SMA2 read back init config register and SPI lock PT2001 configuration registers can be locked for safety purpose after initialization. Locked registers can be read but cannot be written. The lock is not mandatory for the correct working of the device, it is only a safety feature. Recommendation is on power up after PT2001 programming MCU should read back all configuration registers and both private DRAM to guarantee their right value and then lock all of them. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 5.4.3.1 Configuration Register device_lock register is used to select which portion of the device should be locked: • dev_lock: lock all configuration registers • Dram1_private_area_lock: lock DRAM address from 30h to 3Fh • Dram2_private_area_lock: lock DRAM address from 70h to 7Fh Those bits cannot be reset by writing the device lock register, but only by writing the correct password in unlock password. In the example below, PT2001 locks the configuration registers and the last 16 addresses of both DRAM. Table 56. device_lock register (1CDh) Bit Name Value 15 14 13 12 11 Read back init config register and SPI lock 10 9 8 7 6 5 4 3 2 1 0 Dram2_private _area_lock Dram1_private _area_lock Dev_lock 1 1 1 Description of safety mechanism read back init config register and SPI lock Device reaction MCU sends a corrupted SPI transaction that is not violating SPI protocol SMA2 PT2001 receives transaction but blocks it for all registers that are locked MCU reaction no fault reported to MCU, because SPI transaction is not violating the SPI protocol Exit condition n.a. Fault detection time no fault reported Fault reaction time n.a. 5.4.3.2 Reporting No reporting, because SPI protocol is not violated. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 47 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual 5.4.4 Startup sequence recommendation 534 b74 After the internal POResetB signal is deactivated, it takes a maximum time of tDIGIOREADY = 100 μs until the digital outputs of the device are functional. CLK can be sent even before this tDIGIOREADY, but it is not taken into account. Inside the logic core, POResetB is combined with the external reset signal ResetB (active LOW) and the SPIResetB signal coming from the SPI interface. As long as RSTB is asserted, the SPI module is inactive. After the first RESETB rising edge, it is required to wait t_SPIREADY_t0 = 100 μs to allow time for the fuses to load. Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Note that the logic core is properly supplied at 1.5 V when 5.0 V is present at the VCC5 pin (thus allowing logic core operations and SPI communication with the microcontroller), even if no voltage is provided at the VBATT pin and by consequence no voltage is present on the VCCP pin. VBATT Vboost level Vbat level VBOOST VCCIO (5V or 3.3V) Vcc5_uv VCC5 (5V) V1p5_uv VCC1P5 VCCP POReset CLK (from MCU) RESETB SPI download tD_POResetB tDIGIOREADY tPLL_lock tSPI_ResetB_t0 ChannelX Flash enable (100h, 120h, 140h) External power supplies Internal regulators External Digital Signals Internal Digital Signals Figure 7. Recommended startup sequence timing 5.4.4.1 VCCP power up for high speed bootstrap charge It is recommended to let the DBG pin open in order to start VCCP regulator as soon as RESETB is released. This has the effect to start PT2001 in an init phase allowing the charge of all bootstrap capacitors. Once this phase is done or timer elapses, VCCP voltage depends on driver_config register settings. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 48 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual 5.5 Safety requirements summary table Table 57. Summary table Description SIR[001] Use PT2001 according to the maximum ratings table in the MC33PT2001 data sheet. SIR[002] The PT2001 is used in applications for which the mission profile is the following, or less aggressive: • Junction temperature: –40 °C to ≤ +150 °C • Operation lifetime: 12000 hours • Number of key-on/key-off cycles: 55000 SIR[003] The HS pre-driver and LS pre-driver should be controlled by only a specific microcore. SIR[004] Following registers should be set according to the application selected. SIR[005] User shall make sure that the path between the MCU or the power SBC and the PT2001 is working properly. SIR[007] SIR[008] SIR[009] SIR[010] SIR[011] SIR[012] SIR[013] SIR[014] SIR[015] SIR[016] SIR[017] SIR[018] SIR[019] SIR[020] SIR[021] SIR[022] Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c SIR[006] 534 b74 Number Before flashing the CRAM, it is recommended to change the level of DRVEN from LOW to HIGH and then check DRVEN value in SPI using driver_status register. At each control word instruction (write), read the data back on the MCU. In order to avoid getting noise or spikes on VCC5 monitoring, it is required to add a filtering capacitor close to PT2001 VCC5 pin. This undervoltage is enabled by default and shuts down all output automatically without any configuration needed. However, the reporting of the fault back to the MCU using the IRQB shall be configured by setting the bit Vcc5_irq_en to logic 1. VCCP supply is an internal regulator supplying the drivers. This supply also includes an undervoltage