Power Supply Platform and Functional Safety Concept Proposals for a Powertrain Transmission Electronic Control Unit

: In the last decade, modern vehicles have become very complex, being equipped with embedded electronic systems which include more than a thousand of electronic control units (ECUs). Therefore, it is mandatory to analyze the potential risk of automotive systems failure because it could have a signiﬁcant impact on humans’ safety. This paper proposes a novel, functional safety concept at the power management level of a system basis chip (SBC), from the development phase to system design. In the presented case, the safety-critical application is represented by a powertrain transmission electronic control unit. A step-by-step design guideline procedure is presented, having as a focus the cost, safety, and performance to obtain a robust, cost-e ﬃ cient, safe, and reliable design. To prove compliance with the ISO 26262 standard, quantitative worst-case evaluations of the hardware have been done. The assessment results qualify the proposed design with automotive safety integrity levels (ASIL, up to ASIL-D). The main contribution of this paper is to demonstrate how to apply the functional safety concept to a real, safety-critical system by following the proposed design methodology.


Introduction
It is well known that automotive integrated circuit packages continue to get smaller, but with more and more integrated functions inside the package. This is also available for the power supply module, which represents one of the main circuits from the electronic control unit (ECU). Usually, in automobiles, this type of power supply module is called the system basis chip (SBC) [1]. It integrates multiple functions besides voltage supplies, such as integrated transceivers for communication interfaces, a high-speed controller area network (CAN), and a local interconnect network (LIN), and supervision features like wake-up logic inputs, watchdogs, reset generators, fail outputs, and interrupt outputs. SBC devices are not new to the market, but their usage was increasing in the last period due to their high levels of integration, performance, and reliability. These advantages make them the perfect solution to limit the design's costs. The ECU cost is significantly reduced by integrating the discrete components. However, this does not mean that all the components are integrated. Due to the limited power dissipation, some power elements remain discrete like, for example, the power switching transistor modules within the converters.
It is necessary to highlight that not only is the cost targeted, but also the safety and security, which represent special requirements in the automotive industry, especially for powertrain applications where the safety SBC architecture shall support independent monitoring of critical safety parameters. For example, it is an essential function for the energy and power management of the battery management systems, as well as the steering and transmission control in electric and hybrid vehicle applications. In these cases, the SBC shall meet automotive safety integrity level (ASIL) C x, or even higher, ASIL-D, and must be ISO 26262 [2] and IEC 61508 [3] compliant. Therefore, the advanced diagnosis of power management must be combined with the safety of power management and trigger the safe state when it is requested by the system.
In a typical transmission control unit (TCU) application, the microcontroller represents the master and controls the SBC (the slave) through a serial peripheral interface (SPI). Safe operation is ensured by the capability of the microcontroller to detect faults using the integrated function of the SBC, called the question and answer (Q&A) watchdog. When detecting possible SBC faults by the integrated function control unit, multiple diagnostics like over-under voltage or over temperature are expected to be made.
To meet the powertrain requirements in terms of cost and safety, a suitable SBC can be FS65xx from NXP [4]. The flexible and scalable NXP SBCs complement the powertrain microcontroller platforms that require functional safety. With buck-boost DC-to-DC architectures that support input voltage ranges from 2.7 V to 60 V for 12-and 24-V markets and scalable power options, these SBCs provide an energy-efficient solution for high-performance microcontrollers [5,6]. The latest Infineon AURIX™ TC3xx microcontrollers are also well suited for safety-critical applications. These microcontrollers combine performance functioning with a powerful safety architecture, which makes them perfectly fitting for powertrain applications. Infineon released its second-generation AURIX™ microcontroller in embedded flash 40 nm technology. It provides increased performance, memory size, connectivity, and more scalability to address the new automotive trends and challenges. In terms of performance, the highest product, TC39x, can have up to six cores running at 300 MHz and up to 6.9 MB of embedded RAM and has embedded voltage regulators. The total power consumption is below 2 W [7,8].
For hardware engineers, designing and optimizing safety supplies has become a mandatory task. Unfortunately, this task is often time-consuming and technically challenging. To simplify the design tasks and improve design quality and engineer productivity (i.e., to become more agile), this paper describes in detail, as a procedure, the design steps of a power supply concept for safety-critical application [9,10]. The proposed methodology represents a specific, but very well-organized guide to transmission control unit function, and it can be easily extended to other safety-relevant applications. The design procedure has as its focus cost, safety, and performance to obtain a robust, cost-efficient, safe, and reliable supply design.
The paper is organized as follows. Section 2 discusses design challenges related to safety operation for a novel concept of a safety-relevant power supply with only 5 V for the main component from an ECU, the microcontroller. In order to prevent and limit design difficulties and challenges, a design flow procedure is proposed in Section 3. In Section 4, special attention is paid to getting proper values of the 5 V regulator components by analyzing the SBC and microcontroller requirements, in terms of safety supply. The selection of components is proved by performing worst-case analysis to accomplish the hardware robustness target. Section 5 deals with the enhanced features of the microcontroller and power SBC, in terms of power management, to guarantee a safe state by switching off the entire system in case of supply faults. Accordingly, a complete safety switch off path (SWOP) circuit is proposed for a printed circuit board (PCB) schematic. Finally, Section 6 draws conclusions and proposes future research work.

Design Challenges
There are three questions which represent the starting point of the proposed design:

1.
What is needed (simplest solution) to supply the TC3xx with power from the FS65xx SBC to fulfill ASIL-D? How are the 3.3 V and 1.3 V internally generated by the TC3xx?

