Functional safety - Motor controller with many diagnostic and protection functions

05/08/2024 Know-How

The growing importance of functional safety in electronic systems is placing increasing demands on the self-diagnostic capabilities of complex motor controller ASSPs. TDK-Micronas answers these challenges with the new HVC 5x family of embedded motor controllers.

The diagnostic and protection functions of the embedded motor controllers are mapped by software on the top application layer. Among other things, this application software evaluates voltages, currents, and temperatures measured by the A/D converter or other peripherals. In the layer below, software-independent protection and diagnostic functions are implemented in hardware. They can be partially configured by the application software, but their effect cannot be influenced. They bring the corresponding function block or the entire IC into a fail-safe state, for example by switching off the motor bridge due to an overcurrent event or by performing a system reset via the digital/window watchdog. By implementing the protection mechanisms described in the safety manual with regard to programming, configuration, and wiring, the customer achieves defined diagnostic coverage. 

Power supply from the 12 V electrical system

HVC 5x family devices can be powered directly from the 12 V electrical system and are ISO pulse compliant (ISO 7637-2 and ISO 16750-2). Reverse polarity protection is provided, e.g., by an upstream diode. Controllers for the subordinate supply domains (analog, digital, and standby) are fully integrated. 

Various diagnostic options are available for voltage monitoring. An important function is the continuous monitoring of the BVDD supply voltage with corresponding overvoltage and undervoltage interrupts. Voltage monitoring generates control signals for configuring the analog and digital power supply system for the different voltage ranges. 

The HVC 5x motor controllers are functional up to a BVDD voltage of 4.8 V (typically). If the BVDD voltage drops further, the ICs enter what is known as retention mode. In this mode, all analog peripherals, including the analog controller and motor functions, are switched off, the digital peripherals and the CPU are reset, and a program is no longer executed. However, memory contents are retained. A system reset occurs when returning from retention mode. The application software can determine the cause of the most recent reset by reading a status register and take appropriate precautions.

An overvoltage condition is also indicated by a system register flag. The IC is functional up to 40 V. However, prolonged operation under overvoltage is critical due to the rising junction temperature and will shorten the IC’s service life (Fig. 2).

The overvoltage flag is a software-based safety feature that should be used by the application software to, for example, limit power consumption and maintain the power loss budget. This can be done by switching off peripheral modules or by lowering the CPU clock frequency.

Additional software-based diagnostics of the supply voltage and controller voltages can be performed by the internal 12-bit ADC. The BVDD supply voltage can be measured cyclically, for example. It is also possible to measure the battery voltage (VBAT) using a suitably sized passive RC protection filter (e.g. via an LGPIO port). By measuring both voltages, it is possible to respond to electrical system instabilities or overshoots before they affect the internal supply. Overvoltage and undervoltage conditions can thus be detected in good time and indicated by the existing interrupt sources in the software to ensure the IC can be put into a safe state. The 64 kB version of the HVC 5x family also allows measurements of the internal regulator and band-gap voltages, for example to detect relative voltage drifts over the service life.
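As an added example (not code from the article or from TDK-Micronas), here is how application software could combine the reset-cause evaluation and the cyclic BVDD/VBAT measurements described above into one supervisory step. The status-register bits, the warning thresholds, the hysteresis and the chosen reactions are assumptions; only the 4.8 V retention level comes from the text, and all voltages are passed in millivolts as already converted from the 12-bit ADC.

```c
#include <stdint.h>
#include <stdbool.h>

/* Reset-cause bits of a HYPOTHETICAL status register (real layout: data sheet). */
#define RST_WWDG 0x02u
#define RST_DWDG 0x04u
#define RST_TSD  0x08u
/* Millivolt thresholds: 4.8 V is the typical BVDD level below which the text says
 * retention mode is entered; the warning levels and hysteresis are constructed. */
#define BVDD_RETENTION_MV 4800u
#define UV_WARN_MV        6000u
#define OV_WARN_MV       18000u
#define HYST_MV            300u

typedef enum { SUPPLY_OK, SUPPLY_UV_WARN, SUPPLY_OV_WARN, SUPPLY_CRITICAL } supply_state_t;
typedef enum { ACT_NONE, ACT_SHED_PERIPHERALS, ACT_LOWER_CPU_CLOCK, ACT_SAFE_STATE } action_t;
/* Classify one rail with hysteresis: leaving a warning state requires the voltage
 * to move HYST_MV back inside the limit, so the state cannot chatter. */
supply_state_t classify_rail(uint32_t mv, supply_state_t prev)
{
    uint32_t uv = (prev == SUPPLY_UV_WARN) ? UV_WARN_MV + HYST_MV : UV_WARN_MV;
    uint32_t ov = (prev == SUPPLY_OV_WARN) ? OV_WARN_MV - HYST_MV : OV_WARN_MV;
    if (mv < BVDD_RETENTION_MV) return SUPPLY_CRITICAL; /* retention imminent */
    if (mv < uv) return SUPPLY_UV_WARN;
    if (mv > ov) return SUPPLY_OV_WARN;
    return SUPPLY_OK;
}

/* VBAT (behind only the RC filter) shows a disturbance before the regulated BVDD
 * does, so the more severe of the two classifications wins. */
supply_state_t classify_supply(uint32_t bvdd_mv, uint32_t vbat_mv, supply_state_t prev)
{
    supply_state_t a = classify_rail(bvdd_mv, prev), b = classify_rail(vbat_mv, prev);
    return a > b ? a : b;
}

/* Map the state to the power-limiting reactions the article describes. */
action_t choose_action(supply_state_t s)
{
    if (s == SUPPLY_OV_WARN)  return ACT_LOWER_CPU_CLOCK;  /* keep the power-loss budget */
    if (s == SUPPLY_UV_WARN)  return ACT_SHED_PERIPHERALS; /* reduce load before retention */
    if (s == SUPPLY_CRITICAL) return ACT_SAFE_STATE;       /* bridge to HiZ, await retention */
    return ACT_NONE;
}

/* A watchdog or thermal reset is not a plain power-up: run a self-test first. */
bool startup_requires_selftest(uint8_t reset_status)
{
    return (reset_status & (RST_WWDG | RST_DWDG | RST_TSD)) != 0;
}
```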

Clock system with two oscillators

The clock system of the motor controllers has two independent on-chip oscillators, the main oscillator and the auxiliary oscillator. The main oscillator provides the system’s 40 MHz main clock and serves as the basis for the clock of the analog and digital modules. The main oscillator is supplied by the analog controller, whereas the auxiliary oscillator is supplied independently, by the standby controller. The auxiliary oscillator serves as the clock source for the window watchdog (WWDG), which monitors the oscillators and the program flow. Triggering the WWDG results in a system reset. 

In addition to the WWDG, HVC 5x motor controllers also have a digital watchdog (DWDG) for monitoring correct program execution. Unlike the WWDG, the DWDG is clocked by the main oscillator. Any error in the program execution that prevents the DWDG from being re-triggered within a programmable time will result in a system reset (Fig. 3).

In all cases, the cause of the most recent reset can be evaluated after startup by reading the system status. The WWDG is always enabled and can only be disabled for debug purposes with a special keyword.
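An added example, not from the article or the chip vendor: a constructed model of the two watchdogs that shows why the WWDG rejects a service arriving too early just as it rejects one arriving too late, and how the WWDG, because it counts the independent auxiliary oscillator, turns a drift of the main oscillator into a window violation and thus a reset. The window limits, the auxiliary-oscillator frequency and the time-outs are assumptions; only the 40 MHz main clock comes from the text.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the two watchdogs; register names, window limits and
 * time-outs are assumptions for illustration, not HVC 5x values. */
typedef struct {
    uint32_t window_open;  /* earliest accepted service, in aux-oscillator ticks */
    uint32_t window_close; /* latest accepted service (time-out), in aux ticks */
    uint32_t elapsed;      /* aux ticks since the last accepted service */
} wwdg_t;
typedef struct {
    uint32_t timeout;      /* programmable time-out, in main-clock ticks */
    uint32_t elapsed;      /* main-clock ticks since the last re-trigger */
} dwdg_t;
typedef enum { WD_OK, WD_RESET_EARLY, WD_RESET_LATE } wd_result_t;
/* Advance the WWDG by aux ticks; true means the window has closed (reset). */
bool wwdg_tick(wwdg_t *w, uint32_t aux_ticks)
{
    w->elapsed += aux_ticks;
    return w->elapsed > w->window_close;
}

/* A service is accepted only inside the window: arriving too early (runaway
 * loop, main clock too fast) is as fatal as arriving too late. */
wd_result_t wwdg_service(wwdg_t *w)
{
    if (w->elapsed < w->window_open)  return WD_RESET_EARLY;
    if (w->elapsed > w->window_close) return WD_RESET_LATE;
    w->elapsed = 0;
    return WD_OK;
}

/* The DWDG runs on the main clock and only checks that the re-trigger
 * arrives within the programmed time-out. */
bool dwdg_tick(dwdg_t *d, uint32_t main_ticks) { d->elapsed += main_ticks; return d->elapsed > d->timeout; }
void dwdg_retrigger(dwdg_t *d) { d->elapsed = 0; }

/* Why the WWDG also monitors the oscillators: the application services it every
 * period_main main-clock cycles, but the WWDG counts the independent auxiliary
 * oscillator, so it sees period_main * f_aux / f_main ticks. If the main
 * oscillator drifts by main_drift_ppm, the service slides out of the window. */
wd_result_t wwdg_check_main_clock(wwdg_t *w, uint32_t period_main, uint32_t f_main_hz,
                                  uint32_t f_aux_hz, int32_t main_drift_ppm)
{
    uint64_t f_actual = (uint64_t)f_main_hz * (uint64_t)(1000000 + main_drift_ppm) / 1000000u;
    uint32_t aux_ticks = (uint32_t)((uint64_t)period_main * f_aux_hz / f_actual);
    w->elapsed = 0;
    wwdg_tick(w, aux_ticks);
    return wwdg_service(w);
}
```

With a 100 ms service period (4,000,000 main-clock cycles), a 100 kHz auxiliary oscillator and a window of 9,000 to 11,000 aux ticks, a main-oscillator drift of +20 % is reported as an early service and -20 % as a late one, while +5 % still passes.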

I/O protection functions

The HVC 5x family has 3.3 V I/O ports (for debugging and digital/analog functions), a LIN bus interface, and ports for direct BLDC and stepper motor control. Depending on the actual version, the HVC 5x motor controllers support BLDC and stepper motors or BLDC motors only. 

The AVDD controller output can be used, for example, to supply external sensors up to a rated output current of 15 mA. Among other things, the AVDD controller contains undervoltage detection and generates a reset if the voltage level is not achieved. 

The LIN port is used for communication with external devices via the LIN bus and meets the requirements of ISO 17987 and SAE J2602. It can also be used for other communication protocols (e.g. PWM). It has 8 kV ESD protection and an overcurrent shutdown feature that switches the pin to a recessive state once the overcurrent limit has been reached. The LIN pin is automatically recessive in retention and power-saving modes, during thermal shutdown, and after a system reset.

An overcurrent event on the LIN port is indicated by an overcurrent flag in the port registers and can be evaluated accordingly by the application software. In addition, the application software can evaluate the overcurrent events by interrupts and immediately initiate appropriate safety measures.

Thermal safety functions

The HVC 5x motor controllers have three temperature sensors for monitoring the junction temperature. One temperature sensor directly triggers a thermal shutdown (TSD) of the IC when the overtemperature limit is exceeded. The TSD is a fail-safe state in which all analog and digital modules are shut down to minimize internal power loss and prevent device malfunction. 

Another temperature sensor, supplied by the standby controller, monitors the junction temperature after a TSD to reactivate the IC when the temperature drops below a specified junction temperature. Upon return from the TSD, a system status flag is set that the application software can evaluate to then initiate appropriate actions such as a self-test. 

The third temperature sensor can be read out via the A/D converter. Cyclic temperature monitoring allows the user to respond to a rising junction temperature by taking actions such as switching off certain modules, reducing the CPU clock frequency, or putting the device into one of the energy-saving modes.

Diagnostic and protection functions of the motor bridges

Depending on the variant, the ICs of the HVC 5x family have three (e.g. HVC 5222C, HVC 5223C) or up to four integrated half-bridges to which BLDC or stepper motors can be directly connected without any additional external components. Each port is equipped with internal overcurrent protection with programmable response time as well as interlocking by monitoring the gate voltages of the bridge transistors. Exceeding the overcurrent threshold results in an interrupt. Suitable flags identify the port where the overcurrent occurred. In response, either all or only the half-bridges affected by the overcurrent are deactivated. A half-bridge can then only be reactivated after the application software has cleared the overcurrent flag. To ensure the safe state, all bridge transistors are set to HiZ in retention, energy-saving, or TSD modes and after a system reset (Fig. 4).

In addition to the integrated diagnostic functions of the motor bridges, software-based safety functions are possible to adapt the IC to the specific motor or application. 

The integrated back-EMF comparators allow the regenerative voltage of the motor to be evaluated and compared with the feedback from the rotor position sensors, for example. In addition, the connections to the motor phases can be checked by evaluating the back-EMF on the non-driven motor phase. 

Especially for stepper motor applications (for HVC 5x variants with four MOUT ports), the 12-bit ADC can be used to measure the EMF voltages on both motor phases and thus to check the torque load on the motor. This makes it possible to implement tuned stall detection in the application software, for example. For practical ADC current measurements, integrated current shunts (RS0 and RS1) are available for the HVC 5x variants with four MOUT ports, and all HVC 5x variants support measurement via an external shunt resistor. These can be used, for example, for motor current control and diagnostic functions. 

Memory protection and diagnostic functions

The ICs of the HVC 5x family offer several on-chip memory blocks. A 1 kB start-up ROM contains the start-up sequence, interrupt table, flash utility functions, and verification that IC trimming has been performed. The program data are stored in the internal SRAM (2–4 kB depending on HVC 5x version). A flash memory (32–64 kB depending on HVC 5x version) is available for application programs and diagnostic functions. The HVC 5x ICs also have 512–2048 bytes of EEPROM and 256–1024 bytes of NVR for storing non-volatile application data. Write protection prevents any data misuse. The flash main memory also contains write/erase protection. Flash, EEPROM, and NVR have ECC to detect double- and single-bit errors and to correct single-bit errors. In case of error detection, the specific error type and the affected memory can be read out. In addition, an interrupt can be triggered to ensure application software can respond quickly by performing an application-specific error analysis or correction.
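An added example, not the HVC 5x's own ECC implementation: a constructed SECDED code (Hamming(12,8) plus an overall parity bit) over one byte that yields the same three outcomes the text describes for the on-chip memories, no error, single-bit error corrected, and double-bit error detected but not correctable. The code layout is the textbook one and is an assumption; the chip's actual code is not documented in the article.

```c
#include <stdint.h>

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status_t;

/* SECDED over one byte: Hamming(12,8) plus overall parity, a 13-bit code word.
 * Positions 1,2,4,8 hold Hamming parity, the other eight positions in 1..12 hold
 * data, bit 0 holds overall parity. Constructed for illustration only. */
static int is_parity_pos(unsigned p) { return (p & (p - 1)) == 0; }

uint16_t secded_encode(uint8_t data)
{
    uint16_t cw = 0;
    unsigned d = 0, all = 0;
    for (unsigned p = 1; p <= 12; p++) {           /* place data bits */
        if (is_parity_pos(p)) continue;
        if ((data >> d++) & 1u) cw |= (uint16_t)(1u << p);
    }
    for (unsigned pb = 1; pb <= 8; pb <<= 1) {     /* parity bit pb covers p & pb */
        unsigned parity = 0;
        for (unsigned p = 1; p <= 12; p++)
            if ((p & pb) && ((cw >> p) & 1u)) parity ^= 1u;
        if (parity) cw |= (uint16_t)(1u << pb);
    }
    for (unsigned p = 1; p <= 12; p++) all ^= (cw >> p) & 1u;
    return cw | (uint16_t)all;                     /* overall parity -> bit 0 */
}

/* Syndrome = XOR of the positions of all set bits: zero for a valid word, the
 * flipped position for a single error. Overall parity separates a single error
 * (parity mismatch) from a double error (parity still matches). */
ecc_status_t secded_decode(uint16_t cw, uint8_t *data)
{
    unsigned syndrome = 0, all = 0, d = 0;
    uint8_t out = 0;
    for (unsigned p = 1; p <= 12; p++)
        if ((cw >> p) & 1u) { syndrome ^= p; all ^= 1u; }
    int parity_bad = all != (cw & 1u);
    ecc_status_t st = ECC_OK;
    if (syndrome && parity_bad) { cw ^= (uint16_t)(1u << syndrome); st = ECC_CORRECTED; }
    else if (syndrome)          return ECC_UNCORRECTABLE;   /* two bits flipped */
    else if (parity_bad)        st = ECC_CORRECTED;         /* only bit 0 flipped */
    for (unsigned p = 1; p <= 12; p++) {           /* extract data bits */
        if (is_parity_pos(p)) continue;
        if ((cw >> p) & 1u) out |= (uint8_t)(1u << d);
        d++;
    }
    *data = out;
    return st;
}
```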

Summary

The HVC 5x family from TDK-Micronas includes extensive diagnostic and protection mechanisms that enable its use in systems with safety-relevant functions. Conformity to industry standards such as ISO 26262 (automotive) or IEC 61508 (industrial) and their influence on the “Product Safety Life Cycle” is taken into account in its chip architecture.

Customers receive the relevant data sheets for designing their system and meeting the “Safety Goal”, an FMEDA summary report (failure mode, failure effect and failure diagnosis analysis together with base failure rates), and the corresponding safety manuals. Coordinated diagnostic coverage is achieved through the interaction of hardware and software functions. This gives the customer the ability to tailor the ICs to application-specific functions and configurations in order to meet the safety requirements of the application.


Figure 1: Hardware and software system interaction with BLDC motor

Figure 2: Voltage and temperature monitoring of HVC 5x family motor controllers

Figure 3: A window watchdog and a digital watchdog monitor the system clock and program execution of the motor controllers.

Figure 4: Motor bridge diagnostic and protection functions