3.1 Practical Implementation

The following diagram shows a reactive implementation of a high-voltage, high-current, high Safety Integrity Level (SIL) bidirectional e-Fuse. The major system components have assigned identification numbers. As a general rule, application-specific components are marked in pink, while general components are marked in green.

Figure 3-1. High SIL e-Fuse Practical Architecture

To avoid common-mode failures, galvanic isolation was implemented between the two subsystems using safety-rated components. The red island marks the separation between the main circuitry, which executes the safety function (short-circuit, overcurrent and overtemperature management), and the reactive side, which monitors the main subsystem and its operating conditions and disconnects the load in the event of a permanent failure of the main subsystem.

The general system components (green) are:

  1. Microchip dsPIC33A DSC: This is the main MCU, and its processing power capability allows it to run the safety function and additional checkbacks on the reactive side.
  2. AVR SD: This is the core of the reactive subsystem. It monitors the operating conditions of the main MCU and indirectly verifies whether the safety function is being performed by a healthy main subsystem.
  3. Push-Pull Driver: The reactive side can drive the DC-DC converter using the PWM port, which delivers power to the main controller circuitry through isolation.
  4. Power Block: Regulates and monitors the DC-DC voltages that power the main system.
  5. DC-DC Converter Isolation Transformer: This transformer is used to transfer power from the reactive subsystem to the floating main subsystem.
  6. Two-Port Isolator: Provides galvanic isolation for the Advanced Watchdog port (PWM for the health check and sGPIO for the remote reset).
  7. Two-Port Isolator: Provides galvanic isolation for the Main-Reactive telemetry data exchange port.
  8. OR Logic Block: Collects all main-subsystem faults (power, temperature, overcurrent and driver faults) into a single digital channel. This channel feeds a safety GPIO (fault flag) on the reactive side.
  9. Environmental Temperature Monitor: The environmental temperature is monitored on the reactive side to ensure that nominal working conditions are maintained during system operation.
  10. Power Input Monitoring: The input rail is monitored for marginal undervoltage and overvoltage conditions.
  11. Power Supply: Ensures regulated power to all reactive circuitries. The power supply input is protected for overvoltage and undervoltage conditions and is monitored by the MCU.
  12. Air Gap Disconnect Device: This device has intrinsic safety characteristics and is capable of temporarily or permanently disconnecting the power bus once a fault is detected (pyrofuse or safety relay). By disconnecting the load (removing the power), the system is placed in a safe state.
  13. Air Gap Disconnect Driver: This driver controls the disconnect device and checks its health. The circuitry has safety characteristics and usually ensures floating control (double-cut, on both power lines) of the main relay/fuse.
  14. Power Port: The primary power port for the system.
  15. Host System Interfaces: The PHYs that interface the reactive subsystem with the real world.
  16. Host System Interfaces: The PHYs that interface the main subsystem with the real world. All signals going to the main MCU are isolated. A floating ground topology was chosen for the main system to simplify the high-speed circuitry design.
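As an added illustration of item 6 (the Advanced Watchdog port: PWM for the health check, sGPIO for the remote reset), the following C model shows how the reactive side can judge the main MCU's PWM heartbeat. It is example code written for this page, not Microchip firmware for the AVR SD or the dsPIC33A; the window limits, the three-strikes rule, the reset budget and the edge-capture entry points (wd_on_edge, wd_on_tick) are all assumptions. What it shows is that the heartbeat is checked against a period and duty window rather than for mere toggling (a runaway loop can still toggle a pin), that a silent main MCU is caught by a separate timeout, and that escalation is remote reset first and air-gap disconnect second, with the disconnect latched.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed heartbeat window: 1 kHz nominal, +/-10 % on period, 40-60 % duty. */
#define HB_PERIOD_MIN_US   900u
#define HB_PERIOD_MAX_US  1100u
#define HB_DUTY_MIN_PCT     40u
#define HB_DUTY_MAX_PCT     60u
#define HB_TIMEOUT_US     3000u  /* no edge for ~3 periods: main MCU is non-responsive */
#define HB_MAX_BAD_CYCLES    3u  /* consecutive out-of-window cycles before a reset */
#define HB_MAX_RESETS        2u  /* reset attempts before the air gap is opened */

typedef enum { WD_OK = 0, WD_RESET_MAIN = 1, WD_DISCONNECT = 2 } wd_action_t;

typedef struct {
    uint32_t last_rise_us, last_fall_us, last_activity_us;
    bool     have_rise, disconnected;   /* disconnected latches: never re-closed here */
    uint8_t  bad_cycles, resets_issued;
} wd_state_t;

static bool cycle_in_window(uint32_t period_us, uint32_t high_us) {
    if (period_us < HB_PERIOD_MIN_US || period_us > HB_PERIOD_MAX_US) return false;
    uint32_t duty_pct = (high_us * 100u) / period_us;
    return duty_pct >= HB_DUTY_MIN_PCT && duty_pct <= HB_DUTY_MAX_PCT;
}

/* Escalation: remote reset over the isolated sGPIO first; once HB_MAX_RESETS
 * resets have been spent, open the air-gap device and stay there. */
static wd_action_t escalate(wd_state_t *s, uint32_t now_us) {
    s->bad_cycles = 0;
    s->have_rise = false;           /* expect a fresh heartbeat after the reset */
    s->last_activity_us = now_us;   /* restart the silence timer */
    if (s->resets_issued >= HB_MAX_RESETS) {
        s->disconnected = true;
        return WD_DISCONNECT;
    }
    s->resets_issued++;
    return WD_RESET_MAIN;
}

/* Called from the input-capture ISR for every edge of the isolated PWM heartbeat. */
wd_action_t wd_on_edge(wd_state_t *s, bool rising, uint32_t t_us) {
    if (s->disconnected) return WD_DISCONNECT;
    s->last_activity_us = t_us;
    if (!rising) { s->last_fall_us = t_us; return WD_OK; }
    if (s->have_rise) {
        /* Two rising edges with no falling edge between them count as a bad cycle. */
        bool ok = s->last_fall_us > s->last_rise_us &&
                  cycle_in_window(t_us - s->last_rise_us, s->last_fall_us - s->last_rise_us);
        if (ok) s->bad_cycles = 0;
        else if (++s->bad_cycles >= HB_MAX_BAD_CYCLES) return escalate(s, t_us);
    }
    s->last_rise_us = t_us;
    s->have_rise = true;
    return WD_OK;
}

/* Called from a periodic timer: catches a main MCU that stopped toggling entirely. */
wd_action_t wd_on_tick(wd_state_t *s, uint32_t now_us) {
    if (s->disconnected) return WD_DISCONNECT;
    if (now_us - s->last_activity_us > HB_TIMEOUT_US) return escalate(s, now_us);
    return WD_OK;
}

/* Constructed scenarios (not captured traces); each returns the most severe action taken. */
static wd_action_t worst(wd_action_t a, wd_action_t b) { return a > b ? a : b; }

static wd_action_t feed_cycles(wd_state_t *s, uint32_t *t, unsigned n,
                               uint32_t period_us, uint32_t high_us) {
    wd_action_t w = WD_OK;
    for (unsigned i = 0; i < n; i++, *t += period_us) {
        w = worst(w, wd_on_edge(s, true, *t));
        w = worst(w, wd_on_edge(s, false, *t + high_us));
    }
    return w;
}

wd_action_t scenario_healthy(void) {            /* 50 nominal cycles: WD_OK */
    wd_state_t s = {0}; uint32_t t = 0;
    return feed_cycles(&s, &t, 50, 1000, 500);
}

wd_action_t scenario_runaway_loop(void) {       /* still toggling, but at 5 kHz: WD_RESET_MAIN */
    wd_state_t s = {0}; uint32_t t = 0;
    wd_action_t w = feed_cycles(&s, &t, 10, 1000, 500);
    return worst(w, feed_cycles(&s, &t, 10, 200, 100));
}

wd_action_t scenario_silent_then_dead(void) {   /* silence, recovery, silence, silence: WD_DISCONNECT */
    wd_state_t s = {0}; uint32_t t = 0;
    wd_action_t w = feed_cycles(&s, &t, 10, 1000, 500);
    t += 5000; w = worst(w, wd_on_tick(&s, t));       /* 1st reset */
    w = worst(w, feed_cycles(&s, &t, 10, 1000, 500)); /* main came back */
    t += 5000; w = worst(w, wd_on_tick(&s, t));       /* 2nd reset */
    t += 5000; w = worst(w, wd_on_tick(&s, t));       /* reset budget spent: open the air gap */
    return w;
}
```

The reset budget in this model never decays, so a main MCU that needs a reset twice in the life of the unit is eventually disconnected; a real design would reset the counter after a sustained healthy period, and would also have the dsPIC33A vary the duty cycle from application code (not from a timer peripheral) so that a hung application cannot keep the heartbeat alive.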

The application specific system components (pink) are:

  1. Hall-Effect Isolated Current Sensor: This sensor is the secondary element that evaluates the current. It is not fast enough for short-circuit mitigation, but it is sufficient for monitoring the evolution of the average current and for disconnecting the load in the event of a permanent main-subsystem failure.
  2. Module Temperature Monitor: This is the SiC module temperature monitor. It is used in the third step of overcurrent mitigation.
  3. Shunt: A low-temperature-coefficient metallic shunt is used as the bidirectional current-sensing element.
  4. Leakage Detection Circuit: This circuit detects leakage through the power SiC FETs when the switch turns on or off. It also detects the direction of current flow (patent protected).
  5. SiC Module: This bidirectional solid-state switch incorporates two SiC power FETs, a temperature sensor, a metallic shunt for current measurement and the leakage detection circuitry.
  6. Current Preprocessor: This is the analog signal chain for current processing. Current mitigation is performed in two steps: an extremely fast response (nanoseconds) using comparators with programmable thresholds, and a slightly slower response (hundreds of nanoseconds to microseconds) using fast ADCs. A temperature-monitoring step runs in parallel to complete the current-protection algorithm.
  7. Multistage FET Driver: This driver provides multistage SiC gate voltage control to allow safe pass-through detection, validation and disconnection, during the short circuit mitigation.

To achieve the safety goal of placing the system in a safe state within the Process Safety Time (PST) in the event of a short circuit that cannot be mitigated, the two subsystems shall perform the following tasks:

  1. Main Subsystem Principal Functions:
    1. Bidirectional short-circuit detection and mitigation attempt for Hard Switching Fault (HSF) and Fault Under Load (FUL)
    2. Bidirectional overcurrent detection and mitigation
    3. Overtemperature detection and mitigation
    4. Current measurement and overcurrent validation against the reactive subsystem's telemetry report
    5. Solid-State Relay (SSR) leakage detection
    6. System status reporting via LIN/CAN bus or Single Pair Ethernet (100BASE-T1S)
  2. Main Subsystem Auxiliary Functions:
    1. Power rail voltage monitoring
    2. Internal temperature monitoring
    3. Latent failure detection (LFD)
    4. Reactive-side cross-checking (subsystem status data exchange using a safety-related data exchange protocol such as AUTOSAR E2E)
    5. Load current value and quality monitoring (with redundancy and diversity)
    6. Arc-flash detection or other additional functions based on the current quality monitoring
  3. Reactive Subsystem Functions:
    1. Power rail voltage monitoring
    2. Internal temperature monitoring
    3. Dual-path overcurrent check validation
    4. Dual-cut safe load disconnect
    5. Latent failure detection (LFD)
    6. Advanced watchdog to mitigate a non-responsive main system or a main software malfunction
    7. Main-side cross-checking (subsystem status data exchange using a safety-related data exchange protocol such as AUTOSAR E2E)
    8. Controller for the isolated (no feedback) push-pull power supply
    9. System status reporting (LIN/CAN bus)
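The cross-checking functions (main auxiliary function 4, reactive functions 3 and 7) rely on two things: the telemetry crossing the isolator must be protected against corruption, replay and loss, and the reactive side must compare the current the main side reports from its shunt against its own Hall-sensor reading before trusting it. The following C example, written for this page and not taken from Microchip or from the AUTOSAR specification, models both. The CRC is the CRC-8 SAE J1850 polynomial provided by the AUTOSAR Crc library, but the 5-byte frame layout, the data ID, the counter modulus, the tolerated counter delta, the current tolerances and the three-strikes rule are all assumptions, so this is an E2E-style protection rather than a byte-exact E2E profile.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* CRC-8 SAE J1850 (poly 0x1D, init 0xFF, xor-out 0xFF): the CRC8 of the AUTOSAR Crc library. */
static uint8_t crc8_j1850(const uint8_t *d, size_t n) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x1D : crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

/* Assumed 5-byte telemetry PDU: [crc][alive counter][current lo][current hi][fault flags].
 * The 16-bit data ID is mixed into the CRC but never transmitted, so a frame captured
 * from a different PDU or unit fails the check even when its counter happens to fit. */
#define E2E_DATA_ID   0x1A2Bu
#define E2E_CTR_MOD   15u   /* counter runs 0..14, like the 4-bit E2E alive counter */
#define E2E_MAX_DELTA 2u    /* at most one lost frame is tolerated between two good ones */
enum { FRAME_LEN = 5 };

typedef struct { int16_t shunt_mA; uint8_t faults; } telemetry_t;
typedef enum { E2E_OK, E2E_OK_SOME_LOST, E2E_REPEATED, E2E_WRONG_SEQUENCE, E2E_WRONG_CRC } e2e_status_t;
typedef struct { uint8_t last_ctr; bool have_last; } e2e_rx_t;

static uint8_t frame_crc(const uint8_t f[FRAME_LEN]) {
    uint8_t buf[6] = { E2E_DATA_ID & 0xFF, E2E_DATA_ID >> 8, f[1], f[2], f[3], f[4] };
    return crc8_j1850(buf, sizeof buf);
}

/* Main side: protect one sample. The caller keeps the alive counter between calls. */
void e2e_protect(uint8_t f[FRAME_LEN], const telemetry_t *t, uint8_t *ctr) {
    f[1] = *ctr;
    f[2] = (uint8_t)(t->shunt_mA & 0xFF);
    f[3] = (uint8_t)((t->shunt_mA >> 8) & 0xFF);
    f[4] = t->faults;
    f[0] = frame_crc(f);
    *ctr = (uint8_t)((*ctr + 1) % E2E_CTR_MOD);
}

/* Reactive side: decode only a frame that is intact and fresh. */
e2e_status_t e2e_check(e2e_rx_t *rx, const uint8_t f[FRAME_LEN], telemetry_t *out) {
    if (frame_crc(f) != f[0]) return E2E_WRONG_CRC;
    e2e_status_t st = E2E_OK;
    if (rx->have_last) {
        uint8_t delta = (uint8_t)((f[1] + E2E_CTR_MOD - rx->last_ctr) % E2E_CTR_MOD);
        if (delta == 0) return E2E_REPEATED;            /* replayed or stuck sender */
        if (delta > E2E_MAX_DELTA) return E2E_WRONG_SEQUENCE;
        if (delta > 1) st = E2E_OK_SOME_LOST;
    }
    rx->last_ctr = f[1]; rx->have_last = true;
    out->shunt_mA = (int16_t)(uint16_t)(f[2] | (f[3] << 8));
    out->faults = f[4];
    return st;
}

/* Dual-path plausibility: shunt value reported by the main side vs the reactive side's
 * own Hall-sensor reading. Tolerances and the three-strikes rule are assumptions. */
#define XCHK_TOL_PCT    10
#define XCHK_TOL_OFF_MA 200
#define XCHK_MAX_BAD    3
typedef enum { XCHK_OK, XCHK_DEGRADED, XCHK_COMM_FAULT, XCHK_MAIN_FAULT_FLAG, XCHK_CURRENT_MISMATCH } xchk_verdict_t;
typedef struct { e2e_rx_t rx; uint8_t bad_frames, bad_current; } xchk_t;

xchk_verdict_t reactive_crosscheck(xchk_t *x, const uint8_t f[FRAME_LEN], int16_t hall_mA) {
    telemetry_t t;
    e2e_status_t st = e2e_check(&x->rx, f, &t);
    if (st == E2E_WRONG_CRC || st == E2E_REPEATED || st == E2E_WRONG_SEQUENCE)
        return (++x->bad_frames >= XCHK_MAX_BAD) ? XCHK_COMM_FAULT : XCHK_DEGRADED;
    x->bad_frames = 0;
    if (t.faults) return XCHK_MAIN_FAULT_FLAG;          /* main side already flags a fault */
    int32_t diff = abs((int32_t)t.shunt_mA - hall_mA);
    int32_t tol  = XCHK_TOL_OFF_MA + abs((int32_t)hall_mA) * XCHK_TOL_PCT / 100;
    if (diff > tol) return (++x->bad_current >= XCHK_MAX_BAD) ? XCHK_CURRENT_MISMATCH : XCHK_DEGRADED;
    x->bad_current = 0;
    return XCHK_OK;
}

/* Constructed exchanges, not captured bus traffic. */
xchk_verdict_t scenario_replay(void) {        /* one good frame, then the same bytes three more times */
    uint8_t ctr = 0, f[FRAME_LEN]; xchk_t x = {0}; telemetry_t t = { 12000, 0 };
    e2e_protect(f, &t, &ctr);
    xchk_verdict_t v = reactive_crosscheck(&x, f, 12100);
    for (int i = 0; i < XCHK_MAX_BAD; i++) v = reactive_crosscheck(&x, f, 12100);
    return v;                                 /* XCHK_COMM_FAULT */
}
xchk_verdict_t scenario_lost_frame(void) {    /* the second frame never arrives: tolerated */
    uint8_t ctr = 0, f[FRAME_LEN]; xchk_t x = {0}; telemetry_t t = { 12000, 0 };
    e2e_protect(f, &t, &ctr); reactive_crosscheck(&x, f, 12100);
    e2e_protect(f, &t, &ctr);                 /* lost in transit */
    e2e_protect(f, &t, &ctr);
    return reactive_crosscheck(&x, f, 11900); /* XCHK_OK */
}
xchk_verdict_t scenario_shunt_path_dead(void) { /* main reports 0 A while the Hall path sees 30 A */
    uint8_t ctr = 0, f[FRAME_LEN]; xchk_t x = {0}; telemetry_t t = { 0, 0 };
    xchk_verdict_t v = XCHK_OK;
    for (int i = 0; i < XCHK_MAX_BAD; i++) { e2e_protect(f, &t, &ctr); v = reactive_crosscheck(&x, f, 30000); }
    return v;                                 /* XCHK_CURRENT_MISMATCH */
}
```

Two design points carry over to the real system. A repeated frame is rejected even though its CRC is valid, because a stuck or replayed telemetry stream would otherwise let a dead main subsystem keep reporting a healthy current forever. And the plausibility check compares two diverse measurement paths (shunt on the main side, Hall sensor on the reactive side), so a single failed sensing chain cannot hide an overcurrent from both subsystems; the reactive side acts on the disconnect device in that case, not on the main MCU.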
Table 3-1. Item Function

Item-to-function matrix. Columns are the function codes from the lists above: 1A-1F (main subsystem principal functions), 2A-2F (main subsystem auxiliary functions), 3A-3F, 3H, 3I (reactive subsystem functions). Rows: Functional-Specific items, General items. Only the table headers are preserved here.