monitoring. This regulator is enabled by SPI at power up using the driver_config register (1C5h). VCCP is used as a supply for the low-side gates, it is then mandatory to add a tank 4.7 μF capacitor and an optional 100 nF in parallel to filter noise and spikes that could happen during the application. This undervoltage is enabled by default and shuts down all output automatically without any configuration needed, but the reporting of the fault back to the MCU using the IRQB needs to be configured by setting the bit Vccp_irq_en to logic 1. Positions of those capacitors on PCB are critical. Connect them as close as possible to the VCC1P5 pin and the DGND. Important is also to set which microcode is sensitive to which start pulse using the register start_config_reg for each channel. For our safety case, see below how register start_config_reg (104h) should be set. For redundancy, the MCU shall send a precise 1 MHz CLK to PT2001. It is also recommended to shut down all drivers if cksys loss. It is recommended to keep this register to default state, which means a PLL set to 24 MHz. It is also recommended to set the ck_prescaler register to a 03h, allowing each channel to use two microcores. In this case, the microcores run at 6 MHz frequency (167 ns per instruction). Current sense monitoring should only be configurable and accessible by the right microcores. This is done using the crossbar switch safety mechanism. The cur_access register1 (see Table 14) should be set according to the application selected. In the architecture considered for the safety analysis, current sense access should be set as follows. The offset compensation prescaler shall be set to a maximum of 500 kHz. This setting is done in the following register by setting ck_ofscmp_per to 2Fh (default value). Settings of flash_enable register should be done as below to report fault back to MCU when a CRC error occurs. It pulls IRQB pin LOW and stops CRAM. MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 49 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual Description SIR[023] It is recommended to set parameters that are fixed after power-up and safety critical in the private area of the DRAM1. The specified address can be locked, as shown in Table 18. SIR[024] It is recommended to run MBIST at each power-up or every certain amount of power-ups. Running MBIST this way confirms that there is no CRAM corruption. SIR[025] SM1a – VCC5 overvoltage detection SIR[026] SM1b – VCCIO overvoltage protection SIR[027] SM2a – VCC5 undervoltage detection SIR[028] SM2b – VCC1P5 POR detection SIR[029] SM2c – VCCP undervoltage detection SIR[030] SM3 – GND monitoring (monitoring of voltage) SIR[032] SIR[033] SIR[034] SIR[035] SIR[036] SIR[037] SIR[038] SIR[039] SIR[040] SIR[041] SIR[042] SIR[043] SIR[044] SIR[045] SIR[046] Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c SIR[031] 534 b74 Number SM4 – input CLK monitoring and backup CLK SM5 – DRVEN voltage supervisor (monitoring of output voltage) logical level SM6 – safety path DRVEN SM7 – CRAM checksum (CRC) SM8 – CRAM/DRAM memory BIST SM9 – diagnostics (HS VDS, HS VSRC, LS VDS, and logic) SM10 – SPI protocol integrity (number, bits, watchdog) SM11 – microcode checks (start duration, phase duration, SPI report status reg) SM13 – fuses ECC SM14 – SW reset by SPI VCC5 undervoltage is called a driver disabled interrupt. The VCC5 undervoltage can be propagated to the MCU, thanks to the IRQB pin or the microcores. Register driver_config 1C5h is used to configure this setting. In this case, we pull the IRQB pin LOW if cksys failure. We also disable the driver during that phase. It is recommended to check the state at each power up, in order to confirm that DRVEN is not stuck HIGH or LOW. Register driver_status (1D2h) is used for this purpose. The bit value of DrvEn_value is a 'living copy' of the DRVEN pin: 1: DRVEN pin is HIGH 0: DRVEN pin is LOW The integrator shall enable an interrupt on the IRQB pin in case the CRC fails to let the MCU know that CRAM has stopped. This is done by setting bit 1 to logic 1. A full BIST check of the device memories can be required. This is done by accessing the BIST register in write mode and writing a 16-bit password (B157h). This request is accepted only if both CRAMs are unlocked. SMA2 – read back init config register and SPI lock MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 50 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual 6 Production-related instructions affecting safety 534 b74 The installation of the device at the module level is the responsibility of the customer. However, NXP gives recommendations on NXP QFP packages during PCB assembly. This document serves only as a guideline to help users develop a specific solution. Actual experience and development efforts are still required to optimize the assembly process and application design per individual device requirements, industry standards such as IPC and JEDEC, and prevalent practices in the assembly environment of the user. PFMEA analysis shows that particular care shall be taken to avoid short circuit between VCC5 and VCC1P5, between VCCP and VBAT, and between IRQB and Vboost. 