2.
What happens (over a lifetime) with the TC3xx if the power supply from the SBC is made as described in the datasheet? 3.
How will the overall safety concept look?
The proposed power supply concept is to have an SBC, which is delivering only 5 V to microcontroller. The 3.3 V and 1.3 V signals are internally generated by the microcontroller itself by using its embedded voltage regulators, as can be seen in Figure 1. By using this concept, two major advantages can be derived: (1) reducing the use of external components, which automatically involves a price reduction for the electrical bill of material (eBOM) and PCB space [11], and (2) avoid electromagnetic interference (EMI) noise emissions; EMI requirements are an important demand to be fulfilled within transmission applications. By reducing the external 3.3 V supply, this eliminates a potential EMI noise emission [12].

Design Challenges
There are three questions which represent the starting point of the proposed design: 1. What is needed (simplest solution) to supply the TC3xx with power from the FS65xx SBC to fulfill ASIL-D? How are the 3.3 V and 1.3 V internally generated by the TC3xx? 2. What happens (over a lifetime) with the TC3xx if the power supply from the SBC is made as described in the datasheet? 3. How will the overall safety concept look?
The proposed power supply concept is to have an SBC, which is delivering only 5 V to microcontroller. The 3.3 V and 1.3 V signals are internally generated by the microcontroller itself by using its embedded voltage regulators, as can be seen in Figure 1. By using this concept, two major advantages can be derived: (1) reducing the use of external components, which automatically involves a price reduction for the electrical bill of material (eBOM) and PCB space [11], and (2) avoid electromagnetic interference (EMI) noise emissions; EMI requirements are an important demand to be fulfilled within transmission applications. By reducing the external 3.3 V supply, this eliminates a potential EMI noise emission [12]. For the SBC, the pre-regulator (VPRE) is configured to be a non-inverting, buck-boost type DCto-DC converter, and the core output (VCORE) is configured to incorporate a buck topology. A linear topology is also available, but in the current case, the scope is to minimize energy consumption through the DC-to-DC switching regulator. The VCORE is 5 V, representing the main supply for the microcontroller. It also supplies other safety-relevant circuits. The total current consumption was calculated and considered at a maximum value of 1.5 A. For communication, a physical interface with integrated CAN FD and LIN transceivers was chosen. A long duration timer (LDT) was enabled to check the SBC in power off mode. As can be seen in Figure 2, the ordering code of the SBC component is MC33FS6512LAE/R2 [13][14][15].  For the SBC, the pre-regulator (V PRE ) is configured to be a non-inverting, buck-boost type DC-to-DC converter, and the core output (V CORE ) is configured to incorporate a buck topology. A linear topology is also available, but in the current case, the scope is to minimize energy consumption through the DC-to-DC switching regulator. The V CORE is 5 V, representing the main supply for the microcontroller. It also supplies other safety-relevant circuits. The total current consumption was calculated and considered at a maximum value of 1.5 A. For communication, a physical interface with integrated CAN FD and LIN transceivers was chosen. A long duration timer (LDT) was enabled to check the SBC in power off mode. As can be seen in Figure 2, the ordering code of the SBC component is MC33FS6512LAE/R2 [13][14][15].

Design Challenges
There are three questions which represent the starting point of the proposed design: 1. What is needed (simplest solution) to supply the TC3xx with power from the FS65xx SBC to fulfill ASIL-D? How are the 3.3 V and 1.3 V internally generated by the TC3xx? 2. What happens (over a lifetime) with the TC3xx if the power supply from the SBC is made as described in the datasheet? 3. How will the overall safety concept look?
The proposed power supply concept is to have an SBC, which is delivering only 5 V to microcontroller. The 3.3 V and 1.3 V signals are internally generated by the microcontroller itself by using its embedded voltage regulators, as can be seen in Figure 1. By using this concept, two major advantages can be derived: (1) reducing the use of external components, which automatically involves a price reduction for the electrical bill of material (eBOM) and PCB space [11], and (2) avoid electromagnetic interference (EMI) noise emissions; EMI requirements are an important demand to be fulfilled within transmission applications. By reducing the external 3.3 V supply, this eliminates a potential EMI noise emission [12]. For the SBC, the pre-regulator (VPRE) is configured to be a non-inverting, buck-boost type DCto-DC converter, and the core output (VCORE) is configured to incorporate a buck topology. A linear topology is also available, but in the current case, the scope is to minimize energy consumption through the DC-to-DC switching regulator. The VCORE is 5 V, representing the main supply for the microcontroller. It also supplies other safety-relevant circuits. The total current consumption was calculated and considered at a maximum value of 1.5 A. For communication, a physical interface with integrated CAN FD and LIN transceivers was chosen. A long duration timer (LDT) was enabled to check the SBC in power off mode. As can be seen in Figure 2, the ordering code of the SBC component is MC33FS6512LAE/R2 [13][14][15].  For the microcontroller, the second generation of the Infineon AURIX family, the TC397 microcontroller, is considered. The ordering code for the microcontroller is SAK-TC397TP-64F200N. This nomenclature, as shown in Figure 3, corresponds to a production device with a temperature range Electronics 2020, 9, 1580 4 of 16 from −40 • C up to 125 • C, with board assembly recommendations (BGA) package 292, which consumes below 2 W, a triple core running at 200 MHz, support for floating and fixed-point operations, a 4 MB flash size, and CAN FD communication [16].
Electronics 2020, 9, x FOR PEER REVIEW 4 of 16 For the microcontroller, the second generation of the Infineon AURIX family, the TC397 microcontroller, is considered. The ordering code for the microcontroller is SAK-TC397TP-64F200N. This nomenclature, as shown in Figure 3, corresponds to a production device with a temperature range from −40 °C up to 125 °C, with board assembly recommendations (BGA) package 292, which consumes below 2 W, a triple core running at 200 MHz, support for floating and fixed-point operations, a 4 MB flash size, and CAN FD communication [16].

