4.1 Achieving ASIL-B System Requirements
To achieve a system functional safety level of ASIL-B, the following PDN features are available:
• PMIC over-voltage and under-voltage monitoring on the power resource voltage outputs
• PMIC over-voltage monitoring and protection on the input to the PMIC (VCCA)
• Watchdog monitoring of safety processor
• MCU error monitoring
• MCU reset
• I²C communication
• Error indicator for driving external circuitry (optional)
The PDN has an in-line, external power FET, as shown in
, between the input supply and PMICs.
The voltage before and after the FET is monitored by the PMIC, and the PMIC controls the FET through the
OVPGDRV pin. The FET can quickly isolate the PMIC when an over-voltage event greater than 6 V is detected
on the input supply to protect the system from being damaged. Any power connected upstream from the FET is
not protected from over-voltage events. In
the load switches that supply power to the MCU and Main
I/O domains, the discrete buck supplying the DDR, and the discrete LDO supplying EFUSE are all connected
after the FET to extend the over-voltage protection to these processor domains and discrete power resources.
The PMIC internal over-voltage and under-voltage monitoring and their respective monitoring threshold levels
are enabled by default and can be updated through I²C after startup. PMIC power rails connected directly to the
processor are monitored by default.
The steps for configuring and starting the watchdog can be found in the TPS6594-Q1 data sheet. Setting the
DISABLE_WDOG signal high on GPIO_8 disables the watchdog timer if this feature needs to be suspended
during initial development or is not required in the system. An example of re-purposing GPIO_8 is provided in
.
GPIO_7 is configured as the MCU error signal monitor, but must be enabled through the ESM_MCU_EN
register bit. MCU reset is supported through the connection between the primary PMIC nRSTOUT pin and
the MCU_PORz of the processor. Lastly, there are two I²C ports between the TPS6594-Q1 and the processor.
The first is used for all non-watchdog communication, such as voltage level control, and the second allows the
watchdog monitoring to be on an independent communication channel.
There is an option to use the EN_DRV pin to indicate an error has been detected and the system is entering
SAFE state. This signal can be utilized if the system has external circuitry that needs to be driven by an error
event. In this PDN, the EN_DRV is not utilized, but is available if needed.
4.2 Achieving up to ASIL-D System Requirements
For ASIL-C or ASIL-D systems, the following features in addition to the ones described in
used:
• PMIC current monitoring on all output power rails
• SoC error monitoring
• Residual Voltage Monitoring
• Read-back of Logic Output Pins
– nINT
– nRSTOUT
– EN_DRV (when used)
The current monitoring is enabled by default for all BUCKs and LDOs for the PMIC. Additionally,
shows that the MCU domain of the processor is powered by different power resources of the PMICs than the
main power domain of the processor.
GPIO_3 is configured as the SoC error signal monitor. Similar to the MCU error signal monitor, this feature is
enabled through I²C using the ESM_SOC_EN register bit. For the TPS65941515, an SoC reset is not supported
but an interrupt fires and the nINT pin is driven low.
Supporting Functional Safety Systems
User Guide for Powering Jacinto™ 7 J7200 DRA821 with Single TPS6594-Q1 PMIC, PDN-2A
Copyright © 2022 Texas Instruments Incorporated