7 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c To sustain electrostatic discharge (ESD) gun on the pins that are getting out of the module, it is recommended to use a small capacitor (~4.7 nF) connected close to the connector. Related documents This section lists all the documentation mentioned in this safety manual. This safety manual is to be used in combination with the data sheet. Table 58. Related documents Document Name Description ISO 26262 ISO 26262 Road vehicles - Functional safety, November 2011 MC33PT2001 data sheet https://www.docstore.nxp.com/products/product-hierarchy?query=Ds520950 PT2001_Dynamic_FMEDA_IEC62380 Dynamic FMEDA – Failure mode effects and diagnostic analysis document eGas_Version_5.5 Automotive standard for powertrain application Safety analysis summary report Description and outcome of the safety analysis conducted on the PT2001 project. 8 Revision history Revision history Rev v 2.0 v 1.0 Date Description 20190612 • Table 21: updated SM13 • Table 57: updated SIR[039] 20180110 initial version MC33PT2001SMUG User manual COMPANY CONFIDENTIAL All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 51 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual Legal information 9.1 Definitions Draft — The document is a draft version only. The content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included herein and shall have no liability for the consequences of use of such information. 9.2 Disclaimers Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information. NXP Semiconductors takes no responsibility for the content in this document if provided by an information source outside of NXP Semiconductors. In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory. Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors’ aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors. products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer’s sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer’s applications and products planned, as well as for the planned application and use of customer’s third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products. NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer’s applications or products, or the application or use by customer’s third party customer(s). Customer is responsible for doing all necessary testing for the customer’s applications and products using NXP Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer’s third party customer(s). NXP does not accept any liability in this respect. 534 b74 9 Right to make changes — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof. Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors and its suppliers accept no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer’s own risk. Applications — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification. Customers are responsible for the design and operation of their applications and MC33PT2001SMUG User manual COMPANY CONFIDENTIAL Suitability for use in automotive applications — This NXP Semiconductors product has been qualified for use in automotive applications. Unless otherwise agreed in writing, the product is not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors and its suppliers accept no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer's own risk. Export control — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities. Translations — A non-English (translated) version of a document is for reference only. The English version shall prevail in case of any discrepancy between the translated and English versions. Security — While NXP Semiconductors has implemented advanced security features, all products may be subject to unidentified vulnerabilities. Customers are responsible for the design and operation of their applications and products to reduce the effect of these vulnerabilities on customer’s applications and products, and NXP Semiconductors accepts no liability for any vulnerability that is discovered. Customers should implement appropriate design and operating safeguards to minimize the risks associated with their applications and products. 9.3 Trademarks Notice: All referenced brands, product names, service names and trademarks are the property of their respective owners. POR — is a trademark of NXP B.V. All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 52 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual Tables Tab. 30. Tab. 31. Tab. 32. Tab. 33. Tab. 34. Tab. 35. Tab. 36. Tab. 37. Tab. 38. Tab. 39. Tab. 40. Tab. 41. Tab. 42. Tab. 43. Tab. 44. Tab. 45. Tab. 46. Tab. 47. Tab. 48. Tab. 49. Tab. 50. Tab. 51. Tab. 52. Tab. 53. Tab. 54. Tab. 55. Tab. 56. Tab. 57. Tab. 58. interrupt register (1D4h) .................................. 32 driver_status (1D2h) ........................................32 backup_clock_status (1C7h) ........................... 32 driver_status (1D2h) ........................................33 DrvEn path for HS pre-drivers .........................34 DrvEn path for LS pre-drivers (RQS3202) .......34 driver_config (1C5h) ........................................34 code_width (107h, 127h) .................................35 checksum_h (108h, 128h) ...............................35 checksum_l (109h, 129h) ................................35 flash_enable (100h) and (120h) ...................... 