The PMIC security mechanisms you want to know are all here

FS84/FS85 are automotive functional safety multi-output power management integrated circuits, suitable for radar, vision, ADAS domain controller, radio and infotainment applications. They include multiple switch-mode and linear regulators, and provide an external frequency synchronization input and output to optimize system EMC performance.

The devices provide fail-safe outputs as a functional safety feature, cover the ASIL B and ASIL D safety integrity levels, and are developed to comply with the ISO 26262 standard. They have two state machines, as shown in the figure below:

Main state machine: management of power supply, standby mode and wake-up source;

Fail-safe state machine: power management monitoring, MCU monitoring and external IC monitoring.

Figure 1 FS84/85 functional block diagram

The difference between ASIL B and ASIL D can be seen from the table. The following is an introduction to each functional safety feature you want to know.

1. PGOOD, RSTB, FS0B

These three safety output pins are implemented hierarchically to ensure a safe state:

PGOOD: Priority is 1. If PGOOD is asserted, both RSTB and FS0B are asserted;

RSTB: Priority is 2. If RSTB is asserted, FS0B is asserted but PGOOD may not be asserted;

FS0B: Priority is 3. If FS0B is asserted, RSTB and PGOOD may not be asserted.

The release of RSTB is managed by the fail-safe state machine and depends on the release of PGOOD and on ABIST1 execution. Which voltage monitors are assigned to PGOOD and ABIST1 is configured by OTP, and that assignment determines when RSTB is released.

2. Voltage monitor

The voltage monitor is responsible for overvoltage and undervoltage monitoring of the VCOREMON, VDDIO and VMONx pins. When an overvoltage occurs in the FS84/FS85 regulator monitored by one of these pins, the related FS84/FS85 regulator will shut down until the fault is eliminated.

3. Watchdog

ASIL B and ASIL D correspond to Simple and Challenger watchdog monitors respectively.

The Challenger watchdog is based on a question/answer exchange with the MCU. In the FS85, a 16-bit pseudo-random word is generated by an LFSR (Linear Feedback Shift Register). The MCU takes the LFSR value generated by the FS85 and performs a predefined calculation on it. The result is sent via SPI/I²C while the watchdog window is open, and it is verified by the FS85. When the result is correct, the watchdog window is restarted and a new LFSR value is generated; when the result is wrong, the watchdog error counter is incremented, the watchdog window is restarted and the LFSR value does not change.

When the watchdog error counter reaches its maximum value, the fail-safe reaction on RSTB/FS0B is the one configured with the WD_FS_IMPACT[1:0] bits during the INIT_FS phase.

Simple watchdog is a shortened version, so I won’t repeat it here.
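
The device-side bookkeeping of the Challenger watchdog described above can be modelled as follows. This is an added example, not NXP code and not from the original article: the LFSR taps, the "predefined calculation" (a bitwise inversion used as a stand-in), the error-counter step of 1 and the limit WD_ERR_MAX are all assumptions, since the page gives none of them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WD_ERR_MAX 6u /* assumed limit; the page gives no value */

typedef struct {
    uint16_t lfsr;    /* current 16-bit challenge word */
    unsigned err_cnt; /* watchdog error counter */
    unsigned windows; /* number of window restarts */
    bool failsafe;    /* stands in for the WD_FS_IMPACT reaction on RSTB/FS0B */
} wd_model;

/* Assumed generator: 16-bit Fibonacci LFSR with taps 16,14,13,11. */
static uint16_t lfsr_next(uint16_t s) {
    uint16_t bit = (uint16_t)((s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u);
    return (uint16_t)((s >> 1) | (bit << 15));
}

/* Assumed stand-in for the "predefined calculation": bitwise inversion. */
static uint16_t wd_expected(uint16_t challenge) { return (uint16_t)~challenge; }

/* Device side: verify an answer received while the window is open. */
static bool wd_refresh(wd_model *wd, uint16_t answer) {
    wd->windows++; /* the window is restarted for good and bad answers */
    if (answer == wd_expected(wd->lfsr)) {
        wd->lfsr = lfsr_next(wd->lfsr); /* good answer: new challenge */
        return true;
    }
    if (++wd->err_cnt >= WD_ERR_MAX) /* bad answer: challenge unchanged */
        wd->failsafe = true;
    return false;
}

/* Constructed scenario: one good refresh, then an MCU replaying a stale answer. */
static wd_model wd_demo(void) {
    wd_model wd = { 0xACE1u, 0u, 0u, false };
    uint16_t stale = wd_expected(wd.lfsr);
    for (unsigned i = 0; i < 1u + WD_ERR_MAX; i++)
        wd_refresh(&wd, stale);
    return wd;
}

int main(void) {
    wd_model wd = wd_demo();
    printf("lfsr=0x%04X errors=%u failsafe=%d\n", (unsigned)wd.lfsr, wd.err_cnt, wd.failsafe);
    return 0;
}
```

Because the challenge only advances on a correct answer, an MCU that is stuck replaying an old answer keeps failing against the same word until the counter limit triggers the configured reaction.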

4. FCCU monitoring

The FCCU monitoring function is enabled through the OTP_FCCU_EN bit. The FCCU pins are responsible for monitoring hardware failures of the MCU. The FCCU pins can be configured as a pair or as single independent inputs. FCCU monitoring becomes active once INIT_FS has been closed by the first good watchdog refresh.

5. MCU failure recovery strategy

The OTP_FLT_RECOVERY_EN bit enables the failure recovery strategy function. This function extends the watchdog window and allows the MCU to execute a failure recovery strategy. The purpose is to avoid resetting the MCU while it tries to restore the application after a failure event. When the MCU signals a fault through its FCCU pin, the FS0B pin is asserted by the device.
When the FCCU pin indicates an error and FS0B is asserted, the watchdog window switches from WDW_PERIOD to WDW_RECOVERY. If the MCU sends a good watchdog refresh before the end of the WDW_RECOVERY duration and the FCCU pin no longer indicates an error, the device switches back to the WDW_PERIOD duration and its related duty cycle. Otherwise, a new WDW_RECOVERY cycle is started. If the MCU does not send a good watchdog refresh before the end of the WDW_RECOVERY duration, a reset pulse is generated and the fail-safe state machine returns to INIT_FS.

Figure 2 MCU failure recovery strategy
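
The window transitions of the failure recovery strategy, written out as a small state machine. This is an added example, not NXP code and not from the original article; the event names, the struct and the counters are hypothetical, and FS0B release is not modelled because the page does not describe it.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum { WDW_PERIOD, WDW_RECOVERY, INIT_FS } wd_window;
typedef enum { EV_FCCU_FAULT, EV_GOOD_REFRESH, EV_RECOVERY_TIMEOUT } wd_event;

typedef struct {
    wd_window win;
    bool fs0b_asserted;       /* asserted by the device on an FCCU fault */
    unsigned recovery_cycles; /* WDW_RECOVERY windows started */
    unsigned reset_pulses;    /* resets generated on recovery timeout */
} recovery_model;

/* One transition; fccu_error is the FCCU pin state sampled with the event. */
static void recovery_step(recovery_model *m, wd_event ev, bool fccu_error) {
    switch (ev) {
    case EV_FCCU_FAULT:
        m->fs0b_asserted = true;
        if (m->win == WDW_PERIOD) { m->win = WDW_RECOVERY; m->recovery_cycles++; }
        break;
    case EV_GOOD_REFRESH:
        if (m->win != WDW_RECOVERY) break;
        if (fccu_error) m->recovery_cycles++; /* still faulty: new recovery window */
        else m->win = WDW_PERIOD;             /* fault gone: normal window again */
        break;
    case EV_RECOVERY_TIMEOUT:
        if (m->win == WDW_RECOVERY) { m->reset_pulses++; m->win = INIT_FS; }
        break;
    }
}

/* Constructed scenario: fault, one refresh with the fault still present, then
   either a refresh after the fault clears (recovers=true) or a timeout. */
static recovery_model recovery_demo(bool recovers) {
    recovery_model m = { WDW_PERIOD, false, 0u, 0u };
    recovery_step(&m, EV_FCCU_FAULT, true);
    recovery_step(&m, EV_GOOD_REFRESH, true);
    if (recovers) recovery_step(&m, EV_GOOD_REFRESH, false);
    else recovery_step(&m, EV_RECOVERY_TIMEOUT, true);
    return m;
}

int main(void) {
    recovery_model ok = recovery_demo(true), bad = recovery_demo(false);
    printf("recovered: win=%d resets=%u\n", (int)ok.win, ok.reset_pulses);
    printf("timed out: win=%d resets=%u\n", (int)bad.win, bad.reset_pulses);
    return 0;
}
```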

6. External IC monitoring (ERRMON)

The external IC monitoring function is enabled by the OTP_ERRMON_EN bit. The ERRMON pin is responsible for monitoring an external IC in the application, other than the FS85 and the MCU. ERRMON monitoring becomes active once INIT_FS has been closed by the first good watchdog refresh. In the INIT_FS phase, the polarity of the ERRMON fault signal can be configured through the ERRMON_FLT_POL bit.

7. Logic BIST (Built-in self-test)

The fail-safe state machine includes logic built-in self-test (LBIST) to verify the correct function of the safety logic monitoring. LBIST is executed after each POR, or after each wake-up from the standby state. If LBIST fails, RSTB and PGOOD will be released, but FS0B remains low and cannot be released. The flag LBIST_OK can be used for MCU diagnosis via SPI/I²C.

8. Analog BIST (Built-in self-test)

The fail-safe state machine includes two analog built-in self-tests (ABIST) to verify the correct function of the safety analog monitoring. ABIST1 is automatically executed after each POR or after each wake-up from standby. Which regulators are checked during ABIST1 is assigned by OTP.

After the INIT_FS phase, ABIST2 is executed through SPI/I²C using the Vxxx_ABIST2 bits. If ABIST fails, RSTB and PGOOD will be released, but FS0B remains low and cannot be released. The flags ABIST1_OK and ABIST2_OK can be used for MCU diagnosis through SPI/I²C.
