Session 1 Starts: 8 AM PDT | 11 AM EDT | 5 PM CEST Session 2 Starts: 11 AM PDT | 2 PM EDT | 8 PM CEST

# Ensuring Safety for Autonomous Vehicles with Advanced Voltage Supervision

Charlotte (Xiaodan) Wang, Technical Marketing Engineer, MPS

June 2024



## Charlotte (Xiaodan) Wang

- From Tangshan City, Hebei Province, China
- Ph.D. degree from the Ohio State University, 2022
- Joined MPS in 2021 as an intern
- Currently a Technical Marketing Engineer (Product Definer) for the Automotive product line
- Focus on advanced driver-assistance system (ADAS) products including voltage monitors, power sequencers, and system-on-chip (SoC) power management ICs (PMICs)



### Agenda

#### Background

Autonomous Driving (AD) Statistics

Autonomous Driving (AD): Enabled by Advanced Driver-Assistance Systems (ADAS)

Autonomous Driving (AD): High-Performance Computer Block Diagram

#### **Traditional vs. Advanced Voltage Supervision**

Voltage Supervision Overview

Limitations of Traditional Voltage Supervisors

Advanced Voltage Supervision

#### Advanced Voltage Supervision Design

Functional Safety Capability

Voltage Monitoring (Drift)

Voltage Monitoring (Noise)

Voltage Threshold Setting

Sequence Recording

### **Test Results**

Summary

## **Autonomous Driving (AD) Statistics**



Level 2 ADAS Crashes by Month

#### Source: National Highway Traffic Safety Administration (NHTSA), "Summary Report: Standing General Order on Crash Reporting for Level 2 Advanced Driver Assistance Systems." June 2022.

#### **Consumer Concerns About Self-Driving Cars**

% of respondents naming the following reasons for their reluctance to use self-driving cars



Source: BCG and World Economic Forum Base: 1,260 consumers from 10 countries

#### The safety of autonomous driving systems is mission critical



## AD: Enabled by Advanced Driver-Assistance Systems (ADAS)

### Long-Range Radar and LiDAR

Adaptive cruise control

#### Ultrasound

Parking assistance

### Short-/Medium-Range Radar

- Emergency braking
- Pedestrian detection
- Cross-traffic alert
- Collision warning/avoidance
- Blind spot detection

### **High-Performance Computers**

- Sensor fusion
- Al learning
- Computation tasks required for perception, cruising, and parking

### Cameras

- Traffic sign recognition
- Lane departure warning
- Parking assistance
- Surround view

Supervision is mandatory to ensure the functionality of each ADAS subsystem

## **AD: High-Performance Computer Block Diagram**



### SoC Powered by PMIC





## **Voltage Supervision Overview**

- Voltage supervision plays a key role in meeting stringent functional safety requirements
- Supply voltages out of tolerance can cause the SoC/processor in the system to malfunction, resulting in system failure
- Voltage supervisors/monitors are responsible for over-voltage/under-voltage (OV/UV) event supervision for a voltage rail
- In addition to supervising the system voltage, voltage monitors should report diagnostic information in systems requiring functional safety





### **Limitations of Traditional Voltage Supervisors**

### Lacking Functional Safety Capability

No on-chip diagnostics to implement functional safety features. Lacks compliance with automotive safety integrity level (ASIL).

#### **No Safety Reporting**

Traditional supervisors have an analog reset pin to indicate a fault condition. ASIL-compliant systems require fault conditions to be stored to the memory (e.g. time of event, voltage level, type of fault) and read back by a safety MCU.

### Limitations

#### **Restricted Voltage Monitoring Range**

The voltage monitoring range is restricted to the preset choices. There is no flexibility for user configuration.

#### Restricted Voltage Threshold Configurability

The threshold values are preset and fixed to limited options. The over-/under-voltage thresholds are not configurable.