36 interrupt register (1D4h) .................................. 36 flash_enable (100h, 120h) .............................. 36 BIST_interface in write mode (1DCh) ..............37 BIST_interface in read mode (1DCh) .............. 37 interrupt register (1D4h) .................................. 40 spi_config (1C8h) ............................................ 41 spi_error (1D3h) .............................................. 41 start_config_reg (104h, 124h) ......................... 42 out_acc_uc0_ch1 (184h) .................................42 oa_out1_config (1AAh) ....................................44 oa_out2_config (1ABh) ....................................44 flash_enable (100h, 120h) .............................. 45 Global_Reset_code_part1 (1D0h) ...................45 Global_Reset_code_part2 (1D1h) ...................46 Off chip safety mechanism ..............................46 device_lock register (1CDh) ............................ 47 Summary table ................................................ 49 Related documents ......................................... 51 Fig. 5. Fig. 6. Safety block diagram ...................................... 18 Typical peak and hold current profile with diagnostics .......................................................38 Recommended startup sequence timing ......... 48 534 b74 Major safety deliverables and gates ..................3 ISO 26262 Life cycle at component level .......... 4 Mission profile table ........................................ 10 out_acc_uc0_ch1 register (184h) ....................19 driver_status register (1D2h) ...........................19 driver_config register (1C5h) ...........................19 device_lock register (1CDh) ............................ 20 driver_config (1C5h) ........................................20 driver_config (1C5h) ........................................21 start_config_reg register for channel 1 ............ 21 backup_clock register (1C7h) ..........................22 pll_config (1C6h) ............................................. 22 ck_prescaler register (1C0h) ........................... 22 cur_access register1 ....................................... 23 ck_ofscmp_per register (1C4h) ....................... 23 fbk_sens_seq0ch1 register (180h) .................. 23 flash_enable register ....................................... 24 DRAM register map ........................................ 24 BIST register in write mode (1DCh) ................ 25 BIST register in read mode (1DCh) .................25 Safety mechanism ...........................................25 reset_source (1D6h) ........................................26 driver_config (1C5h) ........................................27 driver_status (1D2h) ........................................28 reset_source (1CEh) ....................................... 29 driver_config – 1C5h ....................................... 29 driver_status (1D2h) ........................................30 reset_source (1CEh) ....................................... 31 backup_clock_status (1C7h) ........................... 31 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c Tab. 1. Tab. 2. Tab. 3. Tab. 4. Tab. 5. Tab. 6. Tab. 7. Tab. 8. Tab. 9. Tab. 10. Tab. 11. Tab. 12. Tab. 13. Tab. 14. Tab. 15. Tab. 16. Tab. 17. Tab. 18. Tab. 19. Tab. 20. Tab. 21. Tab. 22. Tab. 23. Tab. 24. Tab. 25. Tab. 26. Tab. 27. Tab. 28. Tab. 29. Figures Fig. 1. Fig. 2. Fig. 3. Fig. 4. BCAM functional safety life cycle ...................... 3 Example of an automotive powertrain direct fuel injection driver electronic system ................7 Fault tolerant time interval diagram ................. 11 PT2001 internal block diagram ....................... 13 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL Fig. 7. All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 53 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual Contents 2.3 3 3.1 3.1.1 3.2 3.3 4 4.1 4.1.1 4.1.2 4.2 4.2.1 4.2.2 4.2.3 4.3 4.3.1 4.3.2 4.3.3 5 5.1 5.1.1 5.1.1.1 5.1.1.2 5.1.1.3 5.1.1.4 5.1.1.5 5.1.1.6 5.1.2 5.1.2.1 5.1.2.2 5.1.2.3 5.1.2.4 5.1.3 5.1.3.1 5.1.3.2 5.1.3.3 5.1.4 5.1.5 5.1.5.1 5.1.5.2 5.1.6 5.1.6.1 5.1.6.2 5.1.7 5.1.8 5.1.9 5.1.10 5.1.11 5.1.12 5.2 5.2.1 5.2.2 5.2.3 5.2.4 5.2.4.1 5.2.4.2 5.2.5 5.2.5.1 5.2.5.2 5.2.6 5.2.6.1 5.2.7 5.2.7.1 5.2.8 5.2.8.1 5.2.8.2 5.2.9 5.2.10 5.2.11 5.2.12 VDS monitor .................................................... 16 LS7 pre-drivers ................................................ 16 Current measure (1, 2, and 3) ......................... 17 Current measure 4 .......................................... 17 OA mux out (1 and 2) ..................................... 17 Temperature warning .......................................17 Ground disconnect detection ........................... 17 Safety related functions ................................... 17 HS pre-driver HS1 to HS4 and LS pre-driver LS1, LS2, LS4, and LS5 ..................................19 DRVEN path .................................................... 19 SPI ................................................................... 19 VCC5 monitoring ............................................. 