electronics

Article Power Supply Platform and Functional Safety Concept Proposals for a Powertrain Transmission Electronic Control Unit

Diana Raluca Biba 1, Mihaela Codruta Ancuti 1,*, Alexandru Ianovici 2, Ciprian Sorandaru 1 and Sorin Musuroi 1 1 Electrical Engineering Department, Faculty of Electrical and Power Engineering, University Politehnica Timisoara, 300223 Timisoara, Romania; [email protected] (D.R.B.); [email protected] (C.S.); [email protected] (S.M.) 2 Continental Automotive, Powertrain Transmission Department, 90411 Nurnberg, Germany; [email protected] * Correspondence: [email protected]; Tel.: +40-766-699556



Received: 12 May 2020; Accepted: 15 September 2020; Published: 27 September 2020


Abstract: In the last decade, modern vehicles have become very complex, being equipped with embedded electronic systems which include more than a thousand of electronic control units (ECUs). Therefore, it is mandatory to analyze the potential risk of automotive systems failure because it could have a significant impact on humans’ safety. This paper proposes a novel, functional safety concept at the power management level of a system basis chip (SBC), from the development phase to system design. In the presented case, the safety-critical application is represented by a powertrain transmission electronic control unit. A step-by-step design guideline procedure is presented, having as a focus the cost, safety, and performance to obtain a robust, cost-efficient, safe, and reliable design. To prove compliance with the ISO 26262 standard, quantitative worst-case evaluations of the hardware have been done. The assessment results qualify the proposed design with automotive safety integrity levels (ASIL, up to ASIL-D). The main contribution of this paper is to demonstrate how to apply the functional safety concept to a real, safety-critical system by following the proposed design methodology.

Keywords: electronic control unit (ECU); functional safety; microcontroller (µc); power supply; system basis chip (SBC)

1. Introduction It is well known that automotive integrated circuit packages continue to get smaller, but with more and more integrated functions inside the package. This is also available for the power supply module, which represents one of the main circuits from the electronic control unit (ECU). Usually, in automobiles, this type of power supply module is called the system basis chip (SBC) [1]. It integrates multiple functions besides voltage supplies, such as integrated transceivers for communication interfaces, a high-speed controller area network (CAN), and a local interconnect network (LIN), and supervision features like wake-up logic inputs, watchdogs, reset generators, fail outputs, and interrupt outputs. SBC devices are not new to the market, but their usage was increasing in the last period due to their high levels of integration, performance, and reliability. These advantages make them the perfect solution to limit the design’s costs. The ECU cost is significantly reduced by integrating the discrete components. However, this does not mean that all the components are integrated. Due to the limited power dissipation, some power elements remain discrete like, for example, the power switching transistor modules within the converters.

Electronics 2020, 9, 1580; doi:10.3390/electronics9101580 www.mdpi.com/journal/electronics Electronics 2020, 9, 1580 2 of 16

It is necessary to highlight that not only is the cost targeted, but also the safety and security, which represent special requirements in the automotive industry, especially for powertrain applications where the safety SBC architecture shall support independent monitoring of critical safety parameters. For example, it is an essential function for the energy and power management of the battery management systems, as well as the steering and transmission control in electric and hybrid vehicle applications. In these cases, the SBC shall meet automotive safety integrity level (ASIL) C x, or even higher, ASIL-D, and must be ISO 26262 [2] and IEC 61508 [3] compliant. Therefore, the advanced diagnosis of power management must be combined with the safety of power management and trigger the safe state when it is requested by the system. In a typical transmission control unit (TCU) application, the microcontroller represents the master and controls the SBC (the slave) through a serial peripheral interface (SPI). Safe operation is ensured by the capability of the microcontroller to detect faults using the integrated function of the SBC, called the question and answer (Q&A) watchdog. When detecting possible SBC faults by the integrated function control unit, multiple diagnostics like over–under voltage or over temperature are expected to be made. To meet the powertrain requirements in terms of cost and safety, a suitable SBC can be FS65xx from NXP [4]. The flexible and scalable NXP SBCs complement the powertrain microcontroller platforms that require functional safety. With buck–boost DC-to-DC architectures that support input voltage ranges from 2.7 V to 60 V for 12- and 24-V markets and scalable power options, these SBCs provide an energy-efficient solution for high-performance microcontrollers [5,6]. The latest Infineon AURIX™ TC3xx microcontrollers are also well suited for safety-critical applications. These microcontrollers combine performance functioning with a powerful safety architecture, which makes them perfectly fitting for powertrain applications. Infineon released its second-generation AURIX™ microcontroller in embedded flash 40 nm technology. It provides increased performance, memory size, connectivity, and more scalability to address the new automotive trends and challenges. In terms of performance, the highest product, TC39x, can have up to six cores running at 300 MHz and up to 6.9 MB of embedded RAM and has embedded voltage regulators. The total power consumption is below 2 W [7,8]. For hardware engineers, designing and optimizing safety supplies has become a mandatory task. Unfortunately, this task is often time-consuming and technically challenging. To simplify the design tasks and improve design quality and engineer productivity (i.e., to become more agile), this paper describes in detail, as a procedure, the design steps of a power supply concept for safety-critical application [9,10]. The proposed methodology represents a specific, but very well-organized guide to transmission control unit function, and it can be easily extended to other safety-relevant applications. The design procedure has as its focus cost, safety, and performance to obtain a robust, cost-efficient, safe, and reliable supply design. The paper is organized as follows. Section2 discusses design challenges related to safety operation for a novel concept of a safety-relevant power supply with only 5 V for the main component from an ECU, the microcontroller. In order to prevent and limit design difficulties and challenges, a design flow procedure is proposed in Section3. In Section4, special attention is paid to getting proper values of the 5 V regulator components by analyzing the SBC and microcontroller requirements, in terms of safety supply. The selection of components is proved by performing worst-case analysis to accomplish the hardware robustness target. Section5 deals with the enhanced features of the microcontroller and power SBC, in terms of power management, to guarantee a safe state by switching off the entire system in case of supply faults. Accordingly, a complete safety switch off path (SWOP) circuit is proposed for a printed circuit board (PCB) schematic. Finally, Section6 draws conclusions and proposes future research work.

2. Design Challenges There are three questions which represent the starting point of the proposed design:

1. What is needed (simplest solution) to supply the TC3xx with power from the FS65xx SBC to fulfill ASIL-D? How are the 3.3 V and 1.3 V internally generated by the TC3xx? Electronics 20202020,, 99,, xx FORFOR PEERPEER REVIEWREVIEW 33 ofof 1616

2. Design Challenges There are three questions which representrepresent thethe startingstarting pointpoint ofof thethe proposedproposed design:design: Electronics 2020, 9, 1580 3 of 16 1. What is needed (simplest solution) to supply the TC3xx with power from thethe FS65xx SBC to fulfillfulfill ASILASIL--D? How are the 3.3 V and 1.3 V internally generated by the TC3xx? 2.2. WhatWhat happens happens (over (over a a lifetime)lifetime) withwith thethe TC3xxTC3xx ifif the the power power supply supply from from the the SBC is mademade asas describeddescribed in in the the datasheet? datasheet? 3.3.. HowHow will will the the overall overall safety safety concept concept look? look? TheThe proposed proposed power power supply concept is to have an SBC,SBC, which which is is delivering delivering only 5 VV to to microcontroller.microcontroller. The The 3.3 3.3 V V and and 1.3 1.3 V V signals signals are are internally internally generated generated by by the the microcontroller microcontroller itselfitself itself byby byusing using its embedded its embedded voltage voltage regulators, regulators, as can as be can seenseen be seen inin Figure in Figure 1. By1 .using By using this concept, this concept, two major two majoradvantages advantages can be can derived: be derived: (1)(1) reducingreducing (1) reducing the the the use use use of of of external external external components, components, components, which which which automatically automatically involvesinvolves aa priceprice reductionreduction forfor thethe electricalelectrical billbill ofof materialmaterial (eBOM)(eBOM) andand PCBPCB spacespace [[11]11],,, andand (2)(2) avoidavoid electromagneticelectromagnetic interference (EMI) noise emissions; EMI requirements requirements are are anan importantimportant demanddemand toto bebe fulfilledfulfilled withinwithin transmissiontransmission applications.applicationss.. By By reducing reducing the the external external 3.3 3.3 V supply, thisththisis eliminateseliminateeliminatess aa potentialpotentialial EMIEMI noisenoise emissionemission [[12].[12].12].