## **Advanced Voltage Supervision**





### **Advanced Voltage Supervision Design**

- Includes Functional Safety Capability:
  - Built-In Self-Testing (BIST)
  - Interrupt Output Pin (Fault Reporting)
  - I<sup>2</sup>C Interface with Cyclic Redundancy Check (CRC)
  - ASIL-D Compliant, ISO26262 Certified
- Multiple Monitoring Channels: 6 (2 Differential Remote Sensing)
- Wide Monitoring Range and Configurable Absolute OV and UV Thresholds:
  - 1x Scaling: 0.2V to 1.475V Range, 5mV/Step
  - 4x Scaling: 0.8V to 5.5V Range, 20mV/Step
- AEC-Q100 Qualified
- Sequence Recording (SYNC Pin for Sequence Recording by Synchronizing Multiple Devices)



6-Channel Voltage Monitor (MPQ79500FS) in a Typical Application Circuit



# 1

### **Built-In Self Testing (BIST)**

Logic BIST (LBIST), analog BIST (ABIST), and volatile memory (VM) BIST diagnostics from the non-volatile memory (NVM) ensure reliability for every drive cycle.

### NIRQ Fault Reporting Pin

An interrupt NIRQ pin is used for fault reporting to the higher-level safety microcontroller (MCU) for fault handling.



#### **Reference Voltage Monitor**

Use a redundant independent voltage reference to cross-check the reference voltage. If one voltage reference is out of range, the device should report reference voltage failures to the system and the system needs to take necessary actions.



### **System Clock Monitor**

Use independent clock sources to provide cross-check. If one clock is out of range, the device should report clock failures to system and the system needs to take necessary actions.

# Voltage Monitoring (Drift)

The monitored rails where voltages drift (low frequency, LF) are converted to digital signals by a high-accuracy **analog-to-digital converter (ADC)**. Over-voltage/under-voltage low-frequency (UVLF/OVLF) fault events are reported.



Over-Voltage/Under-Voltage Low-Frequency (UVLF/OVLF) Monitoring Structure

#### Enable/Disable UVLF/OVLF Monitoring via the I<sup>2</sup>C

| O IEN UVLF(0x14)Bank1 |         |   | ⊙ IEN OVLF(0x16)Bank1 |         |   |  |
|-----------------------|---------|---|-----------------------|---------|---|--|
| UVLF_VIN[1]           | Enable  | • | OVLF_VIN[1]           | Enable  | • |  |
| UVLF_VIN[2]           | Enable  | • | OVLF_VIN[2]           | Disable | • |  |
| UVLF_VIN[3]           | Enable  | • | OVLF_VIN[3]           | Enable  | • |  |
| UVLF_VIN[4]           | Enable  | • | OVLF_VIN[4]           | Disable | • |  |
| UVLF_VIN[5]           | Disable | • | OVLF_VIN[5]           | Disable | • |  |
| UVLF_VIN[6]           | Disable | • | OVLF_VIN[6]           | Enable  | • |  |

#### Monitoring Range, Threshold, and Cutoff Frequency Configuration via the I<sup>2</sup>C

| VRANGE MULT(0x1F)Bank1 |            |   | Monitor Registers-CH1(0x20-0x25)Bank1 |         |  |  |
|------------------------|------------|---|---------------------------------------|---------|--|--|
| VRANGE_MULT_VIN[1]     | 1x scaling | • | UV_HF[1]                              | 0.2 V   |  |  |
| VRANGE_MULT_VIN[2]     | 4x scaling | • | OV_HF[1]                              | 1.475 V |  |  |
| VRANGE_MULT_VIN[3]     | 4x scaling | • | UV_LF[1]                              | 0.2 V   |  |  |
| VRANGE_MULT_VIN[4]     | 1x scaling | • | OV_LF[1]                              | 1.475 V |  |  |
| VRANGE_MULT_VIN[5]     | 1x scaling | • | FLT_HF_UV[1]                          | 0.1 μs  |  |  |
| VRANGE_MULT_VIN[6]     | 1x scaling | • | FLT_HF_OV[1]                          | 0.1 μs  |  |  |
|                        |            |   | FC_LF_THREEDB[1]                      | 500 Hz  |  |  |



# Voltage Monitoring (Noise)

**High-accuracy comparators** monitor voltage noise (high frequency, HF) for over-voltage and under-voltage events, and include a debounce time that is configurable down to 100ns. Over-voltage/under-voltage high-frequency (UVHF/OVHF) fault events are reported.