20 Hardware recommendation ............................. 20 Software recommendation ............................... 20 VCCP internal regulator ...................................20 Hardware recommendation ............................. 20 Software recommendation ............................... 21 VCC1P5 internal regulator ...............................21 Hardware recommendation ............................. 21 Start 1-4 ...........................................................21 Software recommendation ............................... 21 CLK monitoring, backup CLK .......................... 21 Hardware recommendation ............................. 21 Software recommendation ............................... 22 PLL ...................................................................22 Current sense monitoring 1 and 2 ................... 22 Diagnostics (VDS, VSRC, load biasing) .......... 23 Channel1/2 (CRAM + arithmetic logic unit (ALU) + microcores) ........................................ 23 DRAM1 ............................................................ 24 Crossbar switch ............................................... 24 MBIST .............................................................. 24 Safety mechanisms integrated in the device ....25 SM1a overvoltage detection on VCC5 .............26 Configuration ....................................................26 SPI reporting ....................................................26 SM1b overvoltage detection on VCCIO ........... 26 Configuration ....................................................27 SPI reporting ....................................................27 SM2a undervoltage detection on VCC5 ...........27 Configuration ....................................................27 SPI reporting ....................................................28 SM2b VCC1P5 POR detection ........................ 28 SPI reporting ....................................................29 SM2c VCCP undervoltage detection ............... 29 Configuration ....................................................29 SPI reporting ....................................................30 SM3 GND monitoring ...................................... 30 Configuration ....................................................30 SPI reporting ....................................................31 SM4 input CLK monitoring and backup CLK ....31 Configuration ....................................................31 SPI reporting ....................................................32 SM5 DRVEN voltage supervisor ......................33 Configuration ....................................................33 534 b74 2.1 2.2 Document purpose and scope .......................... 1 Purpose ..............................................................1 Scope .................................................................1 Content .............................................................. 1 Component safety analysis ............................... 2 General information ........................................... 2 Description of ISO 26262 lifecycle used for the component development ............................. 2 Brief description of NXP safety life cycle ........... 2 Tailored ISO 26262 life cycle applied at component level ................................................ 4 Customer specific actions required ....................5 System architecture ............................................6 Component overview in the system architecture ........................................................ 6 Use case overview ............................................ 6 Architecture overview ........................................ 6 Features overview ............................................. 7 Assumption on use ............................................ 9 Electrical specification and environmental limits ...................................................................9 Electrical specification limits ............................ 10 Mission profile ..................................................10 System safety goal .......................................... 11 System safe state ............................................11 Assumptions on fault tolerant time interval ...... 11 Assumption on multiple point fault detection interval ............................................................. 11 Component safety goal ....................................11 Component safe state ..................................... 12 Assumptions on fault tolerant time interval ...... 12 HW architectural metrics ................................. 12 Safety concept .................................................. 12 Safety architecture ...........................................12 Power management .........................................14 BOOST monitor ............................................... 14 Charge pump ...................................................14 VCCP low dropout (LDO) and UV monitoring ...14 VCC5 external supply ......................................14 VCC1P5 regulator ............................................14 IO buffers supply ............................................. 14 Logic control .................................................... 