Design Flow Proposal
The design of safety power supplies requires significant attention to detail. A simplified procedure is proposed by using an Xmind tool to map all the mandatory steps, as can be seen in Figure 4. As can be seen, safety is the word dominating the entire flow. The design must start from the vehicle's original equipment manufacturer's (OEM) requirements in terms of safety because a critical application shall support and enable the safety function. For a typical automotive application, it is mandatory to start from the OEM's safety requirements to take active measures to achieve the required risk reduction in the sphere of active safety. For example, for a TCU application for a doubleclutch automated transmission, the safe state reaction is to disable the functions of the actuators (putting in break mode the brushless DC motors). For the airbag control unit (ACU), the safety reaction is the opposite, and it shall enable the actuators. Therefore, Step 1 is important to define the safety measures to be taken for the applications.
The safety mechanism shall be carefully analyzed from both cost and effectiveness points of view. Therefore, in Step 2, the designers shall put on paper a proposed configuration for a proper supply concept. It represents the time for noting all the challenges, advantages, and risks. Then, based on these assumptions, the design will be created, taking into consideration the components' specifications and safety recommendations. In order to check and prove that all the delivered voltages are within the desired range, a worst-case analysis (WCA) shall be performed, as listed in Step 4. For functional safety management (FSM), the WCA represents a safety metric through design and implementation. If the WCA shows that monitoring is not ensured, major changes shall be considered in the design. Usually, there are two options: adding an extra circuit for monitoring or reconsidering components which may have better performance. Only after the design is improved, in order to have good coverage of the fault's detection, shall the safety concept be released (Step 6). In the switch off or on path safety concept, all the safety activation signals are considered in redundant logic. After a final review, the design can be completely released.

Design Flow Proposal
The design of safety power supplies requires significant attention to detail. A simplified procedure is proposed by using an Xmind tool to map all the mandatory steps, as can be seen in Figure 4. As can be seen, safety is the word dominating the entire flow. The design must start from the vehicle's original equipment manufacturer's (OEM) requirements in terms of safety because a critical application shall support and enable the safety function. For a typical automotive application, it is mandatory to start from the OEM's safety requirements to take active measures to achieve the required risk reduction in the sphere of active safety. For example, for a TCU application for a double-clutch automated transmission, the safe state reaction is to disable the functions of the actuators (putting in break mode the brushless DC motors). For the airbag control unit (ACU), the safety reaction is the opposite, and it shall enable the actuators. Therefore, Step 1 is important to define the safety measures to be taken for the applications.
The safety mechanism shall be carefully analyzed from both cost and effectiveness points of view. Therefore, in Step 2, the designers shall put on paper a proposed configuration for a proper supply concept. It represents the time for noting all the challenges, advantages, and risks. Then, based on these assumptions, the design will be created, taking into consideration the components' specifications and safety recommendations. In order to check and prove that all the delivered voltages are within the desired range, a worst-case analysis (WCA) shall be performed, as listed in Step 4. For functional safety management (FSM), the WCA represents a safety metric through design and implementation. If the WCA shows that monitoring is not ensured, major changes shall be considered in the design. Usually, there are two options: adding an extra circuit for monitoring or reconsidering components which may have better performance. Only after the design is improved, in order to have good coverage of the fault's detection, shall the safety concept be released (Step 6). In the switch off or on path safety concept, all the safety activation signals are considered in redundant logic. After a final review, the design can be completely released.

Power Supply Design and Safety Requirements Evaluation
The focus of this section is to provide a correct and robust SBC design which will withstand the automotive requirements, in terms of safety. This paper will break the procedure down into a stepby-step action that every designer can follow to create a proper safety circuit between the supply and microcontroller in safety-relevant applications.

V Configuration of FS6512: For VCORE-BUCK Regulator
The FS6512 VCORE regulator is a buck DC-DC topology, operating in voltage control mode. The high side of the switching transistor is connected to the VPRE and is integrated into the SBC. The VCORE buck regulator shall regulate the output voltage only against the output loading. In this case, the input variations are stable. The typical switching frequency is fixed at 2.4 MHz. The VCORE buck accomplishes proper regulation within the feedback loop by integrating an error amplified by linear feedback. The output voltage VCORE is configurable in a range from 1 V up to 5 V through an external resistor bridge (R3/R4), as can be seen in Figure 5. Therefore, it is necessary to adjust the divider values to get 5 V. The first divider is connected between the VCORE and the FB_CORE feedback pin. VCORE = VCORE_FB ((R3 + R4)/R4). For safety purposes, to meet ASIL-D requirements, a second feedback monitor can be used to monitor redundantly the VCORE voltage, having the feedback loop connected to the FCRBM (feedback core resistor bridge monitoring) pin. If not used, the pin is connected directly to the FB_CORE. The safety manual recommends using less than 1.0% accuracy resistors, setting R4 = 8.06 kΩ, and adjusting R3 to obtain a VCORE of 5 V. The component datasheet provides a voltage accuracy of ± 2.0% (without considering the accuracy of the external resistors). The stability of the