Figure 1.1. Supply concept overview of a unique 5 V supply supply generated generated byby aa systemsystem basisbasis chipchip (SBC).(SBC))..

For the SBC, the pre-regulator (V ) is configured to be a non-inverting, buck–boost type For the SBC, the pre--regulatorregulator (V(VPREPREPRE)) isis configuredconfigured toto bebe aa non--invertinginverting,, buck–boost type DC-- DC-to-DC converter, and the core output (V ) is configured to incorporate a buck topology. A linear toto--DC converter, and the core output (VCORECORECORE)) isis configuredconfigured toto incorporateincorporate aa buckbuck topology.topology. AA linearlinear topologytopology is is also also available, available, but but in in the the current current case, case, the the scope scope is is to to to minimize minimize minimize energy energy energy consumption consumption consumption through the DC-to-DC switching regulator. The V is 5 V, representing the main supply for the throughthrough thethe DCDC--toto--DC switching regulator. The VCORECORE isis 55 V,V, representingrepresenting thethe mainmain supplysupply forfor thethe microcontroller.microcontroller. It also suppliessupplies otherother safety-relevantsafetysafety--relevantrelevant circuits.circuits. The The total total currentcurrent consumptionconsumption waswas calculatedcalculated andand consideredconsidered atat aa maximummaximum valuevalue ofof 1.51.5 A. A. For For communication, communication, a physical interface with integratedintegrated CANCAN FDFD andand LINLIN transceiverstransceivers waswass chosen.chosen. A A longlong durationduration timertimer (LDT)(LDT) waswass enabledenabled toto checkcheck thethe SBCSBC inin power power ooffoffff mode.mode. As As can can be be seen seen in in FigureFigure 2 2,2,, the thethe orderingorderingordering code codecode of ofof the thethe SBC SBCSBC component componentcomponent isis MC33FS6512LAEMC33FS6512LAE/R2MC33FS6512LAE/R2/R2 [[13[1313––1515].].

FigureFigure 2.2. SBC (NXP) (NXP) c componentcomponent nomenclature.nomenclature.. Reproduced Reproduced from from [[1].[1].1].

For the microcontroller, the second generation of the Infineon AURIX family, the TC397 microcontroller, is considered. The ordering code for the microcontroller is SAK-TC397TP-64F200N. This nomenclature, as shown in Figure3, corresponds to a production device with a temperature range Electronics 2020, 9, x FOR PEER REVIEW 4 of 16

ElectronicsFor 2020 the, 9, microcontroller, 1580 the second generation of the Infineon AURIX family, the TC3974 of 16 microcontroller, is considered. The ordering code for the microcontroller is SAK-TC397TP-64F200N. This nomenclature, as shown in Figure 3, corresponds to a production device with a temperature from 40 C up to 125 C, with board assembly recommendations (BGA) package 292, which consumes range− from◦ −40 °C up◦ to 125 °C, with board assembly recommendations (BGA) package 292, which belowconsum 2es W, below a triple 2 core W, runninga triple at core 200 runningMHz, support at 200 for MHz, floating support and fixed-point for floating operations, and fixed a- 4point MB flashoperations size, and, a 4CAN MB flash FD communication size, and CAN FD [16 ].communication [16].

Figure 3. Microcontroller (AURIX Infineon)Infineon) component nomenclature.nomenclature. Reproduced from [[4].4].

3. Design Flow Proposal TheThe design design of of safety safety power power supplies supplies requires requires significant significant attention attention to detail. to A detail.simplified A simplifiedprocedure isprocedure proposed is by proposed using an Xmindby using tool an to Xmind map all tool the to mandatory map all the steps, mandatory as can be steps, seen in as Figure can be4. Asseen can in beFigure seen, 4. safety As can is thebe seen, word safety dominating is the theword entire dominating flow. The the design entire must flow. start The from design the vehicle’s must start original from equipmentthe vehicle’s manufacturer’s original equipment (OEM) manufacturer requirements’s in (OEM) terms ofrequirements safety because in terms a critical of applicationsafety because shall a supportcritical application and enable shall the safety support function. and enable For athe typical safety automotive function. For application, a typical automotive it is mandatory application, to start fromit is mandatory the OEM’s to safety start requirementsfrom the OEM’s to take safety active requirements measures to achievetake active the measures required riskto achieve reduction the inrequired the sphere risk reduction of active in safety. the sphere For example, of active forsafety. a TCU For example, application for fora TCU a double-clutch application for automated a double- transmission,clutch automated the safe transmission, state reaction the is safe to disable state reaction the functions is to of disable the actuators the functions (putting of in the break actuators mode the(put brushlessting in break DC motors). mode the For brushless the airbag DC control motors). unit (ACU), For the the airbag safety control reaction unit is the (ACU), opposite, the safetyand it shallreaction enable is the the opposite actuators., and Therefore, it shall enable Step 1 the is important actuators. to Therefore define the, Step safety 1 is measures important to to be define taken the for thesafety applications. measures to be taken for the applications. The safetysafety mechanismmechanism shall shall be be carefully carefully analyzed analyzed from from both both cost cost and and effectiveness effectiveness points points of view. of Therefore,view. Therefore, in Step in 2, S thetep designers2, the designers shall put shall on put paper on apaper proposed a proposed configuration configuration for a proper for a supplyproper concept.supply concept. It represents It represents the time the for time noting for noting all the all challenges, the challenges, advantages, advantages, and risks.and risks. Then, Then, based based on theseon these assumptions, assumptions, the design the design will be created, will be taking created into, taking consideration into consid the components’eration the specifications components’ andspecifications safety recommendations. and safety recommendations. In order to check Inand order prove to that check all the and delivered prove voltagesthat all arethe within delivered the desiredvoltages range, are within a worst-case the desired analysis range (WCA), a worst shall-case be performed, analysis (WCA) as listed shall in Step be performed, 4. For functional as listed safety in managementStep 4. For functional (FSM), the safety WCA manageme representsnt a(FSM), safety the metric WCA through represent designs a safety and implementation.metric through design If the WCAand implementation. shows that monitoring If the isWCA not ensured, shows that major monitoring changes shall is not be ensured,considered major in the changes design. shallUsually, be thereconsidered are two in options: the design. adding Usually, an extra there circuit are fortwo monitoring options: adding or reconsidering an extra circuit components for monitoring which may or havereconsidering better performance. components Only which after may the have design better is improved,performance. in orderOnly toafter have the good design coverage is improved, of the fault’sin order detection, to have shallgood the coverage safety concept of the fault’s be released detection, (Step shall 6). In the the safety switch concept off or on be path released safety ( concept,Step 6). allIn the the safety switch activation off or on signals path are safety considered concept, in all redundant the safety logic. activation After a final signals review, are the considered design can in beredundant completely logic. released. After a final review, the design can be completely released.

