MOSFET Redundancy/Fail-Safe in Automotive System

[¡MR.AWESOME!]

Yohoho. I've got an N-MOSFET driving some relays that control the 'Run' circuit in a vehicle. If a FET fails, these relays must not cut off power while the car is running. The FET's I'm using are ON Semi's NCV8402. They are pretty heavy duty as it is, but I want to implement some sort of redundant or fail-safe system to make sure.

I have an MCU with CMOS output of 3.3V driving the gate. There is a series resistor on the gate as well as a pull-down resistor. I will probably include a diode to block any voltage to the MCU that may arise out of a Drain-Gate short failure. How does that sound to you guys? Did I miss anything so far?

I was thinking of using a logic gate to compare the state of the MCU's output pin with the state of the FET to determine if a fault occurred. I would a voltage divider from the drain-side of the FET to one of the inputs of the logic gate and the other side of the logic gate to the gate-side of the FET. Doing this would require me to clamp the voltage down to a lower level than what is provided by the MOSFET, so I would add an external TVS from Drain to Source as well. How does that sound?

Now the real trouble I'm having is deciding on whether to just wire up two FETs in parallel and monitor if one of them goes bad to alert the operator, or if i need a completely separate backup system that is unused in normal operation, but would kick in in case of the primary MOSFET failing. I feel like if there was some event large enough to take out one of the FETs, if they were in parallel, the event would take them both out. So I would need a separate system. Lemme know what you guyses think.

Thanks

 

[likephysics]

You could use latching relays. That way once they close, even if the driver ckt blows out, it does not affect them.

For the back up system, I would go with a "separate system".
Maybe use a PMOS as back up, which kicks in only when the primary mosfet fails.

 

[AlephZero]

I was thinking of using a logic gate to compare the state of the MCU's output pin with the state of the FET to determine if a fault occurred. I would a voltage divider from the drain-side of the FET to one of the inputs of the logic gate and the other side of the logic gate to the gate-side of the FET. Doing this would require me to clamp the voltage down to a lower level than what is provided by the MOSFET, so I would add an external TVS from Drain to Source as well. How does that sound?

Now the real trouble I'm having is deciding on whether to just wire up two FETs in parallel and monitor if one of them goes bad to alert the operator, or if i need a completely separate backup system that is unused in normal operation, but would kick in in case of the primary MOSFET failing. I feel like if there was some event large enough to take out one of the FETs, if they were in parallel, the event would take them both out. So I would need a separate system. Lemme know what you guyses think.

You need to stop and think what the real risks are. Risk has two parts, the probability of somethinig happening and the consequences of it happening.

You are right that "single point failures" are important. None of these complications will have any effect if your power supply fails, for example.

I would think that lilkelihood of electronic components failing if they are used within their correct operating parameters would be negligible compared with the chance of mechanical failure in an "average" automotive system, and the consequence of even complete engine failure is not necessarily serious, though obviously annoying!

Another thing to consider is "what are you going to do after you detect a failure". If the answer is "you can't do anything much", there was not much point trying to detect it.

 

[¡MR.AWESOME!]

Thanks for the replies.

Relay's are great, but then I would need some extra overcurrent/short circuit protection circuit. The FETs already have that built in. I was thinking of using a NC relay that, when all was functioning fine, would have power to it and be open, but as soon as something wasn't right, the power would be cut off and the circuit would close. The only problem with that is if the FET is short circuited and it's ovetemp shutdown kicks in, then whatever circuit I had to detect when the FET was 'Off' when it should be 'On' will close the relay's contacts and then the relay or the wires would burn up due to the short circuit. To get around that, I would need either a different (more expensive) FET with a diagnostic pin that would indicate that it shutdown due to overtemp or I would need another short circuit detection circuit.

None of these options are very appealing.

I'm curious as to what OEM's do. Do they just design to keep all electrical aspects within the devices parameters? Or do they also employ fail-safe redundant systems? I've never heard of an ECU needing to be replaced due to a situation that didn't involve a person fiddling around with it.

Thanks