4 Reactive Approach Generalization

The approach generalization contains all the general components (depicted in green) needed to accomplish a reactive fail-safe topology, plus additional blocks that are application specific (depicted in blue).

Figure 4-1. Reactive Fail-Safe Architecture System Generalization

The general system components (green) are:

  1. Microchip dsPIC33A DSC: This is the main MCU; its processing power allows it to run the safety function and to service the additional check-backs requested by the reactive side.
  2. AVR SD: This is the core of the reactive subsystem. It monitors the operating conditions of the main MCU and indirectly verifies whether the safety function is being performed by a healthy (main) subsystem.
  3. Push-Pull Driver: The reactive side drives the DC-DC converter from its PWM port; the converter delivers power to the main controller circuitry through the isolation barrier.
  4. Power Block: Regulates and monitors the DC-DC voltages that power the main system.
  5. DC-DC Converter Isolation Transformer: Transfers power from the reactive subsystem to the floating main subsystem.
  6. Two-Port Isolator: Galvanically isolates the Advanced Watchdog port (PWM for the health check and sGPIO for the remote reset).
  7. Two-Port Isolator: Galvanically isolates the Main-Reactive telemetry data exchange port.
  8. OR Logic Block: Collects all main-subsystem faults (power, temperature, overcurrent and driver faults) into a single digital channel. This channel feeds a safety GPIO (fault flag) on the reactive side.
  9. Environmental Temperature Monitor: The environmental temperature is monitored on the reactive side to ensure that nominal working conditions are maintained during system operation.
  10. Power Input Monitoring: The input rail is monitored for marginal undervoltage and overvoltage conditions.
  11. Power Supply: Provides regulated power to all reactive-side circuitry. Its input is protected against overvoltage and undervoltage conditions and is monitored by the MCU.
  12. Air Gap Disconnect Device: A device with intrinsic safety characteristics (a pyrofuse or a safety relay) capable of temporarily or permanently disconnecting the power bus once a fault is detected. Disconnecting the load (removing power) places the system in the Safe State.
  13. Air Gap Disconnect Driver: Controls the disconnect device and checks its health. This circuitry has safety characteristics and usually provides floating control (double-cut, i.e. both power lines are interrupted) of the main relay or fuse.
  14. Power Port: The primary power port for the system.
  15. Host System Interfaces: The PHYs that interface the reactive subsystem with the outside world.
  16. Host System Interfaces: The PHYs that interface the main subsystem with the outside world. All signals going to the main MCU are isolated. A floating-ground topology was chosen for the main system to simplify the high-speed circuitry design.
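The Advanced Watchdog port (item 6) and the ORed fault flag (item 8) are what the reactive side actually acts on. The following is an added example, not code from the application note or from Microchip, of how the AVR SD side can evaluate the isolated PWM health-check line as a window watchdog and combine it with the fault flag to pick between a remote reset over the sGPIO and opening the air gap disconnect. The window bounds (`WIN_MIN_US`, `WIN_MAX_US`), the strike budget, the timer resolution and the reset-before-disconnect policy in `decide()` are assumptions for illustration; the page specifies none of them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Window watchdog on the reactive (AVR SD) side. The main MCU toggles the
 * isolated PWM health-check line; each edge must arrive no sooner than
 * WIN_MIN_US and no later than WIN_MAX_US after the previous one. The window
 * bounds, strike budget and action policy are assumptions made for this
 * example, not values from the application note. */
#define WIN_MIN_US   8000u
#define WIN_MAX_US  12000u
#define MAX_STRIKES     2u

typedef enum { WD_OK = 0, WD_TOO_EARLY, WD_TOO_LATE, WD_TRIPPED } wd_status_t;

typedef struct {
    uint32_t last_edge_us;  /* timestamp of the last accepted edge */
    uint32_t deadline_us;   /* last_edge_us + WIN_MAX_US, advanced on silence */
    unsigned strikes;       /* consecutive window violations */
    bool     tripped;
} wd_t;

void wd_init(wd_t *wd, uint32_t now_us)
{
    wd->last_edge_us = now_us;
    wd->deadline_us  = now_us + WIN_MAX_US;
    wd->strikes = 0;
    wd->tripped = false;
}

static void wd_strike(wd_t *wd)
{
    if (++wd->strikes >= MAX_STRIKES)
        wd->tripped = true;
}

/* Called periodically from the reactive main loop. A silent main MCU never
 * raises the edge interrupt, so lateness must be detected by polling: one
 * strike per fully missed window. The signed difference keeps the comparison
 * correct across timer wrap-around. */
wd_status_t wd_poll(wd_t *wd, uint32_t now_us)
{
    bool late = false;
    while (!wd->tripped && (int32_t)(now_us - wd->deadline_us) > 0) {
        wd_strike(wd);
        wd->deadline_us += WIN_MAX_US;
        late = true;
    }
    if (wd->tripped) return WD_TRIPPED;
    return late ? WD_TOO_LATE : WD_OK;
}

/* Called from the edge-capture ISR of the health-check input. */
wd_status_t wd_on_edge(wd_t *wd, uint32_t now_us)
{
    if (wd->tripped) return WD_TRIPPED;
    uint32_t dt = now_us - wd->last_edge_us;
    wd_poll(wd, now_us);              /* charge any window already missed */
    wd_status_t s = WD_OK;
    if (dt > WIN_MAX_US) {
        s = WD_TOO_LATE;              /* strike already charged by wd_poll */
    } else if (dt < WIN_MIN_US) {
        s = WD_TOO_EARLY;             /* runaway or spurious toggling */
        wd_strike(wd);
    } else {
        wd->strikes = 0;              /* a well-timed edge clears jitter strikes */
    }
    wd->last_edge_us = now_us;
    wd->deadline_us  = now_us + WIN_MAX_US;
    return wd->tripped ? WD_TRIPPED : s;
}

typedef enum { ACT_NONE = 0, ACT_RESET_MAIN, ACT_DISCONNECT } action_t;

/* Reactive-side decision combining the watchdog with the ORed fault flag
 * (power, temperature, overcurrent, driver). Assumed policy: a hardware fault
 * opens the air gap disconnect immediately; a tripped watchdog with no
 * hardware fault gets one remote reset over the isolated sGPIO, and a trip
 * after that reset also disconnects. */
action_t decide(wd_status_t wd, bool fault_flag, bool reset_already_used)
{
    if (fault_flag) return ACT_DISCONNECT;
    if (wd == WD_TRIPPED) return reset_already_used ? ACT_DISCONNECT : ACT_RESET_MAIN;
    return ACT_NONE;
}

int main(void)
{
    wd_t wd;
    wd_init(&wd, 0);
    /* Constructed timeline: healthy, one early edge, recovery, then silence. */
    const uint32_t edges[] = { 10000, 20000, 25000, 35000, 45000 };
    for (size_t i = 0; i < sizeof edges / sizeof edges[0]; i++)
        printf("edge @%6u us -> %d\n", (unsigned)edges[i], wd_on_edge(&wd, edges[i]));
    wd_status_t s = wd_poll(&wd, 90000);   /* main MCU went silent */
    printf("poll @ 90000 us -> %d, action %d\n", s, decide(s, false, false));
    return 0;
}
```

The two entry points matter: `wd_on_edge()` alone cannot catch a main MCU that stops toggling, because the interrupt never fires, so `wd_poll()` has to run from the reactive main loop at a rate faster than `WIN_MAX_US`. The early-edge check is what distinguishes a window watchdog from a plain timeout; a runaway main MCU that toggles the line from a tight loop is rejected rather than accepted.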

The application specific system components (blue) are:

  1. Time Relaxed Feedback Pre-Processing Interface: This interface connects the second set of slow sensors to the reactive MCU. For example, if the main subsystem controls the position or speed of an actuator with a variable load at a very fast rate, the reactive side only needs the average outcome of that action (for instance, that the actuator moved from position A to position B) for verification purposes. This technique usually uses integration to calculate the average response.
  2. Main Time Critical Function Interfacing Circuitry: The circuitry the main subsystem uses to accomplish the safety function through sensing and control. It also includes the additional sensors that feed the reactive side for validation purposes.
  3. Main Time Critical Sensing Feedback and Time Critical Control: The circuitry required to implement the fast-loop sensing and control that accomplish the safety function.
  4. Sensing-2 for Reactive Feedback: A second, independent collection of sensors that acquires averaged (integrated) data to feed the reactive check-back.
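Items 1 and 4 describe the same mechanism from two ends: the main subsystem reports, over the isolated telemetry port, that it moved the actuator from A to B, and the reactive side integrates the slow Sensing-2 stream to confirm that the move really happened. The following is an added example, not code from the application note or from Microchip, of that check-back. The telemetry record layout (`move_report_t`), the choice of velocity samples as the Sensing-2 quantity, the units, the constructed sample stream and the tolerances (`TOL_PCT`, `DEADBAND_CNT`) are all assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Telemetry record the main MCU sends over the isolated port once per
 * verification window. The record layout, units and tolerances are assumed
 * for this example. Positions are in encoder counts. */
typedef struct {
    int32_t  pos_start;   /* position A */
    int32_t  pos_end;     /* position B */
    uint32_t window_ms;   /* duration of the move the record describes */
} move_report_t;

/* Sensing-2 delivers a slow stream of velocity samples (counts/s) every dt_ms.
 * Trapezoidal integration over the window yields the net displacement, which
 * is all the reactive side needs to confirm that A -> B actually happened. */
int64_t integrate_displacement(const int32_t *vel_cps, size_t n, uint32_t dt_ms)
{
    if (n < 2) return 0;
    int64_t twice_area = 0;
    for (size_t i = 1; i < n; i++)
        twice_area += (int64_t)vel_cps[i - 1] + vel_cps[i];
    return twice_area * dt_ms / 2000;   /* /2 for the trapezoid, /1000 for ms -> s */
}

typedef enum { CHK_OK = 0, CHK_MISMATCH, CHK_NO_MOTION, CHK_BAD_REPORT } check_t;

#define TOL_PCT       10   /* allowed relative error on a commanded move (assumed) */
#define DEADBAND_CNT   5   /* allowed drift when no move was commanded (assumed) */

/* Reactive check-back: compare what the main MCU claims (telemetry) with what
 * the independent sensors measured (integration). */
check_t check_move(const move_report_t *r, const int32_t *vel_cps, size_t n, uint32_t dt_ms)
{
    /* The record must cover exactly the sampled interval, otherwise the main
     * side and the reactive side are not talking about the same window. */
    if (n < 2 || dt_ms == 0 || (uint64_t)(n - 1) * dt_ms != r->window_ms)
        return CHK_BAD_REPORT;

    int64_t expected = (int64_t)r->pos_end - r->pos_start;
    int64_t measured = integrate_displacement(vel_cps, n, dt_ms);
    int64_t err      = llabs(measured - expected);

    if (expected == 0)
        return err <= DEADBAND_CNT ? CHK_OK : CHK_MISMATCH;  /* moved without a command */
    if (llabs(measured) <= DEADBAND_CNT)
        return CHK_NO_MOTION;                               /* commanded but stuck */
    return err <= llabs(expected) * TOL_PCT / 100 ? CHK_OK : CHK_MISMATCH;
}

/* Constructed Sensing-2 stream: 11 samples 10 ms apart, a trapezoidal
 * velocity profile that integrates to 80 counts over the 100 ms window. */
const uint32_t SAMPLE_DT_MS = 10;
const size_t   SAMPLE_N     = 11;
const int32_t  SAMPLE_VEL[11] = { 0, 500, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 500, 0 };

int main(void)
{
    move_report_t honest  = { 0, 80,  100 };  /* matches the sensors */
    move_report_t inflate = { 0, 120, 100 };  /* main claims more than happened */
    printf("displacement = %lld counts\n",
           (long long)integrate_displacement(SAMPLE_VEL, SAMPLE_N, SAMPLE_DT_MS));
    printf("honest report   -> %d\n", check_move(&honest,  SAMPLE_VEL, SAMPLE_N, SAMPLE_DT_MS));
    printf("inflated report -> %d\n", check_move(&inflate, SAMPLE_VEL, SAMPLE_N, SAMPLE_DT_MS));
    return 0;
}
```

The point of the time-relaxed interface is visible in the numbers: the main loop may have run a fast position or current loop thousands of times during those 100 ms, but the reactive side only consumes 11 samples and a three-field record, and can still tell apart a correct move, an inflated claim, a stuck actuator and motion that nobody commanded. Any result other than `CHK_OK` is a candidate input to the same reactive decision logic that consumes the fault flag.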

This generalized topology can be applied to all designs that allow a temporary Permissive State within the SDT.