Electronics 2020, 9, 1580 5 of 16 Electronics 2020, 9, x FOR PEER REVIEW 5 of 16

Figure 4. Proposed power supply design steps for safety safety-relevant-relevant applications.applications.

4. Power Supply Design and Safety Requirements Evaluation TheThe focus of of this this section section is is to to provide provide a acorrect correct and and robust robust SBC SBC design design which which will will withstand withstand the theautomotive automotive requirements requirements,, in terms in terms of safety. of safety. This Thispaper paper will break will break the procedure the procedure down down into a into step a- step-by-stepby-step action action that every that every designer designer can follow can follow to create to create a prope a properr safety safety circuit circuit between between the supply the supply and andmicrocontroller microcontroller in safety in safety-relevant-relevant applications. applications.

4.1. What Is Needed (Simplest(Simplest Solution)Solution) to to Supply Supply the the TC397 TC397 with with Power Power from from FS6512 FS6512 SBC SBC to Fulfillto Fulfill ASIL-D? ASIL- D? 4.1.1. V Configuration of FS6512: For VCORE—BUCK Regulator

4.1.1.The V Configuration FS6512 VCORE of regulatorFS6512: For is V aCORE buck—BUCK DC–DC Regulator topology, operating in voltage control mode. The high side of the switching transistor is connected to the VPRE and is integrated into the SBC. The FS6512 VCORE regulator is a buck DC–DC topology, operating in voltage control mode. The The VCORE buck regulator shall regulate the output voltage only against the output loading. In this case, high side of the switching transistor is connected to the VPRE and is integrated into the SBC. The VCORE the input variations are stable. The typical switching frequency is fixed at 2.4 MHz. The V buck buck regulator shall regulate the output voltage only against the output loading. In thisCORE case, the accomplishes proper regulation within the feedback loop by integrating an error amplified by linear input variations are stable. The typical switching frequency is fixed at 2.4 MHz. The VCORE buck feedback. The output voltage V is configurable in a range from 1 V up to 5 V through an external accomplishes proper regulationCORE within the feedback loop by integrating an error amplified by linear resistor bridge (R3/R4), as can be seen in Figure5. Therefore, it is necessary to adjust the divider values feedback. The output voltage VCORE is configurable in a range from 1 V up to 5 V through an external to get 5 V. The first divider is connected between the VCORE and the FB_CORE feedback pin. VCORE resistor bridge (R3/R4), as can be seen in Figure 5. Therefore, it is necessary to adjust the divider values = VCORE_FB ((R3 + R4)/R4). For safety purposes, to meet ASIL-D requirements, a second feedback to get 5 V. The first divider is connected between the VCORE and the FB_CORE feedback pin. VCORE = monitor can be used to monitor redundantly the VCORE voltage, having the feedback loop connected VCORE_FB ((R3 + R4)/R4). For safety purposes, to meet ASIL-D requirements, a second feedback monitor to the FCRBM (feedback core resistor bridge monitoring) pin. If not used, the pin is connected directly can be used to monitor redundantly the VCORE voltage, having the feedback loop connected to the to the FB_CORE. The safety manual recommends using less than 1.0% accuracy resistors, setting R FCRBM (feedback core resistor bridge monitoring) pin. If not used, the pin is connected directly to4 = 8.06 kΩ, and adjusting R3 to obtain a VCORE of 5 V. The component datasheet provides a voltage the FB_CORE. The safety manual recommends using less than 1.0% accuracy resistors, setting R4 = 8.06 kΩ, and adjusting R3 to obtain a VCORE of 5 V. The component datasheet provides a voltage accuracy of ± 2.0% (without considering the accuracy of the external resistors). The stability of the

Electronics 2020, 9, 1580 6 of 16

ElectronicsElectronics 20202020,, 99,, xx FORFOR PEERPEER REVIEWREVIEW 66 ofof 1616 accuracy of 2.0% (without considering the accuracy of the external resistors). The stability of the ± overall converter is ensured only by using an external compensation network (R1/C1/R2/C2) connected overalloverall converterconverter isis ensuredensured onlyonly byby usingusing anan externalexternal compensationcompensation networknetwork (R(R11/C/C11/R/R22/C/C22)) connectedconnected tototo thethethe COMP_CORECOMP_CORECOMP_CORE pin.pinpin..

FigureFigureFigure 5. 5.5. F6512 F6512F6512 SBC SBCSBC 5 55 V, VV, V, VVCORECORECORE designdesign.design.. ReproducedReproduced fromfrom [1].[1]. [1].

Usually,Usually, the the the components’ components’ components’ datasheets datasheets datasheets tell tell only only one one part part part of of of the the the story story story and and and recommend recommend recommend generic generic generic (typical)(typical)(typical) valuesvaluesvalues forforfor thethethe components,componentscomponents,, asasas cancancan bebebe seenseenseen ininin FigureFigureFigure6 6..6. It ItIt is isis necessary necessarynecessary to toto highlight highlighthighlight that thatthat when whenwhen workingworkingworking with withwith safety-critical safetysafety--criticalcritical design, design,design, all allall hardware hardwarehardware designers designersdesigners shall shallshall add addadd proofs proofsproofs for theforfor designthethe designdesign and notandand take notnot thetaketake manufacturer’s thethe manufacturermanufacturer stated’’ss stated stated output output output capabilities capabilities capabilities for granted. for for granted. granted. Therefore, Therefore, Therefore, in this paper, in in this this for paper, paper, the proposed for for the the concept,proposedproposed the concept,concept, authors thethe added authorsauthors proofs addedadded and proofs consideredproofs andand aconsidconsid worst-caseeredered aa scenario worstworst--casecase for buckscenarioscenario inductor forfor buckbuck (LCORE inductorinductor) and compensation(L(LCORECORE)) andand compensationcompensation network (R1 network/networkC1/R2/C 2 (R(R) selection.11/C/C11/R/R22/C/C22 The)) selection.selection. component TheThe componentcomponent selection must selectionselection be done mustmust in such bebe donedone a way inin thatsuchsuch the aa wayway SBC thatthat should thethe provideSBCSBC shouldshould output provideprovide voltage outputoutput (output voltagevoltage power) (output(output with power) somepower) safety withwith margin somesome safetysafety on top, marginmargin in terms onon oftop,top, stability. inin termsterms ofof stability.stability.

FigureFigure 6.6. TypicalTypical valuesvalues recommendedrecommended byby thethethe F6512F6512F6512 SBCSBCSBC datasheet. datasheet.datasheet.