Power Supply Design and Safety Requirements Evaluation
The focus of this section is to provide a correct and robust SBC design which will withstand the automotive requirements, in terms of safety. This paper will break the procedure down into a step-by-step action that every designer can follow to create a proper safety circuit between the supply and microcontroller in safety-relevant applications.
4.1. What Is Needed (Simplest Solution) to Supply the TC397 with Power from FS6512 SBC to Fulfill ASIL-D?
The FS6512 V CORE regulator is a buck DC-DC topology, operating in voltage control mode. The high side of the switching transistor is connected to the V PRE and is integrated into the SBC. The V CORE buck regulator shall regulate the output voltage only against the output loading. In this case, the input variations are stable. The typical switching frequency is fixed at 2.4 MHz. The V CORE buck accomplishes proper regulation within the feedback loop by integrating an error amplified by linear feedback. The output voltage V CORE is configurable in a range from 1 V up to 5 V through an external resistor bridge (R 3 /R 4 ), as can be seen in Figure 5. Therefore, it is necessary to adjust the divider values to get 5 V. The first divider is connected between the V CORE and the FB_CORE feedback pin. V CORE = V CORE_FB ((R 3 + R 4 )/R 4 ). For safety purposes, to meet ASIL-D requirements, a second feedback monitor can be used to monitor redundantly the VCORE voltage, having the feedback loop connected to the FCRBM (feedback core resistor bridge monitoring) pin. If not used, the pin is connected directly to the FB_CORE. The safety manual recommends using less than 1.0% accuracy resistors, setting R 4 = 8.06 kΩ, and adjusting R 3 to obtain a V CORE of 5 V. The component datasheet provides a voltage accuracy of ±2.0% (without considering the accuracy of the external resistors). The stability of the overall converter is ensured only by using an external compensation network (R 1 /C 1 /R 2 /C 2 ) connected to the COMP_CORE pin.
Electronics 2020, 9, x FOR PEER REVIEW 6 of 16 overall converter is ensured only by using an external compensation network (R1/C1/R2/C2) connected to the COMP_CORE pin. Usually, the components' datasheets tell only one part of the story and recommend generic (typical) values for the components, as can be seen in Figure 6. It is necessary to highlight that when working with safety-critical design, all hardware designers shall add proofs for the design and not take the manufacturer's stated output capabilities for granted. Therefore, in this paper, for the proposed concept, the authors added proofs and considered a worst-case scenario for buck inductor (LCORE) and compensation network (R1/C1/R2/C2) selection. The component selection must be done in such a way that the SBC should provide output voltage (output power) with some safety margin on top, in terms of stability. In order to design the VCORE for 5 V, the LCORE inductor was calculated. A correct inductor selection is mandatory for proper design because the inductor has an impact on the efficiency, on the transient response, and on control loop stability. A poor inductor selection can cause damage to the converter, lead to premature overcurrent protection, and limit output capability. The inductor was sized so as to avoid saturation and help the VCORE converter remain in continuous current mode (CCM) through this range, considering the worst-case limits. The calculation of the minimum inductor value (Lbuck_min) was performed using a Mathcad tool. The following formula was used: where the following parameters were considered: Vin = VPRE (the pre-regulator input voltage); Vout = VCORE, the output current through inductor (IL); fsw, the converter switching frequency; and VRds_on (implicitly, the voltage across the switching element).
The duty cycle was computed as depicted by the below equation, considering the voltage drops through the switching element and across the diode (Vf_diode): The minimum current through the inductor (ILmin) was calculated as shown below: Usually, the components' datasheets tell only one part of the story and recommend generic (typical) values for the components, as can be seen in Figure 6. It is necessary to highlight that when working with safety-critical design, all hardware designers shall add proofs for the design and not take the manufacturer's stated output capabilities for granted. Therefore, in this paper, for the proposed concept, the authors added proofs and considered a worst-case scenario for buck inductor (L CORE ) and compensation network (R 1 /C 1 /R 2 /C 2 ) selection. The component selection must be done in such a way that the SBC should provide output voltage (output power) with some safety margin on top, in terms of stability.
Electronics 2020, 9, x FOR PEER REVIEW 6 of 16 overall converter is ensured only by using an external compensation network (R1/C1/R2/C2) connected to the COMP_CORE pin. Usually, the components' datasheets tell only one part of the story and recommend generic (typical) values for the components, as can be seen in Figure 6. It is necessary to highlight that when working with safety-critical design, all hardware designers shall add proofs for the design and not take the manufacturer's stated output capabilities for granted. Therefore, in this paper, for the proposed concept, the authors added proofs and considered a worst-case scenario for buck inductor (LCORE) and compensation network (R1/C1/R2/C2) selection. The component selection must be done in such a way that the SBC should provide output voltage (output power) with some safety margin on top, in terms of stability. In order to design the VCORE for 5 V, the LCORE inductor was calculated. A correct inductor selection is mandatory for proper design because the inductor has an impact on the efficiency, on the transient response, and on control loop stability. A poor inductor selection can cause damage to the converter, lead to premature overcurrent protection, and limit output capability. The inductor was sized so as to avoid saturation and help the VCORE converter remain in continuous current mode (CCM) through this range, considering the worst-case limits. The calculation of the minimum inductor value (Lbuck_min) was performed using a Mathcad tool. The following formula was used: where the following parameters were considered: Vin = VPRE (the pre-regulator input voltage); Vout = VCORE, the output current through inductor (IL); fsw, the converter switching frequency; and VRds_on (implicitly, the voltage across the switching element).
The duty cycle was computed as depicted by the below equation, considering the voltage drops through the switching element and across the diode (Vf_diode): The minimum current through the inductor (ILmin) was calculated as shown below: In order to design the V CORE for 5 V, the L CORE inductor was calculated. A correct inductor selection is mandatory for proper design because the inductor has an impact on the efficiency, on the transient response, and on control loop stability. A poor inductor selection can cause damage to the converter, lead to premature overcurrent protection, and limit output capability. The inductor was sized so as to avoid saturation and help the V CORE converter remain in continuous current mode (CCM) through this range, considering the worst-case limits. The calculation of the minimum inductor value (L buck_min ) was performed using a Mathcad tool. The following formula was used: where the following parameters were considered: V in = V PRE (the pre-regulator input voltage); V out = V CORE , the output current through inductor (I L ); f sw , the converter switching frequency; and V Rds_on (implicitly, the voltage across the switching element). The duty cycle was computed as depicted by the below equation, considering the voltage drops through the switching element and across the diode (V f_diode ): The minimum current through the inductor (I Lmin ) was calculated as shown below: where k is the inductor ripple current factor (20-40%) applied to the maximum allowed output current (I out max ). By running the above calculation, a minimum value of 2.118 µH was obtained for the buck coil, which corresponds to a 2.2 µH standard value.
Taking into consideration this coil value, the maximum output current of 1.5 A, the 5 V output voltage, and by using the Graphical User Interface (GUI) provided by NXP to check the converter stability, plots for transient and Bode characteristics were evaluated in order to obtain the right values from the compensation network. Considering the following values-C 1 = 330 pF, R 1 = 1.1 kΩ, C 2 = 100 pF, R 2 = 47 kΩ-it can be stated that the control loop was properly compensated. Figure 7 shows a simulated Bode plot with a sufficient phase margin around 55 • C and a gain margin of −20 dB.
where k is the inductor ripple current factor (20-40%) applied to the maximum allowed output current ( I out max ).
By running the above calculation, a minimum value of 2.118 µ H was obtained for the buck coil, which corresponds to a 2.2 µ H standard value.
Taking into consideration this coil value, the maximum output current of 1.5 A, the 5 V output voltage, and by using the Graphical User Interface (GUI) provided by NXP to check the converter stability, plots for transient and Bode characteristics were evaluated in order to obtain the right values from the compensation network. Considering the following values-C1 = 330 pF, R1 = 1.1 kΩ, C2 = 100 pF, R2 = 47 kΩ-it can be stated that the control loop was properly compensated. Figure 7 shows a simulated Bode plot with a sufficient phase margin around 55 °C and a gain margin of −20 dB.

