Texas Instruments Safety for BQ79606A-Q1 Precision Monitor (Rev. C) Application notes
Application Report
SLUA822C – September 2018 – Revised May 2019
Safety Manual for BQ79606A-Q1 Precision Monitor
ABSTRACT
This document is a safety manual for the Texas Instruments BQ79606A-Q1 precision monitor. This
manual provides information to help developers integrate the BQ79606A-Q1 device into safety related
systems.
NOTE: Before you begin a project based on the BQ79606A-Q1, you will need to set up a SafeTI NDA with your local TI sales person in order to receive safety documentation from TI beyond this safety manual.
SLUA822C – September 2018 – Revised May 2019
Submit Documentation Feedback
Safety Manual for BQ79606A-Q1 Precision Monitor
Copyright © 2018–2019, Texas Instruments Incorporated
1
Contents
1 Introduction 4
2 Product Overview 4
2.1 Target Applications 5
2.2 Product Safety Constraints 6
3 BQ79606A-Q1 Development Process for Management of Systematic Faults 6
3.1 TI New-Product Development Process 6
3.2 TI Safety Development Flow 7
3.3 Development Interface Agreement 8
4 BQ79606A-Q1 Product Architecture for Management of Random Faults 10
4.1 Device Operating States 10
4.2 Safe State 11
5 BQ79606A-Q1 Architecture Safety Mechanisms and Assumptions of Use 12
5.1 Safety Mechanisms Per Design Block 13
5.2 Architecture Safety Mechanisms Related to Supply Rail and Reference Voltages 16
5.3 Architecture Safety Mechanisms Related to Cell Voltage Monitoring 22
5.4 Architecture Safety Mechanisms Related to Temperature Sensor Voltage Monitoring 33
5.5 Architecture Safety Mechanisms Related to Cell Voltage Protection 47
5.6 Architecture Safety Mechanisms Related to Temperature Sensor Voltage Protection 50
5.7 Architecture Safety Mechanisms Related to Communication 53
5.8 Miscellaneous Architecture Safety Mechanisms 57
6 BQ79606A-Q1 as Safety Element Out of Context (SEooC) 60
6.1 BQ79606A-Q1 Typical Application Circuit 61
List of Figures
1 BQ79606A-Q1 Architecture Overview 5
2 TI New-Product Development Process 7
3 BQ79606A-Q1 Operating State Machine 10
4 SM70: REF3 Accuracy Measurement 19
5 SM80: REF1 vs REF2 Accuracy Measurement 20
6 SM101: VCell ADC Path Accuracy Check 23
7 SM104: VCell Gain and Offset Register Check 25
8 SM130: VC Path and Pin Open Check 27
9 SM131: CB Path and Pin Open Check 29
10 SM132: VC and CB Pin Short Check 31
11 SM201: AUXADC Linearity Check 34
12 SM202: AUXADC Digital Circuit Check 36
13 SM203: AUXADC Redundant Digital Filter Fault Injection 38
14 SM204: AUXADC Gain Offset and Output Register Check 40
15 SM230: GPIO Pin Open Check 42
16 SM231: GPIO Multiplexer and Pin Short Check 44
17 SM232: AUXMUX GPIO Check 45
18 SM302: OV/UV Multiplexor Selector Integrity 48
19 SM402: OT/UT Multiplexor Selector Integrity 51
20 Typical Application Circuit 61
List of Tables
1 TI New-Product Development Process 8
2 Safety Documentation 9
3 Assumed Safety Goal Number 12
4 Safety Measure Numbering Scheme Description 12
5 Safety Mechanism Categories 12
6 Safety Mechanisms 13
Trademarks
All trademarks are the property of their respective owners.
1
Introduction
The system and equipment manufacturer or designer (as user of this document) is responsible to ensure
that their systems (and any TI hardware or software devices incorporated in the systems) meet all
applicable safety, regulatory and system-level performance requirements. All application and safety-related information in this document (including application descriptions, suggested safety measures,
suggested TI products, and other materials) is provided for reference only. Users understand and agree
that their use of TI devices in safety-critical applications is entirely at their risk, and that user (as buyer)
agrees to defend, indemnify, and hold harmless TI from any and all damages, claims, suits, or expense
resulting from such use.
This document is a safety manual for the Texas Instruments BQ79606A-Q1. It provides information to help
system developers create safety-related systems using the BQ79606A-Q1. This document contains:
• An overview of the superset product architecture
• An overview of the development process used to reduce systematic failures
• An overview of the safety architecture for management of random failures and the Assumptions of Use
(AoU) that the system integrator should consider when using this device in an ISO 26262 compliant system
• The details of architecture partitions and implemented safety mechanisms
The Safety Analysis Report documents the following information, not covered in this document:
• Failure rates estimation
• Qualitative failure analysis (design FMEA, pin-FMEA, DFA, FTA)
• Quantitative failure analysis (quantitative FMEDA)
• Safety metrics calculated per targeted standards per system example implementation
The safety case documents the following information, which is not covered in this document:
• Evidence of compliance to targeted standards
• Results of assessments of compliance to targeted standards
TI expects that the user of this document has a general familiarity with the BQ79606A-Q1. This document
is intended to be used in conjunction with the pertinent data sheets and other documentation for the
products under development. This partition of technical content is intended to simplify development,
reduce duplication of content, and avoid confusion as compared to the definition of safety manual as seen
in IEC 61508:2010.
2
Product Overview
The BQ79606A-Q1 is a multichannel measurement device designed to measure battery cell voltages and
temperatures in safety-relevant applications, such as those found in automotive.
The BQ79606A-Q1 integrates six Delta-Sigma converters for the simultaneous measurement of six battery
voltages, an auxiliary ADC that supports cell temperature measurements for up to six NTCs as well as
internal rails to enable safety checks for the device, and a UART to allow it to communicate with a wide
range of microcontrollers. A die temperature measurement ADC is also included to provide temperature
correction to enable high accuracy results over an extended temperature range. The device supports a
stacked communication architecture through daisy chain communication transmitters and receivers as well
as an optional ring architecture to provide support for communication in the event of a wire harness fault;
a total of fifty-one devices can be addressed by a single microcontroller by taking advantage of the daisy
chain bus. Additionally, there is an optional fault daisy chain that can be used to allow for interrupt driven
faults as opposed to polling. The BQ79606A-Q1 supports passive balancing of battery cells with integrated
balancing FETs.
[Figure 1 is a block diagram; only its labels survive in this text. It shows the device partitioned into FMEDA functional groups, each block carrying an FMEDA block reference number: REFSYS (A), AUX_ADC (B), LDO (C), CB_OW (D), PREF (E), PADRING (F), OTUT (G), DIGCORE (H), VIF (I), OVUV (J), OSC (K), MEAS_ADC (L) and TJ_ADC (M), connected by the core control signals, the core analog status bus, the core analog control bus, the core memory control and data bus, and the SD data path. The legend distinguishes diagnostic signals monitored by the AUX ADC, reference voltages, IC pin voltages and non-core signals. Naming notes on the diagram: REF1 is also called REFH, RefLBuf is also called REF2, RefBG2Buf is also called REF3, and the OVUV blocks are placed in REFSYS for clarity.]
Figure 1. BQ79606A-Q1 Architecture Overview
2.1
Target Applications
The BQ79606A-Q1 is designed for use as the battery cell voltage and temperature monitor in the following
automotive applications:
• Full electric vehicle (EV), Hybrid electric vehicle (HEV) or Plug In Hybrid (PHEV) power train
• 48-V automotive battery systems
• Industrial safety applications, particularly Energy Storage Systems (ESS)
Analysis of multiple safety applications during concept phase enabled support of Safety Element out of
Context (SEooC) development according to ISO 26262–10. In designing this device, TI made various
assumptions about how it could be used so as to address expected industry requirements for Battery
Monitoring Systems because these safety-critical systems are especially demanding.
Although TI has considered certain applications while developing these devices, this should not restrict a
customer who wishes to implement other systems. With all safety-critical devices, the system integrator
must rationalize the device safety concept to confirm that it meets the system safety needs.
Where requirements of the target systems overlap, TI has attempted to design the device to the most stringent requirement. For example, the fault-tolerant response-time intervals in an automotive battery application are typically on the order of 1 second. In this case, TI has performed the timer subsystem analysis respecting a fault-tolerant time interval of 100 ms for an assumed 96 battery cell application.
2.2
Product Safety Constraints
The BQ79606A-Q1 safety analysis was performed under the following assumptions of system constraints:
• All inputs to the BQ79606A-Q1 meet the recommended operating conditions defined in the device data
sheet and do not exceed absolute operating conditions defined therein
• The operating temperature of the BQ79606A-Q1 meets the ambient and junction temperature limits
defined in the device data sheet
• All external devices to the BQ79606A-Q1 meet the electrical characteristics defined in the device data
sheet for the devices in question
• The layout of the system board follows the layout guideline as defined in the BQ79606A-Q1 data sheet
• The junction temperature of the BQ79606A-Q1 does not exceed the maximum value as specified in
the BQ79606A-Q1 data sheet.
3
BQ79606A-Q1 Development Process for Management of Systematic Faults
For safety-critical development, it is necessary to manage both systematic and random faults. Texas
Instruments has created a development process for safety-critical semiconductors, which greatly reduces
the probability of systematic failures. This process builds on a standard quality-managed development
process as the foundation for safety-critical development. A second layer of development activities, which
are specific to safety-critical applications developments targeting IEC 61508 and ISO 26262, then
augments this process. The development activity to manage systematic faults during development for the
BQ79606A-Q1 was done to comply with ASIL-D.
3.1
TI New-Product Development Process
Texas Instruments has been developing mixed-signal automotive ICs for safety-critical and non-safety
critical automotive applications for over fifteen years. Automotive markets have strong requirements
regarding quality management and product reliability. Though not explicitly developed for compliance to a
functional safety standard, the TI new-product development process already featured many elements
necessary to manage systematic faults.
The BQ79606A-Q1 was developed using TI’s new product development process which has been certified
as compliant to ISO TS 16949 as assessed by Det Norske Veritas Certification, Inc.
The standard development process breaks development into phases:
• Business Planning
• Validate
• Create
• Evaluate
• Process to Production
Figure 2 shows the standard process.
[Figure 2 is a flow chart; only its labels survive in this text. The phases Business Planning, Validate, Create, Evaluate and Release to Production run left to right, each closing with a phase exit review. Activities shown along the flow: identify new product opportunities, develop project plan, IC design and layout, develop test hardware/software, bench and ATE verification, characterization, qualification, optimize test flow and yields, sample customers, build initial inventory, develop and build marketing collateral, and manage project risks (market and execution), carried by the design-in team and the project cross-functional team.]
Figure 2. TI New-Product Development Process
3.2
TI Safety Development Flow
The TI safety-development flow derives from ISO 26262 as a set of requirements and methodologies to be
applied to mixed-signal circuit safety-development flow. This flow is an integrated part of the TI new
product development process. The goal of the safety-development flow is to reduce systematic faults.
The safety-development flow targets compliance to IEC 61508 second edition and ISO 26262 second
edition, and is under a process of continuous improvement to incorporate new features of future ISO
26262 working-group drafts. It aligns with the TI QRAS AP00210 enhanced-safety development process.
While the safety-development flow is not directly targeted at other functional safety standards, TI expects
that many customers will determine that other functional safety systems can readily use products
developed to industry state-of-the-art.
Key elements of the TI safety-development flow are:
• Assumptions on system-level design, safety concept, and requirements based on TI's expertise in
safety-critical systems development
• Combined qualitative and quantitative or similar safety analysis techniques comprehending the sum of
silicon failure modes and diagnostic techniques
• Fault estimation based on multiple industry standards, as well as TI manufacturing data
• Integration of lessons learned through multiple safety-critical developments to IEC 61508 and
participation in the ISO 26262 international working group
Table 1 lists these activities overlaid atop the standard QM development flow. The table is reproduced here column by column, one list of safety activities per phase.
Table 1. TI New-Product Development Process
Business Opportunity Prescreen
• Determine if safety process execution is necessary
• Execute development interface agreement (DIA) with lead customers and suppliers
Program Planning
• Define SIL/ASIL capability
• Generate safety plan
• Initiate safety case
• Analyze assumed system to generate system level safety assumptions and requirements
• Develop component level safety requirements
• Validate component safety requirements meet system safety requirements
• Implement safety requirements in design specification
• Validate design specification meets component safety requirements
• Confirmation measure review
Create
• Execute safety design
• Qualitative analysis of design (FMEA and FTA)
• Incorporate findings into safety design
• Develop safety product preview
• Validation of mixed-signal safety design at transistor, gate and RTL level
• Quantitative analysis of design (FMEDA)
• Incorporate findings into safety design
• Validation of mixed-signal safety design at transistor/gate/physical layout level
• Confirmation measure review
Validate, Sample, and Characterize
• Validate safety design in silicon
• Release safety manual
• Release safety analysis report
• Characterization of safety design
• Confirmation measure review
Quality
• Qualification of safety design
• Release safety case report
• Update safety manual (if needed)
• Update safety analysis report (if needed)
• Confirmation measure review
Ramp/Sustain
• Implement plans to support operation and production
• Update safety case report (if needed)
• Periodic confirmation measure reviews
3.3
Development Interface Agreement
The intent of a development interface agreement (DIA) is to define the responsibilities of the customer and
supplier in facilitating the development of a functional safety system.
In custom developments, the DIA is a key document executed between customer and supplier early in the
process of developing both the system and the custom TI device. As the BQ79606A-Q1 device is a
commercial, off-the-shelf (COTS) product, refer requests for custom DIAs to your local TI sales office for
disposition.
The following sections highlight key points of the standard DIA.
3.3.1
Requirements Transfer
The BQ79606A-Q1 product is developed as a safety element out of context (SEooC) with a target safety
goal of ASIL-D for the measurement and reporting of battery cell voltages, ASIL-D for the measurement
and reporting of multiple temperature sensor voltages, and ASIL-B for the secondary protector function of
battery cell and temperature sensor voltages. Detailed safety requirements were not available from lead
customers during development. Therefore, the safety requirements used were based on TI analysis of
target safety applications.
TI is willing to discuss acceptance of new customer safety requirements for future designs; please contact
your local TI sales office for further information.
3.3.2
Availability of Safety Documentation
Table 2 lists the safety documentation for the BQ79606A-Q1 device, which is made available either
publicly or under a non-disclosure agreement (NDA):
Table 2. Safety Documentation
Deliverable Name: Safety Manual
Contents: User guide for the safety features of the product, including system level assumptions of use
Confidentiality: None
Deliverable Name: Safety Analysis Report Summary for BQ79606A-Q1 Multi-Rail Power Supply for Microcontrollers in Safety-Relevant Applications
Contents: Summary of FIT rates and device safety metrics according to ISO 26262 and/or IEC 61508 at device level.
Confidentiality: SafeTI NDA required
Deliverable Name: Detailed Safety Analysis Report for BQ79606A-Q1 Multi-Rail Power Supply for Microcontrollers in Safety-Relevant Applications
Contents: Full results of all available safety analysis documented in a format that allows computation of custom metrics
Confidentiality: SafeTI NDA required
4
BQ79606A-Q1 Product Architecture for Management of Random Faults
For safety-critical development, both systematic and random faults must be managed. The BQ79606A-Q1
product architecture integrates several modules that can detect and report random faults, allowing a host
microcontroller or other processing engine to return the device to a safe state.
The device has a core set of modules allocated to continuously operating hardware safety mechanisms. It
also provides programmable mechanisms to transition the device to the default (safe or shutdown) operating
state in the event of systematic or random faults.
This section introduces the operating states and the safe state of the BQ79606A-Q1.
4.1
Device Operating States
The BQ79606A-Q1 has multiple operating states. The system developer should monitor these operating states
in their software and system level design concepts. Refer to the BQ79606A-Q1 data sheet for details on the
operation of the operating-state machine. The following figure provides an overview of that state machine.
Figure 3. BQ79606A-Q1 Operating State machine
[Figure 3 is a state diagram; only its labels survive in this text and are summarized here.]
• Invalid Power: this is not really a state. The BQ79606A-Q1 remains in the previous state but is not operating while one or more POR thresholds are not satisfied; the device leaves this condition when all device PORs are GOOD.
• SHUTDOWN: digital held in RESET to hardware defaults. Active circuits: PORs, UVLO, WAKEUP detection, necessary LDOs, LP BG and references. WAKEUP exit condition: BASE device, WAKEUP pin low for tHLD_WAKE; STACK device, WAKE tone received. A WAKE/WAKEUP from SHUTDOWN resets the device to OTP defaults.
• SLEEP: OTP loaded. Active circuits: UVLO, cell balancing (if enabled and CB complete = 0), OV/UV comparators (if enabled), DC fault tone (if enabled), WAKEUP detection, necessary LDOs, LP BG and references. Exits: SLEEPtoACTIVE = 1 (BASE device, RX pin low for tUART(StA); STACK device, SLEEPtoACTIVE tone received) to ACTIVE; CommTOLong = 1 or Shutdown Command = 1 to SHUTDOWN; WAKEUP = 1 or WAKE = 1 resets to defaults.
• ACTIVE (Active Idle when not actively communicating or doing an ADC conversion): OTP loaded, all circuits active. Exits: CommTOShrt = 1 or Sleep Command = 1 to SLEEP; CommTOLong = 1 or a SHUTDOWN request (BASE device, WAKEUP pin low for tHLD_SD or shutdown command; STACK device, shutdown tone received or shutdown command) to SHUTDOWN; SOFT_RESET = 1, WAKEUP = 1 or WAKE = 1 resets to defaults.
The BQ79606A-Q1 always operates in one of four modes. The mode depends on the VBAT voltage and
the operational requirements of the system. A high level description of the modes is as follows:
• SHUTDOWN – The lowest power state available. In this state, most internal blocks are powered off
and monitoring is disabled. The device strictly monitors the WAKEUP input (for a stand-alone or
base/bridge device) for a low pulse or the COMx inputs (for stack devices) for a WAKE tone (Stack
Device Wakeup and Hardware Shutdown).
• SLEEP – In SLEEP mode, the device has limited functionality. The functions are limited to the voltage
and temperature protectors (OV/UV and OT/UT comparators), cell balancing, fault tones and
wake/shutdown detection.
• POR – In POR mode, the pack voltage is too low for the device to function. This is not a real state: the device
remains in the last state but does not operate.
• ACTIVE – In ACTIVE mode, the device is actively communicating with the host microcontroller or the
device above or below it in the stack.
4.2
Safe State
The device can be considered in a safe state when a battery cell Over-Voltage (OV), Under-Voltage (UV),
Over-Temperature (OT) or associated hardware fault is detected and signaled to an external element of
the system/item. The host is responsible for the fault reaction and for transitioning the system to a safe state.
The device can also be considered in a safe state when in the Invalid Power (Power Off) or SHUTDOWN states.
In these states the host system will experience communication failures with the device. Repeatable and consistent
communication failures are a fault indication, and the host is then responsible for determining whether the battery
pack contactors should be opened.
5
BQ79606A-Q1 Architecture Safety Mechanisms and Assumptions of Use
This section summarizes the safety mechanisms for each major functional block of the BQ79606A-Q1
architecture and provides their assumptions of use. Each assumption of use is indicated by [AoUx] with x
being the identification number. The safety analysis report notes the effectiveness of these safety
mechanisms.
Naturally, the system integrator must comprehensively assess effectiveness in the context of the specific
end use.
The safety measures described in this document may relate to one or more of the safety goals listed in Table 3.
Table 3. Assumed Safety Goal Number
Goal Number  Description
1            Voltage Monitoring (ADC measurements)
2            Temperature Monitoring (ADC measurements)
3            Voltage Protection (comparator measurements)
4            Temperature Protection (comparator measurements)
The number of each safety measure is not strictly sequential. Table 4 describes the number ranges and the related
device functionality each range covers.
Table 4. Safety Measure Numbering Scheme Description
Range    Coverage Description
0-99     Substantially related to supply rail and reference diagnostics
100-199  Substantially related to voltage monitoring
200-299  Substantially related to temperature monitoring
300-399  Substantially related to voltage protection
400-499  Substantially related to temperature protection
500-599  Substantially related to communication diagnostics
600+     Safety measures covering device functions not primarily in other categories
Table 5. Safety Mechanism Categories
Diagnostic Interval  Description
FDTI                 Mechanisms or diagnostic functions designed to be handled with external microcontroller assistance within each Fault Tolerant Detection Interval
MPFDI                Mechanisms or diagnostic functions designed to be executed with external microcontroller assistance at least once within the Multi Point Fault Detection Interval
AUTO                 Mechanisms that are passive elements or automatically executed by the ASIC
NOTE: Detection - a test which is run frequently or continuously for the purpose of preventing a
single point safety goal violation (e.g. output driver over-current reporting).
Diagnostic - a test which is performed periodically (e.g. once per ignition cycle) for the
purpose of preventing a latent safety goal violation, such as a failed detection (e.g. inject
over-current to verify that the over-current detection works).
5.1 Safety Mechanisms per Design Block
Table 6. Safety Mechanisms
Safety mechanisms that are used by multiple design blocks are listed once and are not repeated in this table.
Design Block | SM # | Functional Requirement Specification (Safety Features) | FDTI/MPFDI or Auto | Diagnostic/Detection
REFSYS (A) | SM1 | AVDD OV Flag | FDTI | Detection
REFSYS (A) | SM2 | AVDD UV Flag | FDTI | Detection
REFSYS (A) | SM4 | AVDD Current Limit | Auto | Detection
REFSYS (A) | SM21 | VLDO OV Flag | FDTI | Detection
REFSYS (A) | SM22 | CVDD UV Flag | FDTI | Detection
REFSYS (A) | SM23 | CVDD Current Limit | Auto | Detection
REFSYS (A) | SM31 | DVDD OV Flag | FDTI | Detection
REFSYS (A) | SM32 | DVDD Dig Reset Flag | FDTI | Detection
REFSYS (A) | SM33 | DVDD Current Limit | Auto | Detection
REFSYS (A) | SM41 | TSREF OV Flag | FDTI | Detection
REFSYS (A) | SM42 | TSREF UV Flag | FDTI | Detection
REFSYS (A) | SM44 | TSREF Current Limit | Auto | Detection
REFSYS (A) | SM61 | AVAO_REF OV Flag | FDTI | Detection
REFSYS (A) | SM62 | AVAO_REF UV POR | FDTI | Detection
REFSYS (A) | SM63 | AVDD_REF UV Flag | FDTI | Detection
REFSYS (A) | SM70 | REF3 Accuracy Meas. | MPFDI | Diagnostic
REFSYS (A) | SM81 | REF1 Oscillation | FDTI | Detection
AUX_ADC (B) | SM201 | AUXADC Linearity Check | FDTI | Detection
AUX_ADC (B) | SM202 | AUXADC Digital Circuit Check | FDTI | Detection
AUX_ADC (B) | SM203 | AUXADC Redundant Digital Filter Fault Injection | MPFDI | Diagnostic
AUX_ADC (B) | SM204 | AUXADC Gain/Offset & Register Check | FDTI | Detection
AUX_ADC (B) | SM240 | AUXADC Data Ready Check | FDTI | Detection
AUX_ADC (B) | SM250 | AUXADC Measurement Plausibility Check | FDTI | Detection
LDO (C) | SM3 | AVDD OSC Flag | FDTI | Detection
LDO (C) | SM43 | TSREF Osc Flag | FDTI | Detection
LDO (C) | SM710 | Check TWARN Flag | FDTI | Detection
CB-OW (D) | SM130 | VC Pin Path and Pin Open Check | FDTI | Detection
CB-OW (D) | SM131 | CB Pin Path and Pin Open Check | FDTI | Detection
CB-OW (D) | SM132 | VC and CB Pin Short Check | FDTI | Detection
PREF (E) | SM712 | Thermal Shutdown | FDTI | Detection
PREF (E) | SM80 | REF1 v REF2 Meas | FDTI | Detection
PREF (E) | SM711 | Die Temp v PTAT Sensor Accuracy | MPFDI | Diagnostic
PADRING (F) | SM24 | CVSS Pin Open Check | FDTI | Detection
PADRING (F) | SM34 | DVSS Pin Open Check | FDTI | Detection
PADRING (F) | SM82 | VIOUV Flag | FDTI | Detection
PADRING (F) | SM730 | Remove OTP Programming Voltage | MPFDI | Diagnostic
PADRING (F) | SM230 | GPIO Pin Open Check | FDTI | Detection
PADRING (F) | SM231 | GPIO Multiplexor and Pin Short Check | FDTI | Detection
PADRING (F) | SM233 | GPIO Fault Check | FDTI | Detection
PADRING (F) | SM520 | NFAULT Function Check | FDTI | Detection
OTUT (G) | SM403 | OT/UT DAC Voltage Measurement | MPFDI | Diagnostic
OTUT (G) | SM404 | Cell Voltage UT Comparator Check | FDTI | Detection
OTUT (G) | SM405 | Cell Voltage OT Comparator Check | FDTI | Detection
OTUT (G) | SM401 | Over/Under-Temperature BIST | FDTI | Detection
OTUT (G) | SM402 | Over/Under-Temperature Mux Selector Integrity | FDTI | Detection
Digital Core (H) | SM500 | COMM Response CRC & Source Check | FDTI | Detection
Digital Core (H) | SM501 | Device Addressing Check | FDTI | Detection
Digital Core (H) | SM502 | Short Comm Timeout Check | FDTI | Detection
Digital Core (H) | SM503 | Byte Error Check | FDTI | Detection
Digital Core (H) | SM504 | Start of frame Error Check | FDTI | Detection
Digital Core (H) | SM505 | UNEXP Error Check | FDTI | Detection
Digital Core (H) | SM506 | TXDIS Error Check | FDTI | Detection
Digital Core (H) | SM507 | Wait Error Check | FDTI | Detection
Digital Core (H) | SM508 | IERR Error Check | FDTI | Detection
Digital Core (H) | SM517 | UART communication STOP | FDTI | Detection
Digital Core (H) | SM518 | UART communication Reset | FDTI | Detection
Digital Core (H) | SM519 | UART communication Clear Break Detection Check | FDTI | Detection
Digital Core (H) | SM700 | Customer NVM-backed Registers CRC Check | FDTI | Detection
Digital Core (H) | SM701 | Fact NVM-Backed Register CRC Check | FDTI | Detection
Digital Core (H) | SM702 | NVM CRC Done Check | MPFDI | Diagnostic
Digital Core (H) | SM731 | OTP Programming Lock | MPFDI | Diagnostic
Digital Core (H) | SM740 | OTP ECC | MPFDI | Diagnostic
Digital Core (H) | SM741 | ECC_TEST manipulation | MPFDI | Diagnostic
Digital Core (H) | SM742 | OTP Customer load Error Check | FDTI | Detection
Digital Core (H) | SM743 | OTP Factory load Error Check | FDTI | Detection
Digital Core (H) | SM744 | OTP OverVoltage Error Check | FDTI | Detection
Digital Core (H) | SM745 | Normal Shutdown Check | FDTI | Detection
Digital Core (H) | SM990 | Fact Testmode Disabled | Auto | Detection
VIF (I) | SM509 | Daisy Chain communication SYNC1 Error Check | FDTI | Detection
VIF (I) | SM510 | Daisy Chain communication SYNC2 Error Check | FDTI | Detection
VIF (I) | SM511 | Daisy Chain communication Byte Order Error Check | FDTI | Detection
VIF (I) | SM512 | Daisy Chain communication DATA_MISS Error Check | FDTI | Detection
VIF (I) | SM513 | Daisy Chain communication BIT Error Check | FDTI | Detection
VIF (I) | SM514 | HeartBeat Fast Error Check | MPFDI | Diagnostic
VIF (I) | SM515 | HeartBeat Fail Error Check | MPFDI | Diagnostic
VIF (I) | SM516 | Fault Tone Error Check | MPFDI | Diagnostic
OVUV (J) | SM301 | Over/Under-Voltage BIST | FDTI | Detection
OVUV (J) | SM302 | Over/Under-Voltage Mux Selector Integrity | FDTI | Detection
OVUV (J) | SM303 | OV/UV DAC Voltage Measurement | MPFDI | Diagnostic
OVUV (J) | SM304 | Cell Voltage UV Comparator Check | FDTI | Detection
OVUV (J) | SM305 | Cell Voltage OV Comparator Check | FDTI | Detection
OVUV (J) | SM151 | VCB BIST Check | FDTI | Detection
OSC (K) | SM720 | LFOSC Accuracy Check | FDTI | Detection
OSC (K) | SM721 | LFO Watchdog | FDTI | Detection
OSC (K) | SM722 | HFO watchdog | FDTI | Detection
MEAS_ADC (L) | SM101 | Vcell ADC Path Accuracy Check | FDTI | Detection
MEAS_ADC (L) | SM104 | Vcell Gain/Offset & Register Check | FDTI | Detection
MEAS_ADC (L) | SM107 | Vcell Dig LPF Check | FDTI | Detection
MEAS_ADC (L) | SM108 | Vcell Redundant Dig LPF FI | MPFDI | Diagnostic
MEAS_ADC (L) | SM110 | Vcell ADC Conv Count | FDTI | Detection
MEAS_ADC (L) | SM130 | VC/CB Path, Pin Open & Leakage Check | FDTI | Detection
MEAS_ADC (L) | SM140 | Vcell Data Ready Check | FDTI | Detection
MEAS_ADC (L) | SM150 | Vcell Plausibility Check | FDTI | Detection
MEAS_ADC (L) | SM245 | Updated TJ Value | FDTI | Detection
TJ_ADC (M) | SM246 | TJ Plausibility | MPFDI | Diagnostic
5.2 Architecture Safety Mechanisms Related to Supply Rail and Reference Voltages
The BQ79606A-Q1 architecture safety mechanisms for the supply rail and reference voltages are
described in the next sections.
5.2.1 SM1: AVDD OV Flag
The BQ79606A-Q1 automatically compares the 5V AVDD LDO output voltage against an over-voltage
threshold. If a failure condition is valid, the AVDDOV bit in register RAIL_FAULT will be set. The LDO
output voltage is set based on a ratio to REF2. The OV Comparator threshold voltage is based on a ratio
to REF3.
[AoU1] — The host MCU will read the RAIL_FAULT register every FDTI to verify the AVDDOV bit is 0.
5.2.2 SM2: AVDD UV Flag
The BQ79606A-Q1 automatically compares the 5V AVDD LDO output voltage against an under-voltage
threshold. If a failure condition is valid, the AVDDUV bit in register RAIL_FAULT will be set. The LDO
output voltage is set based on a ratio to REF2. The UV Comparator threshold voltage is based on a ratio
to REF3.
[AoU2] — The host MCU will read the RAIL_FAULT register every FDTI to verify the AVDDUV bit is 0.
5.2.3 SM3: AVDD OSC Flag
The BQ79606A-Q1 analyzes the 5V AVDD LDO output for oscillations and sets flag AVDD_OSC in register
SYS_FAULT2 if detected. Oscillation faults may be caused by an open circuit in the decoupling capacitor
path.
[AoU3] — The host MCU will read the SYS_FAULT2 register every FDTI to verify the AVDD_OSC bit is
0.
5.2.4 SM4: AVDD Current Limit
The BQ79606A-Q1 measures the AVDD LDO output current and limits it according to the datasheet
specifications. This protects circuits in the case of a short circuit or severe transient load.
NOTE: The mechanism works continuously and has no status indication that can be monitored.
5.2.5 SM21: VLDO OV Flag
The BQ79606A-Q1 compares the 5V VLDO output voltage against an overvoltage threshold and sets flag
bit VLDOOV in register RAIL_FAULT. The OV comparator threshold voltage is based on a ratio to REF3.
[AoU4] — The host MCU will read the RAIL_FAULT register every FDTI to verify the VLDOOV bit is 0.
5.2.6 SM22: CVDD UV Flag
The BQ79606A-Q1 compares the 5V CVDD LDO output voltage against an undervoltage threshold and
sets flag bit CVDDUV in register RAIL_FAULT. The UV comparator threshold voltage is based on a ratio
to REF3.
[AoU5] — The host MCU will read the RAIL_FAULT register every FDTI to verify the CVDDUV bit is 0.
5.2.7 SM23: CVDD Current Limit
The BQ79606A-Q1 measures the CVDD LDO output current and limits it according to the datasheet
specifications. This protects circuits in the case of a short circuit or severe transient load.
NOTE: The mechanism works continuously and has no status indication that can be monitored.
5.2.8 SM24: CVSS Pin Open Check
The BQ79606A-Q1 CVSS pins are connected to AVSS at the system level by a connection on the PCB.
Internally, they are connected to AVSS by anti-parallel diodes. In case of an open circuit, it is possible that
under some conditions the IC will function almost normally. For that reason, an open pin detector has
been added to these pins with output flags in the SYS_FAULT2 register.
[AoU6] — The host MCU will read the SYS_FAULT2 register every FDTI to verify the CVSS_OPEN bit is
0.
5.2.9 SM31: DVDD OV Flag
The BQ79606A-Q1 compares the 1.8-V DVDD LDO output voltage against an overvoltage threshold and
sets flag bit DVDDOV in register RAIL_FAULT. The LDO output voltage is set based on a ratio to REF2.
The OV comparator threshold voltage is based on a ratio to REF3.
[AoU7] — The host MCU will read the RAIL_FAULT register every FDTI to verify the DVDDOV bit is 0.
5.2.10 SM32: DVDD DRST Flag
The BQ79606A-Q1 compares the 1.8-V DVDD LDO output voltage against an undervoltage threshold.
Whenever the DVDD supply is below the UV threshold, the DRST flag in register SYS_FAULT1 is set.
The LDO output voltage is set based on a ratio to REF2. The OV comparator threshold voltage is based
on a ratio to REF3.
[AoU8] — The host MCU will read the SYS_FAULT1 register after the device resets to verify the DRST
bit is 1. In this condition, the bit can be cleared to 0 without issue.
[AoU9] — The host MCU will read the SYS_FAULT1 register every FDTI after waking the device to verify
the POR bit is 0. If the bit is not 0 then the device went through a SHUTDOWN cycle. The bit
should be cleared and the appropriate action should be taken depending on the conditions
surrounding the event.
5.2.11 SM33: DVDD Current Limit
The BQ79606A-Q1 measures the DVDD LDO output current and limits it according to the datasheet
specifications. This protects circuits in the case of a short circuit or severe transient load.
NOTE: The mechanism works continuously and has no status indication that can be monitored.
5.2.12 SM34: DVSS Pin Open Check
The BQ79606A-Q1 DVSS pins are connected to AVSS at the system level by a connection on the PCB.
Internally, they are connected to AVSS by anti-parallel diodes. In case of an open circuit, it is possible that
under some conditions the IC will function almost normally. For that reason, an open pin detector has
been added to these pins with output flags in the SYS_FAULT2 register.
[AoU10] — The host MCU will read the SYS_FAULT2 register every FDTI to verify the DVSS_OPEN bit
is 0.
5.2.13 SM41: TSREF OV Flag
The BQ79606A-Q1 compares the 2.5-V TSREF LDO output voltage against an overvoltage threshold and
sets flag bit TSREFOV in register RAIL_FAULT. The LDO output voltage is set based on a ratio to REF1.
The OV comparator threshold voltage is based on a ratio to REF3.
[AoU11] — The host MCU will read the RAIL_FAULT register every FDTI to verify the TSREFOV bit is 0.
5.2.14 SM42: TSREF UV Flag
The BQ79606A-Q1 compares the 2.5-V TSREF LDO output voltage against an undervoltage threshold
and sets flag bit TSREFUV in register RAIL_FAULT. The LDO output voltage is set based on a ratio to
REF1. The UV comparator threshold voltage is based on a ratio to REF3.
[AoU12] — The host MCU will read the RAIL_FAULT register every FDTI to verify the TSREFUV bit is 0.
5.2.15 SM43: TSREF OSC Flag
The BQ79606A-Q1 analyzes the 2.5-V TSREF LDO output for oscillations and sets flag TSREF_OSC in
register SYS_FAULT2 if detected. Valid reading of the flag bit register ensures SPF and MPF coverage.
MPF coverage may be obtained by any communication check.
[AoU13] — The host MCU will read the SYS_FAULT2 register every FDTI to verify the TSREF_OSC bit is
0.
5.2.16 SM44: TSREF Current Limit
The BQ79606A-Q1 measures the TSREF LDO output current and limits it according to the datasheet
specifications. This protects circuits in the case of a short circuit or severe transient load.
NOTE: The mechanism works continuously and has no status indication that can be monitored.
5.2.17 SM61: AVAO_REF OV Flag
The BQ79606A-Q1 compares the 2.4-V always-on AVAO_REF LDO output voltage against an
overvoltage threshold and sets flag bit AVAO_REF_OV in register SYS_FAULT1. The output is self-regulated.
The OV comparator threshold voltage is also self-generated within the block.
[AoU14] — The host MCU will read the SYS_FAULT1 register every FDTI to verify the AVAO_REF_OV
bit is 0.
5.2.18 SM62: AVAO_REF UV POR
The BQ79606A-Q1 compares the 2.4-V AVAO_REF LDO output voltage against an undervoltage
threshold. If undervoltage occurs, the device is in the Power-On-Reset (POR) state with nearly all circuits
shutdown and held in reset; the communication block will cease to function in this case. The output of
AVAO_REF is self-regulated. The UV comparator threshold voltage is also self-generated within the block.
[AoU15] — The host MCU will run other safety mechanisms described in this safety manual and will
detect if communication fails for those diagnostics.
[AoU16] — The host MCU will take appropriate action to put the system in a safe state if communication
fails as a result of the device going into Power-On-Reset.
[AoU17] — The host MCU will read the SYS_FAULT1 register if the device recovers after a detected
communication fault to determine if the DRST bit is 1. The host will then clear the bit to 0 and
record that a Power-On-Reset event occurred.
5.2.19 SM63: AVDD_REF UV Flag
The BQ79606A-Q1 compares the 2.4-V AVAO_REF LDO output voltage against the AVDD_REF rail,
which is the supply for references REF2 and REF3 among other things. The two rails are connected by a
switch that should have a very small voltage drop across it. If the voltage drop exceeds the datasheet limit
specified by VAVDDREF_FLTZ, the AVDD_REFUV flag in register RAIL_FAULT is set.
[AoU18] — The host MCU will read the RAIL_FAULT register every FDTI to verify the AVDD_REFUV bit
is 0.
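The flag checks in 5.2.1 through 5.2.19 all reduce to one host-side pattern: read RAIL_FAULT, SYS_FAULT1 and SYS_FAULT2 once per FDTI, require every listed flag to be 0, and handle DRST and POR differently right after a reset (SM32, [AoU8] and [AoU9]). The C below is an added, table-driven illustration of that pattern, not TI code; the bit positions, the clear-mask handling and the register images are placeholders constructed for this example, and the real bit positions must be taken from the BQ79606A-Q1 datasheet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Register names are from the safety manual. The bit positions below are
 * PLACEHOLDERS chosen for this example; replace them with the positions given
 * in the BQ79606A-Q1 datasheet register map before use. */
typedef enum { REG_RAIL_FAULT, REG_SYS_FAULT1, REG_SYS_FAULT2 } reg_id_t;

typedef struct {
    reg_id_t    reg;   /* register holding the flag                 */
    uint8_t     mask;  /* placeholder bit mask within that register */
    const char *sm;    /* safety mechanism the flag belongs to      */
    const char *flag;  /* flag name as used in the manual           */
} flag_check_t;

/* Flags that must read 0 every FDTI ([AoU1]-[AoU7], [AoU10]-[AoU14], [AoU18], [AoU22]). */
static const flag_check_t k_fdti_flags[] = {
    { REG_RAIL_FAULT, 1u << 0, "SM1",  "AVDDOV"      },
    { REG_RAIL_FAULT, 1u << 1, "SM2",  "AVDDUV"      },
    { REG_RAIL_FAULT, 1u << 2, "SM21", "VLDOOV"      },
    { REG_RAIL_FAULT, 1u << 3, "SM22", "CVDDUV"      },
    { REG_RAIL_FAULT, 1u << 4, "SM31", "DVDDOV"      },
    { REG_RAIL_FAULT, 1u << 5, "SM41", "TSREFOV"     },
    { REG_RAIL_FAULT, 1u << 6, "SM42", "TSREFUV"     },
    { REG_RAIL_FAULT, 1u << 7, "SM63", "AVDD_REFUV"  },
    { REG_SYS_FAULT1, 1u << 2, "SM61", "AVAO_REF_OV" },
    { REG_SYS_FAULT2, 1u << 0, "SM3",  "AVDD_OSC"    },
    { REG_SYS_FAULT2, 1u << 1, "SM24", "CVSS_OPEN"   },
    { REG_SYS_FAULT2, 1u << 2, "SM34", "DVSS_OPEN"   },
    { REG_SYS_FAULT2, 1u << 3, "SM43", "TSREF_OSC"   },
    { REG_SYS_FAULT2, 1u << 4, "SM81", "REF1_OSC"    },
};
#define N_FDTI_FLAGS (sizeof k_fdti_flags / sizeof k_fdti_flags[0])

/* SYS_FAULT1 bits handled separately for SM32 ([AoU8]/[AoU9]); placeholder positions. */
#define SYS_FAULT1_DRST (1u << 0)
#define SYS_FAULT1_POR  (1u << 1)

/* Register images captured in one FDTI read of the device. */
typedef struct {
    uint8_t rail_fault;
    uint8_t sys_fault1;
    uint8_t sys_fault2;
} rail_regs_t;

static uint8_t reg_value(const rail_regs_t *r, reg_id_t id)
{
    switch (id) {
    case REG_RAIL_FAULT: return r->rail_fault;
    case REG_SYS_FAULT1: return r->sys_fault1;
    default:             return r->sys_fault2;
    }
}

/* Scan the FDTI flag list and store up to max_hits asserted entries in hits.
 * Returns the total number of asserted flags; 0 means every rail flag is 0. */
size_t rail_flags_asserted(const rail_regs_t *r, const flag_check_t **hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < N_FDTI_FLAGS; i++) {
        if (reg_value(r, k_fdti_flags[i].reg) & k_fdti_flags[i].mask) {
            if (n < max_hits) hits[n] = &k_fdti_flags[i];
            n++;
        }
    }
    return n;
}

typedef enum {
    RESET_STATUS_OK,            /* nothing to report                                  */
    RESET_STATUS_DRST_MISSING,  /* [AoU8]: DRST expected to be 1 right after a reset   */
    RESET_STATUS_UNEXPECTED     /* [AoU9]: POR set in normal operation, i.e. the device */
                                /* went through a SHUTDOWN cycle and the host must act  */
} reset_status_t;

/* SM32 handling. after_reset is true only for the first read following a
 * commanded device reset. *clear_mask receives the SYS_FAULT1 bits the host
 * should write back to clear (the clear mechanism itself is not modelled). */
reset_status_t check_reset_flags(const rail_regs_t *r, bool after_reset, uint8_t *clear_mask)
{
    *clear_mask = 0;
    if (after_reset) {
        if (!(r->sys_fault1 & SYS_FAULT1_DRST)) return RESET_STATUS_DRST_MISSING;
        *clear_mask = SYS_FAULT1_DRST;   /* expected after a reset: clear without issue */
        return RESET_STATUS_OK;
    }
    if (r->sys_fault1 & SYS_FAULT1_POR) {
        *clear_mask = SYS_FAULT1_POR;    /* clear, record the event, then take action */
        return RESET_STATUS_UNEXPECTED;
    }
    return RESET_STATUS_OK;
}
```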
5.2.20 SM70: REF3 Accuracy Measurement
The BQ79606A-Q1 REF3 is the reference for the LDO OV and UV comparator thresholds. The voltage
can be measured via the AUXADC. The host can then compare the 16-bit value of AUX_REF3 to the
expected value. The voltage is used only for diagnostic functions, providing latent fault coverage only.
[AoU19] — The host MCU will execute the procedure once every drive cycle.
Figure 4. SM70: REF3 Accuracy Measurement (flowchart steps)
1. Write: REF3_EN in AUX_ADC_CTRL1
2. Read: DRDY_AUX bit in DEV_STAT to confirm that value = 0
3. Write: AUX_ADC_GO in CONTROL2
4. Wait: time for AUXADC measurements to complete
5. Read: AUX_REF3H/L
6. Read: DRDY_AUX bit in DEV_STAT to confirm that the measurement result is fresh
7. Host compare: compare 16-bit value of AUX_REF3 to the expected value
8. Host decision
5.2.21 SM80: REF1 vs REF2 Accuracy Measurement
The BQ79606A-Q1 REF1 is the primary reference for the ADCs and REF2 is the primary reference for the
protection comparators. The REF2 voltage can be measured via the AUXADC. The host can then
compare the 16-bit value of AUX_REF2 to the expected value, to ensure SPF coverage for the two
references.
[AoU20] — The host MCU will execute the procedure once every FDTI.
[AoU21] — If the result of the procedure in AoU20 is incorrect, the host MCU will take appropriate action
to put the system in a safe state.
Figure 5. SM80: REF1 vs REF2 Accuracy Measurement (flowchart steps)
1. Write: REF2_EN in AUX_ADC_CTRL1
2. Read: DRDY_AUX bit in DEV_STAT to confirm that value = 0
3. Write: AUX_ADC_GO in CONTROL2
4. Wait: time for AUXADC measurements to complete
5. Read: AUX_REF2H/L
6. Read: DRDY_AUX bit in DEV_STAT to confirm that the measurement result is fresh
7. Host compare: compare 16-bit value of AUX_REF2 to the expected value
8. Host decision
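The SM70 and SM80 flows in Figures 4 and 5 differ only in which reference is enabled and which AUX_REFx register is read. The C below is an added example, not TI code, that walks the shared sequence against a constructed stand-in for the device; the bit positions, the reference codes, the tolerance and the read-to-clear behaviour of DRDY_AUX in the simulation are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Register and bit names are from the safety manual; the numeric bit positions
 * are PLACEHOLDERS for this example, to be taken from the datasheet in real use. */
#define AUX_ADC_CTRL1_REF2_EN  (1u << 0)
#define AUX_ADC_CTRL1_REF3_EN  (1u << 1)
#define CONTROL2_AUX_ADC_GO    (1u << 0)
#define DEV_STAT_DRDY_AUX      (1u << 0)

/* Constructed stand-in for the device as seen over the bus. It models only what
 * the SM70/SM80 flow touches: AUX_ADC_GO clears DRDY_AUX and starts a conversion;
 * when the host's wait elapses, the enabled reference's code is latched into
 * AUX_REFxH/L and DRDY_AUX is set. Reading DEV_STAT clears DRDY_AUX again
 * (read-to-clear is an assumption of this simulation, not a datasheet fact). */
typedef struct {
    uint8_t  aux_adc_ctrl1;
    uint8_t  dev_stat;
    uint16_t aux_ref2;    /* AUX_REF2H/L as one 16-bit code        */
    uint16_t aux_ref3;    /* AUX_REF3H/L as one 16-bit code        */
    uint16_t ref2_code;   /* what the simulated REF2 measures as   */
    uint16_t ref3_code;   /* what the simulated REF3 measures as   */
    bool     busy;
} sim_dev_t;

static uint8_t sim_read_dev_stat(sim_dev_t *d)
{
    uint8_t v = d->dev_stat;
    d->dev_stat &= (uint8_t)~DEV_STAT_DRDY_AUX;
    return v;
}

static void sim_write_control2(sim_dev_t *d, uint8_t v)
{
    if (v & CONTROL2_AUX_ADC_GO) {
        d->dev_stat &= (uint8_t)~DEV_STAT_DRDY_AUX;  /* old result is no longer fresh */
        d->busy = true;
    }
}

/* The host's wait for the AUXADC conversion; the simulation completes it here. */
static void sim_wait_for_conversion(sim_dev_t *d)
{
    if (!d->busy) return;
    if (d->aux_adc_ctrl1 & AUX_ADC_CTRL1_REF2_EN) d->aux_ref2 = d->ref2_code;
    if (d->aux_adc_ctrl1 & AUX_ADC_CTRL1_REF3_EN) d->aux_ref3 = d->ref3_code;
    d->dev_stat |= DEV_STAT_DRDY_AUX;
    d->busy = false;
}

typedef enum {
    REF_CHECK_PASS,
    REF_CHECK_STALE_BEFORE,  /* DRDY_AUX was already 1 before the trigger (step 2) */
    REF_CHECK_NOT_FRESH,     /* DRDY_AUX not set after the wait (step 6)          */
    REF_CHECK_OUT_OF_TOL     /* |measured - expected| exceeds the tolerance       */
} ref_check_t;

/* One pass of the SM70 (use_ref3 = true) or SM80 (use_ref3 = false) flow.
 * expected and tolerance are 16-bit AUXADC codes chosen by the integrator. */
ref_check_t reference_accuracy_check(sim_dev_t *d, bool use_ref3,
                                     uint16_t expected, uint16_t tolerance,
                                     uint16_t *measured)
{
    /* 1. Write REFx_EN in AUX_ADC_CTRL1 */
    d->aux_adc_ctrl1 = use_ref3 ? AUX_ADC_CTRL1_REF3_EN : AUX_ADC_CTRL1_REF2_EN;
    /* 2. Read DRDY_AUX in DEV_STAT and confirm it is 0 */
    if (sim_read_dev_stat(d) & DEV_STAT_DRDY_AUX) return REF_CHECK_STALE_BEFORE;
    /* 3. Write AUX_ADC_GO in CONTROL2 */
    sim_write_control2(d, CONTROL2_AUX_ADC_GO);
    /* 4. Wait for the AUXADC measurement to complete */
    sim_wait_for_conversion(d);
    /* 5. Read AUX_REFxH/L */
    *measured = use_ref3 ? d->aux_ref3 : d->aux_ref2;
    /* 6. Read DRDY_AUX again to confirm the result is fresh */
    if (!(sim_read_dev_stat(d) & DEV_STAT_DRDY_AUX)) return REF_CHECK_NOT_FRESH;
    /* 7. Host compare: 16-bit value against the expected value */
    int32_t diff = (int32_t)*measured - (int32_t)expected;
    if (diff < 0) diff = -diff;
    return diff <= (int32_t)tolerance ? REF_CHECK_PASS : REF_CHECK_OUT_OF_TOL;
}
```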
5.2.22 SM81: REF1 Oscillation
The BQ79606A-Q1 REF1 is the primary reference for the ADCs. An internal circuit automatically runs to
detect if REF1 is oscillating by more than 200 mV with a frequency greater than 10 kHz.
[AoU22] — The host MCU will read the SYS_FAULT2 register every FDTI to verify the REF1_OSC bit is
0.
5.2.23 SM82: VIOUV Flag
VIO is the supply for digital inputs. VIO is monitored for under-voltage continuously and if the voltage is
less than a threshold, the VIOUV flag is set in the SYS_FAULT3 register.
NOTE: Do not toggle VIO in shutdown mode, otherwise the device may exit shutdown mode.
5.3 Architecture Safety Mechanisms Related to Cell Voltage Monitoring
The following sections describe safety mechanisms that diagnose faults in the path from the cell input pins
to the communication block.
5.3.1 SM101: Vcell ADC Path Accuracy Check
Accuracy of all six Vcell measurement paths is primarily diagnosed by measuring each of the source
voltages, one at a time, through a redundant path using the CB input pins and the AUXADC. One of the
cell positions is selected to be measured by the auxiliary path. The primary and auxiliary paths are
measured nearly simultaneously and with both paths having the same frequency responses. That means
the results may be compared directly to check for inaccuracies. The OV/UV comparator round-robin
execution is stopped while the AUXADC path is connected to the cell voltage under test.
[AoU23] — The host MCU will execute the procedure once per channel every FDTI.
[AoU24] — If the result of the procedure in AoU23 indicates a fault, the host MCU will either fall back to
using only the Cell Over-Voltage/Under-Voltage protectors to determine state of the battery cells or
take appropriate action to put the system in a safe state.
Figure 6. SM101: VCell ADC Path Accuracy Check (flowchart steps)
1. Write: AUX_CELL_SEL_EN and AUX_CELL_SEL[2:0] in DIAG_CTRL2 to 0xn, where n is the cell channel under test
2. Wait: for the AUXADC analog filter to settle
3. Write: AUX_ADC_GO in CONTROL2
4. Wait: for the Vcell and AUXADC measurements to complete
5. Read: VcellnH/L, where n is the cell channel under test
6. Read: AUX_CELLH/L
7. Read: DRDY_AUX bit in DEV_STAT to confirm that the measurement result is fresh
8. Clear: AUX_CELL_SEL[2:0] and AUX_CELL_SEL_EN in DIAG_CTRL2
9. Host compare: compare the 16-bit value of AUX_CELL to VCELLn; the difference between the two values should be less than the specified range
10. Host decision
5.3.2 SM104: Vcell Gain/Offset and Output Register Check
VCell has factory and field programmable gain and offset registers. The registers are programmed at the
factory for Vcell. Further adjustment of the registers can be performed in the field.
This check can be performed by comparing the expected value of VCELLn calculated to the actual value.
The two values should match bit for bit.
This procedure assumes that any changes to the field programmable gain and offset registers maintain
specified accuracies of measurements at the system level.
[AoU25] — The host MCU will execute the procedure once per channel every FDTI.
[AoU26] — If the result of the procedure in AoU25 indicates a fault, the host MCU will either fall back to
using only the Cell Over-Voltage/Under-Voltage protectors to determine state of the battery cells or
take appropriate action to put the system in a safe state.
Figure 7. SM104: VCell Gain and Offset Register Check (flowchart steps)
1. Write: AUX_CELL_SEL_EN and AUX_CELL_SEL[2:0] in DIAG_CTRL2 to 0xn, where n is the cell channel under test
2. Write: CELL_ADC_GO in CONTROL2
3. Wait: for the Vcell measurement to complete
4. Read: VCELLnH/L, where n is the cell channel under test
5. Read: VCELL_FACTCORRH/L
6. Read: DRDY_AUX bit in DEV_STAT to confirm that the measurement result is fresh
7. Clear: AUX_CELL_SEL_EN and AUX_CELL_SEL[2:0] in DIAG_CTRL2
8. Host write: take the VCELL_FACTCORR 16-bit value and apply the gain and offset correction factors specified by registers CELLn_GAIN and CELLn_OFF
9. Host compare: compare the expected value of VCELLn calculated in the previous step to the actual value; the two values should match bit for bit
10. Host decision
5.3.3 SM107: Vcell Digital Low-Pass Filter Check
When the digital low-pass filter is enabled and the results read by the system, the filter performance can
be diagnosed one channel at a time through a redundant filter circuit. The channel to be diagnosed is
selected by AUX_CELL_SEL[2:0] in register DIAG_CTRL2. The IC initializes the redundant filter when
AUX_CELL_SEL is changed and continuously compares the primary low-pass filter output of the channel
under test with the redundant circuit output and sets the LP_FILT flag in register SYS_FAULT3 if the
results do not match.
[AoU27] — The BQ79606A-Q1 is running in continuous conversion mode and the host is reading the
CONV_CNTH and CONV_CNTL registers every FDTI.
[AoU28] — If running in continuous conversion mode, the host reads the SYS_FAULT3 register every
FDTI to verify the LP_FILT bit is 0.
5.3.4 SM108: Vcell Redundant Digital Low-Pass Filter Fault Injection
The redundant low-pass filter result is compared to the primary path low-pass filter value, with the
fault/no-fault result being indicated by the LP_FILT flag in SYS_FAULT3. A fault may be injected into the
redundant low-pass filter circuit to diagnose proper operation of the redundant filter and the fault flag.
Since the redundant low-pass filter circuit is multiplexed to one channel at a time, it is only necessary to
diagnose the redundant circuit for a single channel setting.
[AoU29] — The host MCU will execute the procedure in the BQ79606A-Q1 datasheet once every drive
cycle if configuring the device to run with continuous conversions and the low pass filter enabled.
[AoU30] — The host MCU will read the SYS_FAULT3 register to confirm that the LP_FILT bit is toggled
from 0 to 1 and back to 0.
5.3.5 SM110: Vcell ADC Conversion Count
In continuous conversion mode, the Vcell ADCs are strobed internally to update the measurement results
for both the filtered and non-filtered outputs. A counter keeps track of how many conversions have
completed. To ensure proper updates are occurring, the counter should be read periodically and the result
compared to the expected conversion count based on the elapsed time and the ADC configuration
settings. The counter is reset when ADC_GO = 1 or when it is read.
[AoU31] — The BQ79606A-Q1 is running in continuous conversion mode and the host is reading the
CONV_CNTH and CONV_CNTL registers every FDTI.
5.3.6 SM130: VC Path and Pin Open Check
Each VCn and corresponding CBn pin pair have a current sink that is shared between the two. To
diagnose VC path and pin opens, the current sources are turned on, which produces a voltage change that
can be detected in the case of an open circuit. By taking voltage measurements before and after the
current sources are turned on and verifying that the difference between the voltage values is minimal, the
integrity of the path is confirmed.
[AoU32] — The host MCU runs the procedure for open pin connection every FDTI.
Figure 8. SM130: VC Path and Pin Open Check (flowchart steps)
1. Write: CELL_ADC_GO in CONTROL2
2. Wait: for the Vcell measurement to complete
3. Read: VCELLnH/L, where n is the cell channel under test, and store the results
4. Store: result A
5. Write: VC_CS_CTRL to 7Fh each to turn on the current sinks and sources
6. Wait: time for the circuit to drift if open (~100 mV/ms; or wait 2 ms total since the current sources were turned on) and for the filter to settle
7. Write: CELL_ADC_GO in CONTROL2
8. Wait: for the Vcell measurement to complete
9. Read: DRDY_CELL bit in DEV_STAT to confirm that the measurement result is fresh
10. Read: VCELLnH/L, where n is the cell channel under test, and store the results
11. Store: result B
12. Host compare: compare results A and B. The results should be within TBD mV of each other; otherwise the Vcell path from the cell is open
13. Host decision
5.3.7 SM131: CB Path and Pin Open Check
Each VCn and corresponding CBn pin pair have a current sink that is shared between the two. To
diagnose CB path and pin opens, the current sources are turned on, which produces a voltage change
that can be detected in the case of an open circuit. By taking voltage measurements before and after the
current sources are turned on and verifying that the difference between the voltage values is minimal, the
integrity of the path is confirmed.
[AoU33] — The host MCU runs the procedure for open pin connection every FDTI.
Figure 9. SM131: CB Path and Pin Open Check (flowchart steps)
1. Set: AUX_CELL_SEL_EN and AUX_CELL_SEL[2:0] in DIAG_CTRL2 to 0xn, where n is the cell channel under test
2. Write: AUX_ADC_GO in CONTROL2
3. Read: AUXCELLnH/L, where n is the cell channel under test, and store the results
4. Store: result A
5. Write: CB_CS_CTRL to 7Fh each to turn on the current sinks and sources
6. Wait: time for the circuit to drift if open (~100 mV/ms; or wait 2 ms total since the current sources were turned on) and for the AUXADC analog filter to settle
7. Write: AUX_ADC_GO in CONTROL2
8. Wait: for the AUX measurement to complete
9. Read: DRDY_AUX bit in DEV_STAT to confirm that the measurement result is fresh
10. Clear: AUX_CELL_SEL_EN and AUX_CELL_SEL[2:0] in DIAG_CTRL2
11. Read: AUXCELLnH/L, where n is the cell channel under test, and store the results
12. Store: result B
13. Host compare: compare results A and B. The results should be within TBD mV of each other; otherwise the Vcell path from the cell is open
14. Host decision
5.3.8 SM132: VC and CB Pin Short Check
A short between the VC and CB pins can be detected by monitoring the VC voltage. The Vcell voltage
values must be read before the CB FET is turned ON. If the pins are not shorted, the difference between
the before and after voltage values will be minimal.
Figure 10. SM132: VC and CB Pin Short Check (flowchart steps)
1. Write: CELL_ADC_GO in CONTROL2
2. Wait: for the Vcell measurement to complete
3. Read: VCELLnH/L, where n is the cell channel under test, and store the results
4. Store: result A
5. Read: CB_SW_STAT register, to ensure cell balancing is not active
6. Write: CELLn_EN = 1 bit in the CB_SW_EN register, where n is the cell under test
7. Write: CELL_ADC_GO in CONTROL2
8. Wait: for the Vcell measurement to complete
9. Read: VCELLnH/L, where n is the cell channel under test, and store the results
10. Store: result B
11. Write: CELLn_EN = 1 bit in the CB_SW_EN register, where n is the cell under test
12. Host compare: compare results A and B. The results should be within TBD mV of each other; otherwise the CB pin is shorted to the VC pin
13. Host decision
5.3.9 SM140: Vcell Data Ready Check
Reading the data ready bit, DRDY_CELL in DEV_STAT, confirms that the previous single conversion
measurement cycle completed.
[AoU34] — The host MCU reads the DEV_STAT every FDTI only if a single conversion mode is enabled.
5.3.10 SM150: Vcell Measurement Plausibility Check
If a Vcell ADC conversion is expected and requested, the updated result should be checked for
plausibility. First, the result in the output register should not be equal to 0x8000. That value is the default
value at the start of the conversion and signifies that the conversion was not completed for that channel,
either because the channel was not enabled or the state machine did not complete for that channel.
Secondly, the result should be within the normal operating range of the source voltage.
[AoU35] — The host MCU will read all VCELL ADC output values every FDTI.
[AoU36] — The host MCU compares the read values against an expected range that is determined by the
system designer.
5.3.11 SM151: VCB BIST Check
The CBDONE comparator contains a BIST function for diagnostic purposes. The BIST can be enabled by
the OVUV_MODE bit in the DIAG_CTRL1 register. When enabled, the BIST tests the comparators. The
comparator is tested by comparing a diagnostic DAC voltage (generated from REF2) to the selected
threshold. The diagnostic DAC voltage is switched from 2 LSB below the threshold to 2 LSB above the
threshold and the output of the comparator is checked to ensure it switches.
If the BIST fails during the VCBDONE comparator BIST test, the CB_VDONE flag in SYS_FAULT3 is set.
5.4 Architecture Safety Mechanisms Related to Temperature Sensor Voltage Monitoring
The BQ79606A-Q1 has a shared ADC for all temperature sensor measurements. These sensors should
be connected to the GPIO pins of the BQ79606A-Q1. The following safety mechanisms deal with the
diagnostics of that ADC and the GPIO pins.
5.4.1 SM201: AUXADC Linearity Check
The analog front end of the delta-sigma ADC consists of a modulator circuit outputting a stream of
duty-cycle modulated pulses. Since this circuit is linear, its operation is verified by confirming the output
results for at least two known voltage inputs. For this check, three known voltages, 0 V, REF2 (1.1 V), and
AVDD (scaled to 4.5 V), are available for conversion through the AUXADC.
[AoU37] — The BQ79606A-Q1 is fully powered and addressed prior to the start of the diagnostic.
[AoU38] — The host MCU will run the AUXADC Linearity Test every FDTI.
- Write: AVDD_EN, ZERO_EN and REF2_EN in AUX_ADC_CTRL1
- Write: AUX_ADC_GO in CONTROL2
- Read: AUX_REF2H/L and compare value to 0x8000; AUX_ZEROH/L and compare value to 0x8000; AUX_AVDDH/L and compare value to 0x8000
- Wait: 1 conversion cycle
- Read: AUX_STAT and DRDY_AUX in DEVSTAT and verify conversion is complete
- Write: AVDD_EN, ZERO_EN and REF2_EN in AUX_ADC_CTRL1
- Read: AUX_REF2H/L and compare value to 2.5 V; AUX_ZEROH/L and compare value to 0 V; AUX_AVDDH/L and compare value to 1.1 V
- End
Figure 11. SM201: AUXADC Linearity Check
5.4.2 SM202: AUXADC Digital Circuit Check
The digital filter and correction circuitry of the AUXADC can be diagnosed one channel at a time through a
redundant circuit. The channel to be diagnosed is selected by AUX_GPIO_SEL[2:0] in register
DIAG_CTRL2. The IC continuously compares the primary digital output of the AUXADC with the
redundant circuit output and sets the AUX_FILT flag in register SYS_FAULT3 if the results do not match.
[AoU39] — The BQ79606A-Q1 will run the GPIO Digital Circuit Check for each enabled GPIO
temperature sensor channel and read the SYS_FAULT3 register every FDTI.
- Write: AUX_GPIO_SEL[2:0] in DIAG_CTRL2 to 0xn, where n is the cell channel under test
- Write: AUX_ADC_GO in CONTROL2
- Wait: for filter fault state to update
- Read: AUX_FLT in SYS_FLT3 and verify it is not FALSE
- Write: AUX_FLT_INJ in DIAG_CTRL1
- Write: AUX_ADC_GO in CTRL2
- Wait: for filter fault state to update
- Read: AUX_FLT in SYS_FLT3 and verify it is TRUE
- Write: AUX_FLT_RST to clear fault
- Clear: AUX_GPIO_SEL[2:0] in DIAG_CTRL2 to 0xn, where n is the cell channel under test
- End
Figure 12. SM202: AUXADC Digital Circuit Check
5.4.3 SM203: AUXADC Redundant Digital Filter Fault Injection
The redundant digital SINC filter result is compared to the primary path SINC filter value, with the
fault/no-fault result indicated by the AUX_FILT flag in SYS_FAULT3. A fault may be injected into the
redundant SINC filter circuit to diagnose proper operation of the redundant filter and the fault flag. Since
the redundant filter circuit is multiplexed to one channel at a time, it is only necessary to diagnose the
redundant circuit for a single channel setting.
[AoU40] — The BQ79606A-Q1 is fully powered and addressed prior to the start of the diagnostic. The
SYS_FAULT3[AUX_FILT] bit will be cleared to 0 and the GPIO1 channel will be enabled for AUX
measurement.
[AoU41] — The host MCU will run the Redundant Digital Filter Fault Injection once every drive cycle.
- Write: AUX_GPIO_SEL[2:0] in DIAG_CTRL2 to 0xn, where n is the cell channel under test
- Write: AUX_ADC_GO in CONTROL2
- Wait: for filter fault state to update
- Read: AUX_FLT in SYS_FLT3 and verify it is not FALSE
- Write: AUXDIG_FLT_INJ in DIAG_CTRL1
- Write: AUX_ADC_GO in CTRL2
- Wait: for filter fault state to update
- Read: AUX_FLT in SYS_FLT3 and verify it is TRUE
- Write: AUX_FLT_RST to clear fault
- Clear: AUX_GPIO_SEL[2:0] in DIAG_CTRL2 to 0xn, where n is the cell channel under test
- End
Figure 13. SM203: AUXADC Redundant Digital Filter Fault Injection
5.4.4 SM204: AUXADC Gain/Offset and Output Register Check
AUX ADCs have factory and field programmable gain and offset registers. The registers are programmed
at the factory for AUXADC. Further adjustment of the registers can be performed in the field.
This check can be performed by comparing the expected value of AUXADC calculated to the actual value.
The two values should match bit for bit.
This procedure assumes that any changes to the field programmable gain and offset registers maintain the
specified accuracies of measurements at the system level.
[AoU42] — The BQ79606A-Q1 is fully powered and addressed prior to the start of the diagnostic.
[AoU43] — The host MCU will run the GPIO Output Register Check diagnostic once per used GPIO
channel per FDTI.
[AoU44] — The host MCU will apply the appropriate gain and offset found in GPIO[6:1]_GAIN and
GPIO[6:1]_OFF to the output of AUX_FACTCORRH/L and compare the result to the
AUX_GPIO[6:1] register pair of the same channel. The two values should match at every bit.
- Write: GPIOn_CONF, where n is the GPIO channel under test
- Write: AUX_ADC_GO in CONTROL2
- Wait: for AUX measurement to be complete
- Read: AUX_GPIOnH/L, where n is the cell channel under test
- Read: AUX_FACTCORRH/L
- Read: DRDY_AUX bit in DEV_STAT to confirm that the measurement result is fresh
- Clear: AUX_GPIO_SEL[2:0] in DIAG_CTRL2
- Host Write: take the AUX_FACTCORR 16-bit value and apply the gain and offset correction factors specified by registers GPIOn_GAIN and CELLn_OFF
- Host compare: the expected value of AUX_GPIOn calculated in the previous step to the actual value; the two values should match bit for bit
- Host Decision
Figure 14. SM204: AUXADC Gain Offset and Output Register Check
5.4.5 SM230: GPIO Pin Open Check
When the GPIO pins are used to measure safety-relevant temperature sensors, the signal path integrity
must be diagnosed. A safety measure for finding pin open conditions is provided.
[AoU45] — The BQ79606A-Q1 is fully powered and addressed prior to the start of the diagnostic.
[AoU46] — The host MCU will run the GPIO Pin Open diagnostic once per used GPIO channel per FDTI.
- Write: TEMP_DG[1:0] (deglitch time) in COMP_DG to the minimum value
- Write: OTUT_MODE[1:0] in DIAG_CTRL1 to configure single channel
- Write: DIAG_CTRL3 to enable the weak pulldown on the GPIO
- Write: OTUT_CTRL to choose the GPIO for this iteration
- Write: OTUT_EN = 0 in CONTROL2
- Write: OTUT_EN = 1 in CONTROL2
- Wait: for the pulldown to take effect
- Read: OT_FAULT
- Host compare: value of OT_FAULT = 1 to verify the fault
- Reset: OT_FLT_RST and TEMP_DG
- Host Decision
Figure 15. SM230: GPIO Pin Open Check
5.4.6 SM231: GPIO Multiplexor and Pin Short Check
When the GPIO pins are used to measure safety-relevant temperature sensors, the signal path integrity
must be diagnosed. A safety measure for finding pin short conditions is provided.
[AoU47] — The BQ79606A-Q1 is fully powered and addressed prior to the start of the diagnostic.
[AoU48] — The host MCU will run the GPIO Multiplexor and Pin Short diagnostic once per used GPIO
channel per FDTI.
- Write: TEMP_DG[1:0] (deglitch time) in COMP_DG to the minimum value
- Write: GPIO_OUT to drive GPIO pins 2, 4 and 6 high
- Write: OTUT_CTRL to enable the GPIO for this iteration
- Write: OTUT_EN = 0 in CONTROL2
- Write: OTUT_EN = 1 in CONTROL2
- Wait: for OTUT_CTRL = 1
- Read: OT_FAULT
- Host compare: value of OT_FAULT = 1 to verify the fault
- Reset: GPIO_OUT, OT_FLT_RST and TEMP_DG
- End
Figure 16. SM231: GPIO Multiplexer and Pin Short Check
5.4.7 SM232: AUXMUX GPIO Check
When the GPIO pins are used to measure safety-relevant temperature sensors, the signal path integrity
must be diagnosed. This check can be performed by driving the GPIO pin in test to VIO and then
comparing the voltage to VIO.
[AoU49] — GPIO pins can be driven High/Low independent of AUX ADC measurement.
- Write: GPIO_SEL in GPIOn_CONF to configure the GPIO as output, where n is the GPIO channel under test
- Write: PUPD_SEL[2:0] in GPIOn_CONF to configure the GPIO as push-pull, where n is the GPIO channel under test
- Write: GPIOn in GPIO_OUT to drive the GPIO to VIO, where n is the GPIO channel under test
- Run: AUXADC conversion on GPIOn
- Read: GPIOn voltage
- Host compare: the value of GPIOn should be similar to VIO. If another GPIO pin is shorted to GPIOn, its voltage value will also be similar to GPIOn
- Host Decision
Figure 17. SM232: AUXMUX GPIO Check
5.4.8 SM233: GPIO Fault Check
There is a configurable option (GPIOn_CONF[FAULT_EN]) for the GPIO to trigger a FAULT condition
when high or low. When enabled, the GPIOs that are in a fault state set the GPIOn bit in the
GPIO_FAULT register. These faults are triggered regardless of the GPIOn_CONF[GPIO_SEL] setting for
the GPIO, where n is the channel under test.
NOTE: The high threshold (VIH) and low threshold (VIL) to trigger the fault condition are defined in the
electrical characteristics section in the datasheet.
5.4.9 SM240: AUXADC Data Ready Check
Reading the data ready bit, DRDY_AUX in DEV_STAT, confirms that the previous single conversion
measurement cycle completed.
[AoU50] — The BQ79606A-Q1 is running in single conversion mode.
[AoU51] — The host MCU reads the DRDY_AUX bit in the DEV_STAT register every FDTI.
5.4.10 SM245: Updated TJ Value for AUXADC
The AUXADC uses the internal die temperature to compensate the measurement result. The Tj ADC
measures the die temperature in conjunction with the Vcell measurements. Therefore, it is necessary to
make sure a Vcell measurement result is taken within a short time before the AUX ADC measurement for
maximum accuracy. If the two measurements cannot be started at the same time, starting them within 50
ms is sufficient as long as there is no change in the balancing switch states. Near balancing switch state
changes, timing of 10 ms or less is preferred.
5.4.11 SM246: Die Temp Plausibility
The Tj ADC measures the die temperature in conjunction with the Vcell measurements and stores the
results in the DIE_TEMPH and DIE_TEMPL registers. Whenever a conversion is started the value of
DIE_TEMP will be reset to 0x8000, which indicates a temperature of –851°C, before it is updated with the
output of the ADC. If a reading of 0x8000 persists after completion of a cell conversion then it indicates
that there is a problem with the TJ ADC signal path. When not balancing, the die temperature reading
should be similar to any temperature sensor readings, meaning that any higher reading of DIE_TEMP will
indicate an issue with the BQ79606A-Q1. The DIE_TEMP should also be below the thermal shutdown
threshold of the device.
[AoU52] — The host MCU reads the DIE_TEMP registers every FDTI.
5.4.12 SM250: AUXADC Measurement Plausibility Check
If an AUXADC conversion is expected and requested, the updated result should be checked for
plausibility. First, the result in the output register should not be equal to 0x8000. That value is the default
value at the start of the conversion and signifies that the conversion was not completed for that channel,
either because the channel was not enabled or the state machine did not complete for that channel.
Secondly, the result should be within the normal operating range of the source voltage. For externally
generated voltages, the expected measurement result must be determined by the system. For voltages
generated internal to the BQ79606A-Q1, the expected ranges are documented in the Electrical
Characteristics section of the datasheet.
[AoU53] — The host MCU reads all enabled AUX ADC output values every FDTI to ensure they are not
equal to 0x8000.
5.5 Architecture Safety Mechanisms Related to Cell Voltage Protection
The BQ79606A-Q1 has internal secondary protection comparators for over-voltage and under-voltage
detection in the event of a failure of the mission path ADC. This section describes the safety diagnostics
for the comparator data path.
5.5.1 SM301: Over-Voltage / Under-Voltage BIST
The OV and UV comparators can be checked by a built-in self test that can be enabled to run every other
tcycle. The self-test checks the comparators themselves by applying voltages just above and just below the
user-configured threshold VOV and VUV.
[AoU54] — The host MCU will run the built-in self test every other FDTI.
[AoU55] — The host MCU will read and clear the CELL_OV_UV flag in the FAULT_SUMMARY register,
OVUV_BIST_DONE in the LOOP_STAT register, and the OVUV_BIST_FAULT register.
5.5.2 SM302: Over-Voltage / Under-Voltage Multiplexor Selector Integrity
A single pair of OV and UV comparators monitor all cell positions and transfer the result to the appropriate
status register using an input and output multiplexor. The multiplexor selectors and state machine control
can be diagnosed by using the cell balancing switches to reduce Vcell by approximately 33% to the
channel under test. By comparing the UV comparator results with the expected results based on the cell
balancing switch stimulus, the multiplexor and control integrity is confirmed.
NOTE: This diagnostic is not required to meet the ASIL-B goal for the secondary protectors.
[AoU56] — The host MCU will run the OV/UV Multiplexor Selector Integrity Check.
- Write: TEMP_DG[1:0] = 2'b11 and OVUV_DG[1:0] = 2'b00
- Write: CB_SW_EN = 0x00 (disable all balance switches)
- Write: OVUV_EN = 0 in CONTROL2 (disable comparators)
- Write: DIAG_CTRL2 (disconnect AUX ADC from inputs)
- Write: DIAG_CTRL1 (enable single conversion mode)
- Write: CB_SW_EN = 0x00 (enable Cell1 balance switches)
- Write: OVUV_EN = 1 in CONTROL2 (enable comparators)
- Wait: for 1 ms
- Write: OVUV_EN = 0 in CONTROL2 (disable comparators)
- Host compare: host shall read the UV_FAULT for the cell under test and verify it is set
- Repeat: for the remaining channels
- Reset: UV_FLT_RST, TEMP_DG, OVUV_DG and DIAG_CTRL2 to pre-test values
- End
Figure 18. SM302: OV/UV Multiplexor Selector Integrity
5.5.3 SM303: Over-Voltage / Under-Voltage Threshold DAC Measurement
The Over/Under-Voltage comparators use DACs to convert the OV_THRESH and UV_THRESH bytes to
the appropriate comparator reference voltage. The output of these DACs can be converted by the
AUXADC to confirm the thresholds are set correctly. OV_DAC_EN and UV_DAC_EN set the AUXADC to
convert the Over-Voltage and Under-Voltage thresholds respectively. The OV DAC results are stored in the
AUX_OV_DACH/L registers and the UV DAC results are stored in the AUX_UV_DACH/L registers.
[AoU57] — The host MCU will convert the Over-Voltage and Under-Voltage DAC voltages once every
drive cycle to confirm the voltages are correct.
5.5.4 SM304: UV Comparator Check
A UV window comparator provides cell voltage monitoring for all six channels. The analog comparator
uses a programmable UV threshold (UV_THRESH) and deglitch time (OVUV_DG) to set the UV_FAULTn
flag in the CELL_OVUV register, where n is the cell channel under test. The cell voltage is compared to the
UV threshold and a counter is incremented when the comparator is tripped and decremented when the
comparator is not tripped. Once the counter reaches the programmed threshold, the UV_FAULTn flag in
the CELL_OVUV register is set.
[AoU58] — Use the OVUV_CTRL[CELL*_EN] bits to enable the cells that are required for UV monitoring.
[AoU59] — Use the CONTROL2[OVUV_EN] bit to enable the comparators.
5.5.5 SM305: OV Comparator Check
An OV window comparator provides cell voltage monitoring for all six channels. The analog comparator
uses a programmable OV threshold (OV_THRESH) and deglitch time (OVUV_DG) to set the OV_FAULTn
flag in the CELL_OVUV register, where n is the cell channel under test. The cell voltage is compared to the
OV threshold and a counter is incremented when the comparator is tripped and decremented when the
comparator is not tripped. Once the counter reaches the programmed threshold, the OV_FAULTn flag in
the CELL_OVUV register is set.
[AoU60] — Use the OVUV_CTRL[CELL*_EN] bits to enable the cells that are required for OV monitoring.
[AoU61] — Use the CONTROL2[OVUV_EN] bit to enable the comparators.
5.6 Architecture Safety Mechanisms Related to Temperature Sensor Voltage Protection
The BQ79606A-Q1 has internal secondary protection comparators for overtemperature and
undertemperature detection in the event of a failure of the mission path ADC. This section describes the
safety diagnostics for the comparator data path.
5.6.1 SM401: Overtemperature, Undertemperature BIST
The OT and UT comparators can be checked by a built-in self test that can be enabled to run every other
tcycle. The self-test checks the comparators themselves by applying voltages just above and just below
the user-configured threshold VOT and VUT.
[AoU62] — The host MCU will run the built-in self test every other FDTI.
[AoU63] — The host MCU will read and clear the CELL_OT_UT flag in the FAULT_SUMMARY register,
OTUT_BIST_DONE in the LOOP_STAT register, and the OTUT_BIST_FAULT register.
5.6.2 SM402: Overtemperature, Undertemperature Multiplexor Selector Integrity
A single pair of OT and UT comparators monitor all enabled GPIO inputs and transfer the result to the
appropriate status register using an input and output multiplexor. The multiplexor selectors and state
machine control can be diagnosed by using the GPIO pin pullups and pulldowns to move the input signal
measurement near 0 V or near full-scale for the channel under test. By comparing the OT and UT
comparator results with the expected results based on the cell balancing switch stimulus, the multiplexor
and control integrity is confirmed.
NOTE: This diagnostic is not required to meet the ASIL-B goal for the secondary protectors.
[AoU64] — The host MCU will run the OT/UT Multiplexor Selector Integrity Check.
- Write: AUX_GPIO_SEL[2:0] in DIAG_CTRL2 to 0xn, where n is the cell channel under test
- Write: AUX_ADC_GO in CONTROL2
- Wait: for AUXADC measurement to be complete
- Read: AUX_GPIOnH/L, where n is the cell channel under test
- Read: AUX_FACTCORRH/L
- Read: DRDY_AUX bit in DEV_STAT to confirm that the measurement result is fresh
- Clear: AUX_GPIO_SEL[2:0] in DIAG_CTRL2
- Host Write: calculate the expected value of AUX_GPIOn by taking the 16-bit AUX_FACTCORR value and applying the gain and offset correction factors specified by registers GPIOn_Gain and GPIOn_Offset
- Host compare: compare the expected value of AUX_GPIOn calculated in the previous step to the actual value; the two values should match bit for bit
- Host Decision
Figure 19. SM402: OT/UT Multiplexor Selector Integrity
5.6.3 SM403: Overtemperature, Undertemperature Threshold DAC Measurement
The overtemperature and undertemperature comparators use DACs to convert the OTUT_THRESH byte
to the appropriate comparator reference voltage. The output of these DACs can be converted by the
AUXADC to confirm the thresholds are set correctly. OT_DAC_EN and UT_DAC_EN set the AUXADC to
convert the Over-Voltage and Under-Voltage thresholds respectively. The OT DAC results are stored in the
AUX_OT_DACH/L registers and the UT DAC results are stored in the AUX_UT_DACH/L registers.
[AoU65] — The host MCU will convert the overtemperature and undertemperature DAC voltages once
every drive cycle to confirm the voltages are correct.
5.6.4 SM404: UT Comparator Check
A UT window comparator provides the undertemperature monitoring for the GPIO1 to GPIO6 inputs. The
analog comparator uses a programmable UT threshold (UT_THRESH) and deglitch time (OTUT_DG) to
set the UT_FAULTn flag in the GPIO_OTUT register, where n is the cell channel under test.
The cell temperature is compared to the UT threshold and a counter is incremented when the comparator
is tripped and decremented when the comparator is not tripped. Once the counter reaches the
programmed threshold, the UT_FAULTn flag in the GPIO_OTUT register is set.
[AoU66] — The UT threshold is programmable to OFF or from 60% to 75% of TSREF in steps of 1%
using the OTUT_THRESH[UT_THRESH] bits.
[AoU67] — TSREF must be enabled (CONTROL2[TSREF_EN]=1) for at least 2 ms (for the recommended
capacitor value; larger capacitors may lead to a longer startup time) before enabling the OT/UT
function.
[AoU68] — Use the OTUT_CTRL[GPIO*_EN] bits to enable the cells that are required for OT/UT monitoring.
Use the CONTROL2[OTUT_EN] bit to enable the comparators.
5.6.5 SM405: OT Comparator Check
An OT window comparator provides the overtemperature monitoring for the GPIO1 to GPIO6 inputs. The
analog comparator uses a programmable OT threshold (OT_THRESH) and deglitch time (OTUT_DG) to
set the OT_FAULTn flag in the GPIO_OTUT register, where n is the cell channel under test.
The cell temperature is compared to the OT threshold and a counter is incremented when the comparator
is tripped and decremented when the comparator is not tripped. Once the counter reaches the
programmed threshold, the OT_FAULTn flag in the GPIO_OTUT register is set.
[AoU69] — The OT threshold is programmable to OFF or from 20% to 35% of TSREF in steps of 1%
using the OTUT_THRESH[OT_THRESH] bits.
[AoU70] — Use the OTUT_CTRL[GPIO*_EN] bits to enable the cells that are required for OT/UT monitoring.
Use the CONTROL2[OTUT_EN] bit to enable the comparators.
[AoU71] — TSREF must be enabled (CONTROL2[TSREF_EN]=1) for at least 2 ms (for the recommended
capacitor value; larger capacitors may lead to a longer startup time) before enabling the OT/UT
function.
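The up/down deglitch counter that SM304, SM305, SM404 and SM405 all describe, modelled on the host side as an added example (this is not TI code and not the device's internal implementation): each sample moves the count by at most one step in either direction, so a single-sample glitch never reaches the programmed threshold, a sustained excursion latches the fault even when it is briefly interrupted, and the latched flag survives the input returning to normal until an explicit reset. The millivolt sequences, thresholds and deglitch count are constructed; the real comparators work in their own units and the page gives no LSB.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Comparator polarity. UV trips when the input is BELOW the threshold, OV when
 * it is ABOVE. With an NTC divider on a GPIO, OT trips below and UT above. */
typedef enum { TRIP_BELOW, TRIP_ABOVE } trip_dir_t;

/* One comparator channel: the up/down deglitch counter and the latched flag
 * (UV_FAULTn, OV_FAULTn, OT_FAULTn or UT_FAULTn on the device). */
typedef struct {
    uint16_t count;
    bool     fault;
} cmp_channel_t;

static void cmp_reset(cmp_channel_t *ch)
{
    ch->count = 0;
    ch->fault = false;   /* the device needs an explicit *_FLT_RST for this */
}

/* Feed one comparator sample: count up while tripped, down (never below 0)
 * while not, and latch the fault once the count reaches `deglitch`.
 * Returns the flag state after this sample. */
static bool cmp_step(cmp_channel_t *ch, uint16_t value, uint16_t thresh,
                     trip_dir_t dir, uint16_t deglitch)
{
    bool tripped = (dir == TRIP_BELOW) ? (value < thresh) : (value > thresh);
    if (tripped) {
        if (ch->count < deglitch) ch->count++;
    } else if (ch->count > 0) {
        ch->count--;
    }
    if (deglitch > 0 && ch->count >= deglitch) ch->fault = true;
    return ch->fault;
}

/* Run a sample sequence through one channel and return the 0-based index of
 * the sample at which the fault latched, or -1 if it never latched. */
static int samples_until_fault(const uint16_t *v, size_t n, uint16_t thresh,
                               trip_dir_t dir, uint16_t deglitch)
{
    cmp_channel_t ch;
    cmp_reset(&ch);
    for (size_t i = 0; i < n; i++)
        if (cmp_step(&ch, v[i], thresh, dir, deglitch)) return (int)i;
    return -1;
}

/* Constructed cell-voltage sequences in mV (not captured device data). */
#define UV_MV    2500u   /* constructed UV threshold */
#define OV_MV    4200u   /* constructed OV threshold */
#define DEGLITCH 4u      /* constructed deglitch count */
static const uint16_t seq_glitch[]      = {3700, 3700, 2400, 3700, 3700, 3700, 3700, 3700};
static const uint16_t seq_sustained[]   = {3700, 2400, 2400, 2400, 2400, 2400, 2400};
static const uint16_t seq_interrupted[] = {2400, 2400, 2400, 3700, 2400, 2400, 2400};
static const uint16_t seq_overvolt[]    = {3700, 4300, 4300, 4300, 4300};
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Once latched, the flag stays set after the input recovers, and only the
 * explicit reset clears it. */
static bool fault_stays_latched(void)
{
    cmp_channel_t ch;
    cmp_reset(&ch);
    for (size_t i = 0; i < LEN(seq_sustained); i++)
        cmp_step(&ch, seq_sustained[i], UV_MV, TRIP_BELOW, DEGLITCH);
    bool still_set = cmp_step(&ch, 3700, UV_MV, TRIP_BELOW, DEGLITCH);
    cmp_reset(&ch);
    return still_set && !ch.fault;
}

int main(void)
{
    printf("single glitch latches at sample: %d\n",
           samples_until_fault(seq_glitch, LEN(seq_glitch), UV_MV, TRIP_BELOW, DEGLITCH));
    printf("sustained UV latches at sample: %d\n",
           samples_until_fault(seq_sustained, LEN(seq_sustained), UV_MV, TRIP_BELOW, DEGLITCH));
    printf("interrupted UV latches at sample: %d\n",
           samples_until_fault(seq_interrupted, LEN(seq_interrupted), UV_MV, TRIP_BELOW, DEGLITCH));
    printf("OV latches at sample: %d\n",
           samples_until_fault(seq_overvolt, LEN(seq_overvolt), OV_MV, TRIP_ABOVE, DEGLITCH));
    printf("fault stays latched until reset: %s\n", fault_stays_latched() ? "yes" : "no");
    return 0;
}
```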
5.7 Architecture Safety Mechanisms Related to Communication
The BQ79606A-Q1 communication path has several diagnostics to achieve the safety goals of the device.
Failure to run the recommended diagnostics on the communication path calls into question the validity of
the data obtained from the devices.
5.7.1 SM500: COMM Response Packet CRC and Source Check
All response packets received by the system controller should be checked for correct CRC, correct
starting register address, and correct number of bytes received, in the correct sequence matching the
expected communication response. Any non-conforming packets should be discarded.
NOTE: CRC generation by the BQ79606A-Q1 is automatic and there is no fixed time for the running
of this diagnostic.
[AoU72] — The host MCU will calculate the CRC for all received response packets and compare to the
received CRC.
[AoU73] — The host MCU will check the device and register address information on each received
response packet and compare it to the expected device and register addresses.
[AoU74] — Any packet with non-matching CRC, out of order, or from an unexpected device or register
address will be discarded by the host MCU.
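A host-side response check covering the conditions SM500 and AoU72 to AoU74 list (CRC, source device, starting register address, byte count), as an added example that is not TI's code and not taken from the page. The frame layout (an init byte with bit 7 clear and the data-byte count minus one in bits 6:0, then the device address, a 16-bit register address, the data bytes, and a CRC-16 sent low byte first) and the CRC parameters (polynomial 0x8005 bit-reflected, initial value 0xFFFF, the CRC-16/MODBUS variant) are assumptions to confirm against the datasheet; the sample frame, device address and register address are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-16 as ASSUMED for the response frame: polynomial 0x8005 bit-reflected
 * (0xA001), initial value 0xFFFF, no final XOR (the CRC-16/MODBUS variant).
 * Confirm against the BQ79606A-Q1 datasheet before relying on it. */
static uint16_t crc16_frame(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1u) ? (uint16_t)((crc >> 1) ^ 0xA001u) : (uint16_t)(crc >> 1);
    }
    return crc;
}

/* Known-answer check: CRC-16/MODBUS of "123456789" is 0x4B37. */
static bool crc16_known_answer(void)
{
    return crc16_frame((const uint8_t *)"123456789", 9) == 0x4B37;
}

/* ASSUMED response frame layout: [init][device addr][reg addr MSB][reg addr LSB]
 * [data ...][CRC low][CRC high]. Init byte: bit 7 = 0 for a response frame,
 * bits 6:0 = number of data bytes minus one. */
#define RESP_HDR_LEN 4u
#define RESP_CRC_LEN 2u

typedef enum {
    RESP_OK = 0,
    RESP_TOO_SHORT,        /* cannot even hold header, one data byte and CRC */
    RESP_NOT_RESPONSE,     /* init byte says command frame, not response */
    RESP_BAD_LENGTH,       /* byte count disagrees with init byte or request */
    RESP_BAD_CRC,
    RESP_WRONG_DEVICE,     /* answered by a device we did not ask */
    RESP_WRONG_REGISTER    /* starting register address differs from request */
} resp_status_t;

/* Accept a frame only if CRC, source device, starting register address and
 * byte count all match the outstanding read request; anything else is
 * discarded by the caller. On success *data points at the payload. */
static resp_status_t check_response(const uint8_t *frame, size_t len,
                                    uint8_t exp_dev, uint16_t exp_reg,
                                    size_t exp_data_len, const uint8_t **data)
{
    if (len < RESP_HDR_LEN + 1u + RESP_CRC_LEN) return RESP_TOO_SHORT;
    if (frame[0] & 0x80u) return RESP_NOT_RESPONSE;
    size_t data_len = (size_t)(frame[0] & 0x7Fu) + 1u;
    if (len != RESP_HDR_LEN + data_len + RESP_CRC_LEN || data_len != exp_data_len)
        return RESP_BAD_LENGTH;
    /* The CRC covers every byte before the two CRC bytes; verify it before
     * trusting any other field of the frame. */
    uint16_t rx_crc = (uint16_t)(frame[len - 2] | (frame[len - 1] << 8));
    if (crc16_frame(frame, len - RESP_CRC_LEN) != rx_crc) return RESP_BAD_CRC;
    if (frame[1] != exp_dev) return RESP_WRONG_DEVICE;
    uint16_t reg = (uint16_t)((frame[2] << 8) | frame[3]);
    if (reg != exp_reg) return RESP_WRONG_REGISTER;
    if (data) *data = frame + RESP_HDR_LEN;
    return RESP_OK;
}

/* Constructed sample: device 0x02 answering a 2-byte read starting at
 * register 0x0100 (placeholder address, not taken from the register map). */
static size_t build_sample_response(uint8_t *out, bool corrupt_crc)
{
    const uint8_t data[2] = {0x12, 0x34};          /* constructed payload */
    out[0] = (uint8_t)(sizeof data - 1);            /* response, 2 data bytes */
    out[1] = 0x02;
    out[2] = 0x01;
    out[3] = 0x00;
    memcpy(out + RESP_HDR_LEN, data, sizeof data);
    uint16_t crc = crc16_frame(out, RESP_HDR_LEN + sizeof data);
    if (corrupt_crc) crc ^= 0x0001u;                /* simulate a corrupted byte */
    out[6] = (uint8_t)(crc & 0xFFu);
    out[7] = (uint8_t)(crc >> 8);
    return 8;
}

/* Validate the sample frame against a given expectation. */
static resp_status_t demo_check(bool corrupt_crc, uint8_t exp_dev, uint16_t exp_reg,
                                size_t exp_data_len)
{
    uint8_t frame[16];
    size_t n = build_sample_response(frame, corrupt_crc);
    return check_response(frame, n, exp_dev, exp_reg, exp_data_len, NULL);
}

int main(void)
{
    printf("crc known-answer: %s\n", crc16_known_answer() ? "ok" : "FAIL");
    printf("good frame: %d\n", demo_check(false, 0x02, 0x0100, 2));
    printf("bad crc: %d\n", demo_check(true, 0x02, 0x0100, 2));
    printf("wrong device: %d\n", demo_check(false, 0x03, 0x0100, 2));
    printf("wrong register: %d\n", demo_check(false, 0x02, 0x0101, 2));
    printf("wrong length: %d\n", demo_check(false, 0x02, 0x0100, 4));
    return 0;
}
```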
5.7.2 SM501: Device Addressing Check
For communication to be successful to all devices, each device must be addressed appropriately based
on its position in the daisy-chain and the direction of communication. When any change to the daisy-chain
or device configuration occurs or is suspected, the device addressing must be verified.
NOTE: Typically only one daisy-chain is connected to a given system controller. If the daisy-chain
breaks and the BQ79606A-Q1 is configured for ring communication, multiple daisy-chains may be
present.
[AoU75] — The host MCU will send a broadcast read command to each daisy-chain connected to it and
verify that all expected responses are present and correct with respect to number, order, device
address, and data correctness.
5.7.3 SM502: Short Communication Timeout Check
To detect any communication delays, a Short Communication Timeout check can be performed by setting
SHORT[2:0] in the COMM_TO register. If the timeout expires, the CTS flag in the SYS_FAULT1 register is set.
5.7.4 SM503: Byte Error Check
The daisy chain retransmits the data on a bit level to improve daisy-chain robustness. If an error is
detected in the received data (COMM_COM*_FAULT register, where COM* represents the communication
lines UART, COML and COMH), the data is still forwarded, but the byte error bit is set to indicate to the
devices up the stack that the data is likely corrupted and must be ignored.
Different registers and bits are set based on receiving a response frame or a response command. The
BERR bit in the COMM_COM*_R*_FAULT register is set and the byte is ignored whenever a byte is
received with the byte error set, where COM* represents COMH and COML and R* represents Response
frame (RR) and Command Frame (RC).
The BERR bit in COMM_UART_RC_FAULT is set when a STOP error occurs on any byte received on the
UART interface that is not directly followed by a communication clear (<BRK>).
[AoU76] — The COMM_COM*_RR_FAULT registers indicate faults that occur while receiving a response
frame. The COMM_*_RC_FAULT registers indicate faults that occur while receiving a command
frame.
5.7.5 SM504: Start of Frame Error Check
If a break is received before the current frame is finished, on either the UART or differential stack
communications, then the SOF bit in the COMM_COM*_R*_FAULT register is set, where COM* represents
UART, COML and COMH and R* represents Receiving Command (RC), Receiving Response (RR) and
Transmitting Data (TR).
[AoU77] — The response frames on the UART only apply in multidrop mode.
5.7.6 SM505: UNEXP Error Check
If the direction of a stack communication command is incorrect, or if a stack device receives a UART
command for stack communication, the UNEXP bit in the COMM_COM*_R*_FAULT register is set, where
COM* represents UART, COML and COMH and R* represents Receiving Command (RC), Receiving
Response (RR) and Transmitting Data (TR).
[AOU78] — The response frames on the UART only apply in multidrop mode.
5.7.7 SM506: TXDIS Error Check
If a read command frame was discarded because TX was disabled on UART, COMH or COML, the TXDIS
bit in the COMM_COM*_R*_FAULT register is set, where COM* represents UART, COML and COMH and R*
represents Receiving Command (RC) and Receiving Response (RR).
5.7.8 SM507: Wait Error Check
If the device was unable to send the response frame for the previous read command on COML, COMH or
UART because a new command arrived from any interface before the response from the device above the
current one was received, the Wait flag bit in COMM_COM*_R*_FAULT is set, where COM* represents UART,
COML and COMH and R* represents Receiving Command (RC) and Transmitting Data (TR).
[AOU79] — New commands are not checked for the TXDIS or UNEXP conditions prior to causing the
termination of the currently waiting command.
5.7.9 SM508: IERR Error Check
Initialization byte errors are the result of improper formatting of a byte. If a frame initialization byte is
expected, but the SOF bit of the received byte is not set or an invalid frame type (one of the reserved
commands) is selected, the IERR bit in the COMM_COM*_RC_FAULT register is set, where COM*
represents COML and COMH.
If the frame initialization byte has a stop error, has reserved command bits set, or is configured as a response
frame (when not in multidrop mode), the IERR bit in the COMM_UART_RC_FAULT register is set.
Frame initialization bytes are the first byte after a break, or are identified based on the frame sequence. In the
multidrop configuration, IERR is also set when the first frame received after a break is a response frame.
[AOU80] — When an initialization byte error occurs, the UART disregards communication (that is, the CRC is
not calculated and, therefore, no CRC error is indicated) and does not forward communication until
a break/reset is received.
[AoU81] — In multidrop mode, during stack read, stack write and reverse direction, this bit will not be flipped.
Only reverse direction will create an IERR error.
5.7.10 SM509: Daisy Chain Communication SYNC1 Error Check
The differential stack interface uses an asynchronous 12-bit byte-transfer protocol that operates at
baudDC. Data is transferred LSB first and every bit is duplicated (with a complement) so that the
transmission has no DC content. The receiver samples the signal 8 times per half-bit time. A zero is
transmitted as one half-bit period low followed by one half-bit period high, while a one is transmitted as a
half-bit period high followed by a half-bit period low.
If the demodulation of the preamble half-bit and the two full bits of synchronization data has errors and
the timing is not correct, the SYNC1 bit in the COMM_COM*_FAULT register is set and the byte is not
processed, where COM* represents COML and COMH.
5.7.11 SM510: Daisy Chain Communication SYNC2 Error Check
The differential stack interface uses an asynchronous 12-bit byte-transfer protocol that operates at
baudDC. Data is transferred LSB first and every bit is duplicated (with a complement) so that the
transmission has no DC content. The receiver samples the signal 8 times per half-bit time. A zero is
transmitted as one half-bit period low followed by one half-bit period high, while a one is transmitted as a
half-bit period high followed by a half-bit period low.
If the timing information extracted from the demodulation of the preamble half-bit and the two full bits of
synchronization is outside of the expected window, the SYNC2 flag in the COMM_COM*_FAULT register is
set and the byte is not processed, where COM* represents COML and COMH.
5.7.12 SM511: Daisy Chain Communication Byte Order Check
If, during the demodulation of the bus traffic, one or more of the received data bits does not have the
expected complement bit structure, the DATA_ORDER bit in the COMM_COM*_FAULT register is set and the
byte is not decoded, where COM* represents COML and COMH.
5.7.13 SM512: Daisy Chain Communication DATA_MISS Check
During communication, if there is a failure to detect a valid '1' or '0' on the bus when one is expected
(every bit time), the DATA_MISS bit in the COMM_COM*_FAULT register is set and the byte is not decoded,
where COM* represents COML and COMH.
5.7.14 SM513: Daisy Chain Communication BIT Error Check
If, during the demodulation of the bus traffic, a bit is decoded that is not a "strong" '1' or '0' (meaning there
were not sufficient samples to indicate the logic level with certainty), the BIT flag in the COMM_COM*_FAULT
register is set and the byte is not decoded, where COM* represents COML and COMH.
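The bit coding described under SM509 through SM513 can be modelled on the host side to see why each of the DATA_ORDER, DATA_MISS and BIT conditions discards a byte. The following is an added example, not code from Texas Instruments or from the BQ79606A-Q1 itself: it encodes a 12-bit word the way the manual describes (each bit as a half-bit level followed by its complement, LSB first, eight receiver samples per half bit) and demodulates a sample stream, mapping decode failures onto the three flag names. The SYNC1/SYNC2 preamble timing check is not modelled, the 7-of-8 "strong level" threshold is an assumption, and the assignment of each failure to a flag is this example's reading of the manual's wording.

```python
"""Differential daisy-chain byte demodulator (added example, not TI code).

Models the coding of SM509-SM513: every data bit is two half-bit periods,
'0' = low then high, '1' = high then low, LSB first, with the receiver
sampling eight times per half bit. The preamble/sync timing (SYNC1, SYNC2)
is not modelled; STRONG_MIN and the flag mapping are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLES_PER_HALF = 8   # receiver oversampling stated in the manual
BITS_PER_BYTE = 12     # 12-bit byte-transfer protocol
STRONG_MIN = 7         # assumption: samples that must agree for a "strong" level


@dataclass
class DecodeResult:
    value: Optional[int]                              # 12-bit word, None if discarded
    faults: List[str] = field(default_factory=list)   # COMM_COM*_FAULT-style flag names


def encode_byte(value: int) -> List[int]:
    """Sample stream a transmitter puts on the bus for one 12-bit word."""
    if not 0 <= value < (1 << BITS_PER_BYTE):
        raise ValueError("value must fit in 12 bits")
    samples: List[int] = []
    for i in range(BITS_PER_BYTE):
        bit = (value >> i) & 1                        # LSB first
        first, second = (1, 0) if bit else (0, 1)     # '1' = high-then-low
        samples += [first] * SAMPLES_PER_HALF + [second] * SAMPLES_PER_HALF
    return samples


def _level(half: List[int]) -> Optional[int]:
    """0 or 1 if the half-bit is a strong level, None if ambiguous (BIT)."""
    ones = sum(half)
    if ones >= STRONG_MIN:
        return 1
    if len(half) - ones >= STRONG_MIN:
        return 0
    return None


def decode_byte(samples: List[int]) -> DecodeResult:
    """Demodulate one 12-bit word; the first fault discards the whole byte."""
    per_bit = 2 * SAMPLES_PER_HALF
    if len(samples) < BITS_PER_BYTE * per_bit:
        # a bit time elapsed with no symbol on the bus -> DATA_MISS
        return DecodeResult(None, ["DATA_MISS"])
    value = 0
    for i in range(BITS_PER_BYTE):
        chunk = samples[i * per_bit:(i + 1) * per_bit]
        first = _level(chunk[:SAMPLES_PER_HALF])
        second = _level(chunk[SAMPLES_PER_HALF:])
        if first is None or second is None:
            return DecodeResult(None, ["BIT"])         # level not decoded with certainty
        if first == second:
            return DecodeResult(None, ["DATA_ORDER"])  # complement half is missing
        value |= first << i
    return DecodeResult(value, [])


if __name__ == "__main__":
    glitched = encode_byte(0x5A5)
    glitched[3] ^= 1                                   # one bad sample is tolerated
    print(hex(decode_byte(glitched).value or 0), decode_byte(encode_byte(0x123)[:-16]).faults)
```

A single corrupted sample inside a half bit is still decoded, because seven of eight samples agree; a half bit that is half high and half low has no strong level and is reported as BIT, while a bit whose two halves are both high (no complement) is reported as DATA_ORDER.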
5.7.15 SM514: HeartBeat Fast Error Check
The TONE_FAULT register indicates faults related to the FAULT bus. The daisy chain transmits a
heartbeat tone from north to south on the FAULT* interface. The heartbeat tone is sent out every tWAITHB. If
a heartbeat is received more often than expected (the time between heartbeats is less than tHBFAST), the
HB_Fast bit in the TONE_FAULT register is set to indicate a possible error condition.
5.7.16 SM515: HeartBeat Fail Error Check
The daisy chain transmits a heartbeat tone from north to south on the FAULT* interface in order to monitor
the integrity of the fault bus. Each device continuously monitors for the heartbeat of the device above it. If a
heartbeat pulse is not received for tHBTO, the HB_FAIL bit in the TONE_FAULT register is set.
5.7.17 SM516: Fault Tone Error Check
The daisy chain transmits a heartbeat tone on the FAULT* interface. In case an unmasked fault is
detected, the device sends a fault tone down the FAULT* interface and stops sending any heartbeat tones
until the fault is reset or cleared. As the lower devices receive the fault detected tone, the FF_REC bit in
the TONE_FAULT register is set and the fault tone is propagated down the stack until ultimately received by
the base device, which notifies the host via the NFAULT output.
5.7.18 SM517: UART Communication STOP Check
The UART interface follows the standard serial protocol of 8-N-1, where it sends information as a START
bit, followed by eight data bits, and then one STOP bit. The STOP bit indicates the end of the byte. If a
byte is received that does not have the STOP bit set, the STOP flag in the COMM_UART_FAULT register
is set, indicating a baud rate issue between the host and the device.
5.7.19 SM518: UART Communication Reset Check
If the baud rate is inadvertently changed or unknown, the baud rate of the base device resets to 250 kbps
(regardless of the value stored in the OTP COMCONFIG register). This sets the baud rate to a known,
fixed rate (250 kbps), and the COMMRST_DET bit in the COMM_UART_FAULT register is set.
5.7.20 SM519: UART Communication Clear Break Detection Check
The receiver continuously monitors the RX line for a break condition (<BRK>). When a <BRK> is detected,
the COMMCLR_DET flag in the COMM_UART_FAULT register is set. The next byte following the <BRK> is
considered a "start of frame" byte.
[AOU82] — The host must wait at least tUART(RXMIN) after the <BRK> before starting to send the frame.
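The STOP check of SM517, the break detection of SM519 and the "STOP error not directly followed by a <BRK>" rule for BERR in SM503 can be exercised together with a bit-level receiver model. The following is an added example, not Texas Instruments code: it takes the RX line sampled once per bit time (already bit-synchronous, so baud recovery and oversampling are outside the model), decodes 8-N-1 characters, and raises the STOP, BERR and COMMCLR_DET flag names the manual uses. The manual does not give the <BRK> duration; this example assumes a break is the line held low for longer than one complete 10-bit character, and `encode_uart` is a constructed helper for building test captures.

```python
"""Bit-level UART 8-N-1 receiver model for SM517/SM519 (added example, not TI code).

Input: RX line sampled once per bit time, bit-synchronous. Assumptions: a
break (<BRK>) is a low level lasting longer than one whole character, and a
STOP error that is *not* directly followed by a break raises BERR (SM503).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

CHAR_BITS = 10        # START + 8 data + STOP
BREAK_MIN_BITS = 11   # assumption: low for longer than one character is a <BRK>


@dataclass
class UartResult:
    bytes_ok: List[Tuple[int, bool]] = field(default_factory=list)  # (value, is start-of-frame byte)
    flags: List[str] = field(default_factory=list)                   # COMM_UART_FAULT-style flag names


def encode_uart(data: bytes, stop_error_at: int = -1, trailing_break: int = 0) -> List[int]:
    """Constructed capture: idle high, each byte as 8-N-1, optional STOP fault and <BRK>."""
    line = [1, 1]
    for n, b in enumerate(data):
        line.append(0)                                 # START bit
        line += [(b >> k) & 1 for k in range(8)]       # data, LSB first
        line.append(0 if n == stop_error_at else 1)    # STOP bit (0 = framing error)
    line += [0] * trailing_break + [1, 1]              # optional break, then idle
    return line


def _low_run(line: List[int], i: int) -> int:
    n = 0
    while i + n < len(line) and line[i + n] == 0:
        n += 1
    return n


def receive(line: List[int]) -> UartResult:
    res = UartResult()
    sof_pending = False          # after <BRK> the next byte is a start-of-frame byte (SM519)
    i = 0
    while i < len(line):
        if line[i] == 1:
            i += 1                                     # idle level
            continue
        run = _low_run(line, i)
        if run >= BREAK_MIN_BITS:
            res.flags.append("COMMCLR_DET")            # SM519: break detected
            sof_pending = True
            i += run
            continue
        if i + CHAR_BITS > len(line):
            break                                      # truncated capture, nothing to decode
        value = sum(line[i + 1 + k] << k for k in range(8))
        if line[i + CHAR_BITS - 1] == 1:
            res.bytes_ok.append((value, sof_pending))
            sof_pending = False
            i += CHAR_BITS
            continue
        res.flags.append("STOP")                       # SM517: STOP bit missing
        low_after = _low_run(line, i + CHAR_BITS - 1)  # low run starting at the STOP position
        if low_after >= BREAK_MIN_BITS:
            res.flags.append("COMMCLR_DET")            # directly followed by <BRK>: no BERR
            sof_pending = True
        else:
            res.flags.append("BERR")                   # SM503: byte error, frame is ignored
        i += CHAR_BITS - 1 + low_after                 # resynchronise on the next idle level
    return res


if __name__ == "__main__":
    capture = encode_uart(b"", trailing_break=12) + encode_uart(b"\x55")
    print(receive(capture))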
5.7.21 SM520: NFAULT Function Check
The NFAULT signal on the base device pulls low to indicate to the host that a monitored fault condition
has occurred in the base device or the stack devices. To verify the NFAULT function and its connection to the
host, the host transmits a UART command to the base device with an incorrect CRC. The NFAULT signal
should be monitored by the host before and after sending the incorrect CRC to verify that the NFAULT signal
changes state from high to low. The host should then reset the CRC fault via COMM_UART_RC_FLT_RST
[CRC_RST] and verify that the NFAULT signal changes state from low to high.
NOTE: Other UART communication from the host with a sequence intended to intentionally cause
NFAULT to go low and then reset NFAULT may be used in place of CRC fault detection.
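The SM520 sequence is a three-step host-side test with a precondition (NFAULT must be high before the stimulus, otherwise a fault is already pending and the transition cannot be observed). The following is an added example, not Texas Instruments code, of that sequence written against three integrator-supplied operations: read the NFAULT pin, send a command frame whose CRC is deliberately wrong, and write CRC_RST in COMM_UART_RC_FLT_RST. The UART frame format and CRC polynomial are not modelled, and `SimulatedBaseDevice` is a constructed stand-in used only to exercise the check.

```python
"""Host procedure for SM520, NFAULT function check (added example, not TI code).

The three callables are supplied by the integrator's driver; how a frame's CRC
is corrupted is left to that driver and is not modelled here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class NfaultCheckResult:
    passed: bool
    reason: str
    trace: List[int] = field(default_factory=list)   # NFAULT level sampled at each step


def nfault_function_check(read_nfault: Callable[[], int],
                          send_bad_crc_frame: Callable[[], None],
                          reset_crc_fault: Callable[[], None]) -> NfaultCheckResult:
    trace: List[int] = []
    # Step 1: NFAULT must be high before the stimulus, otherwise a fault is already pending.
    trace.append(read_nfault())
    if trace[-1] != 1:
        return NfaultCheckResult(False, "NFAULT already low before the test; clear pending faults first", trace)
    # Step 2: a command with an incorrect CRC must pull NFAULT low (high -> low).
    send_bad_crc_frame()
    trace.append(read_nfault())
    if trace[-1] != 0:
        return NfaultCheckResult(False, "NFAULT did not assert on the CRC fault (pin, wiring or fault path)", trace)
    # Step 3: resetting the CRC fault must release NFAULT (low -> high).
    reset_crc_fault()
    trace.append(read_nfault())
    if trace[-1] != 1:
        return NfaultCheckResult(False, "NFAULT stayed low after CRC_RST (other fault pending or pin stuck)", trace)
    return NfaultCheckResult(True, "NFAULT went high -> low -> high as expected", trace)


class SimulatedBaseDevice:
    """Constructed model of the base device's NFAULT behaviour (not the real register map)."""

    def __init__(self, nfault_stuck: Optional[int] = None):
        self.crc_fault = False
        self.nfault_stuck = nfault_stuck   # None = healthy pin; 0 or 1 = pin stuck at that level

    def read_nfault(self) -> int:
        if self.nfault_stuck is not None:
            return self.nfault_stuck
        return 0 if self.crc_fault else 1  # NFAULT is active low

    def send_bad_crc_frame(self) -> None:
        self.crc_fault = True              # device latches the UART CRC fault

    def reset_crc_fault(self) -> None:
        self.crc_fault = False             # host wrote COMM_UART_RC_FLT_RST[CRC_RST]


def run_on(dev: SimulatedBaseDevice) -> NfaultCheckResult:
    return nfault_function_check(dev.read_nfault, dev.send_bad_crc_frame, dev.reset_crc_fault)


if __name__ == "__main__":
    print(run_on(SimulatedBaseDevice()))
    print(run_on(SimulatedBaseDevice(nfault_stuck=1)))
```

On real hardware the three callables wrap the UART driver and the GPIO that NFAULT is wired to; the trace makes it possible to log which of the three transitions failed, which is what distinguishes a broken NFAULT wire (step 2 fails) from a fault that was already pending (step 1 fails).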
5.8 Miscellaneous Architecture Safety Mechanisms
The following safety mechanisms support features of the BQ79606A-Q1 that do not easily fit in the above
categories. This does not make these diagnostics any less critical to achieve the safety goals of the
system.
5.8.1 SM700: Customer NVM-Backed Register CRC Check
The OTP-backed customer registers are protected by a CRC. The CRC engine cyclically computes a
checksum value from the current register contents and compares it to the CRC checksum value stored in
the CUST_CRCH/L registers. The result is reported by the flag CUST_CRC in the SYS_FAULT2 register.
The calculated result of the engine can be viewed in CUST_CRC_RSLTH/L.
[AoU83] — The host MCU will read the CUST_CRC bit in SYS_FAULT2 every FDTI.
[AoU84] — The host MCU will determine the source of the error and decide if the system should be put in
a safe state.
5.8.2 SM701: Factory NVM-Backed Register CRC Check
The OTP-backed factory registers are protected by a CRC. The CRC engine cyclically computes a
checksum value from the current register contents and compares it to the CRC checksum value stored
from the factory. The result is reported by the flag FACT_CRC in the SYS_FAULT2 register.
[AoU85] — The host MCU will read the FACT_CRC bit in SYS_FAULT2 every FDTI.
[AoU86] — The host MCU will reset the device in an attempt to clear the CRC error. The host will decide
if the system should be put in a safe state.
5.8.3 SM702: NVM CRC DONE Check
The OTP-backed registers are protected by a CRC engine that cyclically computes a checksum value
from the current register contents. When the CRC engine has completed the CRC calculation, the
CRC_DONE bit in register DEV_STAT is set so that the system can know the CRC engine is operational.
[AoU87] — The host MCU will read the CRC_DONE bit in DEV_STAT once every drive cycle.
[AoU88] — If the CRC_DONE bit is not set, the host MCU will wait tCRC_OTP and re-read the bit.
[AoU89] — If the CRC_DONE bit remains at 0 after waiting tCRC_OTP, the device should be reset or the
system put in a safe state.
5.8.4 SM710: Check TWARN Flag
The BQ79606A-Q1 compares the Tj ADC result against a threshold equivalent to 115°C typical and
outputs the result to the TWARN flag in the SYS_FAULT1 register. If the TWARN flag is set, the system
should assume the environmental conditions are outside of the safety bounds and take appropriate action.
The TWARN flag is only updated after a Vcell ADC measurement is made.
[AoU90] — The host MCU will check that the TWARN bit in SYS_FAULT1 is 0 every FDTI.
[AoU91] — If TWARN is set, the host MCU will assume the environmental conditions are outside the
safety bounds and take appropriate action.
5.8.5 SM711: Die Temperature versus PTAT Sensor Accuracy Measurement
The Tj ADC measurement and the digital comparison of its result indicate whether the IC is operating above or
below 115°C typical, 125°C max. The IC is characterized beyond the max TWARN temperature to ensure
that operating performance is reasonable even if not meeting full datasheet specifications. Measuring the
PTAT voltage and comparing it to the die temperature sensor result gives a diagnosis of the validity of
the two sensors, which provides latent fault coverage.
[AoU92] — A VCELL measurement was completed so the DIE_TEMP value is fresh.
[AoU93] — The host MCU will perform the procedure for comparing the PTAT voltage against the
DIE_TEMP once every drive cycle.
[AoU94] — In the case of a mismatch between the PTAT voltage and the DIE_TEMP, the host MCU will
put the device in a safe state.
5.8.6 SM712: Thermal Shutdown
The BQ79606A-Q1 has multiple thermal shutdown sensors that force the device into SHUTDOWN if
the die temperature exceeds TSD. When this occurs, all communication to the device fails, which
indicates that the device is in SHUTDOWN. Once the device temperature has dropped by TSDHYS, the device can
be woken by the host and communication resumes. The TSD bit in SYS_FAULT1 is set
whenever the device enters SHUTDOWN as a result of a thermal sensor trip.
NOTE: Thermal Shutdown by the BQ79606A-Q1 is automatic and there is no requirement for the
host to enable the diagnostic.
5.8.7 SM720: LFOSC Accuracy Check
The BQ79606A-Q1 compares the LF oscillator to the HF oscillator using a counter. If the frequency is
outside of the specified range, the LFO flag is set in register SYS_FAULT3.
[AoU95] — The host MCU will read the SYS_FAULT3 register every FDTI to confirm the LFO flag is 0.
5.8.8 SM721: HFO Watchdog
The High Frequency Oscillator is monitored by an independent HFO watchdog for clocking activity while
the HFO is enabled. If the HFO does not transition high to low or low to high within tHFOWD, the watchdog
resets the digital core and holds the digital core in the reset state until the HFO watchdog signal is reset.
The watchdog timer resets and starts a new tHFOWD period any time the HFO clock transitions high to low
or low to high.
5.8.9 SM722: LFO Watchdog
The Low Frequency Oscillator is monitored by an independent LFO watchdog for clocking activity while
the LFO is enabled. If the LFO does not transition high to low or low to high within tLFOWD, the watchdog
resets the digital core and holds the digital core in the reset state until the LFO watchdog signal is reset. The
watchdog timer resets and starts a new tLFOWD period any time the LFO clock transitions high to low or
low to high.
5.8.10 SM730: Remove OTP Programming Voltage
The system must not apply a valid programming voltage to the VPROG pin during normal operation, to avoid
accidental programming of the OTP memory.
[AoU76] — No programming voltage will be applied to the VPROG pin during normal operation of the
device.
5.8.11 SM731: OTP Programming Lock
OTP programming should remain locked during normal operation to avoid accidental programming.
[AoU97] — The host MCU will read the OTP_PROG_STAT register to confirm the UNLOCK bit is 0 once
every drive cycle.
5.8.12 SM740: OTP ECC
Error correction and detection logic is implemented for the OTP memory as it is loaded into latched
memory. Single errors are corrected and flagged by SEC_DETECT in SYS_FAULT3, while double errors are
detected and flagged by DED_DETECT in the same register.
[AoU98] — The host MCU will read the SYS_FAULT3 register to confirm that both SEC_DETECT and
DED_DETECT are 0 once every drive cycle.
5.8.13 SM741: OTP ECC Test
The ECC engine can be tested for both Single Bit Error Correction and Double Bit Error Detection.
NOTE: ECC_TEST can be run in either MANUAL or AUTO mode. MANUAL mode requires that the
host write test data to the device. AUTO mode uses internal data to perform the tests. Either
mode provides sufficient diagnostic coverage.
[AoU99] — The host MCU will run the ECC_TEST once every drive cycle.
5.8.14 SM742: OTP Customer Load Error Check
Error check and correction for both single error correction (SEC) and double error detection (DED) are
performed during the customer space OTP load. Any load error of the customer OTP space sets the
CUSTLOADERR flag in the OTP_FAULT register.
5.8.15 SM743: OTP Factory Load Error Check
Error check and correction for both single error correction (SEC) and double error detection (DED) are
performed during the factory space OTP load. Any load error of the factory OTP space sets the
FACTLOADERR flag in the OTP_FAULT register.
5.8.16 SM744: OTP OverVoltage Error Check
The factory and customer OTP page spaces are continuously monitored for an over-voltage condition. An
overvoltage error in the factory or customer OTP pages sets the GBLOVERR flag in the OTP_FAULT
register.
NOTE: Information received from the device with this error must not be considered reliable.
5.8.17 SM745: Normal Shutdown Check
In order to differentiate a normal shutdown event from an abnormal shutdown event, the DRST bit in the
SYS_FAULT1 register can be monitored. In case of an abnormal shutdown, the AVDDUV_DRST bit in the
RAIL_FAULT register, the TSD bit in SYS_FAULT1 or the AVDD_REFUV_DRST bit in the SYS_FAULT1 register
is set.
NOTE: Abnormal shutdown events are caused by Thermal Shutdown, Digital Reset, Communication
timeout and LDO faults.
5.8.18 SM990: Factory Test Mode Disabled
The factory test mode should be disabled at all times during normal operation. The test mode status is
indicated by a non-zero value in register address 0x500. A value of 0x00 in this register indicates that the
device is in normal operating mode.
[AoU100] — The host MCU will read register address 0x500 every FDTI to confirm the value is 0.
[AoU101] — If the host MCU reads a value other than 0, the device will be reset.
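The assumptions of use in 5.8.1 through 5.8.18 fall into two schedules, checks the host must run every FDTI (SM700, SM701, SM710, SM720, SM990) and checks it runs once per drive cycle (SM702, SM731, SM740), and SM702 adds a wait-and-retry step. The following is an added example, not Texas Instruments code, that collects those checks into two host-side functions. Register and flag names are the manual's; the host reaches them through two integrator-supplied callbacks, so no bit positions or bus transport are assumed, and register address 0x500 is the factory test-mode status register named in SM990. Where an AoU says which action follows a failed check (AoU86, AoU89, AoU101) that action is used; where it only says "appropriate action" the `SAFE_STATE` escalation is this example's choice, as the comments mark. `SimulatedMonitor` is a constructed stand-in for the register map.

```python
"""Host scheduler for the section 5.8 assumptions of use (added example, not TI code).

read_flag(register_name, flag_name) -> 0/1 and read_reg(address) -> byte are
supplied by the integrator's driver; bit positions are deliberately not assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ReadFlag = Callable[[str, str], int]
ReadReg = Callable[[int], int]
TESTMODE_STATUS_ADDR = 0x500   # SM990: non-zero value means factory test mode


@dataclass(frozen=True)
class Finding:
    mechanism: str   # SMxxx identifier from the manual
    action: str      # "RESET", "SAFE_STATE" or "HOST_DECIDES"


# (mechanism, register, flag, expected value, action when the expectation fails)
FDTI_CHECKS = [
    ("SM700", "SYS_FAULT2", "CUST_CRC", 0, "HOST_DECIDES"),  # AoU83/AoU84: host decides
    ("SM701", "SYS_FAULT2", "FACT_CRC", 0, "RESET"),         # AoU85/AoU86: reset to clear
    ("SM710", "SYS_FAULT1", "TWARN", 0, "SAFE_STATE"),       # AoU90/AoU91: action is this example's choice
    ("SM720", "SYS_FAULT3", "LFO", 0, "SAFE_STATE"),         # AoU95: action is this example's choice
]
DRIVE_CYCLE_CHECKS = [
    ("SM731", "OTP_PROG_STAT", "UNLOCK", 0, "SAFE_STATE"),   # AoU97: action is this example's choice
    ("SM740", "SYS_FAULT3", "SEC_DETECT", 0, "SAFE_STATE"),  # AoU98: action is this example's choice
    ("SM740", "SYS_FAULT3", "DED_DETECT", 0, "SAFE_STATE"),  # AoU98
]


def check_every_fdti(read_flag: ReadFlag, read_reg: ReadReg) -> List[Finding]:
    """Checks the AoUs require once per fault detection time interval."""
    findings = [Finding(m, action) for m, reg, flag, want, action in FDTI_CHECKS
                if read_flag(reg, flag) != want]
    if read_reg(TESTMODE_STATUS_ADDR) != 0:          # AoU100/AoU101: any non-zero value -> reset
        findings.append(Finding("SM990", "RESET"))
    return findings


def check_every_drive_cycle(read_flag: ReadFlag, wait_tcrc_otp: Callable[[], None]) -> List[Finding]:
    """Checks the AoUs require once per drive cycle, including the SM702 retry."""
    findings = [Finding(m, action) for m, reg, flag, want, action in DRIVE_CYCLE_CHECKS
                if read_flag(reg, flag) != want]
    if read_flag("DEV_STAT", "CRC_DONE") == 0:       # AoU87/AoU88: wait tCRC_OTP once and re-read
        wait_tcrc_otp()
        if read_flag("DEV_STAT", "CRC_DONE") == 0:   # AoU89: still 0 -> reset (or safe state)
            findings.append(Finding("SM702", "RESET"))
    return findings


class SimulatedMonitor:
    """Constructed stand-in for the register map: flags keyed by (register, flag)."""

    def __init__(self, flags: Optional[Dict[Tuple[str, str], int]] = None,
                 testmode_value: int = 0, crc_done_after_wait: bool = False):
        self.flags = dict(flags or {})
        self.testmode_value = testmode_value
        self.crc_done_after_wait = crc_done_after_wait
        self.waited = 0

    def read_flag(self, reg: str, flag: str) -> int:
        return self.flags.get((reg, flag), 0)

    def read_reg(self, addr: int) -> int:
        return self.testmode_value if addr == TESTMODE_STATUS_ADDR else 0

    def wait(self) -> None:                           # stands in for waiting tCRC_OTP
        self.waited += 1
        if self.crc_done_after_wait:
            self.flags[("DEV_STAT", "CRC_DONE")] = 1


if __name__ == "__main__":
    dev = SimulatedMonitor({("SYS_FAULT1", "TWARN"): 1}, testmode_value=0x01)
    print(check_every_fdti(dev.read_flag, dev.read_reg))
```

Keeping the check tables separate from the scheduling makes the FDTI budget visible: every entry in `FDTI_CHECKS` plus the 0x500 read is a register access that must complete inside one FDTI, which is the number to compare against the UART or daisy-chain round-trip time for the stack height in use.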
6 BQ79606A-Q1 as Safety Element Out of Context (SEooC)
This section contains a Safety Element out of Context (SEooC) schematic of the BQ79606A-Q1. Texas
Instruments has made assumptions on the typical safety system configurations using this device. System-level
safety analysis is the responsibility of the developer of these systems and not Texas Instruments. As
such, this section is intended to be informative only, to help explain how to use the features of the
BQ79606A-Q1 to assist the system designer in achieving a given ASIL level. Customers are responsible
for putting this device into the context of their system and analyzing the ASIL coverage achieved therein.
The BQ79606A-Q1 has been designed to perform/function in the ways described in this safety manual
presuming that it is incorporated into a system that uses and interconnects the BQ79606A-Q1 with other
devices and elements as described. Please note that the system designer may choose to use this
BQ79606A-Q1 in other safety-relevant systems.
6.1 BQ79606A-Q1 - Typical Application Circuit
[Figure 20. Typical Application Circuit: schematic image not reproduced in this extraction. The drawing shows two stacked BQ79606 devices with cell inputs VC0 to VC6 and C0S to C5S through RC filters (47 Ω series resistors, 0.47 µF and 0.47//0.33 µF capacitors; note on the figure: "Requires only differential filter with low voltage capacitors"), cell-balancing pins CB0 to CB6, GPIO1 to GPIO6 ("GPIOs available, but not required"), TSREF, REF1, BAT (0.33 µF, 50 V), LDOIN, VLDO, CVDD, AVDD and DVDD supply decoupling (2.2 µF, 10 V capacitors), and the differential COMHP/COMHN and COMLP/COMLN daisy-chain links through isolation circuits with an optional ring connection. The base device's UART RX/TX, NFAULT and WAKEUP lines connect to the host microcontroller on the 3.3 V system I/O rail (VIO), with a 4.75 V to 5.5 V power supply.]
Figure 20. Typical Application Circuit
Revision History
NOTE: Page numbers for previous revisions may differ from page numbers in the current version.
Changes from B Revision (April 2019) to C Revision
• Replaced SM130: VC Path and Pin Open Check image. (page 27)
• Replaced SM131: CB Path and Pin Open Check image. (page 29)
Changes from A Revision (March 2019) to B Revision
• Updated part name to BQ79606A-Q1. (page 1)
IMPORTANT NOTICE AND DISCLAIMER
TI PROVIDES TECHNICAL AND RELIABILITY DATA (INCLUDING DATASHEETS), DESIGN RESOURCES (INCLUDING REFERENCE
DESIGNS), APPLICATION OR OTHER DESIGN ADVICE, WEB TOOLS, SAFETY INFORMATION, AND OTHER RESOURCES “AS IS”
AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD
PARTY INTELLECTUAL PROPERTY RIGHTS.
These resources are intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate
TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable
standards, and any other safety, security, or other requirements. These resources are subject to change without notice. TI grants you
permission to use these resources only for development of an application that uses the TI products described in the resource. Other
reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third
party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims,
damages, costs, losses, and liabilities arising out of your use of these resources.
TI’s products are provided subject to TI’s Terms of Sale (www.ti.com/legal/termsofsale.html) or other applicable terms available either on
ti.com or provided in conjunction with such TI products. TI’s provision of these resources does not expand or otherwise alter TI’s applicable
warranties or warranty disclaimers for TI products.
Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265
Copyright © 2019, Texas Instruments Incorporated