InInIn order order order to to to design design design the the the V V VCORECORECORE forfor 555 V,VV,, the the the L LCORE LCORECORE inductorinductorinductor was was was calculated. calculated. calculated. A A correct correct correct inductor inductor inductor selectionselectionselection isisis mandatorymandatory forfor properproper designdesign becausebecause thethe inductorinductor hashas anan impactimpact on on the the efficiency, eefficiency,fficiency, ononon thetthehe transienttransienttransient response,responseresponse,, andand onon controlcontrol looplooploop stability.stability.stability. AAA poorpoorpoor inductorinductorinductor selectionselectionselection cancan causecause damagedamage toto thethe converter,converter, leadleadlead tototo prematureprematurepremature overcurrentovercurrentovercurrent protection,protectionprotection,, andandand limitlimitlimit outputoutputoutput capability.capability.capability. TheTheThe inductorinductorinductor waswawass sizedsizedsized so so so asasas tototo avoid avoid avoid saturation saturation saturation and and and help helphelp the thethe V V VCORECORECORE convertercoconverternverter remain remain in in continuous continuous continuous current current mode mode mode (CCM)(CCM)(CCM) through through through this this this range, range, range, considering considering considering the worst-case the the worst worst-- limits.casecase limits. limits. The calculation The The calculation calculation of the minimum of of the the minimum minimum inductor valueinductorinductor (Lbuck_min valuevalue (L(L) wasbuckbuck__minmin performed)) wawass performedperformed using a Mathcadusingusing aa MathcadMathcad tool. The tool.tool. following TheThe followingfollowing formula formulaformula was used: wawass used:used: (V(Vin V V out V V R )Duty )Duty _ _ Cycle Cycle (V inmaxmaxV out rated ratedV R ds ds _ _ on on)maxmaxDuty_Cycle LL  inmax outrated Rds_onmax (1) buckbuck _ _ min min − 2I2IL− f f sw (1) Lbuck_min  Lminminmin sw min min (1) 2IL minfsw minmin min wherewhere thethe followingfollowing parametersparameters wewerere consideredconsidered:: VVinin == VVPREPRE (the(the prepre--regulatorregulator inputinput voltage)voltage);; VVoutout == where the following parameters were considered: V = V (the pre-regulator input voltage); VVCORECORE,, thethe outputoutput currentcurrent throughthrough inductorinductor (I(ILL));; ffswsw,, thethein converterconverterPRE switchingswitching frequencyfrequency;; andand VVRRds_onds_on V(implicitly(implicitlyout = VCORE,, thethe, voltage thevoltage output acrossacross current thethe switchingswitching through eleele inductorment).ment). (IL); fsw, the converter switching frequency; and VTheTheRds_on dutyduty(implicitly, cyclecycle wawass the computedcomputed voltage acrossasas depicteddepicted the switching byby thethe belowbelow element). equationequation,, consideringconsidering thethe voltagevoltage dropsdrops throughthrough thethe switchingswitching elementelement andand acrossacross thethe diodediode (V(Vf_diodef_diode)):: VVVV outoutratedrated f f _ _ diode diode max max DutyDuty _ _ Cycle Cycle ( ( ) ) (2)(2) VVVVinin R R maxmax ds_ ds_ on onmaxmax

TheThe minimumminimum currentcurrent throughthrough thethe inductorinductor (I(ILminLmin)) wawass calculatcalculateded asas shownshown below:below:

Electronics 2020, 9, 1580 7 of 16

The duty cycle was computed as depicted by the below equation, considering the voltage drops through the switching element and across the diode (Vf_diode):

Vout + Vf_diode Duty_Cycle  ( rated max ) (2) V V Electronics 2020, 9, x FOR PEER REVIEW inmax − Rds_onmax 7 of 16

The minimum current through the inductor (ILmin) was calculated as shown below: I kI L outmax

∆IL  kIoutmaxI (3) I  L (3) L ∆IL ILmin 22 where k is the inductor ripple current factor (20–40%) applied to the maximum allowed output where k is the inductor ripple current factor (20–40%) applied to the maximum allowed output current ( I ). current (Ioutoutmaxmax). By running the above calculation, a minimum value of 2.118 µHµH was obtained for the buck coil, which correspondscorresponds toto aa 2.22.2 µµHH standardstandard value.value. Taking intointo considerationconsideration this coil value, the maximum output current of 1.5 A, the 5 V outputoutput voltage, and by using the Graphical User Interface (GUI)(GUI) provided by NXP to check the converter stability, plots plots for for transient transient and and Bode Bode characteristics characteristics were were evaluated evaluated in order in order to obtain to obtain the right the values right valuesfrom the from compensation the compensation network. network. Considering Considering the following the following values— values—CC1 = 330 pF,1 = R3301 = pF,1.1 RkΩ,1 = C1.12 = k1Ω00, CpF,2 = R1002 = 4 pF,7 kΩ R2—=it47 can kΩ be—it stated can bethat stated the control that the loop control was loop properly was properlycompensated. compensated. Figure 7 Figureshows 7a shows a simulated Bode plot with a sufficient phase margin around 55 C and a gain margin of 20 dB. simulated Bode plot with a sufficient phase margin around 55 °C and◦ a gain margin of −20 dB.−

Figure 7. Buck converter stability in transienttransient and Bode plots.

4.1.2. V Configuration Configuration Supply Concept for TC397 TheThe 55 VV signalsignal provided provided by by the the SBC SBC is is the the unique unique supply supply of theof the microcontroller, microcontroller as can, as alsocan bealso seen be inseen Figure in Figure8. It directly 8. It directly supplies supplies the embedded the embedded voltage voltage regulators regulators for core for andcore flash and flash supply supply (EVRC (EVRC and EVR33).and EVR33). It supplies It supplies theanalog the analog ports ports (VDDM (VDDM and VADC),and VADC), the flexible the flexible ports ports (VFLEX, (VFLEX, configured configured to be suppliedto be supplied from 5 from V and 5 notV and from not 3.3 from V), and 3.3 theV), embeddedand the embedded voltage regulator voltage regulator in standby in mode standby (ERVRSB). mode It(ERVRSB). is important It is to important mention that to mention the supply that mode the supply selection mode is done selection in an externalis done in hardware an external configuration. hardware Theconfiguration. microcontroller The microcontroller contains dedicated contains pins dedicated called HWCFG_x pins called for HWCFG this purpose._x for this At purpose. the HWCFG_1 At the pin,HWCF correspondingG_1 pin, corresponding to port P14.5, to EVR33 port P14.5, is enabled EVR3 or3 disabled is enabled at startup. or disabled At the at startup.HWCFG_2 At pin,the HWCFG_2 pin, corresponding to port P14.2, EVRC is enabled or disabled at startup. The enabled function is selected in this design by adding pull-up resistors externally in order to have a logic 1 on the input ports.

Electronics 2020, 9, 1580 8 of 16 corresponding to port P14.2, EVRC is enabled or disabled at startup. The enabled function is selected Electronicsin this design 2020, 9, byx FOR adding PEER REVIEW pull-up resistors externally in order to have a logic 1 on the input ports.8 of 16

FigureFigure 8. 8. MicrocontrollerMicrocontroller proposed proposed supply supply overview. overview.

