# TI TECH DAYS

## Jacinto<sup>™</sup> 7 SoC and PMIC functional safety

Mahmut Ciftci, Pauline Wang



## Agenda

- Jacinto<sup>™</sup> 7 platform overview
- Jacinto 7 SoC safety architecture and hardware diagnostics capabilities
- Jacinto 7 SoC safety software
- PMIC safety mechanisms
- Q&A



# **Jacinto 7 Functional Safety**

Mahmut Ciftci

Systems Architect, Jacinto Processors



## Jacinto 7 SoC platform for functional safety applications





## ADAS system block diagram up to level 3



## Jacinto 7 platform: heterogeneous compute



## Jacinto 7 platform | common safety architecture





## Jacinto 7 functional safety design for ISO-26262 / IEC-61508





### Jacinto 7 SoC (DRA8xx/TDA4x) functional safety support

| Systematic capability                                                                                                                                                                                                 | Built-in diagnostics, low FIT                                                                                                                                                                                                                                                 | Certification support                                                                                                                                                                                                                                                                   |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Up to ASIL-D / SIL-3 <ul> <li>Integrated Safety MCU</li> <li>Independently certified hardware and software development processes</li> <li>Requirements tracking</li> <li>Documentation</li> <li>Validation</li> </ul> | Up to ASIL-D / SIL-3<br>Asymmetric multi-processing<br>Lockstep CPUs<br>Memory SECDED ECC<br>Interconnect protection<br>MPU/MMU/firewalls<br>Voltage/clock/reset monitors<br>Voltage temperature monitors<br>Logic/memory BIST<br>Built-in tests for diagnostics<br>and more. | <ul> <li>Functional Safety Design<br/>Package</li> <li>Safety manual</li> <li>Safety analysis report</li> <li>Configurable FMEDA</li> <li>Software compliance support<br/>Packages (CSPs)</li> <li>3<sup>rd</sup> party safety element out of<br/>context (SEooC) assessment</li> </ul> |

Note: These are platform capabilities. See 'functional safety' design package for individual device capabilities.



## Jacinto 7 SoC safety architecture highlights

#### Targeted for mixed criticality

- Safety MCU up to ASIL-D / SIL-3
- Main SoC minimum ASIL-B / SIL-2 with many functions up to ASIL-D depending on device
- Some Jacinto 7 SoCs target ASIL-D / SIL-3 through the DDR
- Main SoC may crash while MCU stays alive and on the CAN bus
  - MCU system is the boot, safety, security and power management master and needs to be ON
- Whitelist firewalls on all slaves to support FFI
- Each SoC has 1 or more lockstep R5F cores
- Each SoC has 1 or more MPUs (A53, A72, C7x)
  - Intentionally arranged in no more than dual clusters with separate voltage and clocks for FFI
  - Interconnect, coherence and inter-processor communication are natively ASIL-B / SIL-2 or higher, enabling reciprocal comparison by software, software lockstep, program flow monitoring and other system-level safety mechanisms for high-powered compute





## Jacinto 7 SoC safety architecture concept



- "Safety MCU" concept
  - Region of the component is heavily protected by hardware diagnostic measures
    - Power
    - Clock
    - Reset
    - CPUs
    - Memories
    - Interconnect
  - Once the correct operation of the Safety MCU is established, logic in this region can be used to provide diagnostic coverage on other regions
  - This partition provides a basis for effective functional safety metrics while helping to minimize overall system BOM overhead cost
- MCU integration concept
  - Separate voltage supplies
  - Separate clocks and resets
  - Chip inside a chip
  - Main SoC can crash and MCU remains alive, can reboot main SoC







## **Safety mechanisms**





## Jacinto 7 SoC functional safety deliverables

- TI deliverables
  - Functional safety manual
  - Safety analysis report
    - Including customizable FMEDA
  - Software
    - Certification support packages
    - Diagnostic library
  - External assessment as safety element out of context (including certificate)
    - This is not end-product system-level certification which is system integrator's responsibility



## **Jacinto 7 SoC Functional Safety Software**





## **Functional safety software components**

| Diagnostics                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Functional Software                                                                                                                                                                                                                                                                                                                                                                                                                                               | Reference Software                                                                                                                                                                                                  |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <ul> <li>Software Diagnostic Library (SDL)<br/>LBIST / PBIST</li> <li>Power on self test on MCU R5F, M3</li> <li>SW controlled on R5F, A72, C7x</li> <li>SW controlled PBIST of MSMC<br/>RAM</li> <li>Loopback: CAN, SPI,</li> <li>Functionality check: CRC, ECC,</li> <li>Monitors: RTI, DCC, ESM, Frame<br/>freeze detect,</li> <li>Error Injection</li> <li>Software Test Library(STL)</li> <li>C66x, MMA, C7x: TBD</li> <li>A72, R5F: ARM STL release</li> </ul> | <ul> <li>ASIL-C/D</li> <li>AUTOSAR MCAL on Safety Island<br/>(CAN, DIO, SPI, ETH, IPC, ADC,<br/>PWM, WDG, GPT)</li> <li>CSL-FLs for Safety IPs (ECC,<br/>CRC, DCC, ESM, BIST, VTM,<br/>PGD, POK, ADC)</li> <li>SCI Client, UDMA, Resource<br/>Manager</li> <li>DMSC Firmware</li> <li>TI-RTOS</li> <li>ASIL-B</li> <li>CSL-FLs for all IPs in safety path</li> <li>MMA, TIDL Library</li> <li>LLDs for CSI2, DSS, VHWA, IPC</li> <li>Compiler Qual Kit</li> </ul> | <ul> <li>Reference SW for Safety IP usage</li> <li>Reference SW for safety manual<br/>items allocated to SW</li> <li>Example code for FFI, Main / MCU<br/>island isolation and other safety<br/>features</li> </ul> |



## Software certification support package

### **Compliance Support Package (CSP):**

- Software safety manual
- TI internal audit report
- Requirements, test plan and reports
- Traceability data
- Dynamic code coverage analysis
- Static code analysis/MISRA-C
- Safety diagnostics library and manual
- Compiler qualification kit
- Software FMEA report



# Jacinto 7 PMIC functional safety

Pauline Wang



### TPS6594x-Q1 and LP8764x-Q1 Multi-PMIC Connection – Our Solution

 The multi-PMIC connection module in TPS6594x provides a method to synchronize multiple integrated PMICs and make them look like a <u>virtual single PMIC</u> to each variant of the Jacinto 7 platform.

This is done by *sharing power state information between the devices*.

- The advantages of this control scheme:
  - Enables a scalable power solution that can be optimized for high/mid/low end variants of the Jacinto 7 platform
  - Preserves the system interface towards the Jacinto 7 SoC <u>the same as with a single PMIC</u>, so no additional software overhead is needed on the Jacinto 7 SoC when multiple PMICs are used
  - Partitions the power management functions into any desired number of smaller PMICs, transparently to the Jacinto 7 SoC
  - Enables fully synchronous operation of all PMICs without the need for an external sequencer or glue logic, so no software overhead is needed on the Jacinto 7 SoC
  - Supports diagnostics and functional safety monitoring of the Jacinto 7 SoC inside the fault-tolerant time of the system



## TPS6594-Q1 and LP8764-Q1 Functional Safety Capability

#### Systematic

Developed according to the SafeTI™ Development Process with TÜV SÜD certification for ISO26262 ASIL-D target



#### **Hardware Metrics**

- Single-Point Metric >99% and Latent-Fault Metric >90%
- Accurate and fast Output Voltage Monitoring
- Accurate and fast Input Voltage Monitoring
- Fast Over-Voltage Protection
- Q&A Watchdog
- Error Signal Monitors
- CRC on Communication Interfaces and SPMI bus
- CRC on Configuration Registers
- CRC on internal memory
- Built-In Self-Tests on Voltage Monitors, State Machine, SPMI Bus, Watchdog and Error Signal Monitors

## Supporting tools and documents

- FMEDA
- Safety Manual
- Functional Safety Analysis Report:
  - DFMEA
  - pin-FMEA
  - FTA & DFA
- Technical Reference Manual(s) for powering Jacinto 7 SoC with TPS6594x / LP8764x PMICs
- SDK for Jacinto 7 SoCs








#### Fail-Silent Safety Concept

As long as the SoC and the Safety MCU in the Jacinto 7 SoC work properly:

- SoC checks sensor data
- Safety MCU:
  - Checks the SoC operation
  - Controls the actuators
  - Checks whether the actuators react to the control in the expected way

#### For failures which would cause improper operation of the Safety MCU or SoC:

- I. PMIC puts the system in a safe state through the EN\_DRV pin
- II. PMIC resets the SoC and/or Safety MCU if necessary
- III. PMIC reports all errors that occurred earlier in the drive-cycle to the Jacinto 7 SoC



### Safety Concept for supplying MCU + SoC domains in Jacinto 7 SoC

PMIC puts the system in an assumed safe state for failures which would cause improper operation of the Safety MCU or SoC.

These failures include:

- Fault 1A: Failures in supply voltages to Safety MCU or SoC

#### Tailorable handling of output voltage faults:

1. Fault in MCU supply domain:
   - I. PMIC pulls ENDRV low
   - II. PMIC puts MCU and SoC in reset and shuts down all power-supply rails
   - III. PMIC reports the error to the MCU on re-start (nINT pin low + error flag)
2. Fault in SoC supply domain:
   - I. PMIC puts SoC in reset. MCU is not put in reset
   - II. PMIC shuts down the power-supply rails mapped to the SoC. PMIC keeps MCU supply rails on. ENDRV can stay high
   - III. PMIC reports the error to the MCU (nINT pin low + error flag)
3. Fault in OTHER supply domain:
   - PMIC reports the error to the MCU (nINT pin low + error flag). PMIC keeps all rails on, and does not reset MCU or SoC
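The three handling paths above differ only in how far the PMIC escalates: report only, reset the SoC island, or pull ENDRV low and drop everything. The following Python model is an added example, not TI code or the PMIC's own firmware; it encodes that escalation as a rail-to-domain table plus one handler so that the documented outcomes (which rails stay up, which reset lines assert, when nINT and the error flag are raised) can be checked as invariants. Rail names, the `VMON_FAULT:` flag strings and the restart behaviour for ENDRV are constructed assumptions for illustration.

```python
"""Model of the PMIC's tailorable output-voltage fault handling (added
example, not TI code). A fault is classified by the supply domain of the
rail it hits, and the response escalates from report-only (OTHER) to
reset-SoC-only (SOC) to ENDRV-low + reset everything + all rails off (MCU).
"""
from dataclasses import dataclass, field
from enum import Enum


class Domain(Enum):
    MCU = "MCU"      # Safety MCU supply domain
    SOC = "SOC"      # main SoC supply domain
    OTHER = "OTHER"  # rails in neither safety domain


# Constructed rail-to-domain mapping. On the real parts this mapping is the
# "tailorable" part of the handling; the names here are illustrative only.
RAIL_DOMAIN = {
    "VDD_MCU": Domain.MCU,
    "VDD_CORE": Domain.SOC,
    "VDD_DDR": Domain.SOC,
    "VDD_IO_1V8": Domain.OTHER,
}


@dataclass
class PmicState:
    endrv_high: bool = True      # EN_DRV pin: high = actuators enabled
    nint_low: bool = False       # nINT pin asserted (active low)
    mcu_in_reset: bool = False
    soc_in_reset: bool = False
    rails_on: dict = field(default_factory=lambda: {r: True for r in RAIL_DOMAIN})
    error_flags: list = field(default_factory=list)          # flags visible to MCU
    pending_restart_report: list = field(default_factory=list)  # delivered on re-start


def handle_output_voltage_fault(state: PmicState, rail: str) -> PmicState:
    """Apply the documented response for an OV/UV fault on `rail`."""
    if rail not in RAIL_DOMAIN:
        raise ValueError(f"unknown rail {rail!r}")
    domain = RAIL_DOMAIN[rail]
    flag = f"VMON_FAULT:{rail}"  # constructed flag name
    if domain is Domain.MCU:
        # I. ENDRV low; II. reset MCU and SoC, shut all rails;
        # III. report on re-start (nINT low + error flag), so nothing is
        # reported now because the MCU is held in reset.
        state.endrv_high = False
        state.mcu_in_reset = state.soc_in_reset = True
        for r in state.rails_on:
            state.rails_on[r] = False
        state.pending_restart_report.append(flag)
    elif domain is Domain.SOC:
        # I. reset SoC only; II. shut SoC-mapped rails, keep MCU rails,
        # ENDRV may stay high; III. report to the (still running) MCU.
        state.soc_in_reset = True
        for r, d in RAIL_DOMAIN.items():
            if d is Domain.SOC:
                state.rails_on[r] = False
        state.nint_low = True
        state.error_flags.append(flag)
    else:
        # Report only: all rails stay on, no reset of MCU or SoC.
        state.nint_low = True
        state.error_flags.append(flag)
    return state


def restart(state: PmicState) -> PmicState:
    """Model the MCU re-start after an MCU-domain shutdown: rails come back,
    resets release and the deferred report is delivered. ENDRV is left low
    here (assumption): re-enabling actuators is the MCU's decision once it
    has read the error flag."""
    for r in state.rails_on:
        state.rails_on[r] = True
    state.mcu_in_reset = state.soc_in_reset = False
    if state.pending_restart_report:
        state.nint_low = True
        state.error_flags.extend(state.pending_restart_report)
        state.pending_restart_report.clear()
    return state


def mcu_island_intact(state: PmicState) -> bool:
    """Invariant the SoC-domain and OTHER-domain paths must keep: MCU rails
    stay up and the MCU is not reset, so the Safety MCU can act on nINT."""
    return not state.mcu_in_reset and all(
        state.rails_on[r] for r, d in RAIL_DOMAIN.items() if d is Domain.MCU)


if __name__ == "__main__":
    for rail in RAIL_DOMAIN:
        s = handle_output_voltage_fault(PmicState(), rail)
        print(rail, RAIL_DOMAIN[rail].value, "ENDRV high:", s.endrv_high,
              "MCU island intact:", mcu_island_intact(s), "flags:", s.error_flags)
```

Running the module walks one fault per rail and prints whether the MCU island survived; the useful check for a system integrator is `mcu_island_intact`, which must hold after any SoC-domain or OTHER-domain fault and must be restored by `restart` after an MCU-domain fault.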










PMIC puts the system in an assumed safe state for failures which would cause improper operation of the Safety MCU or SoC.

These failures include:

- Fault 1A: Failures in supply voltages to Safety MCU or SoC
- Fault 1B: Failure in input supply voltage to PMIC
- Fault 2A: SoC hardware error
- Fault 2B: Safety MCU hardware error
- Fault 3: Safety MCU software error

Safety functions for detecting fault 1B:

- Input voltage monitoring (VMON) => independent / isolated function inside PMIC
- Switch control
- External FET (HV load switch)

Note: LP8764 does not have the switch control. Use the supply line behind the external FET to supply the LP8764.





PMIC puts the system in an assumed safe state for failures which would cause improper operation of the Safety MCU or SoC.

These failures include:

- Fault 1A: Failures in supply voltages to Safety MCU or SoC
- Fault 1B: Failure in input supply voltage to PMIC

#### Two use-cases:

- I. PRE\_REG only used as input supply for TPS6594x-Q1 and LP8764x-Q1
- II. PRE\_REG used as input supply for TPS6594x-Q1, LP8764x-Q1 and Jacinto<sup>™</sup> 7

For both use-cases, TPS6594x-Q1 has the following safety features included which allow usage of a PRE\_REG without ASIL-rating:

- A. Over-Voltage Protection (for use-case I & II)
- B. Under-Voltage Lock-out (for use-case I & II)
  - **UV/OV PGOOD monitoring** (for use-case II only, same error-handling as for Fault 1A)





PMIC puts the system in an assumed safe state for failures which would cause improper operation of the Safety MCU or SoC.

These failures include:

- Fault 1A: Failures in supply voltages to Safety MCU or SoC
- Fault 1B: Failure in input supply voltage to PMIC

Objective of TPS6594x-Q1 input over-voltage protection:

Keep the VCCA voltage below the EOS voltage level of TPS6594x-Q1, so that TPS6594x-Q1 can keep the system in a safe state.

#### How?

*In case of PRE\_REG overvoltage, TPS6594x-Q1 opens the external FET fast enough*

⇒ The complete system reaches a powered-down state, which is a safe state from a Functional Safety point of view





PMIC puts the system in an assumed safe state for failures which would cause improper operation of the Safety MCU or SoC.

These failures include:

- Fault 1A: Failures in supply voltages to Safety MCU or SoC
- Fault 1B: Failure in input supply voltage to PMIC
- Fault 2A: SoC hardware error
- Fault 2B: Safety MCU hardware error
- Fault 3: Safety MCU software error

Safety functions in TPS6594-Q1 for detecting:

- Fault 2A: SoC error signal monitor
- Fault 2B: MCU error signal monitor

Customer support: PMIC SDK for Jacinto 7 SoC for setting up the ESMs will be available at RTM (Q1 2021)





PMIC puts the system in an assumed safe state for failures which would cause improper operation of the Safety MCU or SoC.

These failures include:

- Fault 1A: Failures in supply voltages to Safety MCU or SoC
- Fault 1B: Failure in input supply voltage to PMIC
- Fault 2A: SoC hardware error
- Fault 2B: Safety MCU hardware error
- Fault 3: Safety MCU software error

Safety function in TPS6594-Q1 for detecting fault 3:

- Q&A watchdog

Customer support: PMIC SDK for Jacinto 7 SoC for setting up the watchdog will be available at RTM (Q1 2021)





Safety mechanisms inside each PMIC for internal faults:

- Clock monitor
- Internal bias voltage monitor

Safety mechanisms inside each PMIC for latent faults:

- ABIST (for VMON and temp monitor)
- LBIST (for watchdog, error signal monitors, error handling logic, I2C interfaces, clock monitor)
- CRC on volatile and non-volatile memory
- Read-back on EN\_DRV, nRSTOUT, nRSTOUT\_SoC, nINT
- Watchdog + CRC on PMIC interconnect bus
- CRC on I2C interfaces
- Fail-short test on VSYS-OVP FET



### Alternative Safety Concept with Extended MCU: 2<sup>nd</sup> Watchdog

PMIC puts the system in an assumed safe state for failures which would cause improper operation of the Safety MCU or SoC.

These failures include:

- Fault 1A: Failures in supply voltages to Safety MCU or SoC
- Fault 1B: Failure in input supply voltage to PMIC
- Fault 2A: SoC hardware error
- Fault 2B: Safety MCU hardware error
- Fault 3A: Safety MCU software error
- Fault 3B: Extended MCU software error

Safety function for detecting fault 3A:

- **Q&A watchdog in TPS6594xx**

Safety function for detecting fault 3B:

- Q&A watchdog in LP8764x



# Thank you for joining.





### ©2020 Texas Instruments Incorporated. All rights reserved.

The material is provided strictly "as-is" for informational purposes only and without any warranty. Use of this material is subject to TI's **Terms of Use**, viewable at TI.com

#### IMPORTANT NOTICE AND DISCLAIMER

TI PROVIDES TECHNICAL AND RELIABILITY DATA (INCLUDING DATASHEETS), DESIGN RESOURCES (INCLUDING REFERENCE DESIGNS), APPLICATION OR OTHER DESIGN ADVICE, WEB TOOLS, SAFETY INFORMATION, AND OTHER RESOURCES "AS IS" AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS.

These resources are intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable standards, and any other safety, security, or other requirements. These resources are subject to change without notice. TI grants you permission to use these resources only for development of an application that uses the TI products described in the resource. Other reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims, damages, costs, losses, and liabilities arising out of your use of these resources.

TI's products are provided subject to TI's Terms of Sale (www.ti.com/legal/termsofsale.html) or other applicable terms available either on ti.com or provided in conjunction with such TI products. TI's provision of these resources does not expand or otherwise alter TI's applicable warranties or warranty disclaimers for TI products.

Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265 Copyright © 2020, Texas Instruments Incorporated