This article looks at the safety standard that governs ADAS features and the challenge in designing power monitoring systems to comply with this standard while introducing an automotive power monitor that has been certified to meet this standard.
This article was co-authored by Warren Tsai, Director of Automotive Power product lines at Maxim Integrated.
“People are so bad at driving cars that computers don’t have to be that good to be much better,” glibly commented Marc Andreesen (creator of Mosaic, the first web browser). However, like the airline industry, the future success or failure of autonomous vehicle manufacturers will largely be determined by the degree of safety they afford to their customers. While mass-market, driverless automobiles are (for the time being) the realm of the future, safety is nonetheless of paramount importance to incumbent car manufacturers, as demonstrated by the wide array of Advanced Driver Assistance Systems (ADAS) in many present-day models (Figure 1).
Figure 1. Advanced Driver Assistance Systems are a primary safety feature in many new automobile models.
In this design solution, we consider the safety standard that governs ADAS features and the challenge in designing power monitoring systems to comply with this standard. We then introduce an automotive power monitor that has been certified to meet this standard, potentially accelerating the development of safe and reliable ADAS designs of the future.
ADAS/ASIL
With the increase of electronics in cars and the deployment of electrical/electronic functions in vehicles, functional safety is becoming a top consideration when developing for ADAS. Prevalent in consumer cars, it enables such features as automated parking, lane departure assistance, and collision avoidance systems. These systems require a large signal chain, incorporating power, sensors, and intelligence resulting in a final action that the car executes.
ISO-26262 is a regulation that drives the requirements for functional safety, addressing possible hazards caused by malfunctioning behavior of electrical safety-related systems including the interaction of these systems. The level of functional safety required for a system is categorized by the system’s ASIL (Automotive Safety Integrity Level) rating. ASIL ratings range from level A to level D, with level D requiring the most robust system. A system’s ASIL rating is determined by the severity of the potential injury, the controllability of the failure, and the exposure to risks if a failure occurs.
Designing for ASIL Compliance
ADAS designs require both voltage monitoring and execution monitoring of microcontroller and/or SoCs (system-on-chips) to ensure the system makes intelligent and coherent decisions. The central SoC uses complex algorithms to translate sensor data into a logical response. These complex algorithms require the integration of several functional blocks within the SoC, requiring different voltage rails to operate properly. These include the main processor peripheral voltage, processor core, memory, and any other references needed for the internal architecture such as ADCs or DACs.
Besides the main SoC, there may be several microcontrollers throughout the system, controlling the sensor data acquisition and actuation response, also requiring monitoring. Execution monitoring ensures that microcontrollers do not get caught in a loop, causing their programs to stall. Circuits which perform this function are referred to as “windowed watchdogs” as they look for an intermittent signal (within a defined time window) from the controller to indicate it is operating normally.
While voltage monitoring ICs are available, there are several drawbacks to their usage in ADAS designs. Firstly, as shown in Figure 2, reference voltage levels are set using discrete resistor-divider circuits, increasing overall solution size. Also, the accuracy of the reference voltages is significantly impacted by the tolerances of these resistors. Typically, these ICs can only monitor 4 to 6 different voltage levels.
Figure 2. Typical Voltage Monitor IC Circuit
Secondly, these ICs do not have watchdog functionality, meaning that this feature must be provided using a separate IC. When designed, the overall monitoring system must then undergo ASIL compliance verification.
Another suggested design approach might be to use an ADC with a microcontroller. However, this would present several challenges. Firstly, the microcontroller used (and the firmware running on it) would need to achieve ASIL compliance. Secondly, firmware that polls individual voltage rails may miss fast overvoltage and undervoltage transients. Finally, the microcontroller itself would require an ASIL-compliant power solution (chicken/egg scenario).
MAX20481's Integrated Solution
Figure 3 shows a power monitor IC that has several advantages over the previous design approaches.
Figure 3. MAX20481 Automotive Power Monitor IC
The main benefit of this part is that it is the only complete ASIL-B-compliant SoC power system monitor currently available. It has seven voltage monitor inputs, each has factory-programmable overvoltage and undervoltage thresholds of between 2.5% and 10%, with ±1% accuracy. This removes the need for external resistors.
Modern SoCs and processors can require a large amount of supply current, which may cause small offsets in ground voltages (even when using multiple large ground planes). To accommodate this, this IC has two inputs with a separate remote ground sense input. Conveniently, this part also contains a factory-programmable windowed watchdog with digital input pins to refresh and disable this function. The RESET pin of the device can also be set at the factory to assert under a variety of conditions, as required.
The footprint of this IC (3mm x 3mmTQFN) is at least 40% smaller than the voltage monitor ICs considered earlier (not including the additional watchdog circuit and external resistors they also require). Apart from use in ADAS designs, it is also suitable for application in autonomous driving processing systems, remote sensor modules as well as general-purpose power system supervision and MCU/SoC monitoring.
Utilizing the MAX20481 for ASIL Compliance
For an ADAS system to be ASIL compliant, voltage and execution monitoring of its SoC and microcontrollers is required. While voltage monitor ICs are available, they require additional discrete resistors along with a separate watchdog circuit. We can conclude that the quickest, smallest, and most accurate way to achieve ASIL-compliant automotive power monitoring is to use the MAX20481.
No comments:
Post a Comment