TheThe EVRC EVRC (embedded (embedded voltage voltage regulator regulator for for core core supply) supply) regulator regulator wa wass impl implementedemented as asa switcheda switched mode mode power power supply supply regulator regulator (buck topology), (buck topology), generating generating the core supply the core VDD supply (the label VDD of(the the label power of the suplly) power of suplly)1.25 V. of This 1.25 step V.- Thisdown step-down (VDD) contain (VDD)ed contained not only notthe onlyintegrated the integrated voltage regulator,voltage regulator, but the voltage but the feedback voltage feedbackloop too. loopDue too.to power Due loss to power limitation, loss limitation,the switching the switchingelements (theelements N channel (the and N channel P channel and of P the channel MOSFETs of the (Metal MOSFETs-Oxide (Metal-Oxide Semiconductor Semiconductor Field-Effect Transistor Field-Effect)) andTransistor)) the LC (an and electric the LC circuit (an electric consisting circuit of consisting an inductor of andan inductor a capacitor) and afilter capacitor) were considered filter were externally.considered For externally. the schematic, For the in order schematic, to minimize in order the to PCB minimize space, theInfineon PCB space,BSZ215C Infineon H component BSZ215Cs— H complementarycomponents—complementary power MOSFETs power—were MOSFETs—were used, with both used, N- withand Pboth-channel N- and MOSFETs P-channel within MOSFETs the samewithin package. the same For package. the filter, For due the to filter,the resonance due to the frequency resonance of frequency3.6 MHz, the of3.6 coil MHz, value the wa coils 3.3 value µH (Vishaywas 3.3—µIHLP1616BZH (Vishay—IHLP1616BZ-ER-3R3-M-5A)-ER-3R3-M-5A) and the output and capacitor the output value capacitor was 22 value µF (ceramic was 22 µ Fcapacitor (ceramic 22capacitor µF, TDK 22 − µCGA6PF, TDK1 × CGA6P17R1C226KT).7R1C226KT). − × TheThe EVR33 EVR33 regulator regulator represent representeded the the embedded embedded voltage voltage regulator regulator for for the the 3.3 3.3 V V voltage voltage supply. supply. ItIt wa wass always always implemente implementedd as as an an LDO LDO (Low (Low Dropout) Dropout) regulator regulator and and generate generatedd a a digital digital supply supply for for FlashFlash (VDDP3 (VDDP3)) of of 3. 3.33 V V (with (with internal internal pass pass devices). devices). It It contains contains an an integrated integrated voltage voltage regulator, regulator, a a pass pass devicedevice control control unit unit,, and a voltagevoltage feedbackfeedback loop.loop. OnlyOnly the the output output capacitor capacitor (ceramic (ceramic capacitor capacitor 100 100 nF, nF,TDK—CGA3E2X7R1H104KT0Y9N) TDK—CGA3E2X7R1H104KT0Y9N) is not is not integrated. integrated.

4.2.4.2. WhatWhat Happens Happens (over Lifetime)Lifetime) with with the the TC3xx TC3xx If if the the Power Power Supply Supply from from PSBC PSBC Is Done Is D Likeone Like in the in Data the Data Sheet? Sheet?The design for the power supply was completed by delivering 5 V to the microcontroller with a VCOREThe design buck for and the to power its proper supply selected was completed components. by delivering The supply 5 V structure to the microcontroller for the controller with was a VCOREcompleted buck by and choosing to its suitableproper outputselected components. components. It wasThe notsupply enough. structure This sectionfor the highlightscontroller thatwas a completeddeeper investigation by choosing is necessarysuitable output by looking components. for the worst-case It was not scenario. enough. The This worst-case section highlights analysis for that the adesign deeper is investigation a proof that the is hardwarenecessary meets by looking or exceeds for the designworst-case specifications scenario. forThe its worst lifetime.-case For analysis a safety for the design is a proof that the hardware meets or exceeds the design specifications for its lifetime. For a safety application like the TCU, the WCA is mandatory to be performed; it is not an option. The designers can foresee potential damages of the design, predict the lifetime decreasing and, in addition, anticipate the predictable faults in the system (SBC microcontroller). In other words,

Electronics 2020, 9, 1580 9 of 16 application like the TCU, the WCA is mandatory to be performed; it is not an option. The designers can foresee potential damages of the design, predict the lifetime decreasing and, in addition, anticipate the predictable faults in the system (SBC microcontroller). In other words, designers can reduce financial, legal, and safety risks and help to ensure satisfactory performance for the application.

4.2.1. TC397 Microcontroller Requirements in Terms of Supply An important step in the design is to check the remaining useful life of the microcontroller when the SBC exceeds 5 V, which is the rated voltage. Verification is needed in order to get a precise understanding of the worst-case behavior of the TCU. The 5 V signal provided by the SBC shall match the microcontroller specification regarding quality, robustness, lifespan, and safety goals. The microcontroller requirements, in terms of supply voltage range, are depicted in Table1 below.

Table 1. Microcontroller supply operation range.

TC3xx, C40 nm Technology Range Behavior 5.6–6.5 V 60 h (Safety case, reset asserted, rated max. voltage +30%) 5.6–6.5 V 10 h (Safety case, reset unasserted, rated max. voltage +30%) 5.3–5.6 V 100 h (Safety case, reset unasserted) 4.5–5.3 V 100% of lifetime (Normal functioning, rated max. voltage of 6%)

Normal functioning is ensured between 4.5 V (corresponding to a 10% tolerance) and 5.3 V − (corresponding only to a 6% voltage tolerance). This is the reason for the SBC supply main limitation. A larger margin for an overvoltage condition of at least +10% was expected. In this case, it means that the SBC must trigger the safety case when the VCORE already exceeds 5.3 V. In addition, as it is listed in the table, the microcontroller will still operate without resetting, but in safety cases up to 5.6 V for 100 h, or up to 6.5 V for 10 h. In addition to that, during the reset mode, it can handle 6.5 V for a maximum of 60 h. The operation hours are given by the microcontroller manufacturer based on lifetime measurements of a large number of components within its structure. From the designers’ points of view, the results obtained are trustworthy, but in the automotive domain, proofs are needed. For the current technology, there is no possibility to measure the lifetime reduction (counting the remaining hours before damage) in an overvoltage situation, but only to predict it. In addition, in a safety-critical operation case, it is more crucial. The risks come when the hours listed in the table are not reflecting reality. No one will take such risks in the context of damaging the master component of the TCU in ASIL-C or D applications. The safety shall be triggered at 5.3 V and stop the TCU system’s operation. This means that the FS6512 SBC shall detect the overvoltage at 5.3 V and generate the safety at the FS0B pin. FS0B represents the first output of the safety block (active low signal type). For this action, the designers shall demonstrate by calculation the safety activation at 5.3 V. Only by calculation can the designers identify the design issues and the alternatives or get confidence in a good critical design.

4.2.2. VCORE 5 V Worst-Case Mathcad Calculation The computational method used as a validation of overvoltage detection in this paper was the extreme value analysis (EVA) method. The purpose of the calculation is to obtain an accurate indication of the worst-case results, especially for the overvoltage detection range. Along the calculation process, all the electronic components’ tolerances were considered, including initial manufacturing tolerances, environmental (temperature) tolerances, aging tolerances, detraction, and drift factors. A WCA was then performed, using a Mathcad tool, for the VCORE circuit by setting all the components’ values to their end tolerance limits. For the feedback resistors (R3,R4) in the calculation Electronics 2020, 9, 1580 10 of 16 process, 0.1% initial tolerance, 0.25% aging tolerance, and a temperature coefficient (temp_coef) of 25 ppm were considered. The formula below was used:

 ( + )( + )( + )   R 1 tolerance 1 ageing 1 ∆Temp temp_coeff   ·  Rn(R,tolerance,ageing,temp_coeff,t)   R  (4)    R(1 tolerance)(1 ageing)(1 ∆Temp temp_coeff)  − − − · where ∆Temp is the difference between the application’s maximum temperature (125 ◦C) and its rated temperature (25 ◦C). The following results were obtained:

 3   3   42.454 10   8.108 10   × 3   × 3  R3 =  42.2 10 ;R4 =  8.06 10 . (5)  ×   ×   42.052 103   8.012 103  × ×

The maximum, rated, and minimum VCORE computed values are in correlation with the feedback directional sensitivity circuit of the FS6152 supply (VCORE_FB). Therefore, the undervoltage and overvoltage feedback values (VCORE_FB_UV;VCORE_FB_OV) were extracted from the manufacturer specification and introduced in a Mathcad tool as listed in the below formula:    0.816    VCORE_FB =  0.8 ;    0.784  (6)

VCORE_FB_UVmax = 0.773; VCORE_FB_OVmax = 0.905; = = VCORE_FB_UVmin 0.67; VCORE_FB_OVmin 0.84.