V Configuration Supply Concept for TC397
The 5 V signal provided by the SBC is the unique supply of the microcontroller, as can also be seen in Figure 8. It directly supplies the embedded voltage regulators for core and flash supply (EVRC and EVR33). It supplies the analog ports (VDDM and VADC), the flexible ports (VFLEX, configured to be supplied from 5 V and not from 3.3 V), and the embedded voltage regulator in standby mode (ERVRSB). It is important to mention that the supply mode selection is done in an external hardware configuration. The microcontroller contains dedicated pins called HWCFG_x for this purpose. At the HWCFG_1 pin, corresponding to port P14.5, EVR33 is enabled or disabled at startup. At the HWCFG_2 pin, corresponding to port P14.2, EVRC is enabled or disabled at startup. The enabled function is selected in this design by adding pull-up resistors externally in order to have a logic 1 on the input ports.

V Configuration Supply Concept for TC397
The 5 V signal provided by the SBC is the unique supply of the microcontroller, as can also be seen in Figure 8. It directly supplies the embedded voltage regulators for core and flash supply (EVRC and EVR33). It supplies the analog ports (VDDM and VADC), the flexible ports (VFLEX, configured to be supplied from 5 V and not from 3.3 V), and the embedded voltage regulator in standby mode (ERVRSB). It is important to mention that the supply mode selection is done in an external hardware configuration. The microcontroller contains dedicated pins called HWCFG_x for this purpose. At the HWCFG_1 pin, corresponding to port P14.5, EVR33 is enabled or disabled at startup. At the HWCFG_2 pin, corresponding to port P14.2, EVRC is enabled or disabled at startup. The enabled function is selected in this design by adding pull-up resistors externally in order to have a logic 1 on the input ports. The EVRC (embedded voltage regulator for core supply) regulator was implemented as a switched mode power supply regulator (buck topology), generating the core supply VDD (the label of the power suplly) of 1.25 V. This step-down (VDD) contained not only the integrated voltage regulator, but the voltage feedback loop too. Due to power loss limitation, the switching elements (the N channel and P channel of the MOSFETs (Metal-Oxide Semiconductor Field-Effect Transistor)) and the LC (an electric circuit consisting of an inductor and a capacitor) filter were considered externally. For the schematic, in order to minimize the PCB space, Infineon BSZ215C H componentscomplementary power MOSFETs-were used, with both N-and P-channel MOSFETs within the same package. For the filter, due to the resonance frequency of 3.6 MHz, the coil value was 3.3 µ H (Vishay-IHLP1616BZ-ER-3R3-M-5A) and the output capacitor value was 22 µ F (ceramic capacitor 22 µ F, TDK − CGA6P1 × 7R1C226KT).
The EVR33 regulator represented the embedded voltage regulator for the 3.3 V voltage supply. It was always implemented as an LDO (Low Dropout) regulator and generated a digital supply for Flash (VDDP3) of 3.3 V (with internal pass devices). It contains an integrated voltage regulator, a pass device control unit, and a voltage feedback loop. Only the output capacitor (ceramic capacitor 100 nF, TDK-CGA3E2X7R1H104KT0Y9N) is not integrated.

What Happens (over Lifetime) with the TC3xx if the Power Supply from PSBC Is Done Like in the Data Sheet?
The design for the power supply was completed by delivering 5 V to the microcontroller with a VCORE buck and to its proper selected components. The supply structure for the controller was completed by choosing suitable output components. It was not enough. This section highlights that a deeper investigation is necessary by looking for the worst-case scenario. The worst-case analysis for the design is a proof that the hardware meets or exceeds the design specifications for its lifetime. For a safety application like the TCU, the WCA is mandatory to be performed; it is not an option. The designers can foresee potential damages of the design, predict the lifetime decreasing and, in addition, anticipate the predictable faults in the system (SBC microcontroller). In other words, The EVRC (embedded voltage regulator for core supply) regulator was implemented as a switched mode power supply regulator (buck topology), generating the core supply VDD (the label of the power suplly) of 1.25 V. This step-down (VDD) contained not only the integrated voltage regulator, but the voltage feedback loop too. Due to power loss limitation, the switching elements (the N channel and P channel of the MOSFETs (Metal-Oxide Semiconductor Field-Effect Transistor)) and the LC (an electric circuit consisting of an inductor and a capacitor) filter were considered externally. For the schematic, in order to minimize the PCB space, Infineon BSZ215C H components-complementary power MOSFETs-were used, with both N-and P-channel MOSFETs within the same package. For the filter, due to the resonance frequency of 3.6 MHz, the coil value was 3.3 µH (Vishay-IHLP1616BZ-ER-3R3-M-5A) and the output capacitor value was 22 µF (ceramic capacitor 22 µF, TDK − CGA6P1 × 7R1C226KT).
The EVR33 regulator represented the embedded voltage regulator for the 3.3 V voltage supply. It was always implemented as an LDO (Low Dropout) regulator and generated a digital supply for Flash (VDDP3) of 3.3 V (with internal pass devices). It contains an integrated voltage regulator, a pass device control unit, and a voltage feedback loop. Only the output capacitor (ceramic capacitor 100 nF, TDK-CGA3E2X7R1H104KT0Y9N) is not integrated.