#### Over-Voltage/Under-Voltage High-Frequency (UVHF/OVHF) Monitoring Structure

#### Enable/Disable UVHF/OVHF Monitoring via the I<sup>2</sup>C

| IEN UVHF(0x13)Bank1 |           | ○ IEN OVHF(0x15)Bank1 |           |  |  |
|---------------------|-----------|-----------------------|-----------|--|--|
| UVHF_VIN[1]         | Enable 🔻  | OVHF_VIN[1]           | Enable 🔻  |  |  |
| UVHF_VIN[2]         | Enable 🔻  | OVHF_VIN[2]           | Enable 🔻  |  |  |
| UVHF_VIN[3]         | Enable 🔻  | OVHF_VIN[3]           | Enable 🔻  |  |  |
| UVHF_VIN[4]         | Enable 🔹  | OVHF_VIN[4]           | Enable 🔻  |  |  |
| UVHF_VIN[5]         | Disable 🔹 | OVHF_VIN[5]           | Enable 🔻  |  |  |
| UVHF_VIN[6]         | Disable 🔹 | OVHF_VIN[6]           | Disable 🔻 |  |  |

#### Monitoring Range, Threshold, and Debounce Time Configuration via the I<sup>2</sup>C

| VRANGE MULT(0x1F)Bank1 |            |   | Monitor Registers-CH1(0x20-0x25)Bank1 |         |   |  |
|------------------------|------------|---|---------------------------------------|---------|---|--|
| VRANGE_MULT_VIN[1]     | 1x scaling | • | UV_HF[1]                              | 0.2 V   | • |  |
| VRANGE_MULT_VIN[2]     | 4x scaling | • | OV_HF[1]                              | 1.475 V | • |  |
| VRANGE_MULT_VIN[3]     | 4x scaling | • | UV_LF[1]                              | 0.2 V   | • |  |
| VRANGE_MULT_VIN[4]     | 1x scaling | • | OV_LF[1]                              | 1.475 V | • |  |
| VRANGE_MULT_VIN[5]     | 1x scaling | • | FLT_HF_UV[1]                          | 0.1 μs  | • |  |
| VRANGE_MULT_VIN[6]     | 1x scaling | • | FLT_HF_OV[1]                          | 0.1 μs  | • |  |
|                        |            |   | FC_LF_THREEDB[1]                      | 500 Hz  | • |  |



## **Normal Operation**

- OV/UV monitoring range: OV/UV threshold range with tolerance over temperature
- This is applicable for both DC (low frequency) and AC (high frequency) monitoring.



Voltage

## **Normal Operation**

Voltage

- OV/UV monitoring range: OV/UV threshold range with tolerance over temperature
- This is applicable for both DC (low frequency) and AC (high frequency) monitoring.



### Ideal Case

Voltage





### **Actual Case**



### **Actual Case**

Voltage



- MPS

Tim

## How to Correctly Setup Thresholds





- 2% system Lower limit

Higher accuracy buck regulator and more accurate voltage monitors are required to meet total system tolerance.



## How to Correctly Setup Thresholds

+ 3% system Upper limit

### OV max Actual OV Threshold ± 1% OV monitoring range OV min + 1% BUCK output range Nominal voltage -1% BUCK output range ± 1% UV monitoring range UV max Actual UV Threshold UV min

- 3% system Lower limit

• System tolerance must be loosened to accommodate tolerances of the Monitor and Buck regulator.



### **Sequence Recording**

The power-on, power-off, sleep entry, and sleep exit sequences can be recorded to monitor a correct and safe sequence. Sequence recording with more than one voltage (>6 rails) can be achieved via the /SYNC pin with all voltage rails sharing a synchronous domain.



#### Enable/Disable Sequence Monitoring via the I<sup>2</sup>C

| IEN SEQON(0x17)_Bank1 |         |   | IEN SEQOFF(0x18)_Bank1 |         |   |  |
|-----------------------|---------|---|------------------------|---------|---|--|
| ON_VIN[1]             | Disable | • | OFF_VIN[1]             | Disable | • |  |
| ON_VIN[2]             | Disable | • | OFF_VIN[2]             | Disable | • |  |
| ON_VIN[3]             | Disable | • | OFF_VIN[3]             | Disable | • |  |
| ON_VIN[4]             | Disable | • | OFF_VIN[4]             | Disable | • |  |
| ON_VIN[5]             | Disable | • | OFF_VIN[5]             | Disable | • |  |
| ON_VIN[6]             | Disable | • | OFF_VIN[6]             | Disable | • |  |