For the rated VCORE obtained using (6), the rated range will be

 R3 + R4   V max min   CORE_FBmax R     4min  5.14  R + R     3rated 4rated    VCORE_5V   VCORE_FB ;VCORE_5V =  4.989 . (7)  rated R     4rated     R + R  4.85  3min 4max   VCORE_FBmin  R4max

For the overvoltage detection range (VCORE_5V_OV), the VCORE limit will be + R3max R4min VCORE_5V_OVmax  VCORE_FB_OVmax ;VCORE_5V_OVmax = 5.701; R4min R + R (8) 3min 4max = VCORE_5V_OVmin  VCORE_FB_OVmin ;VCORE_5V_OVmin 5.196. R4max

For the undervoltage detection range (VCORE_5V_UV), the VCORE limit will be + R3max R4min VCORE_5V_UVmax  VCORE_FB_UVmax ;VCORE_5V_UVmax = 4.869; R4min R + R (9) 3min 4max = VCORE_5V_UVmin  VCORE_FB_UVmin ;VCORE_5V_UVmin 4.145. R4max

The results of the above calculus represent, basically, the best approach to predict the under and overvoltage 5 V supply faults in the circuit. As can be derived from Figure9, the normal operation is ensured within the range of 4.85–5.15 V. The main drawback occurs in the detection range of the undervoltage and overvoltage monitored behaviors. From the plot in Figure9, it can be seen that the detection is significantly out of range. In the case of undervoltage detection, a power-on reset can be generated. The critical point represents overvoltage detection when the microcontroller could Electronics 2020, 9, 1580 11 of 16 be damaged completely. From this moment, it is clear that the design needs improvements in order to operate properly and safely. There are two options, and the first one is to use components with better performance. However, in this case, 0.1% resistors were already used, despite the fact that theElectronics SBC manufacturer 2020, 9, x FOR PEER specifies REVIEW 1%. The remaining option is to add to the design a specific circuit11 of 16 which could limit or switch off operation when the VCORE voltage goes higher than 5.3 V. A proposed voltagesupervisor supervisor component component is TPS3702 is TPS3702-DX50Q1.-DX50Q1. It generates It generates a safe a safestate state activation activation or reset or reset when when the thevoltage voltage is higher is higher than than 5.3 5.3 V. V.

FigureFigure 9. 9.Mathcad Mathcad plot plot overview overview of of the the detection detection range range in in a a worst-case worst-case scenario. scenario.

5. Power Supply Safety Concept Design Proposal 5. Power Supply Safety Concept Design Proposal 5.1. Safety Connections 5.1. Safety Connections The selection of the best safety mechanism, as listed in this paper, will be a tradeoff between The selection of the best safety mechanism, as listed in this paper, will be a tradeoff between performance and cost. Because improved detection cannot be done from the components point of performance and cost. Because improved detection cannot be done from the components point of view, an additional circuit will be considered and, thus, the total cost of the application will increase. view, an additional circuit will be considered and, thus, the total cost of the application will increase. This additional cost cannot be avoided, because the statement of safety first prevails. The effort This additional cost cannot be avoided, because the statement of safety first prevails. The effort made made for the design to meet safety constraints is moved now into design efforts to create a proper for the design to meet safety constraints is moved now into design efforts to create a proper interconnection switch-off path for the TCU considering all the three blocks: the microcontroller, the interconnection switch-off path for the TCU considering all the three blocks: the microcontroller, the SBC, and the overvoltage and undervoltage monitoring circuit. This section provides a good safety SBC, and the overvoltage and undervoltage monitoring circuit. This section provides a good safety activation concept, looking step by step at safety activation signal configuration for each main block. activation concept, looking step by step at safety activation signal configuration for each main block. 5.1.1. Check the SBC Safety Activation 5.1.1. Check the SBC Safety Activation The FS6512 SBC plays an important role in safety-oriented TCU system partitioning. A dedicated fail-safeThe state FS6512 machine SBC plays is implemented an important to role bring in safety and maintain-oriented theTCU TCU system application partitioning. into aA safe dedicated state. Thefail- SBCsafe providesstate machine an overvoltage is impleme andnted undervoltage to bring and monitoring maintain featurethe TCU of theapplication FB_CORE, into which a safe is state. part ofThe the SBC fail-safe provides state machine,an overvoltage as can and be seen undervoltage in Figure 10 monitoring. feature of the FB_CORE, which is partIf of the the FB_CORE fail-safe state is above machine, or below as can the be value seen specified in Figure by 10. the SBC datasheet, RSTB (the reset pin) and/or FS0B (depending on the device configuration) are asserted as low. The reset pin controls and monitors the microcontroller’s reset pin. The FS0B is available to control or deactivate any fail-safe circuitry in redundancy with the microcontroller. Both RSTB and FS0B shall be integrated in the switch-off concept. In addition, FS6512 has an interrupt output pin, called the INTB pin, for error information, connected at the microcontroller’s non-maskable interrupt interface.

Figure 10. F6512 SBC internal safety activation circuit. Reproduced from [1].

Electronics 2020, 9, x FOR PEER REVIEW 11 of 16 supervisor component is TPS3702-DX50Q1. It generates a safe state activation or reset when the voltage is higher than 5.3 V.

Figure 9. Mathcad plot overview of the detection range in a worst-case scenario.

5. Power Supply Safety Concept Design Proposal

5.1. Safety Connections The selection of the best safety mechanism, as listed in this paper, will be a tradeoff between performance and cost. Because improved detection cannot be done from the components point of view, an additional circuit will be considered and, thus, the total cost of the application will increase. This additional cost cannot be avoided, because the statement of safety first prevails. The effort made for the design to meet safety constraints is moved now into design efforts to create a proper interconnection switch-off path for the TCU considering all the three blocks: the microcontroller, the SBC, and the overvoltage and undervoltage monitoring circuit. This section provides a good safety activation concept, looking step by step at safety activation signal configuration for each main block.

5.1.1. Check the SBC Safety Activation The FS6512 SBC plays an important role in safety-oriented TCU system partitioning. A dedicated fail-safe state machine is implemented to bring and maintain the TCU application into a safe state. ElectronicsThe SBC2020 provides, 9, 1580 an overvoltage and undervoltage monitoring feature of the FB_CORE, which12 of 16is part of the fail-safe state machine, as can be seen in Figure 10.

Electronics 2020, 9, x FOR PEER REVIEW 12 of 16

If the FB_CORE is above or below the value specified by the SBC datasheet, RSTB (the reset pin) and/or FS0B (depending on the device configuration) are asserted as low. The reset pin controls and monitors the microcontroller’s reset pin. The FS0B is available to control or deactivate any fail-safe circuitry in redundancy with the microcontroller. Both RSTB and FS0B shall be integrated in the switch-off concept. In addition, FS6512 has an interrupt output pin, called the INTB pin, for error Figure 10. F6512 SBC internal safety activation circuit circuit.. Reproduced from [1] [1].. information, connected at the microcontroller’s non-maskable interrupt interface. 5.1.2. Check the µC Safety Activation 5.1.2. Check the µC Safety Activation In order to fulfill technical safety requirements, the TC397 microcontroller has a PMS (Power ManagementIn order Systems, to fulfill astechnical shown safety in Figure requirements, 11) module, the which TC397 implements microcontroller software has a withPMS staggered(Power voltageManagement monitoring. Systems The, as PMS shown is built in Figure upon 11 a primary) module, and which a secondary implements monitor, software providing with staggered adequate voltage monitoring. The PMS is built upon a primary and a secondary monitor, providing adequate redundancy to activate the safe state in case of under or overvoltage faults. The primary monitoring redundancy to activate the safe state in case of under or overvoltage faults. The primary monitoring circuit can generate only an undervoltage detection for the following voltages: 5 V, 3.3 V, and 1.25 V. circuit can generate only an undervoltage detection for the following voltages: 5 V, 3.3 V, and 1.25 V. In case of undervoltage detection, in the primary monitoring unit of the PMS, a power-on reset In case of undervoltage detection, in the primary monitoring unit of the PMS, a power-on reset will will be generated. In the secondary monitoring block, both functions of under and overvoltage be generated. In the secondary monitoring block, both functions of under and overvoltage protection protection are implemented. In case of detection in the secondary monitoring unit of the PMS, are implemented. In case of detection in the secondary monitoring unit of the PMS, the SMU (Safety theMonitoring SMU (Safety Unit) Monitoringwill generate Unit)an alarm will on generate the error pin an (FSPx alarm, the on fail the-safe error pin). pin Detection (FSPx, thresholds the fail-safe pin).can Detection be set thresholds in the cansoftware be set in the code software via code SWDUVVAL via SWDUVVAL/SWDOVVAL/SWDOVVAL bits in bits the in the PMS_EVRUVMONPMS_EVRUVMON/PMS_EVROVMON/PMS_EVROVMON registers. The The signal signal provided provided by by the the microcontroller microcontroller at the at the FSPFSP pin pin shall shall be be part part of of the the switch-o switch-offff concept.concept.

FigureFigure 11. 11.TC397 TC397 PowerPower managementmanagement system system block block diagram diagram.. Reproduced Reproduced from from [4]. [ 4].

5.2. Safety Architecture for the Switch-off Concept Continuous monitoring of the voltage levels alone in critical applications may not be enough for safety implementation. Any out-of-order fault event detected by the redundant supervisors (the SBC via the internal FB_CORE, or the microcontroller via the PMS or voltage supervisory) needs to be reported in order to take appropriate corrective action (switch off or on the actuation, depending on the application). For TCUs, the SWOP represents the off position; all actuators will be stopped (e.g.,

Electronics 2020, 9, 1580 13 of 16

5.2. Safety Architecture for the Switch-Off Concept Continuous monitoring of the voltage levels alone in critical applications may not be enough for safety implementation. Any out-of-order fault event detected by the redundant supervisors (the SBC via the internal FB_CORE, or the microcontroller via the PMS or voltage supervisory) needs to be reported in order to take appropriate corrective action (switch off or on the actuation, depending on theElectronics application). 2020, 9, x FOR For PEER TCUs, REVIEW the SWOP represents the off position; all actuators will be stopped13 (e.g.,of 16 motors will be put on break mode). For ACUs (airbag control units), this is also a safety-relevant application.motors will be The put SWOP on break represents mode). the For on ACUs position (airbag for the control switch-on units), path, this becauseis also a the safety appropriate-relevant restraintapplication. systems The SW shallOP be represents triggered. the When on position the SWOP for the is created, switch-on the path, designers because shall the consider appropriate in a redundantrestraint systems logic all shall the activationbe triggered. signals When to guaranteethe SWOP the is created, safe state the of thedesigners application shall andconsider cover in the a stringentredundant ASIL-C logic all or the D requirements.activation signals A simple to guarantee but effi thecient safe approach state of isthe the ap logicplication OR (aand gate cover circuit the whichstringent produces ASIL-C an or output D requirements. if there is aA signal simple on but any efficient of its inputs). approach The is article the logic proposed OR (a agate switch-o circuitff pathwhich architecture produces an concept output (represented if there is a signal by Figure on any 12) of that its isinputs deployed). The by article collecting proposed in a nodea switch all- theoff activationpath architecture signals inconcept a redundant (represented way as by follows: Figure 12) that is deployed by collecting in a node all the activation signals in a redundant way as follows: 1. FS0B from the SBC; 2.1. FSPFS0B from from the the microcontroller; SBC;

3.2. RedundantFSP from the digital microcontroller; output pin from the microcontroller (GPIOR pin); 3. Redundant digital output pin from the microcontroller (GPIOR pin); 4. Under or overvoltage reset pin from the voltage supervisor block (OV/UV). 4. Under or overvoltage reset pin from the voltage supervisor block (OV/UV).

Figure 12. Safety switch off off path proposal for transmission control unitunit (TCU)(TCU) safetysafety activation.activation. As listed in Step 6 of the design flow proposed in Section2, before releasing the concept by the As listed in Step 6 of the design flow proposed in Section 2, before releasing the concept by the functional safety manager and stating the PCB manufacturing, it is mandatory to add proofs for proper functional safety manager and stating the PCB manufacturing, it is mandatory to add proofs for functioning of safety activation using redundant logic. An OrCAD PSpice simulation of the circuit was proper functioning of safety activation using redundant logic. An OrCAD PSpice simulation of the performed, considering all four redundant signals (UV_OV, FS0B, FSP, uC_GPIO), as is depicted in circuit was performed, considering all four redundant signals (UV_OV, FS0B, FSP, uC_GPIO), as is Figure 13. For the FS0B and UV_OV signals from the voltage monitoring circuit, the internal open depicted in Figure 13. For the FS0B and UV_OV signals from the voltage monitoring circuit, the drain structure was emulated. Because the SWOP concept chosen is to switch off, an intermediary internal open drain structure was emulated. Because the SWOP concept chosen is to switch off, an signal, called ACTIVE_GND, is considered. The function of this signal is as follows: only when intermediary signal, called ACTIVE_GND, is considered. The function of this signal is as follows: ACTIVE_GND is low (0 V) and the uC_GPIO pin is low can the gate of the bridge switches (LS- low only when ACTIVE_GND is low (0 V) and the uC_GPIO pin is low can the gate of the bridge switches side MOSFETs) used in actuation be controlled. When a fault is raised by the FS0B, FSP, or UV_OU (LS- low side MOSFETs) used in actuation be controlled. When a fault is raised by the FS0B, FSP, or UV_OU signals, ACTIVE_GND goes to a high level, which leads to the actuation switching off (gate pulled to the ground). After compiling the simulation for all cases and combinations of signals (low and high levels for each signal), the SWOP concept was released. The schematic and layout board were started to finally obtain the evaluation board, a TCU board, as shown in Figure 14. On the PCB, voltage fault test cases were performed to see that the safety reaction was working as expected from the simulation. The measurements were performed with a digital multimeter by considering stable under or overvoltage faults (e.g., generating an external UV or OV fault) or open signals (e.g., disconnection pins). For all tested cases, the safe state

Electronics 2020, 9, 1580 14 of 16

Electronics 2020, 9, x FOR PEER REVIEW 14 of 16 signals, ACTIVE_GND goes to a high level, which leads to the actuation switching off (gate pulled to thewas ground). ensured After and thus compiling provid theed the simulation reason for for why all casesthe proposed and combinations SWOP concept of signals could (low be extended and high levelsto all forsafety each-relevant signal), applications. the SWOP concept was released.

Figure 13. Simulation of safety switch-off path proposal for TCU safety activation. Figure 13. Simulation of safety switch-off path proposal for TCU safety activation. The schematic and layout board were started to finally obtain the evaluation board, a TCU board, as shown in Figure 14. On the PCB, voltage fault test cases were performed to see that the safety reaction was working as expected from the simulation. The measurements were performed with a digital multimeter by considering stable under or overvoltage faults (e.g., generating an external UV or OV fault) or open signals (e.g., disconnection pins). For all tested cases, the safe state was ensured and thus provided the reason for why the proposed SWOP concept could be extended to all safety-relevant applications.

Figure 14. TCU evaluation board.

Electronics 2020, 9, x FOR PEER REVIEW 14 of 16 was ensured and thus provided the reason for why the proposed SWOP concept could be extended to all safety-relevant applications.

Electronics 2020, 9, 1580 15 of 16 Figure 13. Simulation of safety switch-off path proposal for TCU safety activation.

Figure 14. TCU evaluation board board..

6. Discussion The focus of this paper was to provide a novel, safety-relevant supply design (with only 5 V delivered by an SBC to a microcontroller) which will withstand automotive requirements in terms of safety. The proposed design procedure was broken down into an original step-by-step action that every designer can follow to create a proper safety circuit between the supply and the microcontroller in safety-relevant applications. In other words, following the proposed design methodology, designers can reduce financial, legal, and safety risks and help to ensure satisfactory performance for an application in case of voltage faults. Hardware robustness was validated through worst-case analysis for proper selection of components. A complete safety reaction was considered and validated through simulation. In the SWOP circuit, there are four redundant ways to generate a safety reaction in case of over or undervoltage fault occurrence: three are software-based integrated solutions in the SBC and microcontroller and one is hardware-based on an external monitoring circuit. All four ways are essential for achieving safety, ensuring that the TCU design is robust and reliable upon voltage fault occurrence. Additionally, the authors plan to expand the method and supply concept for other ECUs with higher grades of ASIL requirements after a complete product validation.

Author Contributions: Writing—original draft preparation, D.R.B.; conceptualization, S.M.; methodology, S.M.; software, D.R.B. and A.I.; validation, D.R.B., A.I., and C.S.; formal analysis, D.R.B. and C.S.; investigation, D.R.B. and A.I.; resources, M.C.A.; data curation, C.S.; writing—review and editing, M.C.A.; visualization, S.M.; supervision, M.C.A.; project administration, M.C.A. All authors have read and agreed to the published version of the manuscript. Funding: This research was funded by University POLITEHNICA Timisoara, GNaC2018 ARUT, no.1357/01.02.2019. Acknowledgments: The authors would like to thank the Continental Automotive Powertrain Transmission Department for support, cooperation, and for disposal of equipment, tools, and resources, indispensable for the proposed investigation presented in this work. Conflicts of Interest: The authors declare no conflict of interest.

References

1. FS6500-FS4500—Safety Power System Basis Chip with CAN FD and LIN Transceivers—Datasheet (REV 6.0), 4 October 2017. Available online: https://www.nxp.com/docs/en/product-numbering-scheme/FS6500- FS4500SDS.pdf (accessed on 23 February 2019). 2. ISO 26262—Road Vehicles—FunctionSafety; International Organization for Standardization. Available online: https://www.iso.org/standard/68383.html (accessed on 5 March 2019). Electronics 2020, 9, 1580 16 of 16

3. IEC 61508 Standard—Electrical, Electronic and Programmable Electronic Safety Related Systems. Available online: https://www.iecee.org/dyn/www/f?p=106:49:0::::FSP_STD_ID:5516 (accessed on 26 February 2019). 4. AURIXTM TC3xx. Available online: https://www.infineon.com/dgdl/Infineon-AURIX_TC3xx_Part1- UserManual-v01_00-EN.pdf?fileId=5546d462712ef9b701717d3605221d96 (accessed on 14 March 2019). 5. Ismail, A.; Jung, W. Research trends in automotive functional safety. In Proceedings of the 2013 International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (QR2MSE), Chengu, China, 15–18 July 2013; pp. 1–4. 6. Mariani, R. The impact of functional safety standards in the design and test of reliable and available integrated circuits. In Proceedings of the 2012 17th IEEE European Test Symposium (ETS), Annecy, France, 28–31 May 2012; p. 1. 7. Park, J.S.; Suh, I.; Choe, C.Y.; Ro, M.; Brewerton, S.P. Intelligent ECU End of Line Testing to Support ISO26262 Functional Safety Requirements. SAE Int. J. Passeng. Cars Electron. Electr. Syst. 2013, 6, 162–168. [CrossRef] 8. Leu, K.L.; Huang, H.; Chen, Y.Y.; Huang, L.R.; Ji, K.M. An intelligent brake-by-wire system design and analysis in accordance with ISO-26262 functional safety standard. In Proceedings of the International Conference on Connected Vehicles and Expo (ICCVE), Shenzhen, China, 19–23 October 2015; pp. 150–156. 9. Hillenbrand, M.; Heinz, M.; Adler, N.; Matheis, J.; Müller-Glaser, K.D. Failure mode and effect analysis based on electric and electronic architectures of vehicles to support the safety lifecycle ISO/DIS 26262. In Proceedings of the 21st IEEE International Symposium on Rapid System Protyping, Fairfax, VA, USA, 8–11 June 2010; pp. 1–7. 10. Chang, Y.C.; Huang, L.R.; Liu, H.C.; Yang, C.J.; Chiu, C.T. Assessing automotive functional safety microprocessor with ISO 26262 hardware requirements. In Proceedings of the 2014 International Symposium on VLSI Design, Automation and Test (VLSIDAT), Hsinchu, Taiwan, 28–30 April 2014; pp. 1–4. 11. Azevedo, L.S.; Parker, D.; Walker, M.; Papadopoulos, Y.; Araújo, R.E. Assisted Assignment of Automotive Safety Requirements. IEEE Softw. 2014, 31, 62–68. [CrossRef] 12. Takeichi, M.; Sato, Y.; Suyama, K.; Kawahara, T. Failure rate calculation with priority FTA method for functional safety of complex automotive subsystems. In Proceedings of the 2011 International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (ICQR2MSE), Xi’an, China, 17–19 June 2011; pp. 55–58. 13. Sinha, P. Architectural design and reliability analysis of a fail operational brake-by-wire system from ISO 26262 perspectives. Reliab. Eng. Syst. Saf. 2011, 96, 1349–1359. [CrossRef] 14. Siegl, S.; Hielscher, S.; German, K.R.; Berger, C. Formal specification and systematic model-driven testing of embedded automotive systems. In Proceedings of the Design, Automation & Test in Europe Conference & Exhibition (DATE), Grenoble, France, 14–18 March 2011; pp. 1–6. 15. Grimm, T.; Djones Lettnin, I.D.; Hübner, M. A Survey on Formal Verification Techniques for Safety-Critical Systems-on-Chip. Electronics 2018, 7, 81. [CrossRef] 16. Ferlini, F.; Seman, L.O.; Bezerra, E.A. Enabling ISO 26262 Compliance with Accelerated Diagnostic Coverage Assessment. Electronics 2020, 9, 732. [CrossRef]

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).