What Happens (over Lifetime) with the TC3xx If the Power Supply from PSBC Is Done Like in the Data Sheet?
The design for the power supply was completed by delivering 5 V to the microcontroller with a VCORE buck and to its proper selected components. The supply structure for the controller was completed by choosing suitable output components. It was not enough. This section highlights that a deeper investigation is necessary by looking for the worst-case scenario. The worst-case analysis for the design is a proof that the hardware meets or exceeds the design specifications for its lifetime. For a safety application like the TCU, the WCA is mandatory to be performed; it is not an option. The designers can foresee potential damages of the design, predict the lifetime decreasing and, in addition, anticipate the predictable faults in the system (SBC microcontroller). In other words, designers can reduce financial, legal, and safety risks and help to ensure satisfactory performance for the application.

TC397 Microcontroller Requirements in Terms of Supply
An important step in the design is to check the remaining useful life of the microcontroller when the SBC exceeds 5 V, which is the rated voltage. Verification is needed in order to get a precise understanding of the worst-case behavior of the TCU. The 5 V signal provided by the SBC shall match the microcontroller specification regarding quality, robustness, lifespan, and safety goals. The microcontroller requirements, in terms of supply voltage range, are depicted in Table 1 below. Normal functioning is ensured between 4.5 V (corresponding to a −10% tolerance) and 5.3 V (corresponding only to a 6% voltage tolerance). This is the reason for the SBC supply main limitation. A larger margin for an overvoltage condition of at least +10% was expected. In this case, it means that the SBC must trigger the safety case when the V CORE already exceeds 5.3 V. In addition, as it is listed in the table, the microcontroller will still operate without resetting, but in safety cases up to 5.6 V for 100 h, or up to 6.5 V for 10 h. In addition to that, during the reset mode, it can handle 6.5 V for a maximum of 60 h. The operation hours are given by the microcontroller manufacturer based on lifetime measurements of a large number of components within its structure. From the designers' points of view, the results obtained are trustworthy, but in the automotive domain, proofs are needed. For the current technology, there is no possibility to measure the lifetime reduction (counting the remaining hours before damage) in an overvoltage situation, but only to predict it. In addition, in a safety-critical operation case, it is more crucial. The risks come when the hours listed in the table are not reflecting reality. No one will take such risks in the context of damaging the master component of the TCU in ASIL-C or D applications. The safety shall be triggered at 5.3 V and stop the TCU system's operation. This means that the FS6512 SBC shall detect the overvoltage at 5.3 V and generate the safety at the FS0B pin. FS0B represents the first output of the safety block (active low signal type). For this action, the designers shall demonstrate by calculation the safety activation at 5.3 V. Only by calculation can the designers identify the design issues and the alternatives or get confidence in a good critical design.

V CORE 5 V Worst-Case Mathcad Calculation
The computational method used as a validation of overvoltage detection in this paper was the extreme value analysis (EVA) method. The purpose of the calculation is to obtain an accurate indication of the worst-case results, especially for the overvoltage detection range. Along the calculation process, all the electronic components' tolerances were considered, including initial manufacturing tolerances, environmental (temperature) tolerances, aging tolerances, detraction, and drift factors.
A WCA was then performed, using a Mathcad tool, for the V CORE circuit by setting all the components' values to their end tolerance limits. For the feedback resistors (R 3 , R 4 ) in the calculation process, 0.1% initial tolerance, 0.25% aging tolerance, and a temperature coefficient (temp_coef) of 25 ppm were considered. The formula below was used: R n(R,tolerance,ageing,temp_coeff,t) where ∆Temp is the difference between the application's maximum temperature (125 • C) and its rated temperature (25 • C). The following results were obtained: The maximum, rated, and minimum V CORE computed values are in correlation with the feedback directional sensitivity circuit of the FS6152 supply (V CORE_FB ). Therefore, the undervoltage and overvoltage feedback values (V CORE_FB_UV ; V CORE_FB_OV ) were extracted from the manufacturer specification and introduced in a Mathcad tool as listed in the below formula: For the rated V CORE obtained using (6), the rated range will be For the overvoltage detection range (V CORE_5V_OV ), the V CORE limit will be V CORE_5V_OV max V CORE_FB_OV max R 3 max + R 4 min R 4 min ; V CORE_5V_OV max = 5.701; For the undervoltage detection range (V CORE_5V_UV ), the V CORE limit will be The results of the above calculus represent, basically, the best approach to predict the under and overvoltage 5 V supply faults in the circuit. As can be derived from Figure 9, the normal operation is ensured within the range of 4.85-5.15 V. The main drawback occurs in the detection range of the undervoltage and overvoltage monitored behaviors. From the plot in Figure 9, it can be seen that the detection is significantly out of range. In the case of undervoltage detection, a power-on reset can be generated. The critical point represents overvoltage detection when the microcontroller could be damaged completely. From this moment, it is clear that the design needs improvements in order to operate properly and safely. There are two options, and the first one is to use components with better performance. However, in this case, 0.1% resistors were already used, despite the fact that the SBC manufacturer specifies 1%. The remaining option is to add to the design a specific circuit which could limit or switch off operation when the V CORE voltage goes higher than 5.3 V. A proposed voltage supervisor component is TPS3702-DX50Q1. It generates a safe state activation or reset when the voltage is higher than 5.3 V.
Electronics 2020, 9, x FOR PEER REVIEW 11 of 16 supervisor component is TPS3702-DX50Q1. It generates a safe state activation or reset when the voltage is higher than 5.3 V.

