A number of assumptions must be made in order to calculate the safety metrics according to ISO 26262:2018 or IEC 61508:2010. The assumptions of use for the reference are detailed below:

• Confidence level applied to permanent FIT rates: 99%
• Confidence level applied to transient FIT rates: 99%
• Neutron flux: set to 1 (equivalent to exposure at sea level, as measured in New York City)
• Thermal management (Theta-Ja): 53.4 Deg.C/W
• Average use case power: 10mW
• Safe vs non-safe: All permanent faults other than ROM are considered 0% safe by default. Permanent faults of ROM are considered to be 50% by default. Transient faults of digital SRAM, digital logic, and flash are considered 50% by default.
• Operational (mission) profile used: IEC62380 Motor Control profile

• FMEDA considers the voltage supervisor and monitoring safety goals

• Special considerations on pin level tailoring: In the out of context FMEDA

  • TPS389006-Q1 6-channel voltage supervisor and monitor was used to set the pin tailoring

• Special considerations on function and diag tailoring: In the out of context FMEDA

  • TPS389006-Q1 6-channel voltage supervisor and monitor was used in the function and diag tailoring

• Special considerations on the application of diagnostics: In the out of context FMEDA

  • The system transitions to a safe state as determined by the assumed MCU within the reaction time when the TPS38900x-Q1 signals a safety related error using NIRQ pin and/or polled I2C response

  • The system will meet the data sheet requirements for voltage and current for the supply input of the TPS38900x-Q1. In the event of voltage error, the system including TPS38900x-Q1 will be transitioned to a safe state.

  • The MCU reads the error status of the TPS38900x-Q1 when the TPS38900x-Q1 sends an interrupt signal to the MCU

  • If the TPS38900x-Q1 reports self-test errors, the MCU-software takes the necessary action to prevent violation of the system safety-goal. This may include cutting of power to certain power domains.

  • The MCU-software has a safety mechanism which performs a Cyclic Redundancy Check on the information the MCU receives from the TPS38900x-Q1 through the I2C interface. In case of a PEC error, the MCU-software takes the necessary action to prevent violation of the system safety-goal.

  • The MCU-software provides the correct configuration for the expected power sequencing for both Active and Sleep transitions. Readback of the register configuration to confirm the write is required at a system level. This is only required if violating sequencing of power rails violates a safety goal. In some systems sequencing of power rails is not mandatory.

  • The system-integrator validates the configuration registers of the TPS38900x-Q1 and TPS38900x-Q1 Safety Mechanisms register settings against System Safety Requirements, either as provided by Texas Instruments, or modified by the system-integrator at run time. Configuration of OV/UV thresholds, deglitch times and masking of faults duration during startup shall be verified.

  • System integrator is responsible for determining FTTI and determining if FTTI can be achieved by use of TPS38900x-Q1

  • System-integrator is responsible for verifying I2C communication with each TPS38900x-Q1 is established since each will have a unique address based on resistor used on ADDR pin. When there are multiple instances of TPS38900x-Q1 on a board communication must be established with each unique device.