14 Clock monitor and oscillator ............................ 14 Serial peripheral interface (SPI) .......................14 Debug interface ............................................... 15 Controls ............................................................15 Logic channel 1 and 2 .....................................15 Digital microcores (Uc0ChX, Uc1ChX) ............ 15 Code RAM 1 and 2 ......................................... 15 Data RAM 1 and 2 .......................................... 15 Crossbar switch ............................................... 15 HS pre-drivers and VDS VSRC monitors .........16 HS pre-drivers ................................................. 16 VDS and VSRC monitors ................................ 16 LS1 to LS6 pre-drivers and VDS monitors ....... 16 LS pre-drivers .................................................. 16 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 1 1.1 1.2 1.3 1.4 1.5 2 MC33PT2001SMUG User manual COMPANY CONFIDENTIAL 5.2.13 5.2.14 5.2.15 5.3 5.3.1 5.3.1.1 5.3.1.2 5.3.2 5.3.2.1 5.3.2.2 5.3.3 5.3.3.1 5.3.3.2 5.3.4 5.3.4.1 5.3.5 5.3.5.1 5.3.5.2 5.3.6 5.3.6.1 5.3.6.2 5.3.7 5.3.7.1 5.3.7.2 5.3.8 5.3.8.1 All information provided in this document is subject to legal disclaimers. Rev. 2.0 — 12 June 2019 © NXP B.V. 2019. All rights reserved. 54 / 55 9f7199f7-7e51-4add-8950-e986ff862c4b NXP Semiconductors MC33PT2001SMUG PT2001 functional safety manual SPI reporting ....................................................33 SM6 safety path DRVEN .................................34 Configuration ....................................................34 SM7 CRAM checksum (CRC) ......................... 35 Configuration ....................................................35 SPI reporting ....................................................36 SM8 CRAM/DRAM MBIST .............................. 37 Configuration ....................................................37 SPI reporting ....................................................37 SM9 diagnostics (HS VDS, HS VSRC, LS VDS, and logic) ............................................... 38 5.3.12.1 Idle diagnostics ................................................38 5.3.12.2 Automatic diagnostics ......................................39 5.3.13 SM10 SPI protocol integrity (number, bits, watchdog) ........................................................ 40 5.3.13.1 Configuration ....................................................41 5.3.13.2 SPI reporting ....................................................41 5.3.14 SM11 microcode checks (start sensitivity, start duration, phase duration, SPI reporting) ...42 5.3.14.1 Configuration ....................................................42 5.3.15 SM12 analog output current recopy (OA) ........ 44 5.3.15.1 Configuration ....................................................44 5.3.15.2 Reporting ......................................................... 44 5.3.16 SM13 fuses ECC .............................................44 5.3.16.1 Configuration ....................................................44 5.3.16.2 Reporting ......................................................... 45 5.3.17 SM14 SW reset by SPI ................................... 45 5.3.17.1 Configuration ....................................................45 5.4 Off chip assumed safety mechanisms ............. 46 5.4.1 List of safety mechanism off chip .................... 46 5.4.2 SMA1 independent current recopy path .......... 46 5.4.2.1 Configuration ....................................................46 5.4.2.2 Reporting ......................................................... 47 5.4.3 SMA2 read back init config register and SPI lock ...................................................................47 5.4.3.1 Configuration ....................................................47 5.4.3.2 Reporting ......................................................... 47 5.4.4 Startup sequence recommendation ................. 48 5.4.4.1 VCCP power up for high speed bootstrap charge .............................................................. 48 5.5 Safety requirements summary table ................ 49 6 Production-related instructions affecting safety .................................................................. 51 7 Related documents ........................................... 51 8 Revision history ................................................ 51 9 Legal information .............................................. 52 Pro v CO ided u M Do PAN nder ngF N Y 180 eng PRO DA o a0d n P M R 25- otor IET ly d53 AR c o a-4 Y 0c7 -bd 09a22 d3c 534 b74 5.3.8.2 5.3.9 5.3.9.1 5.3.10 5.3.10.1 5.3.10.2 5.3.11 5.3.11.1 5.3.11.2 5.3.12 Please be aware that important notices concerning this document and the product(s) described herein, have been included in section 'Legal information'. © NXP B.V. 2019. All rights reserved. For more information, please visit: http://www.nxp.com For sales office addresses, please send an email to: salesaddresses@nxp.com Date of release: 12 June 2019 Document identifier: MC33PT2001SMUG

sm495320 - MC33PT2001 Safety manual (2.0)

Related documents

Products

Support

sm495320 - MC33PT2001 Safety manual (2.0)

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib