SNVAA92 November 2023 LM63625-Q1, TPS37-Q1, TPS3703-Q1, TPS3850-Q1

 


FMD and Pin FMA

TI products provide FIT rates derived from the reliability guides of Siemens (SN) 29500 or International Electrotechnical Commission (IEC) TR 62380. SN 29500 differs from IEC TR 62380 in accounting for failures caused by silicon and package interactions. SN 29500 provides only a total FIT rate, while IEC TR 62380 distinguishes between die FIT rate and package FIT rate for analysis.

Functional safety standards recommend that semiconductor component manufacturers estimate failures caused by silicon interaction with package materials and silicon-to-package connection points (pins). For functional safety-capable devices such as pre-regulators, low-dropout regulators, and voltage supervisors, TI provides functional safety FIT rate, failure mode distribution, and pin FMA reports.

Using the LM63625-Q1 as a reference, Table 3-1 lists the failure modes and their respective distribution.

Table 3-1 Die Failure Modes and Distribution

Die Failure Modes                                     | Failure Mode Distribution (%)
SW no output                                          | 35
SW output not in specification – voltage or timing    | 45
SW driver FET stuck on                                | 10
RESET false trip or fails to trip                     | 5
Short circuit any two pins                            | 5

The die failure modes listed in Table 3-1 are described in the following list:

  • SW no output means that there is no voltage output. The MCU is unpowered. This failure mode can be classified as a safe fault.
  • SW output not in specification – voltage or timing means that the power-supply output is out of specification. The TPS37A-Q1 detects under- and overvoltage faults with an accuracy of ±1%, and resets the MCU into a safe state.
  • SW driver FET stuck on can lead to a power output equal to VIN. The TPS37A-Q1 detects this fault and outputs the reset signal to the MCU. In this example, the power output is not switched off to protect the MCU, so the MCU is potentially damaged, resulting in a black screen in an instrument cluster, which is considered a safe state. If a damaged MCU is a concern in more rigorous applications, an external metal-oxide semiconductor field-effect transistor (MOSFET) switch can switch off the power output to protect the MCU.
  • The RESET output of the LM63625-Q1 is not used in this example. Therefore, the RESET false trip or fails to trip failure mode is considered not safety relevant.
  • Short circuit any two pins is analyzed in the pin failure mode and effects analysis.