

## Safety Manual for PGA411-Q1 Resolver Sensor Interface

#### ABSTRACT

This document is a safety manual for the Texas Instruments PGA411-Q1 resolver sensor interface. This manual provides information to help developers integrate the PGA411-Q1 device into safety related systems.

- 1 Introduction
- 2 Product Overview
- 2.1 Target Applications
- 2.2 Product Safety Constraints
- 3 PGA411-Q1 Development Process for Management of Systematic Faults
- 3.1 TI New-Product Development Process
- 3.2 TI Safety Development Flow
- 3.3 Development Interface Agreement
- 4 PGA411-Q1 Product Architecture for Management of Random Faults
- 4.1 Device State Controller
- 5 PGA411-Q1 Architecture Safety Mechanisms and Assumptions of Use
- 5.1 Independent Bandgap for Monitoring Circuitry
- 5.2 VCC Supply Undervoltage Reset
- 5.3 V<sub>DD</sub> Regulator Output Undervoltage Reset
- 5.4 V<sub>DD</sub> Regulator Output Overvoltage Fault
- 5.5 V<sub>DD</sub> Regulator Output Over Current Fault
- 5.6 Thermal Warning Faults
- 5.7 Exciter Power Supply (Boost) Overvoltage
- 5.8 V<sub>CC</sub> Supply Overvoltage Fault
- 5.9 Invalid Exciter Mode Selection Protection
- 5.10 Differential Exciter Overvoltage Fault
- 5.11 Single Ended Exciter Overvoltage Fault
- 5.12 Differential Exciter Undervoltage Fault
- 5.13 Exciter Current Limit Fault
- 5.14 Configuration and Control Registers CRC Fault
- 5.15 User EEPROM Space CRC Fault
- 5.16 Trim EEPROM Space CRC Fault
- 5.17 SPI Communication Fault
- 5.18 Output Pin Read-Back Mismatch Error Fault
- 5.19 Exciter Monitor High Fault
- 5.20 Exciter Monitor Low Fault
- 5.21 FEXTMONL (bit 14) in DEV_STAT4 Register. See Section 5.19 Exciter Monitor High Fault for details.
- 5.22 Input Izx (x = 1..4) High Overvoltage Fault
- 5.23 Input Izx (x = 1..4) Low Overvoltage
- 5.24 Input IZ1/IZ3 or IZ2/IZ4 Short Fault (or FOSHORT)
- 5.25 Sine Input (IZ2-IZ4) High Open Fault (or FOSINOPH)
- 5.26 Cosine Input (IZ1-IZ3) High Open Fault (or FOCOSOPH)
- 5.27 Sine Input (IZ2-IZ4) Low Open Fault (or FOSINOPL)

All trademarks are the property of their respective owners.

- 5.28 Cosine Input (IZ1-IZ3) Low Open Fault (or FOCOSOPL)
- 5.29 Digital Tracking Loop Input Error Fault
- 5.30 Passcode Testmode Prevention
- 5.31 Analog Built in Self-Test (ABIST) Fault
- 5.32 Logic Built in Self-Test (LBIST) Fault
- 5.33 Oscillator Fault
- 6 PGA411-Q1 as Safety Element Out of Context (SEooC)
- 6.1 PGA411-Q1 used in an EV/HEV Inverter System

#### List of Figures

- 1 PGA411-Q1 Architecture Overview
- 2 Presumed System Configuration for Electric and Hybrid Electric Vehicle Inverter
- 3 TI New-Product Development Process
- 4 Device Controller State Diagram
- 5 Two Bandgaps
- 6 PGA411-Q1 Thermal Protection
- 7 PGA411-Q1 Single Ended Exciter Overvoltage
- 8 Exciter Amplifier Current Limit Diagnostic
- 9 Exciter Monitor Faults
- 10 FAFECAL Flow Diagram
- 11 Analog Front End Input Diagnostics Diagrams
- 12 Open Input, Short Input, and Input Fault Diagnostics Threshold Levels
- 13 BIST Comparator Check
- 14 BIST Progress Flow Diagram
- 15 Oscillator Fault Diagram
- 16 EV/HEV Inverter System

#### List of Tables

- 1 TI New-Product Development Process
- 2 Safety Documentation
- 3 PGA411-Q1 Fault Reporting Summary
- 4 Configuration CRC Data Bus Order
- 5 CRC-8 Calculation Examples
- 6 User EEPROM Space SPI Mapping
- 7 User EEPROM CRC Bus Order
- 8 SPI Status or Fault Bits
- 9 Example Fault Detection for the Assumed EV/HEV Inverter System

#### 1 Introduction

The system and equipment manufacturer or designer (as user of this document) is responsible to ensure that their systems (and any TI hardware or software components incorporated in the systems) meet all applicable safety, regulatory and system-level performance requirements. All application and safety-related information in this document (including application descriptions, suggested safety measures, suggested TI products, and other materials) is provided for reference only. Users understand and agree that their use of TI components in safety-critical applications is entirely at their risk, and that user (as buyer) agrees to defend, indemnify, and hold harmless TI from any and all damages, claims, suits, or expense resulting from such use.

This document is a safety manual for the Texas Instruments PGA411-Q1 resolver sensor interface device. This manual provides information to help system developers create a safety-related system using a supported PGA411-Q1 device. This document contains:

- An overview of the development process used to reduce systematic failures
- An overview of the safety architecture for management of random failures and Assumptions of Use (AoU) that the system integrator may consider to use this part in an ISO26262 compliant system
- The details of architecture partitions and implemented safety mechanisms

The Safety Analysis Report documents the following information, not covered in this document:

- Failure rates estimation
- Qualitative failure analysis (design FMEA and FTA)
- Quantitative failure analysis (quantitative FMEDA)
- Safety metrics calculated per targeted standards per system example implementation

The safety case documents the following information, which is not covered in this document:

- Evidence of compliance to targeted standards
- Results of assessments of compliance to targeted standards

TI expects that the user of this document has a general familiarity with the PGA411-Q1 device. This document is intended to be used in conjunction with the pertinent data sheets and other documentation for the products under development. This partition of technical content is intended to simplify development, reduce duplication of content, and avoid confusion as compared to the definition of safety manual as seen in IEC 61508:2010.

#### 2 Product Overview

The PGA411-Q1 device is a resolver sensor interface device with an integrated exciter amplifier and boost power supply. The PGA411-Q1 device is capable of running with either 10-bit or 12-bit resolution. The internal boost power supply for the exciter can be used from 10 V to 17 V, which enables the exciter output to be set to either 4-V<sub>RMS</sub> or 7-V<sub>RMS</sub> mode. The integrated exciter amplifier enables up to 145 mA of excitation current with an exciter frequency from 10 kHz to 20 kHz. The analog front end (AFE) along with the digital tracking loop performs the resolver-to-digital-converter functionality. The AFE takes the cosine and sine signals and amplifies them with differential input amplifiers that have programmable gain. The tracking loop is based on a Type-II PI-controller architecture which enables the device to support up to 200,000 RPM in 10-bit mode. Each block inside the device has dedicated diagnostics for fault coverage. All of the fault conditions are reported through the SPI registers, and a dedicated FAULT pin can be used to interrupt a microcontroller unit (MCU) when a fault is detected in the system. The PGA411-Q1 device has programmable features that allow system flexibility when working with a wide range of resolver sensors.






Figure 1. PGA411-Q1 Architecture Overview

## 2.1 Target Applications

The PGA411-Q1 device targets general-purpose safety-critical applications. Analysis of multiple safety critical applications during the concept phase enabled support of Safety Element out of Context (SEooC) development according to ISO 26262-10:2011. Example target applications include:

- Electronic power steering (EPS) systems
- Electrical vehicle (EV) motor inverters
- Hybrid-electric vehicle (HEV) motor inverters
- Integrated start-stop generators
- Other motor control applications

In the case of overlapping requirements between target systems, TI has attempted to design the device respecting the most stringent requirement. For example, the fault-tolerant response time interval in an EPS application is on the order of 10 ms, while for other motor driver applications the interval could be greater than 100 ms. In such a case, TI has performed timer subsystem analysis respecting a fault-tolerant time interval of 10 ms.




While TI has considered certain applications while developing this device, this should not restrict a customer who wishes to implement other systems. With all safety-critical components, the system integrator must rationalize the component safety concept to the system safety concept.



Figure 2. Presumed System Configuration for Electric and Hybrid Electric Vehicle Inverter

## 2.2 Product Safety Constraints

The PGA411-Q1 Safety Analysis was performed under the following system assumptions:

- This device receives appropriate power on Vcc, QVcc, and VCCSW input rails.
- A resolver sensor is appropriately connected to the excitation output and sine and cosine inputs.
- The PGA411-Q1 device is configured correctly for the resolver sensor used.
- Angle accuracy errors less than 5° are not considered to violate the safety goal.
- An external crystal is used to clock this device.
- This device is connected to a microcontroller or other control unit capable of reading and reacting to reported faults.
- Key device pins such as FAULT, FAULTRES, and NRESET are connected to a microcontroller or other control unit.
- All requirements in the PGA411-Q1 data sheet are followed.

#### 3 PGA411-Q1 Development Process for Management of Systematic Faults

For safety-critical development, it is necessary to manage both systematic and random faults. Texas Instruments has created a development process for safety-critical semiconductors, which greatly reduces the probability of systematic failures. This process builds on a standard quality-managed development process as the foundation for safety-critical development. A second layer of development activities, which are specific to safety-critical applications developments targeting IEC 61508 and ISO 26262, then augments this process.




#### 3.1 TI New-Product Development Process

Texas Instruments has been developing mixed-signal automotive ICs for safety-critical and non-safety critical automotive applications for over fifteen years. Automotive markets have strong requirements regarding quality management and product reliability. Though not explicitly developed for compliance to a functional safety standard, the TI new-product development process already featured many elements necessary to manage systematic faults.

The PGA411-Q1 device was developed using TI's new product development process which has been certified as compliant to ISO TS 16949 as assessed by Det Norske Veritas Certification, Inc.

The standard development process breaks development into phases:

- Business Planning
- Validate
- Create
- Evaluate
- Process to Production

Figure 3 shows the standard process.



Figure 3. TI New-Product Development Process




#### 3.2 TI Safety Development Flow

The TI safety-development flow derives from ISO 26262 as a set of requirements and methodologies to be applied to mixed-signal circuit safety-development flow. This flow is an integrated part of the TI new product development process. The goal of the safety-development flow is to reduce systematic faults.

The safety-development flow targets compliance to IEC 61508 second edition and ISO 26262:2011, and is under a process of continuous improvement to incorporate new features of future ISO 26262 working-group drafts. It aligns with the TI QRAS AP00210 enhanced-safety development process.

While the safety-development flow is not directly targeted at other functional safety standards, TI expects that many customers will determine that other functional safety systems can readily use products developed to industry state-of-the-art.

Key elements of the TI safety-development flow are:

- Assumptions on system level design, safety concept, and requirements based on TI's expertise in safety-critical systems development
- Combined qualitative and quantitative or similar safety analysis techniques comprehending the sum of silicon failure modes and diagnostic techniques
- Fault estimation based on multiple industry standards as well as TI manufacturing data
- Integration of lessons learned through multiple safety-critical developments to IEC 61508 and participation in the ISO 26262 international working group

Table 1 lists these activities overlaid atop the standard QM development flow.

| Business Opportunity<br>Prescreen                                                           | Program Planning                                                                                | Create                                                                                      | Validate, Sample, and<br>Characterize | Quality                                         | Ramp/Sustain                                              |
|---------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------|---------------------------------------|-------------------------------------------------|-----------------------------------------------------------|
| Determine if safety<br>process execution is<br>necessary                                    | Define SIL/ASIL capability                                                                      | Execute safety design                                                                       | Validate safety design<br>in silicon  | Qualification of safety design                  | Implement plans to<br>support operation<br>and production |
| Execute development<br>interface agreement<br>(DIA) with lead<br>customers and<br>suppliers | Generate safety plan                                                                            | Qualitative analysis of design (FMEA and FTA)                                               | Release safety manual                 | Release safety case report                      | Update safety case<br>report (if needed)                  |
|                                                                                             | Initiate safety case                                                                            | Incorporate findings into safety design                                                     | Release safety analysis report        | Update safety manual<br>(if needed)             | Periodic<br>confirmation<br>measure reviews               |
|                                                                                             | Analyze assumed<br>system to generate<br>system level safety<br>assumptions and<br>requirements | Develop safety product preview                                                              | Characterization of<br>safety design  | Update safety<br>analysis report (if<br>needed) |                                                           |
|                                                                                             | Develop component<br>level safety<br>requirements                                               | Validation of mixed-<br>signal safety design at<br>transistor, gate and RTL<br>level        | Confirmation measure<br>review        | Confirmation measure review                     |                                                           |
|                                                                                             | Validate component<br>safety requirements<br>meet system safety<br>requirements                 | Quantitative analysis of design (FMEDA)                                                     |                                       |                                                 |                                                           |
|                                                                                             | Implement safety<br>requirements in design<br>specification                                     | Incorporate findings into<br>safety design                                                  |                                       |                                                 |                                                           |
|                                                                                             | Validate design<br>specification meets<br>component safety<br>requirements                      | Validation of mixed-<br>signal safety design at<br>transistor/gate/physical<br>layout level |                                       |                                                 |                                                           |
|                                                                                             | Confirmation measure review                                                                     | Confirmation measure review                                                                 |                                       |                                                 |                                                           |

 Table 1. TI New-Product Development Process




#### 3.3 Development Interface Agreement

The intent of a development interface agreement (DIA) is to define the responsibilities of the customer and supplier in facilitating the development of a functional safety system.

In custom developments, the DIA is a key document executed between customer and supplier early in the process of developing both the system and the custom TI component. As the PGA411-Q1 device is a commercial, off-the-shelf (COTS) product, TI has prepared a standard DIA which describes the support TI can provide for customer developments. Refer requests for custom DIAs to your local TI sales office for disposition.

The following sections highlight key points of the standard DIA.

#### 3.3.1 Requirements Transfer

The PGA411-Q1 product is developed as a safety element out of context (SEooC) with a target safety goal of ASIL-D. The safety requirements used were based on TI analysis of target safety applications.

#### 3.3.2 Availability of Safety Documentation

Table 2 lists the safety documentation for the PGA411-Q1 device, which is made available either publicly or under a non-disclosure agreement (NDA):

| Deliverable Name                                 | Contents                                                                                                                                    | Confidentiality |
|--------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------|
| Safety Product Preview                           | Overview of safety considerations in<br>product development and product<br>architecture. Delivered ahead of public<br>product announcement. | NDA required    |
| Safety Manual                                    | User guide for the safety features of the<br>product, including system level<br>assumptions of use                                          | Public          |
| Safety Analysis Report Summary for<br>PGA411-Q1  | Summary of FIT rates and device safety metrics according to ISO 26262 and/or IEC 61508 at device level.                                     | NDA required    |
| Detailed Safety Analysis Report for<br>PGA411-Q1 | Full results of all available safety analysis documented in a format that allows computation of custom metrics                              | NDA required    |
| Functional Safety Report for PGA411-Q1           | Summary of the conformance of the product to the relevant safety standard (i.e. ISO 26262 or IEC 61508)                                     | NDA required    |

Table 2. Safety Documentation

#### 3.3.3 External Product Audits

TI has no current plans to perform an external audit of the PGA411-Q1 products to IEC 61508 or ISO 26262 standards. Refer to the Functional Safety Report for the details on the results of the audits and assessments that TI has performed to ensure that this product meets the appropriate requirements of these standards. Detailed documentation can be made available after product qualification to support customer system audit/certification.

#### 4 PGA411-Q1 Product Architecture for Management of Random Faults

For safety-critical development, it is necessary to manage both systematic and random faults. The PGA411-Q1 product architecture integrates several modules which can detect and respond to random faults by returning the device to a safe state. The PGA411-Q1 is highly configurable and allows adjustable thresholds, adjustable deglitch timings, masking of fault reporting, and exciter output override controls on many of the diagnostic features. This configurability allows the user to customize the fault detection and coverage to their specific application. Below is a list of the safety features that have been integrated into the PGA411-Q1 device.

- Independent Bandgap for Monitoring
- VCC Supply Undervoltage
- VDD Regulator Output Undervoltage
- VDD Regulator Output Overvoltage
- VDD Regulator Output Overcurrent
- Exciter Thermal Warning Fault
- Exciter Power Supply (Boost) Overvoltage
- VCC Supply Overvoltage
- Invalid Exciter Mode Selection
- Differential Exciter Overvoltage
- Single Ended Exciter Overvoltage
- Differential Exciter Undervoltage
- Exciter Current Limit Fault
- Configuration and Control Registers CRC Fault
- User EEPROM Space CRC Fault
- Trim EEPROM Space CRC Fault
- SPI Communication Fault
- Output pin Read-Back Mismatch Error
- Exciter Monitor High Fault
- Exciter Monitor Low Fault
- Analog Front End Zero Offset calibration Fault
- Input Izx (x=1..4) High Overvoltage
- Input Izx (x=1..4) Low Overvoltage
- Input IZ1/IZ3 or IZ2/IZ4 Short Fault
- Sine Input (IZ2-IZ4) High Open Fault
- Cosine Input (IZ1-IZ3) High Open Fault
- Sine Input (IZ2-IZ4) Low Open Fault
- Cosine Input (IZ1-IZ3) Low Open Fault
- Digital Tracking Loop Input Error Fault
- Passcode
- Analog Built in Self-Test (ABIST)
- Logic Built in Self-Test (LBIST)
- Oscillator Fault

## 4.1 Device State Controller

The PGA411-Q1 device implements a digital state machine responsible for device functional operation, decision making and system monitoring. A detailed device power-up Timing Diagram is provided in the PGA411-Q1 data sheet (*PGA411-Q1 Resolver Sensor Interface*, <u>SLASE76</u>).

When the SPI interface is active, the current device operating state can always be checked by reading DEVSTATE (bit 6) in the DEV\_STAT7 register.






- (1) Depends on Exciter Override selection, behavior implementation, or both as listed in Table 3.
- (2) Not a physical state. When the device is in the RESET state, an nPOR signal is asserted to digital logic.
- (3) Setting the EXTEN bit to 1 enables the exciter amplifier. Setting the LPEN bit to 1 enables the digital tracking loop.

Figure 4. Device Controller State Diagram

#### 4.1.1 PGA411-Q1 Reset

The RESET state is not a physical state-machine controller state. The RESET state in Figure 4 signifies an nPOR asserted in the PGA411-Q1 device, forcing the digital logic into reset (digital is frozen). On nPOR release the digital logic begins operating from the DIAGNOSTICS state.

In the system, the NRESET pin asserts the nPOR in the device logic. When the NRESET pin is low (DGND), the PGA411-Q1 logic is frozen and the device is in the RESET state. When the NRESET pin is pulled up, the logic is enabled after a 70-µs deglitch period and the device is operational.

In the RESET state, all functional blocks inside PGA411-Q1 are disabled, including the exciter boost regulator, exciter output amplifier, digital tracking loop, AFE, V<sub>DD</sub> regulator, and oscillator. The state of the FAULT pin is low.

During active device operation in any state the PGA411-Q1 device can cause an internal reset because of the following:

- An undervoltage event on the V<sub>cc</sub> pin
- A V<sub>DD</sub> regulator undervoltage event on the V<sub>DD</sub> pin
- An oscillator fault condition signaled by the loss-of-clock monitor as described in the Loss-of-Clock Monitor section in the data sheet
- A device overtemperature condition which causes the thermal-protection circuit to generate a thermal-shutdown signal

The device resumes normal operation when the fault is cleared and the state of the NRESET pin is HIGH (VIO) which removes the nPOR.

#### 4.1.2 DIAGNOSTIC State

The DIAGNOSTIC state is the first functional state in which the digital logic operates when the nPOR internal signal is removed. No faults are present and the NRESET pin is pulled-up.



In the DIAGNOSTICS state the exciter boost regulator (PGA411-Q1 only) and the V<sub>DD</sub> regulator are enabled. The exciter output amplifier, the digital tracking loop, and the diagnostics monitor are disabled. The FAULT pin state is Low.

In this state the PGA411-Q1 device runs all internal checks before proceeding to the NORMAL operating state. These internal checks include the following:

- EEPROM CRC check
- Analog BIST diagnostics
- Logic BIST diagnostics
- AFE auto-offset calibration

The device transitions to the NORMAL operating state when the internal checks are complete and no faults have been reported. In the case of a fault, the device is locked in the DIAGNOSTICS state. When a fault is reported, the user can force the device to exit the DIAGNOSTICS state by setting the DIAGEXIT bit in the DEV\_CONTROL1 register. When the user forces exit from the DIAGNOSTICS state, the PGA411-Q1 device transitions into the NORMAL operating state; however, the faults continue to be reported through the corresponding SPI flags.

When the PGA411-Q1 device is in the NORMAL operating state, it can transition back to the DIAGNOSTICS state to rerun the start-up diagnostics when requested by the system. The device can transition back to the DIAGNOSTICS state by setting the SPIDIAG bit in the DEV\_CONTROL3 register. The SPIDIAG and the DIAGEXIT bits are self-clearing bits and therefore return to 0 (reset) when the action is complete.

**NOTE:** If the user enters the DIAGNOSTICS state by SPI command after the device has powered up normally and 150 ms have passed (the blanking time has ended), a fault may be flagged because entering the diagnostic mode automatically disables the exciter and tracking loop. The user can re-enable the exciter and tracking loop by SPI command, wait for the short fault to go away, and clear it with a later SPI read.

#### 4.1.3 NORMAL OPERATING State

The NORMAL operating state is the default active state of the device. The exciter amplifier, digital tracking loop, and the diagnostics monitor are enabled and operational in this state. These blocks are enabled in the following order:

- Exciter amplifier
- Digital tracking loop
- Diagnostics monitor

The EXTEN and the LPEN bits in the DEV\_CONTROL3 register can be used as monitors to determine the state of the exciter amplifier and the tracking loop. These bits can also manually enable and disable these blocks.

When all of the previously listed blocks are enabled, the device provides valid angle and velocity data at the output. While in this state the FAULT pin is Low.

In case of a fault in the NORMAL operating state, the PGA411-Q1 device transitions into the FAULT state.

#### 4.1.4 FAULT State

A device fault is indicated by setting the FAULT pin in the hi-Z state (High with the required pull-up resistor), in which case the PGA411-Q1 device is in the FAULT state. While in this state, the digital tracking loop is disabled and no angle or velocity data is updated at the output of the device. The exciter output amplifier can either be enabled or disabled depending on the type of fault. The following faults cause a transition to the FAULT state but do not disable the exciter amplifier output:

- AFE zero offset calibration (FAFECAL)
- V<sub>DD</sub> regulator-output overcurrent (FVDDOC)
- Exciter thermal-warning fault (FTSD2)

- User EEPROM-space CRC fault (FCECRC)
- Trim EEPROM-space CRC fault (FTECRC)
- SPI communication fault (SPI\_ERR)

The following faults also signal the FAULT state but the user can configure the system to keep the exciter amplifier enabled by setting the respective override bit:

- Differential exciter undervoltage (EXTUV) with the override bit, ENEXTUV
- IZx input-high overvoltage (FIZHx), IZx input-low overvoltage (FIZLx), SIN and COS input short fault (FOSHORT), SIN input-high open fault (FOSINOPH), COS input-high open fault (FOCOSOPH), SIN input-low open fault (FOSINOPL), and COS input-low open fault (FOCOSOPL) with the override bit, ENINFAULT
- Digital tracking-loop fault (FLOOPE) with the override bit, ENFLOOPE
- Analog BIST fault (ABISTF) and Logic BIST Fault (LBISTF) with the override bit, ENBISTF
- FAULT-pin read-back mismatch error IOFAULT with the override bit, ENIOFAULT

All remaining faults transition the device into the FAULT state, setting the FAULT pin in the high/hi-Z state. These faults do not allow enabling of the exciter amplifier until all the faults have been removed and the state machine transitions back to the NORMAL operating state.

When all fault conditions have been removed, a HIGH to LOW transition (falling edge) on the FAULTRES pin transitions the state machine into the NORMAL operating state which recovers the device from the FAULT state and resumes active device operation in the NORMAL state.

## 5 PGA411-Q1 Architecture Safety Mechanisms and Assumptions of Use

This section summarizes the safety mechanisms for each major functional block of PGA411-Q1 architecture and provides general assumptions of use. The product data sheet contains the details of each safety mechanism. The safety analysis report notes the effectiveness of these safety mechanisms.

Fault reporting in the PGA411-Q1 device is signaled through the FAULT pin and the SFAULT SPI register. The FAULT pin is an open-drain output structure. The pin is LOW when no fault is reported and is in the hi-Z state when a fault is present in the system. An external pull-up resistor is required to bring this rail HIGH when the pin enters the hi-Z state during a fault. To clear the fault state in the system, when all fault conditions have been removed, the FAULTRES pin must be toggled (high-low-high), and the PGA411-Q1 device transitions back into the normal mode of operation. For evaluation or testing purposes, the FAULTRES pin can be held LOW to keep the exciter enabled even during fault conditions. Optionally, some faults that can signal a fault condition in the system can be masked. When a fault is masked, the PGA411-Q1 device reports the fault through the assigned SPI fault flag; however, no action occurs as long as the mask is set. To help protect the output exciter amplifier, some faults disable the exciter amplifier (pins OE1 and OE2). Exciter override bits are defined for some of these faults to keep the exciter amplifier enabled if that fault occurs. If the exciter is disabled through a SPI command, a 100-µs delay is recommended before the device changes state or is re-enabled. Table 3 contains a summary of the diagnostics implemented inside the PGA411-Q1 device and details on masking the fault from affecting the state of the FAULT pin or exciter output.

| Fault Description                 | SPI Fault Bit | Fault Pin Mask<br>Bit | Fault Pin<br>State | Exciter<br>Output  | Exciter<br>Override |
|-----------------------------------|---------------|-----------------------|--------------------|--------------------|---------------------|
| EXCITER AMPLIFIER                 |               |                       |                    |                    |                     |
| Invalid exciter mode selection    | EXTMODE = 00  |                       |                    |                    |                     |
|                                   | EXTMODE = 11  |                       |                    | Off                |                     |
| Differential exciter overvoltage  | EXTOV         | MEXTOV                | hi-Z/High          | Off                |                     |
| Single-ended exciter overvoltage  |               |                       | hi-Z/High          |                    |                     |
| Differential exciter undervoltage | EXTUV         | MEXTUV                |                    | Off <sup>(1)</sup> | ENEXTUV             |
| Exciter current-limit fault       | EXTILIM       |                       |                    | Off                |                     |

#### Table 3. PGA411-Q1 Fault Reporting Summary

<sup>(1)</sup> The exciter output can be kept enabled if the corresponding override bit is set.



| Fault Description                              | SPI Fault Bit | Fault Pin Mask<br>Bit | Fault Pin<br>State | Exciter<br>Output  | Exciter<br>Override |
|------------------------------------------------|---------------|-----------------------|--------------------|--------------------|---------------------|
| ANALOG FRONT END (AFE)                         |               |                       |                    |                    |                     |
| Exciter-monitor high fault                     | FEXTMONH      |                       |                    | Off                |                     |
| Exciter-monitor low fault                      | FEXTMONL      | MEXTMON               |                    | Off                |                     |
| AFE zero-offset calibration fault              | FAFECAL       | MAFECAL               |                    | On                 |                     |
| Input IZx (x = 1 through 4) high overvoltage   | FIZHx         | MIZOVx                |                    |                    |                     |
| Input IZx (x = 1 through 4) low overvoltage    | FIZLx         | MIZUVx                |                    |                    |                     |
| Input IZ1 or IZ3, or IZ2 or IZ4 short fault    | FOSHORT       | MFOSHORT              |                    |                    |                     |
| Sine input (IZ2 through IZ4) high-open fault   | FOSINOPH      | MFOSINOPH             | hi-Z/High          | Off <sup>(1)</sup> | ENINFAULT           |
| Cosine input (IZ1 through IZ3) high-open fault | FOCOSOPH      | MFOCOSOPH             |                    | Off <sup>(1)</sup> |                     |
| Sine input (IZ2 through IZ4) low-open fault    | FOSINOPL      | MFOSINOPL             |                    |                    |                     |
| Cosine input (IZ1 through IZ3) low-open fault  | FOCOSOPL      | MFOCOSOPL             |                    |                    |                     |
| Digital tracking-loop input-error fault        | FLOOPE        | MFLOOPE               |                    |                    | ENFLOOPE            |
| POWER SUPPLY                                   |               |                       |                    |                    |                     |
| Exciter power supply (boost) overvoltage       | FBSTOV        |                       |                    |                    |                     |
| V<sub>CC</sub> supply overvoltage              | FVCCOV        |                       |                    | Off                |                     |
| V<sub>DD</sub> regulator output overvoltage    | FVDDOV        |                       | hi-Z/High          |                    |                     |
| V<sub>DD</sub> regulator output overcurrent    | FVDDOC        |                       |                    | On                 |                     |
| Exciter thermal warning fault                  | FTSD2         |                       |                    | On                 |                     |
| V<sub>CC</sub> supply undervoltage             |               |                       | Low                | Off                | -                   |
| V<sub>DD</sub> regulator output undervoltage   | (RESET state) |                       | Low                | Off                |                     |
| FUNCTIONAL                                     |               |                       |                    |                    |                     |
| Configuration and control registers CRC fault  | FRCRC         |                       |                    | Off                |                     |
| User EEPROM space CRC fault                    | FCECRC        |                       |                    |                    |                     |
| Trim EEPROM space CRC fault                    | FTECRC        |                       | hi-Z/High          | On                 |                     |
| SPI communication fault                        | SPI_ERR       |                       |                    |                    |                     |
| Analog BIST fault                              | ABISTF        |                       |                    | Off <sup>(2)</sup> | ENBISTF             |
| Logic BIST fault                               | LBISTF        |                       |                    | Off <sup>(2)</sup> | ENBISTF             |
| Oscillator fault                               | (RESET state) |                       | Low                | Off                |                     |
| FAULT pin read-back mismatch error             | IOFAULT       |                       |                    | Off <sup>(2)</sup> | ENIOFAULT           |

#### Table 3. PGA411-Q1 Fault Reporting Summary (continued)

<sup>(2)</sup> The exciter output can be kept enabled if the corresponding override bit is set.

## 5.1 Independent Bandgap for Monitoring Circuitry

To assist in the prevention of common-cause faults, the PGA411-Q1 device has a dual bandgap structure. The primary bandgap (BG1) is used for main functionality while a secondary bandgap (BG2) is used for monitoring and diagnostics. BG1 is supplied by the $V_{CC}$ pin and BG2 is supplied by the QVCC pin. A failure of either bandgap will trigger several fault conditions in the device, such as the $V_{DD}$ regulator overvoltage flag in the case where a fault causes BG1 to regulate higher than expected.





Figure 5. Two Bandgaps

#### 5.2 VCC Supply Undervoltage Reset

$V_{CC}$ is the main power supply input to the PGA411-Q1 device. An undervoltage condition on the $V_{CC}$ pin (VCCUV) causes the device to go into the RESET state. VCCUV has a typical threshold of 4.41 V with a 5.2-µs deglitch time. Refer to the *Diagnostic Monitor* section of the data sheet for the specific values of these parameters. If $V_{CC}$ falls below the VCCUV threshold, the PGA411-Q1 device will transition to the RESET state. See Section 4.1 for more information on the RESET state.

#### 5.3 V<sub>DD</sub> Regulator Output Undervoltage Reset

$V_{DD}$ is the internal, linear drop-out (LDO) regulator output inside the PGA411-Q1 device. The $V_{DD}$ regulator receives a 5-V input supply voltage from the $V_{CC}$ pin and generates a stable 1.8-V supply for internal digital logic circuits. The reference for the $V_{DD}$ regulator is generated by the PGA411-Q1 internal bandgap circuit. An undervoltage condition on the $V_{DD}$ pin (VDDUV) causes the device to go into the RESET state. VDDUV has a typical threshold of 1.35 V with a 5.2-µs deglitch time. Refer to the *Diagnostic Monitor* section of the data sheet for the specific values of these parameters. If $V_{DD}$ falls below the VDDUV threshold, the PGA411-Q1 device will transition to the RESET state. See Section 4.1 for more information on the RESET state.

#### 5.4 V<sub>DD</sub> Regulator Output Overvoltage Fault

$V_{DD}$ is the internal linear drop-out (LDO) regulator output inside the PGA411-Q1 device. The $V_{DD}$ regulator receives a 5-V input supply voltage from the $V_{CC}$ pin and generates a stable 1.8-V supply for internal digital logic circuits. The reference for the $V_{DD}$ regulator is generated by the PGA411-Q1 internal bandgap circuit. An overvoltage condition on the $V_{DD}$ pin (VDDOV) will cause the FVDDOV (bit 5) in the DEV\_STAT4 register to be set to 1 and the FAULT pin will go hi-Z. The device will then transition to the FAULT state with the exciter output off. VDDOV has a typical threshold of 2.2 V with a 5.2-µs deglitch time. Refer to the *Diagnostic Monitor* section of the data sheet for the specific values of these parameters.

#### 5.5 V<sub>DD</sub> Regulator Output Over Current Fault

 $V_{DD}$  is the internal linear drop-out (LDO) regulator output inside the PGA411-Q1 device. If the current limit ( $I_{VDDLIM}$ ) detects an overcurrent condition on the  $V_{DD}$  pin (typical 100 mA), it will cause the FVDDOC (bit 11) in the DEV\_STAT4 register to be set to 1 and the FAULT pin will go hi-Z. The device will then transition to the FAULT state with the exciter output left on. Refer to the *Diagnostic Monitor* section of the data sheet for the specific values of these parameters.

#### 5.6 Thermal Warning Faults

The PGA411-Q1 has two integrated temperature sensors. One sensor is located in the exciter power-supply (boost regulator) block and one is located in the exciter-amplifier block.

- **Exciter Thermal Warning Fault:** A thermal event where the temperature exceeds the TSD<sub>EXC\_WR</sub> threshold (between 125°C and 155°C) will cause the FTSD2 (bit 10) in the DEV\_STAT4 register to be set to 1 and the FAULT pin will go hi-Z. The device will then transition to the FAULT state with the exciter output left on.
- **Exciter Thermal Shutdown:** Additionally, this device has an exciter thermal shutdown. A thermal event that causes the temperature to exceed the TSD<sub>EXC\_SD</sub> threshold (between 155°C and 200°C) will cause the PGA411-Q1 device to shut down.
- **V<sub>DD</sub> Regulator Thermal Warning Fault:** A thermal event where the temperature exceeds the TSD<sub>VDD\_WR</sub> threshold (between 125°C and 155°C) will cause the FTSD2 (bit 10) in the DEV\_STAT4 register to be set to 1 and the FAULT pin will go hi-Z. The device will then transition to the FAULT state with the exciter output left on.
- **V<sub>DD</sub> Regulator Thermal Shutdown:** Additionally, this device has an exciter thermal shutdown. A thermal event that causes the temperature to exceed the TSD<sub>VDD\_SD</sub> threshold (between 155°C and 200°C) will cause the PGA411-Q1 device to shut down.



Figure 6. PGA411-Q1 Thermal Protection

## 5.7 Exciter Power Supply (Boost) Overvoltage

When the exciter power supply is greater than 115% of the programmed V<sub>EXCPS</sub> voltage, the overvoltage condition of the exciter power supply (boost) will cause the SPI fault bit, FBSTOV (bit 12) in the DEV\_STAT4 register, to be set to 1 and the FAULT pin will go hi-Z with the exciter output off. The deglitch time is SPI programmable from 1.2 to 15.2 µs through the EXTOVT (bits 10-12) in the DEV\_OVUV3 register.

## 5.8 V<sub>cc</sub> Supply Overvoltage Fault

$V_{CC}$ is the main power-supply input to the PGA411-Q1 device. An overvoltage condition on $V_{CC}$ (VCCOV) will cause the SPI fault bit, FVCCOV (bit 6) in the DEV\_STAT4 register, to be set to 1 and the FAULT pin will go hi-Z with the exciter output off. The VCCOV threshold is 5.75 V typical with a 5.2-µs deglitch time.

## 5.9 Invalid Exciter Mode Selection Protection

When the device detects an invalid exciter mode selection of EXTMODE = 00 or 11, it will set the FAULT pin in the hi-Z state and turn off the exciter output. This protection mechanism was put in place to protect against accidental or random bit errors.

## 5.10 Differential Exciter Overvoltage Fault

When the device detects a differential exciter overvoltage condition, it will set the FAULT pin in the hi-Z state, flip the EXTOV (bit 9) in the DEV\_STAT1 register, and the output of the exciter amplifier will be off. This has a programmable deglitch time through EXTOVT (bits 10-12) in the DEV\_OVUV3 register. Additionally, this fault can be masked using MEXTOV (bit 6) in the DEV\_CONTROL1 register.




#### 5.11 Single Ended Exciter Overvoltage Fault

When the device detects a single-ended exciter overvoltage condition, it will set the FAULT pin in the hi-Z state, flip the EXTOV (bit 9) in the DEV\_STAT1 register, and the output of the exciter amplifier will be off. This has a programmable deglitch time through EXTOVT (bits 10-12) in the DEV\_OVUV3 register. Additionally, this fault can be masked using MEXTOV (bit 6) in the DEV\_CONTROL1 register. Because the exciter amplifier is implemented in a bridge-tied load topology, each output amplifier block is independently monitored for an overvoltage condition at the output of the OE1 or OE2 pin in reference to GND. When the output signal at any of these pins is higher than 115% of the selected output value, the exciter amplifier will disable the outputs. The deglitch time for this diagnostic, $t_{DEGL}$, is fixed at 10.2 µs. This diagnostic covers fault conditions where the outputs of the exciter amplifier are shorted to an external high-voltage source.



Figure 7. PGA411-Q1 Single Ended Exciter Overvoltage

#### 5.12 Differential Exciter Undervoltage Fault

When the device detects a differential exciter undervoltage condition, it will set the FAULT pin in the hi-Z state, flip the EXTUV (bit 10) in the DEV\_STAT1 register, and the output of the exciter amplifier will be off. This has a programmable deglitch time through EXTUVT (bits 13-15) in the DEV\_OVUV3 register. Additionally, this fault can be masked using MEXTUV (bit 5) in the DEV\_CONTROL1 register.

ENEXTUV (bit 0) in DEV\_CONTROL2 register can be set to 1 to allow the exciter to remain on in the case of an exciter undervoltage fault.

EXTUVF\_CFG (bits 14-15) in the DEV\_PHASE\_CFG register can be used to select how the exciter UV1 and UV2 indicators are processed to form the exciter UV fault flag:

- 0x (00, 01): UV1 OR UV2 with 55 to 405-µs deglitching on OR inputs
- 10: UV1 AND UV2 with 1.2 to 15.2-µs deglitching on AND output
- 11: UV1 OR UV2 OR (UV1 AND UV2) with deglitching as defined above

## 5.13 Exciter Current Limit Fault

The exciter-output current limit monitors the current output from each amplifier. The current limit for each amplifier is individually adjusted by setting the EXTILIMTH\_L1\_2 and EXTILIMTH\_H1\_2 bits in the DEV\_OVUV1 register between 150 mA and 300 mA. The current limit at the maximum setting (bits set to 111) is higher than the linear step size of the other bit settings; the EXTILIMTH\_H1\_2 maximum is 370 mA and the EXTILIMTH\_L1\_2 maximum is 600 mA. The deglitch period is fixed at 5.2 µs. In the fault condition where any of the current-limit thresholds is crossed for longer than the deglitch time, the EXTILIM fault flag in the DEV\_STAT1 register is set and the device reacts according to the exciter current-limit policy described in the Fault Reporting section. Figure 20 shows the currents through the resolver exciter coil and the exciter amplifier current-limit implementation. Under some conditions, the current limiting feature may come into effect before the overcurrent flag EXTILIM can be set. In these cases other fault flags such as EXTUV can be used for detection. The following figure shows the current through the resolver exciter coil and the exciter amplifier current-limit implementation.



Figure 8. Exciter Amplifier Current Limit Diagnostic

## 5.14 Configuration and Control Registers CRC Fault

This CRC check compares the user-supplied CRC value in the RCRC bits in the DEV\_CRC register with the CRC that the PGA411-Q1 device calculates in the CRCRC bits in the CRCCALC register. Make sure that the CRCCTL bit in the DEV\_CRC\_CTRL1 register is set to 1 to enable continuous update of the CRCRC bits. If these two values differ, the FRCRC fault flag in the DEV\_STAT1 register will be set. It is recommended to run the configuration and control register CRC at least once every power-up. It should be run more frequently if the configuration and control registers are changed during operation.

A CRC-check algorithm is implemented to verify that the contents of the SPI register are programmed correctly. The CRC controller is a diagnostic module that performs a CRC calculation to verify the integrity of the SPI-mapped register space. A checksum representing the content of the diagnostic registers is obtained when the content is read into the CRC controller. The CRC controller must calculate the checksum for a set of data and then compare the calculated checksum value against a predetermined, *good* checksum value calculated by the system MCU.

The CRC check uses a standard CRC-8 (ATM HEC) polynomial, $x^8 + x^2 + x + 1$, with an initial seed value of 0xFF. The calculation is broken up into 8-bit chunks to optimize implementation, with the ordering convention from LS byte to MS byte going from LS bit to MS bit. The calculation of a 192-bit string protected by the CRC occurs in a byte-wise order. For example, if the 192-bit register value (in hex) is 8F C0 00 C0 AA AA 07 F2 1C 00 03 8F 05 14 00 00 20 00 00 00 00, then the CRC calculation would be done on the following rearranged string: 00 00 00 00 00 00 00 14 05 00 14 05 8F 03 00 1C F2 07 AA AA C0 00 C0 8F.

Table 4 lists the registers that are protected by CRC protection.

| Register Name | Data Split           | 192-Bit Bus Ordering |
|---------------|----------------------|----------------------|
| DEV_OVUV1     | DEV_OVUV1 [15:0]     | [MSB] 191:176        |
| DEV_OVUV2     | 0s pad [15:9]        | 175:169              |
| DEV_OVUV2     | DEV_OVUV2 [8:0]      | 168:160              |
| DEV_OVUV3     | DEV_OVUV3 [15:0]     | 159:144              |
| DEV_OVUV4     | 0s pad [15:11]       | 143:139              |
| DEV_OVUV4     | DEV_OVUV4 [10:0]     | 138:128              |
| DEV_OVUV5     | 0s pad [15:13]       | 127:125              |
| DEV_OVUV5     | DEV_OVUV5 [12:10]    | 124:122              |
| DEV_OVUV5     | 0s pad [9:0]         | 121:112              |
| DEV_OVUV6     | 0s pad [15:10]       | 111:106              |
| DEV_OVUV6     | DEV_OVUV6 [9:0]      | 105:96               |
| DEV_TLOOP_CFG | 0s pad [15:11]       | 95:91                |
| DEV_TLOOP_CFG | DEV_TLOOP_CFG [10:0] | 90:80                |
| DEV_AFE_CFG   | 0s pad [15:4]        | 79:68                |
| DEV_AFE_CFG   | DEV_AFE_CFG [3:0]    | 67:64                |
| DEV_PHASE_CFG | DEV_PHASE_CFG [15:0] | 63:48                |
| DEV_CONFIG1   | 0s pad [15:9]        | 47:41                |
| DEV_CONFIG1   | DEV_CONFIG1 [8:7]    | 40:39                |
| DEV_CONFIG1   | 0s pad [6]           | 38                   |
| DEV_CONFIG1   | DEV_CONFIG1 [5:0]    | 37:32                |
| DEV_CONTROL1  | 0s pad [15:14]       | 31:30                |
| DEV_CONTROL1  | DEV_CONTROL1 [13]    | 29                   |
| DEV_CONTROL1  | 0s pad [12]          | 28                   |
| DEV_CONTROL1  | DEV_CONTROL1 [11:0]  | 27:16                |
| DEV_CONTROL2  | 0s pad [15:6]        | 15:6                 |
| DEV_CONTROL2  | DEV_CONTROL2 [5:0]   | 5:0 [LSB]            |

#### Table 4. Configuration CRC Data Bus Order

The following procedure lists steps for a successful configuration CRC calculation:

1. The MCU writes the desired data to the configuration and control registers when the PGA411-Q1 device is in the DIAGNOSTICS state. If the DEV\_CONTROL1 and DEV\_CONTROL2 registers are updated with new data, the device requires unlocking by entering a SPI unlock sequence in the DEV\_UNLK\_CTRL1 register. See the PGA411-Q1 data sheet for details on unlocking the SPI.
2. The MCU calculates the correct configuration CRC and applies the final value at the RCRC bit-field in the DEV\_CRC register.
3. The CRC check is enabled by setting the CRCCTL bit in the DEV\_CRC\_CTRL1 register.
4. A CRC check result can be monitored by the FRCRC bit in the DEV\_STAT1 register.
5. In case of a CRC mismatch, the fault FRCRC bit is set while the MCU checks the internally calculated CRC result of the device by reading the CRCRC bits in the CRCCALC register. When the value in the CRCRC bit-field matches the value of the RCRC bit-field, the CRC check ends with a satisfactory result.

Table 5 lists a few CRC-8 examples when applied to a 192-bit string.

#### Table 5. CRC-8 Calculation Examples

| 192-Bit Bus Ordering Value                   | CRC-8 |
|----------------------------------------------|-------|
| 0x050505050505050505050505050505050505       | 0xBD  |
| 0x0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A       | 0xA9  |
| 0x53E53E53E53E53E53E53E53E53E53E53E53E53E5   | 0x2C  |
| 0x4AC4AC4AC4AC4AC4AC4AC4AC4AC4AC4AAC4AAC4    | 0xAE  |
| 0x78F78F78F78F78F78F78F78F78F78F78F78F78F7   | 0x5E  |
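The MCU side of the procedure above can be sketched as follows. This is an added example, not TI code: it packs the registers into the 192-bit bus of Table 4 and computes the CRC-8 that goes into RCRC. The function and enum names are hypothetical, the DEV\_CONTROL1 and DEV\_CONTROL2 sample values are placeholders, and the byte order fed to the CRC is kept selectable so it can be confirmed against the device's CRCRC read-back. The CRC core reproduces the first two rows of Table 5 when they are read as 24 repeated bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PGA411_CFG_REGS  12u
#define PGA411_BUS_BYTES 24u   /* 192-bit CRC bus */

/* Register order on the bus, MSB end first (Table 4). */
enum pga411_cfg_reg {
    PGA_OVUV1, PGA_OVUV2, PGA_OVUV3, PGA_OVUV4, PGA_OVUV5, PGA_OVUV6,
    PGA_TLOOP_CFG, PGA_AFE_CFG, PGA_PHASE_CFG,
    PGA_CONFIG1, PGA_CONTROL1, PGA_CONTROL2
};

/* Order in which the 24 bus bytes are fed to the CRC. The text states
 * LS byte first; selectable here so it can be checked against CRCRC. */
enum pga411_byte_order { PGA411_LS_BYTE_FIRST, PGA411_MS_BYTE_FIRST };

/* Bits of each 16-bit register that enter the bus; every other bit is a
 * zero pad (Table 4). */
static const uint16_t pga411_cfg_mask[PGA411_CFG_REGS] = {
    [PGA_OVUV1]     = 0xFFFF,  /* [15:0]      */
    [PGA_OVUV2]     = 0x01FF,  /* [8:0]       */
    [PGA_OVUV3]     = 0xFFFF,  /* [15:0]      */
    [PGA_OVUV4]     = 0x07FF,  /* [10:0]      */
    [PGA_OVUV5]     = 0x1C00,  /* [12:10]     */
    [PGA_OVUV6]     = 0x03FF,  /* [9:0]       */
    [PGA_TLOOP_CFG] = 0x07FF,  /* [10:0]      */
    [PGA_AFE_CFG]   = 0x000F,  /* [3:0]       */
    [PGA_PHASE_CFG] = 0xFFFF,  /* [15:0]      */
    [PGA_CONFIG1]   = 0x01BF,  /* [8:7],[5:0] */
    [PGA_CONTROL1]  = 0x2FFF,  /* [13],[11:0] */
    [PGA_CONTROL2]  = 0x003F   /* [5:0]       */
};

/* Constructed sample: Table 6 factory settings for the first ten registers;
 * the DEV_CONTROL1/2 values are placeholders (not given on the page). */
static const uint16_t pga411_sample_cfg[PGA411_CFG_REGS] = {
    0x8FC0, 0x00ED, 0xFCFF, 0x07F2, 0x1C00, 0x038F,
    0x0514, 0x0005, 0x1400, 0x0002, 0x0000, 0x0000
};

/* CRC-8, polynomial x^8 + x^2 + x + 1 (0x07), seed 0xFF, MSB-first shift,
 * no final XOR. */
uint8_t pga411_crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (uint8_t)((crc & 0x80u) ? ((crc << 1) ^ 0x07u) : (crc << 1));
    }
    return crc;
}

/* Lay the masked registers out as the 192-bit bus; bus[0] holds bits 191:184. */
void pga411_pack_bus(const uint16_t regs[PGA411_CFG_REGS],
                     uint8_t bus[PGA411_BUS_BYTES])
{
    for (size_t i = 0; i < PGA411_CFG_REGS; i++) {
        uint16_t w = (uint16_t)(regs[i] & pga411_cfg_mask[i]);
        bus[2 * i]     = (uint8_t)(w >> 8);
        bus[2 * i + 1] = (uint8_t)(w & 0xFFu);
    }
}

/* Step 2: the value the MCU writes to the RCRC bit-field. */
uint8_t pga411_config_crc(const uint16_t regs[PGA411_CFG_REGS],
                          enum pga411_byte_order order)
{
    uint8_t bus[PGA411_BUS_BYTES], in[PGA411_BUS_BYTES];
    pga411_pack_bus(regs, bus);
    for (size_t i = 0; i < PGA411_BUS_BYTES; i++)
        in[i] = (order == PGA411_LS_BYTE_FIRST) ? bus[PGA411_BUS_BYTES - 1u - i]
                                                : bus[i];
    return pga411_crc8(in, PGA411_BUS_BYTES);
}

/* Steps 4-5: compare the CRC of the intended configuration with the CRCRC
 * read-back from CRCCALC. Returns 1 on match, 0 on mismatch. */
int pga411_config_crc_ok(const uint16_t intended[PGA411_CFG_REGS],
                         uint8_t crcrc_readback, enum pga411_byte_order order)
{
    return pga411_config_crc(intended, order) == crcrc_readback;
}

int main(void)
{
    printf("RCRC, LS byte first: 0x%02X\n",
           pga411_config_crc(pga411_sample_cfg, PGA411_LS_BYTE_FIRST));
    printf("RCRC, MS byte first: 0x%02X\n",
           pga411_config_crc(pga411_sample_cfg, PGA411_MS_BYTE_FIRST));
    return 0;
}
```

Because reserved bits are masked to zero before the CRC, a read-back register that differs from the intended value only in pad bits does not change the result, while any single-bit change in a protected field does.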



## 5.15 User EEPROM Space CRC Fault

The EEPROM memory space in the PGA411-Q1 device is split into two functional blocks: a user EEPROM space and a reserved, Texas Instruments internal-use EEPROM space used for device trim and manufacturing data values. The user EEPROM-memory space is directly accessed through the SPI registers. The internal digital logic of the device ports the data into the EEPROM shadow registers for the EEPROM memory fields. Table 6 lists all SPI memory locations that are a part of the user EEPROM space.

| SPI Register  | Bit Fields (Bit 15 to Bit 0)                                       | Factory Settings |
|---------------|--------------------------------------------------------------------|------------------|
| DEV_OVUV1     | EXTOUT_GL, EXTILIMTH_L1_2, EXTILIMTH_H1_2, OSHORTL, OSHORTH        | 8FC0h            |
| DEV_OVUV2     | -, XEXT_AMP, TRDHL, DVMSENH, DVMSENL                               | 00EDh            |
| DEV_OVUV3     | EXTUVT, EXTOVT, OVIZL, OVIZH, OOPENTHL, OOPENTHH                   | FCFFh            |
| DEV_OVUV4     | -, TSHORT, TEXTMON, AUTOPHASE_CFG, VEXT_CFG, nBOOST_FF, FSHORT_CFG | 07F2h            |
| DEV_OVUV5     | -, TOPEN, -                                                        | 1C00h            |
| DEV_OVUV6     | -, IZTHL, BOOST_VEXT_MASK, -, LPETHL, LPETHH                       | 038Fh            |
| DEV_TLOOP_CFG | -, MKP, DKP, OHYS, SENCLK, DKI                                     | 0514h            |
| DEV_AFE_CFG   | -, GAINCOS, GAINSIN                                                | 0005h            |
| DEV_PHASE_CFG | EXTUVF_CFG, PDEN, APEN, EXTMODE, EXTOUT, PHASEDEMOD                | 1400h            |
| DEV_CONFIG1   | -, NPLE, -, SELFEXT, MODEVEXT                                      | 0002h            |
| DEV_CLCRC     | -, ECCRC                                                           | 003Fh            |

#### Table 6. User EEPROM Space SPI Mapping

All of the SPI locations listed in Table 6 and the functionality of each are described in the Register Map section of the PGA411-Q1 data sheet.

The PGA411-Q1 EEPROM controller implements a self-contained cyclic-redundancy-check (CRC) algorithm to verify the integrity of the EEPROM stored data. When an EEPROM operation is executed, the CRC controller automatically calculates the correct CRC value and places the value in the ECCRC bit-field in the DEV\_CLCRC register. Because the user EEPROM-memory locations are transparent to the SPI memory space, all of the user EEPROM values are listed in Table 7. Because the values are included in device memory, the MCU is required to provide a correct CRC value only according to Section 5.14. Therefore no user interaction is required when calculating the ECCRC value. However, for increased protection, the MCU can self-calculate the user EEPROM CRC value and compare this value with the ECCRC value for correct CRC calculation and correct user EEPROM-data integrity.

The user EEPROM-CRC algorithm is the same as the device-configuration CRC algorithm (ATM HEC polynomial $x^8 + x^2 + x + 1$ with an initial seed of 0xFF and MSB ordering) and is performed on a 136-bit concatenated string, byte-wise beginning with the most significant byte. Table 7 lists the data concatenation for the EEPROM CRC calculation.



#### Table 7. User EEPROM CRC Bus Order

| User EEPROM Register Name | Data Split           | 136-Bit Bus Ordering |
|---------------------------|----------------------|----------------------|
|                           | 0s Pad [31:0]        | [MSB] 135:104        |
| DEV_CONFIG1               | DEV_CONFIG1 [7:0]    | 103:96               |
| DEV_OVUV5                 | DEV_OVUV5 [12:10]    | 95:93                |
| DEV_AFE_CFG               | DEV_AFE_CFG [3:0]    | 92:89                |
| DEV_OVUV2                 | DEV_OVUV2 [8:0]      | 88:80                |
| DEV_OVUV4                 | DEV_OVUV4 [10:5]     | 79:74                |
| DEV_OVUV6                 | DEV_OVUV6 [9:0]      | 73:64                |
| DEV_OVUV4                 | DEV_OVUV4 [4:0]      | 63:59                |
| DEV_TLOOP_CFG             | DEV_TLOOP_CFG [10:0] | 58:48                |
| DEV_PHASE_CFG             | DEV_PHASE_CFG [15:0] | 47:32                |
| DEV_OVUV1                 | DEV_OVUV1 [15:0]     | 31:16                |
| DEV_OVUV3                 | DEV_OVUV3 [15:0]     | 15:0 [LSB]           |

The fault flag for this diagnostic is FCECRC (bit 13) in the DEV\_STAT1 register. The device configuration and control register data CRC error flag is FRCRC (bit 14) in the DEV\_STAT1 register, and the FAULT pin will go hi-Z with the exciter output off.
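One way for the MCU to perform the optional self-check described above, as an added example (not TI code): it packs the register fields in the Table 7 bus order and runs the stated CRC-8 (polynomial 0x07, seed 0xFF, MSB first). The struct and function names are assumptions, the caller is assumed to have read the registers and extracted the ECCRC field already, and no bit reflection or final XOR is applied because this manual states none.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PGA411_EE_BUS_BYTES 17u /* 136-bit concatenated string */

/* Raw 16-bit register values as read back over SPI (struct layout is this example's own). */
typedef struct {
    uint16_t dev_config1, dev_ovuv1, dev_ovuv2, dev_ovuv3, dev_ovuv4;
    uint16_t dev_ovuv5, dev_ovuv6, dev_afe_cfg, dev_tloop_cfg, dev_phase_cfg;
} pga411_user_eeprom_t;

/* CRC-8, x^8 + x^2 + x + 1 (0x07), seed 0xFF, MSB first.
 * Assumption: no reflection and no final XOR, since the manual states none. */
uint8_t pga411_crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0xFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x07u) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Store a 16-bit slice of the bus, most significant byte first. */
static void put16(uint8_t *p, unsigned v)
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)(v & 0xFFu);
}

/* Build the 136-bit string of Table 7; out[0] holds bus bits 135:128. */
void pga411_pack_user_eeprom(const pga411_user_eeprom_t *r, uint8_t out[PGA411_EE_BUS_BYTES])
{
    out[0] = out[1] = out[2] = out[3] = 0u;            /* 135:104 zero pad         */
    out[4] = (uint8_t)(r->dev_config1 & 0xFFu);        /* 103:96  DEV_CONFIG1[7:0] */
    put16(&out[5], (((r->dev_ovuv5 >> 10) & 0x7u) << 13)   /* 95:93 DEV_OVUV5[12:10]  */
                 | ((r->dev_afe_cfg & 0xFu) << 9)          /* 92:89 DEV_AFE_CFG[3:0]  */
                 | (r->dev_ovuv2 & 0x1FFu));               /* 88:80 DEV_OVUV2[8:0]    */
    put16(&out[7], (((r->dev_ovuv4 >> 5) & 0x3Fu) << 10)   /* 79:74 DEV_OVUV4[10:5]   */
                 | (r->dev_ovuv6 & 0x3FFu));               /* 73:64 DEV_OVUV6[9:0]    */
    put16(&out[9], ((r->dev_ovuv4 & 0x1Fu) << 11)          /* 63:59 DEV_OVUV4[4:0]    */
                 | (r->dev_tloop_cfg & 0x7FFu));           /* 58:48 DEV_TLOOP_CFG     */
    put16(&out[11], r->dev_phase_cfg);                     /* 47:32 DEV_PHASE_CFG     */
    put16(&out[13], r->dev_ovuv1);                         /* 31:16 DEV_OVUV1         */
    put16(&out[15], r->dev_ovuv3);                         /* 15:0  DEV_OVUV3         */
}

/* True when the MCU-side CRC matches the ECCRC value reported by the device. */
bool pga411_user_eeprom_crc_ok(const pga411_user_eeprom_t *r, uint8_t eccrc)
{
    uint8_t bus[PGA411_EE_BUS_BYTES];
    pga411_pack_user_eeprom(r, bus);
    return pga411_crc8(bus, sizeof bus) == eccrc;
}

int main(void)
{
    /* Constructed register values, not device defaults. */
    pga411_user_eeprom_t regs = {
        .dev_config1 = 0x00A5, .dev_ovuv1 = 0xABCD, .dev_ovuv2 = 0x0155,
        .dev_ovuv3 = 0xBEEF, .dev_ovuv4 = 0x0433, .dev_ovuv5 = 0x1400,
        .dev_ovuv6 = 0x02AA, .dev_afe_cfg = 0x000A, .dev_tloop_cfg = 0x0555,
        .dev_phase_cfg = 0x1234,
    };
    uint8_t bus[PGA411_EE_BUS_BYTES];
    pga411_pack_user_eeprom(&regs, bus);
    printf("MCU-side user EEPROM CRC: 0x%02X\n", (unsigned)pga411_crc8(bus, sizeof bus));
    return 0;
}
```

Bits outside the fields listed in Table 7 are masked off before packing, so only the EEPROM-backed bits of each register influence the comparison.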



## 5.16 Trim EEPROM Space CRC Fault

The trim EEPROM space CRC fault is calculated in a similar way to the user EEPROM CRC. If a fault occurs in the TI internal trim EEPROM space, FTECRC (bit 12) in the DEV\_STAT1 register will be set to 1 and the FAULT pin will go hi-Z with the exciter output off.

## 5.17 SPI Communication Fault

Each SPI frame includes 6 bits for CRC. If an error is detected in the CRC, the SPI\_ERR (bit 13) in the DEV\_STAT4 register will be set to 1, the FAULT pin will be in hi-Z state but the exciter output will remain on. See the *Programming* section of the PGA411-Q1 data sheet for more details on the SPI Frame and communication.

The SPI slave frame also contains two bits that report the status of the SPI communication. Table 8 lists the error that is indicated by each SPI status value. The SPI\_ERR bit will be set to 1 if any SPI communication contains a nonzero value for the status/fault bits.

#### Table 8. SPI Status or Fault Bits

| Value (HEX) | Status Description                | Priority |
|-------------|-----------------------------------|----------|
| 0x0         | No Error                          | 4        |
| 0x1         | SPI CRC Error or Invalid SPI Clock | 1        |
| 0x2         | Data Output mismatch              | 2        |
| 0x3         | Address Error                     | 3        |

A higher priority fault always supersedes a lower priority fault.

**NOTE:** The data field value in a response frame which includes an error (0x1, 0x2, 0x3) may not be correct and should be discarded.

The DEV\_STAT4 register must be read before the DEV\_STAT1 register to see when the SPI\_ERR flag is set. Reading the DEV\_STAT1 register first clears the SPI STAT bits which clears the SPI\_ERR flag.

## 5.18 Output Pin Read-Back Mismatch Error Fault

In the case of a FAULT pin read-back mismatch error, IOFAULT (bit 4) in the DEV\_STAT4 register is set and the exciter will turn off. This fault monitors the output of the FAULT pin and compares it to the SFAULT register. If the state of the FAULT pin is different from the state of the SFAULT register, the IOFAULT bit will indicate this fault. If the FAULT pin is used as the main means of communicating faults to the MCU, it is recommended to occasionally poll this register to ensure the FAULT pin is working correctly.

The IOFAULT bit also monitors the OUTA, OUTB, OUTZ, ORDx, and PRD pins, comparing them to the Sxxx registers (SOUTA, SOUTB, and others).

## 5.19 Exciter Monitor High Fault

The Exciter Monitor diagnostic uses the exciter monitor on the IE1 and IE2 inputs in the Analog Front End block to track the duty cycle of the exciter reference pulse. In normal device operation, the duty cycle of the reference pulse is 50% regardless of the exciter frequency. If one of the OE1 or OE2 outputs is disconnected from the IE1 or IE2 inputs, the duty cycle of the reference pulse changes: if OE1 is disconnected from IE1, the comparator output is stuck low, meaning the duty cycle is 0%, while if OE2 is disconnected from IE2, the comparator is stuck high, meaning a 100% duty cycle. To make sure that noise does not affect the diagnostic, the thresholds are chosen to be 20% for stuck-low and 80% for stuck-high signaling. The fault flags for this diagnostic are FEXTMONH for a duty cycle higher than 80% and FEXTMONL for a duty cycle lower than 20%, both in the DEV\_STAT4 register. The deglitch time for this fault is defined by the IZTHL (bits 7-9) setting in the DEV\_OVUV6 register. These faults can be masked with the MEXTMON (bit 1) in the DEV\_CONTROL1 register. Additionally, by setting the ENEXTMON (bit 1) in the DEV\_CONTROL2 register to 1, the exciter will remain enabled when a fault is detected.



Figure 9. Exciter Monitor Faults

FEXTMONH (bit 15) in DEV\_STAT4 register.

## 5.20 Exciter Monitor Low Fault

FEXTMONL (bit 14) in DEV\_STAT4 register. See Section 5.19 for details.

## 5.21 Analog Front End Zero Offset Calibration Fault

FAFECAL (bit 7) in the DEV\_STAT7 register. Masked with MAFECAL (bit 2) in the DEV\_CONTROL1 register. Exciter output will remain on.



Figure 10. FAFECAL Flow Diagram

## 5.22 Input IZx (x = 1...4) High Overvoltage Fault

Sine or cosine input short to battery is detected by independently monitoring the IZx (where x = 1 ... 4) inputs expressed as Positive and Negative Over-Voltage. FIZHx (bits 0-3) in the DEV\_STAT3 register. Threshold selection OVIZH (bits 6-7) in the DEV\_OVUV3 register. Deglitch IZTHL (bits 7-9) in the DEV\_OVUV6 register. Mask MIZOV (bit 4) in the DEV\_CONTROL1 register. Exciter override ENINFAULT (bit 4) in the DEV\_CONTROL2 register.



Figure 11. Analog Front End Input Diagnostics Diagrams

## 5.23 Input IZx (x = 1...4) Low Overvoltage

Sine or cosine input short to ground is detected by independently monitoring the IZx (where x = 1 ... 4) inputs expressed as positive and negative overvoltage. FIZLx (bits 4-7) in the DEV\_STAT3 register. Threshold selection OVIZL (bits 8-9) in the DEV\_OVUV3 register. Mask MIZUV (bit 3) in the DEV\_CONTROL1 register. Deglitch IZTHL (bits 7-9) in the DEV\_OVUV6 register. Exciter Override ENINFAULT (bit 4) in the DEV\_CONTROL2 register.

## 5.24 Input IZ1/IZ3 or IZ2/IZ4 Short Fault (or FOSHORT)

A mutual short fault is detected by monitoring the OSIN and OCOS outputs independently. For an input mutual short, the threshold is set by the OSHORTH (bits 0-2) and OSHORTL (bits 3-5) in the DEV\_OVUV1 register, while the deglitch time delay is defined by the TSHORT (bits 8-10) in the DEV\_OVUV4 register. The fault flag for this diagnostic is the FOSHORT (bit 0) in the DEV\_STAT1 register. This fault can be masked by setting the MFOSHORT (bit 13) in the DEV\_CONTROL1 register to 0. Exciter Override ENINFAULT (bit 4) in the DEV\_CONTROL2 register.

Figure 11 shows the OSHORTH, OSHORTL, OOPENTHH, OOPENTHL, OVIZH, and OVIZL diagnostics along with the SPI adjustable threshold levels for each of them. Figure 12 also shows a correct sine signal crossing all threshold levels with a duration less than the specified deglitch limits; therefore, no fault condition is triggered.





Figure 12. Open Input, Short Input, and Input Fault Diagnostics Threshold Levels

## 5.25 Sine Input (IZ2-IZ4) High Open Fault (or FOSINOPH)

Input open faults are detected by monitoring OSIN and OCOS outputs independently. For open input monitoring the threshold values are set by the OOPENTHH and OOPENTHL bits in register DEV\_OVUV3 and deglitch time defined by the TOPEN bits in DEV\_OVUV5 register. The fault flags for the open input diagnostic are FOSINOPH (bit 4), FOSINOPL (bit 6), FOCOSOPH (bit 5), and FOCOSOPL (bit 7) in the DEV\_STAT1 register.

The Open input diagnostic is possible only when the IZx inputs are externally DC biased as shown in the *Analog Front End* chapter of the PGA411-Q1 data sheet. This is due to the fact that in the case of open input the input pin stays unconnected and the pullup or pulldown resistor will set the pin state to either  $V_{CC}$  for IZ1 and IZ3 pins or GND for IZ2 and IZ4 pins. This will cause the OSIN and OCOS outputs which are monitored for open input detection to swing either to  $V_{CC}$  or GND while crossing the Open input threshold level for a period of time longer than the selected deglitch period. The deglitch period is programmable by changing the TOPEN (bits 10–12) in the DEV\_OVUV5 register. The top left image in Figure 11 shows the logic used to detect FOSINOPH, FOSINOPL, FOCOSOPH and FOCOSOPL faults.

Each of these faults can be masked with the MFOSINOPH (bit 11), MFOCOSOPH (bit 10), MFOSINOPL (bit 9), and MFOCOSOPL (bit 8) in the DEV\_CONTROL1 register. Additionally, by setting the ENINFAULT (bit 4) in DEV\_CONTROL2 Register to 1, the exciter will remain enabled when a fault is detected.

## 5.26 Cosine Input (IZ1-IZ3) High Open Fault (or FOCOSOPH)

See Section 5.25 for details.

## 5.27 Sine Input (IZ2-IZ4) Low Open Fault (or FOSINOPL)

See Section 5.25 for details.

## 5.28 Cosine Input (IZ1-IZ3) Low Open Fault (or FOCOSOPL)

See Section 5.25 for details.

## 5.29 Digital Tracking Loop Input Error Fault

Instability inside the tracking loop causes the analog VΦERR deviation signal to exceed a certain stability limit. The threshold is set by the LPETHH bit for the high threshold limit and the LPETHL bit for the low threshold limit. The deglitch time delay is determined by the TRDHL bit while the FLOOPE fault flag reports this fault. The bottom right image in Figure 11 shows the logic used to detect this fault.

## 5.30 Passcode Testmode Prevention

Reserved for Texas Instruments internal use only. This feature prevents accidental testmode activation.

## 5.31 Analog Built in Self-Test (ABIST) Fault

BIST is the controller and monitor circuit for performing self-checking diagnostics on critical analog and logic functions:

- Input Short, Open, High Overvoltage, Low Overvoltage and Signal Integrity Comparators
- Tracking Loop Comparator
- Main V<sub>CC</sub> supply Overvoltage and Undervoltage comparator
- Exciter Signal Monitor Comparator
- Exciter Amplifier Power Supply (PGA411-Q1)
- Clock Monitor Check

During the Analog BIST process on the implemented comparators, the voltage signals themselves are left unchanged; therefore, no real undervoltage or overvoltage is caused in the system by the BIST self-test. The clock monitor BIST is a self-test of the loss-of-clock function. The enabled diagnostic emulates a clock failure that causes the clock monitor output to toggle. The clock monitor toggling pattern is checked by the ABIST during the self-test; however, the actual oscillator frequency (20 MHz) is not changed. In parallel with the analog BIST, the logical BIST runs stuck-at-fault patterns for logical integrity checking.







The analog and logical BIST are automatically run whenever the PGA411-Q1 device is in the DIAGNOSTICS state. The result of the analog BIST is monitored on ABISTF (bit 8) while the result of the logic BIST fault is monitored by LBISTF (bit 7) in the DEV\_STAT4 register.

The user has the ability to manually run the ABIST and LBIST checks by setting ABIST\_EN (bit 15) or LBIST\_EN (bit 14) in DEV\_CONTROL2 register. These bits are also used to monitor the BIST run procedure. During the ABIST or LBIST procedure, the ABIST\_EN or LBIST\_EN bits will be held set (logical 1) until the procedure is completed after which these will be reset (logical 0).

Once reset, the system can read the ABISTF and LBISTF flags for faults during the BIST process.





## 5.32 Logic Built in Self-Test (LBIST) Fault

Logical BIST runs stuck-at-fault patterns for logical integrity checking. The result of the logic BIST fault is monitored by LBISTF (bit 7) in the DEV\_STAT4 register. See Section 5.31 for details on how ABIST and LBIST perform the self-checks.



## 5.33 Oscillator Fault

When the ECLKSEL pin on the PGA411-Q1 device is set high (VIO), meaning the main system clock is referenced to an external clock generated by a crystal or resonator element, the internally generated clock is used to monitor for correct operation of the device system clock. This is done in the loss-of-clock monitor circuit, which is designed to track the system clock and report a fault condition during two types of misbehavior:

- **Device System Clock stuck condition** A fault case where the main device clock is high or low for a longer period of time.
- **Clock Frequency Out-of-Range** A fault case where the main device clock drifts by –30% or +40% from the specified clock frequency.

In the case of a fault a reset (nPOR) signal to the PGA411-Q1 device is asserted as long as the fault is present.

The loss-of-clock circuit is enabled in the DIAGNOSTICS state after the analog BIST Self-Test is completed.

It is important to note that when the main device clock is sourced only by the PGA411-Q1 device internally generated clock, this functionality is not possible and the loss-of-clock circuit is disabled.



Figure 15. Oscillator Fault Diagram

## 6 PGA411-Q1 as Safety Element Out of Context (SEooC)

This section contains a Safety Element out of Context (SEooC) analysis of the PGA411-Q1 device. Texas Instruments has made assumptions on the typical safety system configurations using this device. System level safety analysis is the responsibility of the developer of these systems and not Texas Instruments. As such, this section is intended to be informative only, to help explain how to use the features of the PGA411-Q1 device to assist the system designer in achieving a given ASIL level. Customers are responsible for putting this device into the context of their system and analyzing the ASIL coverage achieved therein. The PGA411-Q1 device has been designed to perform and function in the ways described in this safety manual, presuming that it is in a system that uses and interconnects it with other components and elements as described. Please note that the system designer may choose to use this PGA411-Q1 device in other safety-relevant systems.

## 6.1 PGA411-Q1 used in an EV/HEV Inverter System

There are several system configurations that can be considered when using the PGA411-Q1 device. This SEooC discussion will focus on using the PGA411-Q1 in an Electric Vehicle (EV) or Hybrid-Electric Vehicle (HEV) inverter system. It is important to note that most motor control systems tend to have a similar electrical structure, including a main controller for decision making, motor drive circuitry, a motor, a position feedback sensor with associated signal conditioning, and some type of power supply. Because of this, most of the analysis in this section can be applied to other motor control systems as well. One implementation of this EV/HEV inverter system is shown in Figure 16, where the PGA411-Q1 device interfaces with a resolver sensor, which acts as the only source of motor position feedback for the system. There are alternative system safety goals, such as including a limp-home mode, where an alternative safety concept and circuit connections may be needed.

This safety analysis of the inverter system will focus only on the PGA411-Q1 device and surrounding signals and communications. For the complete system functional safety analysis, faults of the other blocks such as the MCU, power management, and motor driver will need to be analyzed as well. Since the PGA411-Q1 device cannot directly impact the movement of the motor and it does not make any decisions at the system level, the top level safety goal for this analysis will be that the PGA411-Q1 device communicates, to an MCU, an angle and velocity that accurately represents the position of a rotating shaft or rotor (with respect to the stator). The main communication of the angle data will be through SPI. The FAULT pin of the PGA411-Q1 device will be an interrupt input to the MCU and the FAULTRES pin will be controllable by a GPIO pin of the MCU.

In this configuration, when the PGA411-Q1 detects a fault in the system, it will enter the FAULT state with the FAULT pin high. When this happens, an interrupt will trigger in the MCU, forcing it to take action on the fault. The MCU can then read the DEV\_STAT registers and log the details of which fault occurred. Some faults will result in a loss of communication with the MCU. In either case, the MCU will then take an action to put the system in a safe state. This action could be shutting off the inverter system and notifying the user that service is required. It may be simply continuing operation without relying on angle/velocity information and notifying the user that service is required. Toggling the PGA411-Q1 FAULTRES pin (High-Low-High) will clear the FAULT pin and put the device back into the NORMAL mode of operation.
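The MCU-side fault capture described above, as an added example that is not TI code: it reads DEV\_STAT4 before DEV\_STAT1, as Section 5.17 requires, and groups the flags whose bit positions Section 5 states. The register enum, the read hook, the grouping into categories and the simulated device are assumptions of this example; SPI addresses and framing come from the datasheet.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Symbolic names only (assumption): the SPI addresses are in the datasheet register map. */
typedef enum { REG_DEV_STAT1, REG_DEV_STAT3, REG_DEV_STAT4, REG_DEV_STAT7, REG_COUNT } pga411_reg_t;

/* Hypothetical board-support hook: returns the 16-bit data field of one register read. */
typedef uint16_t (*pga411_read_fn)(void *ctx, pga411_reg_t reg);

/* Flag positions as stated in Section 5 of this manual. */
#define STAT4_FEXTMONH  (1u << 15)
#define STAT4_FEXTMONL  (1u << 14)
#define STAT4_SPI_ERR   (1u << 13)
#define STAT4_ABISTF    (1u << 8)
#define STAT4_LBISTF    (1u << 7)
#define STAT4_IOFAULT   (1u << 4)
#define STAT1_FRCRC     (1u << 14)
#define STAT1_FCECRC    (1u << 13)
#define STAT1_FTECRC    (1u << 12)
#define STAT1_OPEN_MASK (0xFu << 4)   /* FOSINOPH, FOCOSOPH, FOSINOPL, FOCOSOPL */
#define STAT1_FOSHORT   (1u << 0)
#define STAT3_FIZ_MASK  0x00FFu       /* FIZHx bits 0-3, FIZLx bits 4-7 */
#define STAT7_FAFECAL   (1u << 7)

typedef struct {
    uint16_t stat1, stat3, stat4, stat7; /* raw values for the fault log */
    bool spi_error;          /* response data fields may be wrong and must be discarded */
    bool crc_error;          /* register, user EEPROM or trim EEPROM CRC flag */
    bool fault_pin_suspect;  /* IOFAULT: a pin state disagrees with its Sxxx register */
    bool signal_path_fault;  /* exciter monitor, IZx input, short/open or AFE calibration */
    bool bist_fault;         /* ABISTF or LBISTF */
} pga411_fault_snapshot_t;

pga411_fault_snapshot_t pga411_capture_faults(pga411_read_fn rd, void *ctx)
{
    pga411_fault_snapshot_t s;

    /* DEV_STAT4 first: reading DEV_STAT1 clears the SPI status bits and with them SPI_ERR. */
    s.stat4 = rd(ctx, REG_DEV_STAT4);
    s.stat1 = rd(ctx, REG_DEV_STAT1);
    s.stat3 = rd(ctx, REG_DEV_STAT3);
    s.stat7 = rd(ctx, REG_DEV_STAT7);

    s.spi_error = (s.stat4 & STAT4_SPI_ERR) != 0;
    s.crc_error = (s.stat1 & (STAT1_FRCRC | STAT1_FCECRC | STAT1_FTECRC)) != 0;
    s.fault_pin_suspect = (s.stat4 & STAT4_IOFAULT) != 0;
    s.bist_fault = (s.stat4 & (STAT4_ABISTF | STAT4_LBISTF)) != 0;
    s.signal_path_fault =
        (s.stat4 & (STAT4_FEXTMONH | STAT4_FEXTMONL)) != 0 ||
        (s.stat1 & (STAT1_OPEN_MASK | STAT1_FOSHORT)) != 0 ||
        (s.stat3 & STAT3_FIZ_MASK) != 0 ||
        (s.stat7 & STAT7_FAFECAL) != 0;
    return s;
}

/* Constructed stand-in for the device. It models only the one behaviour the manual
 * states: a DEV_STAT1 read clears SPI_ERR in DEV_STAT4. */
typedef struct { uint16_t reg[REG_COUNT]; } sim_pga411_t;

uint16_t sim_read(void *ctx, pga411_reg_t reg)
{
    sim_pga411_t *dev = ctx;
    uint16_t value = dev->reg[reg];
    if (reg == REG_DEV_STAT1)
        dev->reg[REG_DEV_STAT4] &= (uint16_t)~STAT4_SPI_ERR;
    return value;
}

int main(void)
{
    /* Constructed fault: a bad SPI frame plus a user EEPROM CRC mismatch. */
    sim_pga411_t dev = { .reg = { [REG_DEV_STAT1] = STAT1_FCECRC,
                                  [REG_DEV_STAT4] = STAT4_SPI_ERR } };
    pga411_fault_snapshot_t s = pga411_capture_faults(sim_read, &dev);
    printf("STAT4=0x%04X STAT1=0x%04X spi_error=%d crc_error=%d\n",
           (unsigned)s.stat4, (unsigned)s.stat1, s.spi_error, s.crc_error);
    return 0;
}
```

Calling the same routine from a periodic task, not only from the FAULT interrupt, also covers the IOFAULT polling that Section 5.18 recommends for a stuck FAULT pin.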



Figure 16. EV/HEV Inverter System

#### Table 9. Example Fault Detection for the Assumed EV/HEV Inverter System

| Fault | Impact | Detection and Protection |
|-------|--------|--------------------------|
| Fault 1a | | |
| SPI communication between the PGA411-Q1 and the MCU Short/Open | Cannot read or write to the PGA411-Q1 registers | <ul><li>SPI Communication Fault will trigger</li><li>The FAULT pin will go high</li></ul> |
| Fault 1b | | |
| SPI communication error<br>resulting in a bad SPI<br>frame             | <ul> <li>Improper read or write to the PGA411-Q1 registers</li> </ul>                                                                | <ul> <li>SPI CRC calculation detects an error</li> <li>or SPI detects data output mismatch</li> <li>or SPI detects address error</li> <li>or SPI Communication Fault will trigger</li> <li>The FAULT pin will go high</li> </ul> |
| Fault 2                                                                |                                                                                                                                      |                                                                                                                                                                                                                                  |
| FAULT pin short/stuck                                                  | No warning to MCU when a fault occurs                                                                                                | <ul> <li>IOFAULT fault detection</li> <li>Exciter output disabled (optional EEPROM setting)</li> <li>MCU must occasionally poll the IOFAULT register via SPI</li> </ul>                                                          |
| Fault 3a                                                               |                                                                                                                                      |                                                                                                                                                                                                                                  |
| 5V supply input (VCC) is overvoltage | Potential damage to PGA411-Q1 | <ul> <li>VCC Supply Overvoltage fault is triggered, turning the exciter off</li> <li>The FAULT pin will go high</li> <li>MCU may turn off upstream regulator or perform other protection mechanism</li> </ul> |
| Fault 3b                                                               |                                                                                                                                      |                                                                                                                                                                                                                                  |
| 5V supply input (VCC) is<br>undervoltage                               | May cause incorrect angle/velocity data                                                                                              | <ul> <li>PGA411-Q1 enters reset state with the exciter output off</li> <li>MCU detects this fault by a loss of communication with PGA411-Q1</li> </ul>                                                                           |
| Fault 4                                                                |                                                                                                                                      |                                                                                                                                                                                                                                  |
| VIO supply has an open or short circuit                                | Loss of I/O communication with PGA411-Q1                                                                                             | MCU detects this fault by a loss of<br>communication with PGA411-Q1                                                                                                                                                              |
| Fault 5                                                                |                                                                                                                                      |                                                                                                                                                                                                                                  |
| Exciter power supply (boost) overvoltage                               | <ul> <li>Potential damage to the downstream exciter<br/>amplifier</li> <li>Potential loss of angle or velocity data</li> </ul>       | <ul> <li>Exciter power supply overvoltage fault</li> <li>Exciter output will be disabled</li> <li>The FAULT pin will go high</li> </ul>                                                                                          |
| Fault 6a                                                               |                                                                                                                                      |                                                                                                                                                                                                                                  |
| Exciter amplifier output<br>overvoltage                                | <ul><li>Potential damage to resolver coil</li><li>Potential damage to AFE</li><li>Potential loss of angle or velocity data</li></ul> | <ul> <li>Differential exciter overvoltage fault</li> <li>or Single ended exciter overvoltage fault</li> <li>Exciter output disabled</li> <li>The FAULT pin will go high</li> </ul>                                               |
| Fault 6b                                                               |                                                                                                                                      |                                                                                                                                                                                                                                  |
| Exciter amplifier output<br>undervoltage                               | Potential loss of angle or velocity data                                                                                             | <ul> <li>Differential Exciter Undervoltage fault</li> <li>Exciter output disabled (optional EEPROM setting)</li> <li>The FAULT pin will go high</li> </ul>                                                                       |
| Fault 6c | | |
| Exciter coil short to ground                                           | <ul><li>Potential damage to exciter amplifier</li><li>Loss of angle or velocity data</li></ul>                                       | <ul><li>Exciter current limit fault</li><li>Exciter output disabled</li><li>The FAULT pin will go high</li></ul>                                                                                                                 |
| Fault 6d                                                               |                                                                                                                                      |                                                                                                                                                                                                                                  |
| Exciter coil disconnected/shorted together/loss of duty cycle | Loss of angle or velocity data | <ul> <li>Exciter monitor high fault</li> <li>Exciter monitor low fault</li> <li>Exciter output disabled</li> <li>The FAULT pin will go high</li> </ul> |
| Fault 6e                                                                                                          |                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Exciter amplifier overtemperature                                                                                 | <ul><li>Potential damage to exciter amplifier</li><li>Loss of angle or velocity data</li></ul>                            | <ul> <li>Exciter thermal warning fault</li> <li>Exciter thermal shutdown</li> <li>The FAULT pin will go high</li> </ul>                                                                                                                                                                                                                                                                                                                      |
| Fault 7&8                                                                                                         |                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Incorrect sine or cosine<br>output from resolver<br>sensor (various)                                              | <ul> <li>Loss of angle or velocity data</li> <li>Incorrect angle or velocity data</li> </ul>                              | <ul> <li>Input IZx high overvoltage fault</li> <li>or input IZx low overvoltage fault</li> <li>or input IZ1/IZ3 or IZ2/IZ4 high open fault</li> <li>or sine input high open fault</li> <li>or cosine input high open fault</li> <li>or sine input low open fault</li> <li>or cosine input low open fault</li> <li>exciter output disabled (optional EEPROM setting)</li> <li>The FAULT pin will go high (optional EEPROM setting)</li> </ul> |
| Fault 9                                                                                                           |                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| AFE calibration error                                                                                             | <ul><li>Loss of angle or velocity data</li><li>Incorrect angle or velocity data</li></ul>                                 | <ul> <li>Analog front end zero offset calibration fault</li> <li>The FAULT pin will go high (optional EEPROM setting)</li> </ul>                                                                                                                                                                                                                                                                                                             |
| Fault 10                                                                                                          |                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Digital Tracking Loop<br>error                                                                                    | <ul><li>Loss of angle or velocity data</li><li>Incorrect angle or velocity data</li></ul>                                 | <ul> <li>Digital tracking loop input error fault</li> <li>The FAULT pin will go high (optional EEPROM setting)</li> </ul>                                                                                                                                                                                                                                                                                                                    |
| Fault 11                                                                                                          |                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Loss of External Clock<br>or Drift in External Clock                                                              | <ul><li>Loss of angle or velocity data</li><li>Incorrect angle or velocity data</li><li>Loss of fault detection</li></ul> | <ul> <li>Oscillator Fault</li> <li>PGA411-Q1 enters reset state with the exciter output off</li> <li>MCU detects this fault by a loss of communication with PGA411-Q1</li> </ul>                                                                                                                                                                                                                                                             |
| Fault 12                                                                                                          |                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Point Failure in the<br>Internal PGA411-Q1<br>Diagnostics                                                         | <ul><li>Faults not detected</li><li>Faults detected when no error is present</li></ul>                                    | <ul> <li>ABIST fault detection</li> <li>LBIST fault detection</li> <li>Exciter output disabled (optional EEPROM setting)</li> <li>The FAULT pin will go high</li> </ul>                                                                                                                                                                                                                                                                      |
| Fault 13                                                                                                          |                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Short circuit on the<br>ORDx pins or OUTx pins<br>that are used to<br>communicate angle or<br>velocity to the MCU | <ul><li>Loss of angle or velocity data</li><li>Incorrect angle or velocity data</li></ul>                                 | <ul> <li>IOFAULT fault detection</li> <li>Exciter output disabled (optional EEPROM setting)</li> </ul>                                                                                                                                                                                                                                                                                                                                       |

#### Table 9. Example Fault Detection for the Assumed EV/HEV Inverter System (continued)

#### IMPORTANT NOTICE FOR TI SAFETY DOCUMENTATION

Texas Instruments Incorporated ("TI") safety documentation is solely intended to assist designers ("Designers") who are developing systems that incorporate TI semiconductor products (also referred to herein as "components"). Designer understands and agrees that Designer remains responsible for using its independent analysis, evaluation and judgment in designing Designer's systems and products.

TI safety documentation has been created using standard laboratory conditions and engineering practices. TI has not conducted any testing other than that specifically described in the published documentation for a particular safety document. TI may make corrections, enhancements, improvements and other changes to its safety documentation.

Designers are authorized to use TI safety documentation with the TI component(s) identified in each particular reference design and to modify the safety documentation in the development of their end products. HOWEVER, NO OTHER LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE TO ANY OTHER TI INTELLECTUAL PROPERTY RIGHT, AND NO LICENSE TO ANY THIRD PARTY TECHNOLOGY OR INTELLECTUAL PROPERTY RIGHT, IS GRANTED HEREIN, including but not limited to any patent right, copyright, mask work right, or other intellectual property right relating to any combination, machine, or process in which TI components or services are used.

Information published by TI regarding third-party products or services does not constitute a license to use such products or services, or a warranty or endorsement thereof. Use of such information may require a license from a third party under the patents or other intellectual property of the third party, or a license from TI under the patents or other intellectual property of TI.

TI SAFETY DOCUMENTATION IS PROVIDED "AS IS". TI MAKES NO WARRANTIES OR REPRESENTATIONS WITH REGARD TO THE SAFETY DOCUMENTATION OR ITS USE, EXPRESS, IMPLIED OR STATUTORY, INCLUDING ACCURACY OR COMPLETENESS. TI DISCLAIMS ANY WARRANTY OF TITLE AND ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT, QUIET POSSESSION, AND NON-INFRINGEMENT OF ANY THIRD PARTY INTELLECTUAL PROPERTY RIGHTS WITH REGARD TO TI SAFETY DOCUMENTATION OR USE THEREOF. TI SHALL NOT BE LIABLE FOR AND SHALL NOT DEFEND OR INDEMNIFY BUYERS AGAINST ANY THIRD PARTY INFRINGEMENT CLAIM THAT RELATES TO OR IS BASED ON A COMBINATION OF COMPONENTS PROVIDED IN A TI SAFETY DOCUMENT. IN NO EVENT SHALL TI BE LIABLE FOR ANY ACTUAL, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR INDIRECT DAMAGES, HOWEVER CAUSED, ON ANY THEORY OF LIABILITY AND WHETHER OR NOT TI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, ARISING IN ANY WAY OUT OF TI SAFETY DOCUMENTS OR BUYER'S USE OF TI SAFETY DOCUMENTS.

TI reserves the right to make corrections, enhancements, improvements and other changes to its semiconductor products and services per JESD46, latest issue, and to discontinue any product or service per JESD48, latest issue. Designers should obtain the latest relevant information before placing orders and should verify that such information is current and complete. All semiconductor products are sold subject to TI's terms and conditions of sale supplied at the time of order acknowledgment.

TI warrants performance of its components to the specifications applicable at the time of sale, in accordance with the warranty in TI's terms and conditions of sale of semiconductor products. Testing and other quality control techniques for TI components are used to the extent TI deems necessary to support this warranty. Except where mandated by applicable law, testing of all parameters of each component is not necessarily performed.

TI assumes no liability for applications assistance or the design of Designers' products. Designers are responsible for their products and applications using TI components. To minimize the risks associated with Designers' products and applications, Designers should provide adequate design and operating safeguards.

Reproduction of significant portions of TI information in TI data books, data sheets, reference designs or safety documents is permissible only if reproduction is without alteration and is accompanied by all associated warranties, conditions, limitations, and notices. TI is not responsible or liable for such altered documentation. Information of third parties may be subject to additional restrictions.

Designer acknowledges and agrees that it is solely responsible for compliance with all legal, regulatory and safety-related requirements concerning its products, and any use of TI components in its applications, notwithstanding any applications-related information or support that may be provided by TI. Designer represents and agrees that it has all the necessary expertise to create and implement safeguards that anticipate dangerous failures, monitor failures and their consequences, lessen the likelihood of dangerous failures and take appropriate remedial actions. Designer will fully indemnify TI and its representatives against any damages arising out of the use of any TI components in Designer's safety-critical applications.

In some cases, TI components may be promoted specifically to facilitate safety-related applications. With such components, TI's goal is to help enable customers to design and create their own end-product solutions that meet applicable functional safety standards and requirements. Nonetheless, such components are subject to these terms.

No TI components are authorized for use in FDA Class III (or similar life-critical medical equipment) unless authorized officers of the parties have executed an agreement specifically governing such use.

Only those TI components that TI has specifically designated as military grade or "enhanced plastic" are designed and intended for use in military/aerospace applications or environments. Designer acknowledges and agrees that any military or aerospace use of TI components that have not been so designated is solely at Designer's risk, and Designer is solely responsible for compliance with all legal and regulatory requirements in connection with such use.

TI has specifically designated certain components as meeting ISO/TS16949 requirements, mainly for automotive use. In any case of use of non-designated products, TI will not be responsible for any failure to meet ISO/TS16949.

Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265

Copyright © 2016, Texas Instruments Incorporated