#### User-Expected Sequence, Actual Logged Sequence, and Timestamp via the I<sup>2</sup>C

| SEQ_ONEXP(0xB0-0xB5)_Bank1 |   | SEQ ONLOG(0x50-0x55)_Bank0 |           | SEQ TIME(0x90 | SEQ TIME(0x90-0x9B)Bank0 |       |    |
|----------------------------|---|----------------------------|-----------|---------------|--------------------------|-------|----|
| ON_EXP[1]                  | 3 | •                          | ON_LOG[1] | 03            | SEQ_TIME[1]              | 14.8  | ms |
| ON_EXP[2]                  | 4 | •                          | ON_LOG[2] | 04            | SEQ_TIME[2]              | 23.9  | ms |
| ON_EXP[3]                  | 1 | •                          | ON_LOG[3] | 01            | SEQ_TIME[3]              | 1.3   | ms |
| ON_EXP[4]                  | 2 | •                          | ON_LOG[4] | 02            | SEQ_TIME[4]              | 6.1   | ms |
| ON_EXP[5]                  | 3 | •                          | ON_LOG[5] | 03            | SEQ_TIME[5]              | 13.95 | ms |
| ON_EXP[6]                  | 2 | -                          | ON_LOG[6] | 02            | SEQ_TIME[6]              | 5.7   | ms |



# Test Results: Voltage Monitoring (Drift) for OV/UV



- OVLF threshold = 1V (where the voltage increases from 0V to 5V)
- The fault pin (NIRQ) is pulled low, and the OVLF fault register is set (OVLF, bit[1]) after an OVLF fault occurs
- The fault bit cannot be written to 1 to be cleared until the fault condition is removed

- UVLF threshold = 1V (where the voltage falls from 5V to 0V)
- The NIRQ fault pin is pulled low, and the UVLF fault register is set (UVLF, bit[1]) after a UVLF fault occurs
- The fault bit cannot be written to 1 to be cleared until the fault condition is removed



# Test Results: Voltage Monitoring (Noise) for OV/UV



- UVHF threshold = 1V (where the input voltage falls from 1.4V to 0.6V for a short pulse)
- The NIRQ fault pin is pulled low, and the UVHF fault register is set (UVHF, bit[1]) after a UVHF fault occurs
- The fault bit cannot be written to 1 to be cleared until the fault condition is removed

- OVHF threshold = 1V (where the input voltage increases from 0.7V to 1.2V for a short pulse)
- The NIRQ fault pin is pulled low, and the OVHF fault register is set (OVHF, bit[1]) after a OVHF fault occurs
- The fault bit cannot be written to 1 to be cleared until the fault condition is removed

## **Test Results: Sequence Recording (Multiple Devices)**



Sequence Monitoring of Three Synchronized MPQ79500FS Devices



Power-Up Sequence Recording Using Two MPQ79500FS Voltage Monitors (SYNC Pin to Synchronize Both Devices to the Same Domain)



## **Test Results: Sequence Recording (Multiple Devices)**



Sequence Monitoring of Three Synchronized MPQ79500FS Devices

MPS

Ŧ

Ŧ

Ŧ

Ŧ

Ŧ

Ŧ

Ŧ

Ŧ

### Summary

- As ADAS technology achieves higher levels of vehicle autonomy, functional safety is mandatory
- Voltage supervision plays a critical role in achieving functional safety
- Advanced voltage supervision can target stringent voltage rail monitoring requirements in autonomous vehicle platforms with the following features:
  - Functional safety capability: On-chip diagnostics (e.g. LBIST, ABIST, CRC, ECC) to avoid malfunctions
  - Multiple channels monitored: Using a single chip to monitor up to 6 channels helps reduce overall cost and size
  - **Reporting** of safety faults (stored in the memory) via the I<sup>2</sup>C
  - Wide voltage monitoring range: Flexibility to monitor a wide voltage range with high-resolution steps
  - Configurable voltage thresholds: Flexibility to configure the OV/UV threshold on demand.
  - Sequence recording: Sequence monitoring via one or multiple voltage monitors can be achieved to supervise a safe power-on/-off sequence.
- Voltage monitor has tolerance. There are trade-offs (either early OV/UV faults or miss some OV/UV faults) when setting up thresholds for system voltage monitoring.



# **Thank You!**

Questions?