Safety Connections
The selection of the best safety mechanism, as listed in this paper, will be a tradeoff between performance and cost. Because improved detection cannot be done from the components point of view, an additional circuit will be considered and, thus, the total cost of the application will increase. This additional cost cannot be avoided, because the statement of safety first prevails. The effort made for the design to meet safety constraints is moved now into design efforts to create a proper interconnection switch-off path for the TCU considering all the three blocks: the microcontroller, the SBC, and the overvoltage and undervoltage monitoring circuit. This section provides a good safety activation concept, looking step by step at safety activation signal configuration for each main block.

Check the SBC Safety Activation
The FS6512 SBC plays an important role in safety-oriented TCU system partitioning. A dedicated fail-safe state machine is implemented to bring and maintain the TCU application into a safe state. The SBC provides an overvoltage and undervoltage monitoring feature of the FB_CORE, which is part of the fail-safe state machine, as can be seen in Figure 10.

Safety Connections
The selection of the best safety mechanism, as listed in this paper, will be a tradeoff between performance and cost. Because improved detection cannot be done from the components point of view, an additional circuit will be considered and, thus, the total cost of the application will increase. This additional cost cannot be avoided, because the statement of safety first prevails. The effort made for the design to meet safety constraints is moved now into design efforts to create a proper interconnection switch-off path for the TCU considering all the three blocks: the microcontroller, the SBC, and the overvoltage and undervoltage monitoring circuit. This section provides a good safety activation concept, looking step by step at safety activation signal configuration for each main block.

Check the SBC Safety Activation
The FS6512 SBC plays an important role in safety-oriented TCU system partitioning. A dedicated fail-safe state machine is implemented to bring and maintain the TCU application into a safe state. The SBC provides an overvoltage and undervoltage monitoring feature of the FB_CORE, which is part of the fail-safe state machine, as can be seen in Figure 10.
If the FB_CORE is above or below the value specified by the SBC datasheet, RSTB (the reset pin) and/or FS0B (depending on the device configuration) are asserted as low. The reset pin controls and monitors the microcontroller's reset pin. The FS0B is available to control or deactivate any fail-safe circuitry in redundancy with the microcontroller. Both RSTB and FS0B shall be integrated in the switch-off concept. In addition, FS6512 has an interrupt output pin, called the INTB pin, for error information, connected at the microcontroller's non-maskable interrupt interface.

Check the SBC Safety Activation
The FS6512 SBC plays an important role in safety-oriented TCU system partitioning. A dedicated fail-safe state machine is implemented to bring and maintain the TCU application into a safe state. The SBC provides an overvoltage and undervoltage monitoring feature of the FB_CORE, which is part of the fail-safe state machine, as can be seen in Figure 10.

Check the µC Safety Activation
In order to fulfill technical safety requirements, the TC397 microcontroller has a PMS (Power Management Systems, as shown in Figure 11) module, which implements software with staggered voltage monitoring. The PMS is built upon a primary and a secondary monitor, providing adequate redundancy to activate the safe state in case of under or overvoltage faults. The primary monitoring circuit can generate only an undervoltage detection for the following voltages: 5 V, 3.3 V, and 1.25 V. In case of undervoltage detection, in the primary monitoring unit of the PMS, a power-on reset will be generated. In the secondary monitoring block, both functions of under and overvoltage protection are implemented. In case of detection in the secondary monitoring unit of the PMS, the SMU (Safety Monitoring Unit) will generate an alarm on the error pin (FSPx, the fail-safe pin). Detection thresholds can be set in the software code via SWDUVVAL/SWDOVVAL bits in the PMS_EVRUVMON/PMS_EVROVMON registers. The signal provided by the microcontroller at the FSP pin shall be part of the switch-off concept.
Electronics 2020, 9, x FOR PEER REVIEW 12 of 16 If the FB_CORE is above or below the value specified by the SBC datasheet, RSTB (the reset pin) and/or FS0B (depending on the device configuration) are asserted as low. The reset pin controls and monitors the microcontroller's reset pin. The FS0B is available to control or deactivate any fail-safe circuitry in redundancy with the microcontroller. Both RSTB and FS0B shall be integrated in the switch-off concept. In addition, FS6512 has an interrupt output pin, called the INTB pin, for error information, connected at the microcontroller's non-maskable interrupt interface.

Check the µ C Safety Activation
In order to fulfill technical safety requirements, the TC397 microcontroller has a PMS (Power Management Systems, as shown in Figure 11) module, which implements software with staggered voltage monitoring. The PMS is built upon a primary and a secondary monitor, providing adequate redundancy to activate the safe state in case of under or overvoltage faults. The primary monitoring circuit can generate only an undervoltage detection for the following voltages: 5 V, 3.3 V, and 1.25 V. In case of undervoltage detection, in the primary monitoring unit of the PMS, a power-on reset will be generated. In the secondary monitoring block, both functions of under and overvoltage protection are implemented. In case of detection in the secondary monitoring unit of the PMS, the SMU (Safety Monitoring Unit) will generate an alarm on the error pin (FSPx, the fail-safe pin). Detection thresholds can be set in the software code via SWDUVVAL/SWDOVVAL bits in the PMS_EVRUVMON/PMS_EVROVMON registers. The signal provided by the microcontroller at the FSP pin shall be part of the switch-off concept.

