Open Circulation
Deep Life Open Revolution Submission
Correction of Safety Non-compliance for the Rebreather Control Electronics
DOCUMENT: GreenB_61508_NConf1_070315.doc
ORIGINATOR: Marat Yevtukhov
DEPARTMENT: Engineering
LAST UPDATED: 15th March 2007
REVISION: A1
APPROVALS
Hardware Architect: ______ Date: ______
Software Architect: ______ Date: ______
Project Manager: ______ Date: ______
Quality Officer: ______ Date: ______
Controlled Document / Classified Document
Unclassified if blank
Revision History
Revision | Date | Description
A | 12th February 2007 | Initial issue of Green Book covering low power issues, updated 21st Feb 2007 with approval to proceed. A1 approved for publication 15th Mar 2007.
Copyright © 2007 Deep Life Ltd
All rights reserved. No circuit may be reproduced without a licence for the topographical rights contained therein from Deep Life Ltd. This document does not constitute a licence to use any patent, patent application or topographical right of Deep Life Ltd.
Table of Contents
Page1 Deep Life Ltd - For when technology really must be dependable
1 Purpose and Scope
2 Requirement Specification
3 Division of FPGA and MCU Functions
4 FPGA Safety Proposals
5 MCU selection
6 Base Unit and Handset clocking
7 Power supplies proposals
8 Auto turn ON/OFF
9 Base Unit programming
10 ADCs and Voltage References
10.1 Voltage References
11 Oxygen Cell Verification DAC
12 Effect on project schedules
13 References
1 Purpose and Scope
The EN61508 compliance reviews of the Deep Life Open Revolution Rebreather Project have identified the following problems with the electronics, currently Rev C, which have to be resolved before the product can be manufactured or sold. These are:
- Neither the FPGA nor the MCU in the existing design meets the requirements for a SIL 4 system: both need to be replaced because the complexity of these has gradually crept up during the project and is now such that they can no longer be verified on a Black Box principle. It is necessary to carry out White Box verification. This requires changes to the MCU selection and to the FPGA load sequence.
- The Xilinx Spartan FPGAs load from memory on power up: this is a long power up sequence, and any corruption of the data will result in incorrect functionality being loaded.
- The MCU in the existing design is a Microchip PIC processor, which has not been formally verified and for which no formally verified or open source code exists. The objective is to eliminate dynamic FPGA loads, and switch to a processor for which a formal verification route exists.
- The existing electronics cannot power on automatically with low PPO2 without consuming large amounts of power. The objective is to reduce the quiescent power to a few tens of microamps.
- The O2 cells go to each ADC. Therefore one faulty O2 cell can destroy all ADCs: a single point failure that must be removed.
This document sets out how these non-compliance issues are being resolved.
The scope of this document is the Green Book in the quality control system of Deep Life Ltd, as set down in QP05 and QP20; namely, this document describes a specific engineering implementation for a design change to correct for this non-compliance.
2 Requirement Specification
The requirement specifications are contained in Micropore_OR_051222.pdf for the Sports configuration, and BlueB_ORTONOR_060320C.pdf and GreenB_ORTONOR_070105.pdf for the umbilical diving configuration.
The requirement of this work is to identify and implement corrections for the four issues listed above.
Figure 1: Block structure of the Rev C Base Unit.
3 Division of FPGA and MCU Functions
The FPGA and Microcontroller (MCU) provide the processing in the Base Unit on the basis of dual redundancy, with two different implementations for each processing section (FPGA vs MCU).
The FPGA and MCU each have a 24-bit analog to digital converter (ADC) to read sensor values.
The common peripherals, such as batteries, switches, shut off valve, step up converters, digital pressure sensors, and scrubber stick sensor multiplexers, are controlled through XOR logic gates so that they can be accessed from both the FPGA and the MCU, regardless of the state of the other processor.
The FPGA has a major monitoring role, and gives the MCU a predefined time window to execute control actions. Each common control line has a return path to both the FPGA and the MCU.
There are two 8MHz clock crystals for redundancy. The FPGA and MCU have separate 8MHz clock paths from the monitoring circuitry.
The FPGA has an internal full speed USB 1.1 module. It is clocked by a 48MHz clock signal produced by a DCM in the FPGA.
The focus here is the Base Unit. The handset has the same FPGA and MCU structure. It is intended to implement the changes made in the base unit in the handset also.
Sensors are divided amongst the ADCs such that if one power supply is shorted out, the unit continues to function. For example, if the MCU power supply is shorted, all safety critical functions are maintained by the FPGA.
Table 1: Division of sensor functions between FPGA and MCU
FPGA | MCU
O2 Sensor1 | O2 Sensor1
O2 Sensor2 | O2 Sensor2
O2 Sensor3 | O2 Sensor3
O2 Sensor4 | O2 Sensor4
O2 Injector1 Linear Hall sensor | O2 Injector2 Linear Hall sensor
Main Battery Voltage | Main Battery Voltage
Auxiliary Battery Voltage | Auxiliary Battery Voltage
External Battery Voltage (i.e. Handset or umbilical power) | External Battery Voltage (i.e. Handset or umbilical power)
Current Consumption | Humidity Sensor
Oxygen Cylinder Pressure | Scrubber Stick Multiplexer
Diluent Cylinder Pressure | Differential Pressure Sensor on the Scrubber stick, or Digital Pressure Sensor
Ambient Pressure |
Ambient Temperature | Scrubber Stick has on board ADC to sample CO2, CO, HC, and He readings
Four Shut off Valve Sensors |
Wet Sensor |
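The XOR-gated shared control lines and their return paths, described in Section 3, are the mechanism that lets either processor keep control when the other has failed, and that lets each processor confirm what the line actually did. The following model is an added example and is not Deep Life's code or circuitry: it simulates one shared line (a shut off valve drive, say) whose level is the XOR of the FPGA and MCU outputs, with a readback check on the return path. The structure names, the "frozen MCU" and "stuck line" fault cases, and the two scenario functions are all constructed for illustration.

```c
/* Added example: model of one shared control line driven through an XOR gate
 * by both the FPGA and the MCU, with readback on the return path.
 * Not Deep Life's design; names and fault cases are constructed. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { LINE_FREE = -1, LINE_STUCK_LOW = 0, LINE_STUCK_HIGH = 1 } line_fault_t;

typedef struct {
    bool fpga_out;      /* level the FPGA drives onto its XOR input */
    bool mcu_out;       /* level the MCU drives onto its XOR input */
    bool mcu_alive;     /* false models a dead MCU whose output is frozen */
    line_fault_t fault; /* constructed wiring fault on the shared line */
} shared_line_t;

/* The XOR output as seen on the return path by both processors. */
static bool line_readback(const shared_line_t *l)
{
    if (l->fault != LINE_FREE)
        return l->fault == LINE_STUCK_HIGH;   /* short overrides the gate */
    return l->fpga_out ^ l->mcu_out;
}

/* A processor wanting level `want` toggles its own XOR input when the line
 * disagrees, then confirms via readback. XOR with a constant is a bijection,
 * so toggling one input always flips the output whatever the other holds.
 * Returns true when readback matches; false flags a fault to the caller. */
static bool drive(shared_line_t *l, bool *my_out, bool want)
{
    if (line_readback(l) != want)
        *my_out = !*my_out;
    return line_readback(l) == want;
}

bool fpga_set(shared_line_t *l, bool want)
{
    return drive(l, &l->fpga_out, want);
}

bool mcu_set(shared_line_t *l, bool want)
{
    if (!l->mcu_alive)                        /* frozen output: cannot toggle */
        return line_readback(l) == want;
    return drive(l, &l->mcu_out, want);
}

/* Scenario 1 (constructed): the MCU dies with its output frozen high. The
 * FPGA must still be able to drive the line high and then low. */
bool fpga_controls_with_dead_mcu(void)
{
    shared_line_t l = { false, true, true, LINE_FREE };
    l.mcu_alive = false;                      /* MCU output now stuck at 1 */
    return fpga_set(&l, true) && fpga_set(&l, false);
}

/* Scenario 2 (constructed): the shared line is shorted low. Readback disagrees
 * with the request for both processors, so either one detects the fault. */
bool stuck_line_is_detected(void)
{
    shared_line_t l = { false, false, true, LINE_STUCK_LOW };
    bool fpga_ok = fpga_set(&l, true);
    bool mcu_ok = mcu_set(&l, true);
    return !fpga_ok && !mcu_ok;
}

int main(void)
{
    printf("FPGA control with dead MCU: %s\n", fpga_controls_with_dead_mcu() ? "ok" : "FAIL");
    printf("stuck-low line detected:    %s\n", stuck_line_is_detected() ? "ok" : "FAIL");
    return 0;
}
```

The readback is what turns the XOR arrangement into a checkable one: a processor that toggles its output and does not see the line follow knows that either the line or the gate has failed, which is the condition the monitoring role in Section 3 exists to catch.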
4 FPGA Safety Proposals
The existing design uses an XC3S400-PQ208 Spartan-3 family FPGA. This provides 400K system gates, equivalent to 8064 logic cells, of which 70% are utilised. Each logic cell consists of a 4-input Look-Up Table (LUT) plus a 'D' flip-flop. The part has 288Kbits of RAM. The package is a Pb-free PQG208 Quad Flat Pack with 208 pins, providing 141 available user I/Os.
The XC3S400 requires three power sources for normal operation:
- 1.2V core power supply, consumption measured at 15mA
- 2.5V auxiliary power supply, current consumption measured at 29mA. This supply is also used for the Digital Clock Manager (DCM).
- 3.3V output driver supply.
The FPGA has several internal clocks. The input clock is 8MHz, the processing unit clock 500kHz, and the I2C and USART clock 250kHz. The USB 48MHz clock is produced by a DCM block in the FPGA.
The Software Safety Compliance team suggested changing the FPGA manufacturer from Xilinx to Actel Corporation to comply with EN61508, as the transfer of configuration data from Flash memory to the FPGA every time it switches on is deemed too hazardous for the purposes of an EN61508 SIL 4 system. The change is made to use Actel parts, as these are used almost universally for aircraft control and other critical applications. The Actel FPGAs incorporate the Flash memory into the FPGA itself.
One time programmable parts were considered, particularly low power QuickLogic FPGAs, but the difficulties of performing hardware upgrades and the risk that these do not configure correctly eliminated them during the safety review process.
Actel manufacture three low power FPGA families:
- ProASIC3 Flash
- IGLOO Low Power Flash
- Fusion Family of Mixed-Signal Flash
The main criteria for the FPGA selection are:
- The lowest power consumption.
- Not Ball Grid Array due to risk of stress cracks during pressure cycling
- ROHS compliant, Pb-free
- Number of logic gates should be at least 400k.
- The number of available user I/Os should be the same as or greater than on the XC3S400 (this is especially important in the handset design, where a numeric custom display with a large pin count is used).
- Availability.
The Actel IGLOO Low Power Flash FPGAs are very attractive in terms of current consumption, but there are none in Quad Flat Pack packages. The AGL600 looks ideal, and has 600k system gates, but is packaged only in BGA packages. They are not available from stock.
The Fusion Family of Mixed-Signal Flash has the AFS600 chip with a sufficient number of system gates, but it is packaged in a PQ208 package with insufficient user I/Os. It also has excessive internal analog circuitry and is not available from stock.
This leaves the Actel ProASIC3 Flash family. The A3P400 from this family does seem suitable, though the gate count is the minimum required:
- A3P400 quiescent supply current 3mA; I/O input buffer power (per pin) 16.69uW/MHz; I/O output buffer maximum power (per pin) 468.67uW/MHz.
- Packaged in PQG208 Quad Flat package, RoHS compliant.
- A3P400 is an in-application reprogrammable FPGA.
- 400k system logic gates.
- 151 single-ended user I/Os available.
- In stock at Mouser, order code 892-A3P400-PQG208. Price for 1: $46.80; from 24: $38.84.
The A3P400 supports the LVCMOS 3.3V single-ended I/O standard; inputs are LVCMOS 5.0V compliant.
The A3P400 can be programmed via IEEE1149.1 (JTAG) and does not require any external ROM. Programming it will require the MCU to have the USB interface to the PC, and will be an additional MCU resource load.
The A3P400 requires 1.5V for the core power supply, and 3.3V for the pin drivers.
As the USB interface will be part of the MCU there will be no need for a 48MHz clock in the FPGA. The main FPGA clock can be 500kHz, which will also reduce FPGA current consumption. The input clock will remain at 8MHz using a SG-310-CGF mA crystal oscillator available from Farnell (order code 127-8051). For redundancy the FPGA should have an additional crystal oscillator instead of the existing clock monitoring circuitry.
5 MCU selection
The existing design uses a Microchip PIC18F8722 operating in parallel with an FPGA, where either can perform the entire function.
The main disadvantage of this MCU is that the processor core is not verified, and the compilers for it are neither verified nor Open Source. The reason for adopting the PIC was that it is inexpensive and could be verified on a Black Box basis; however, since then the design has grown in function.
The safety review of the design concluded that the functionality is now too complex to be fully verified as a Black Box, and that as a White Box, without open tools and formal verification of the core, the PIC processors do not meet the requirements of EN61508 and EN12207 for Safety Integrity Level 1 or above. A formally verified processor is required, with Open Source or verified compilers.
By formal verification, it is meant that the core has been extracted and the logic compared automatically with an RTL description, using mathematical equivalence proof tools, and the RTL has been formally verified to express the instruction set and other operations, again using mathematical theorem proving methods.
The following processors have been formally verified and are available:
- RSC Viper Processor.
- VAMP Processor
- ARM6 Processor
- ARM7 Processor, verified using the AMBA 3 AXI protocol platform.
The design focuses on ARM7, because ARM6 is obsolete, VAMP requires synthesis and layout and is likely to require a high power budget, and the Viper too is an old design that is power hungry.
Many different ARM7 MCUs are available. From these the selection criteria are:
- Low power.
- Single power supply to avoid dependency on multiple supplies.
- Internal and redundant system clocks.
- Internal real time clock (RTC) to enable the processor to have a watchdog.
- Low current power down mode.
- Integrated brown-out detection.
- USB 2.0 interface.
- Integrated I2C, USARTs.
- Sufficient number of I/O pins.
- Must not use BGA or flip chip packaging as these would fail when pressurised.
- Availability in RoHS compliant form.
- Open source C compiler, or other compiler in a language listed in EN61508 for SIL 4 systems.
The LPC2368 was selected: this is from NXP, originally Philips.
The LPC2368 microcontroller is based on a 16-bit/32-bit ARM7TDMI-S CPU with real-time emulation, and combines the microcontroller with 512kB of embedded high-speed flash memory. It has In-System Programming (ISP) and In-Application Programming (IAP) capabilities. Flash program memory is on the ARM local bus for high performance CPU access.
The device operates from a single 3.3V power supply (3.0V to 3.6V). It has brownout detection with separate thresholds for interrupt and forced reset.
Current consumption of the LPC2368 is 21mA at 10MHz with all peripherals enabled. In deep power-down mode it consumes just 15uA.
The LPC2368 includes three independent oscillators. These are the Main Oscillator, the Internal 4MHz RC oscillator, and the RTC oscillator. Each oscillator can be used for more than one purpose as required in a particular application. Any of the three clock sources can be chosen by software to drive the PLL and ultimately the CPU.
The Watchdog Clock source can be selected from the RTC clock, the Internal RC oscillator, or the APB peripheral clock. This gives a wide range of potential timing choices of Watchdog operation under different power reduction conditions. It also provides the ability to run the WDT from an entirely internal source that is not dependent on an external crystal and its associated components and wiring, for increased reliability. Finally, the internal Watchdog source can be used to monitor the program, to force a recovery should anything hang.
The RTC has a separate power pin drawing 28uA. The device can wake up from the RTC interrupt.
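The watchdog arrangement above (a clock source that does not depend on the external crystal, and a forced reset should the program hang) is the part of the LPC2368 selection that directly serves the safety case. The following is an added example, not Deep Life's firmware or NXP's code: it configures the LPC2368 watchdog from the internal RC oscillator with reset on timeout, and derives the reload value from the selected clock. The register layout (WDMOD, WDTC, WDFEED, WDTV, WDCLKSEL from 0xE0000000), bit positions, the 0xAA/0x55 feed sequence and the fixed divide-by-4 prescaler are taken from NXP's LPC23xx user manual and should be checked against the manual revision in use; the register block is addressed through a struct pointer so the same code can be run against a constructed RAM copy off-target, which is what the self-test function does.

```c
/* Added example: LPC2368 watchdog set-up from the internal RC oscillator.
 * Not Deep Life's or NXP's code. Register map and bits are as read from the
 * LPC23xx user manual (UM10211); verify against the revision in use. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    volatile uint32_t MOD;    /* WDMOD:    bit0 WDEN, bit1 WDRESET, bit2 WDTOF, bit3 WDINT */
    volatile uint32_t TC;     /* WDTC:     reload value, hardware minimum 0xFF */
    volatile uint32_t FEED;   /* WDFEED:   write 0xAA then 0x55 to reload */
    volatile uint32_t TV;     /* WDTV:     current count (read only) */
    volatile uint32_t CLKSEL; /* WDCLKSEL: 0 internal RC, 1 APB clock, 2 RTC oscillator */
} lpc23xx_wdt_t;

#define WDT_BASE_ADDR  0xE0000000u   /* watchdog block base per UM10211 */
#define WDMOD_WDEN     (1u << 0)
#define WDMOD_WDRESET  (1u << 1)
#define WDMOD_WDTOF    (1u << 2)

enum { WDCLK_INTERNAL_RC = 0, WDCLK_APB = 1, WDCLK_RTC = 2 };

/* The counter runs at wdclk/4, so a timeout of `ms` milliseconds needs
 * clk_hz * ms / 4000 ticks, clamped up to the hardware minimum of 0xFF.
 * Returns 0 when the value would not fit in the 32-bit WDTC register. */
uint32_t wdt_reload_for_ms(uint32_t clk_hz, uint32_t ms)
{
    uint64_t ticks = (uint64_t)clk_hz * ms / 4000u;
    if (ticks > 0xFFFFFFFFu) return 0;
    if (ticks < 0xFF) ticks = 0xFF;
    return (uint32_t)ticks;
}

/* Feed sequence: two back-to-back writes; any other WDT access between them aborts it. */
void wdt_feed(lpc23xx_wdt_t *w)
{
    w->FEED = 0xAA;
    w->FEED = 0x55;
}

/* Select the clock, load the timeout, arm reset-on-timeout and start the
 * counter with the first feed. Returns the reload value loaded, 0 on failure. */
uint32_t wdt_start(lpc23xx_wdt_t *w, uint32_t clksel, uint32_t clk_hz, uint32_t ms)
{
    uint32_t tc = wdt_reload_for_ms(clk_hz, ms);
    if (tc == 0) return 0;
    w->CLKSEL = clksel;
    w->TC = tc;
    w->MOD = WDMOD_WDEN | WDMOD_WDRESET;  /* once set, WDEN cannot be cleared by software */
    wdt_feed(w);
    return tc;
}

/* After a reset, WDTOF tells the firmware whether the watchdog caused it. */
int wdt_caused_last_reset(const lpc23xx_wdt_t *w)
{
    return (w->MOD & WDMOD_WDTOF) != 0;
}

/* Off-target self-test on a constructed RAM copy: 500 ms from the 4 MHz
 * internal RC must load 500000 ticks, select clock 0 and arm WDEN|WDRESET. */
int wdt_ram_selftest(void)
{
    lpc23xx_wdt_t ram = {0, 0, 0, 0, 0};
    uint32_t tc = wdt_start(&ram, WDCLK_INTERNAL_RC, 4000000u, 500u);
    return tc == 500000u && ram.TC == 500000u && ram.CLKSEL == WDCLK_INTERNAL_RC
        && ram.MOD == (WDMOD_WDEN | WDMOD_WDRESET) && ram.FEED == 0x55;
}

int main(void)
{
    /* On target: lpc23xx_wdt_t *wdt = (lpc23xx_wdt_t *)WDT_BASE_ADDR;
     * then wdt_start(wdt, WDCLK_INTERNAL_RC, 4000000u, 500u) and wdt_feed(wdt)
     * from the main loop. Here only the RAM self-test runs. */
    printf("watchdog RAM self-test: %s\n", wdt_ram_selftest() ? "ok" : "FAIL");
    return 0;
}
```

Two points the code makes explicit: with the RTC oscillator at 32.768kHz a one-millisecond request is below the hardware minimum and is clamped to 0xFF ticks, so short timeouts need the faster internal RC or APB clock; and because WDEN cannot be cleared once set, the watchdog must be started only after the firmware is in a state where the main loop will reliably feed it.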
The LPC2368 has four general purpose timers/counters.
The chip has a USB 2.0 full-speed (12Mbps) device with on-chip PHY and associated DMA controller, four UARTs all with FIFOs, and three I2C controllers.
The LPC2368 is packaged in a 100-lead plastic low profile quad flat package. It is RoHS compatible.
The GNU GCC compiler supports the ARM core of the LPC2368.
For prototype purposes, chips are available from Digikey at a cost of £4.53 each.
6 Base Unit and Handset clocking
One of the current hungry modules in the Rev C design is the clock monitoring circuitry. It is proposed to replace it by monitoring the clocks internally within the FPGA and MCU.
The digital pressure sensor requires a 32kHz master clock. This clock can be produced by the MCU timer and further monitored by the FPGA.
The ADCs will run using an external clock of 8MHz.
Experiments showed that an ADC running from its internal 9MHz clock produces more noise than the synchronous (external clock) configuration. See Table 2.
OSR | 32768 | 16384 | 8192 | 4096 | 2048 | 1024 | 512 | 256 | 128 | 64
External clock, RMS uV | 2.36 | 3.38 | 3.47 | 4.78 | 7.1 | 10.61 | 16.88 | 18.36 | 27.17 | 42.9
External clock, p-p uV | 20 | 31 | 21 | 27 | 41 | 66 | 102 | 90 | 174 | 280
Internal clock, RMS uV | 5.16 | 6.9 | 9.38 | 13.55 | 17.56 | 27.24 | 41.04 | 55.58 | 73.36 | 118.17
Internal clock, p-p uV | 40 | 45 | 58 | 85 | 89 | 206 | 297 | 334 | 550 | 670
Table 2: Noise level comparison for internal and external clocking of the ADCs.
7 Power supplies proposals
Instead of the existing Li-Ion batteries it is proposed to use a standard Li-Ion battery pack to reduce the power consumption, in conjunction with the change in FPGA and microcontroller.
The battery pack has 2400mAh capacity, and will operate within the voltages 5.5V (cut-off), 7.4V (working) and 8.4V (peak). It has an internal protection PCB to protect the batteries from overcharge, over-discharge, over-drain and short circuit. To protect the batteries from high pressure, they will be assembled end to end (stick configuration) and put into a hermetic tube at a pressure of 1 bar.
The tubes will be twice as long as for the existing design, but the existing ones for the SCR implementation can be used for the Sports eCCR configuration.
The suggested manufacturer is Abatel, though explosion proof batteries from Valence Technology are being assessed as a possible replacement. The charging voltages and currents for the Valence batteries differ from those for normal Li-Ion cells. The Valence cells have the following characteristics in the series configuration, i.e. two batteries per assembly, and two assemblies per scrubber:
- the nominal c/5 discharge voltage will be 6.4V,
- discharge termination voltage 5.0V,
- constant charge current 700mA,
- constant voltage charge 7.3V.
Figure 2: Battery pack configuration
There should be two battery packs on the base unit to provide redundancy in case one pack fails. A third battery pack will be located on the handset. Any one pack can power the entire system.
Careful consideration was given to the use of intrinsically safe batteries, particularly the Valence safe battery. These have a constant charge voltage of 3.65V versus 4.2V for normal Li-Ion, so they cannot use any standard charger, which use constant voltage.
The capacity of the Valence battery is 1.1Ah, which is half that of the Prismatic batteries.
The existing safety measure of using an explosion proof casing around the cells is considered adequate protection. The Prismatic batteries have been tested in helium environments, and under maximum changes in pressure.
Using the Prismatic battery pack, there will be no need for the step-up converters. Step-up converters will be replaced by step-down converters. Together with 3.3V linear regulators they will produce the digital FPGA and MCU power supplies.
The LT1765 is proposed. It is a high efficiency 3A step-down switching regulator. With a regulator operating supply current of 1mA this improves efficiency, especially at lower output currents. Shutdown reduces quiescent current to 15uA. Maximum switch current remains constant at all duty cycles. Synchronization allows an external logic level signal to increase the internal oscillator up to 2MHz. Full cycle-by-cycle current control and thermal shutdown are provided. High frequency operation allows the reduction of input and output filtering components: this is important because neither tantalum nor electrolytic capacitors can be used, for safety reasons.
Analog circuitry will be powered from linear regulators, separated from the step-down converters.
The replacement of the existing batteries will require mechanical changes to the battery compartments.