Safety Architecture for the Switch-off Concept
Continuous monitoring of the voltage levels alone in critical applications may not be enough for safety implementation. Any out-of-order fault event detected by the redundant supervisors (the SBC via the internal FB_CORE, or the microcontroller via the PMS or voltage supervisory) needs to be

Safety Architecture for the Switch-Off Concept
Continuous monitoring of the voltage levels alone in critical applications may not be enough for safety implementation. Any out-of-order fault event detected by the redundant supervisors (the SBC via the internal FB_CORE, or the microcontroller via the PMS or voltage supervisory) needs to be reported in order to take appropriate corrective action (switch off or on the actuation, depending on the application). For TCUs, the SWOP represents the off position; all actuators will be stopped (e.g., motors will be put on break mode). For ACUs (airbag control units), this is also a safety-relevant application. The SWOP represents the on position for the switch-on path, because the appropriate restraint systems shall be triggered. When the SWOP is created, the designers shall consider in a redundant logic all the activation signals to guarantee the safe state of the application and cover the stringent ASIL-C or D requirements. A simple but efficient approach is the logic OR (a gate circuit which produces an output if there is a signal on any of its inputs). The article proposed a switch-off path architecture concept (represented by Figure 12) that is deployed by collecting in a node all the activation signals in a redundant way as follows: motors will be put on break mode). For ACUs (airbag control units), this is also a safety-relevant application. The SWOP represents the on position for the switch-on path, because the appropriate restraint systems shall be triggered. When the SWOP is created, the designers shall consider in a redundant logic all the activation signals to guarantee the safe state of the application and cover the stringent ASIL-C or D requirements. A simple but efficient approach is the logic OR (a gate circuit which produces an output if there is a signal on any of its inputs). The article proposed a switch-off path architecture concept (represented by Figure 12) that is deployed by collecting in a node all the activation signals in a redundant way as follows: 1. FS0B from the SBC; 2. FSP from the microcontroller; 3. Redundant digital output pin from the microcontroller (GPIOR pin); 4. Under or overvoltage reset pin from the voltage supervisor block (OV/UV). As listed in Step 6 of the design flow proposed in Section 2, before releasing the concept by the functional safety manager and stating the PCB manufacturing, it is mandatory to add proofs for proper functioning of safety activation using redundant logic. An OrCAD PSpice simulation of the circuit was performed, considering all four redundant signals (UV_OV, FS0B, FSP, uC_GPIO), as is depicted in Figure 13. For the FS0B and UV_OV signals from the voltage monitoring circuit, the internal open drain structure was emulated. Because the SWOP concept chosen is to switch off, an intermediary signal, called ACTIVE_GND, is considered. The function of this signal is as follows: only when ACTIVE_GND is low (0 V) and the uC_GPIO pin is low can the gate of the bridge switches (LS-low side MOSFETs) used in actuation be controlled. When a fault is raised by the FS0B, FSP, or UV_OU signals, ACTIVE_GND goes to a high level, which leads to the actuation switching off (gate pulled to the ground). After compiling the simulation for all cases and combinations of signals (low and high levels for each signal), the SWOP concept was released.
The schematic and layout board were started to finally obtain the evaluation board, a TCU As listed in Step 6 of the design flow proposed in Section 2, before releasing the concept by the functional safety manager and stating the PCB manufacturing, it is mandatory to add proofs for proper functioning of safety activation using redundant logic. An OrCAD PSpice simulation of the circuit was performed, considering all four redundant signals (UV_OV, FS0B, FSP, uC_GPIO), as is depicted in Figure 13. For the FS0B and UV_OV signals from the voltage monitoring circuit, the internal open drain structure was emulated. Because the SWOP concept chosen is to switch off, an intermediary signal, called ACTIVE_GND, is considered. The function of this signal is as follows: only when ACTIVE_GND is low (0 V) and the uC_GPIO pin is low can the gate of the bridge switches (LS-low side MOSFETs) used in actuation be controlled. When a fault is raised by the FS0B, FSP, or UV_OU signals, ACTIVE_GND goes to a high level, which leads to the actuation switching off (gate pulled to the ground). After compiling the simulation for all cases and combinations of signals (low and high levels for each signal), the SWOP concept was released.
Electronics 2020, 9, x FOR PEER REVIEW 14 of 16 was ensured and thus provided the reason for why the proposed SWOP concept could be extended to all safety-relevant applications.   The schematic and layout board were started to finally obtain the evaluation board, a TCU board, as shown in Figure 14. On the PCB, voltage fault test cases were performed to see that the safety reaction was working as expected from the simulation. The measurements were performed with a digital multimeter by considering stable under or overvoltage faults (e.g., generating an external UV or OV fault) or open signals (e.g., disconnection pins). For all tested cases, the safe state was ensured and thus provided the reason for why the proposed SWOP concept could be extended to all safety-relevant applications.

Discussion
The focus of this paper was to provide a novel, safety-relevant supply design (with only 5 V delivered by an SBC to a microcontroller) which will withstand automotive requirements in terms of safety. The proposed design procedure was broken down into an original step-by-step action that every designer can follow to create a proper safety circuit between the supply and the microcontroller in safety-relevant applications. In other words, following the proposed design methodology, designers can reduce financial, legal, and safety risks and help to ensure satisfactory performance for an application in case of voltage faults. Hardware robustness was validated through worst-case analysis for proper selection of components. A complete safety reaction was considered and validated through simulation. In the SWOP circuit, there are four redundant ways to generate a safety reaction in case of over or undervoltage fault occurrence: three are software-based integrated solutions in the SBC and microcontroller and one is hardware-based on an external monitoring circuit. All four ways are essential for achieving safety, ensuring that the TCU design is robust and reliable upon voltage fault occurrence. Additionally, the authors plan to expand the method and supply concept for other ECUs with higher grades of ASIL requirements after a complete product validation.