PRO-SIL Useful Things To Know : Part 1


How to connect the CIC61508 to your XC2000.


There is a certain amount of confusion as to the best way to connect the CIC61508 to an XC2000 that is running SafeTcore-XC2000 (née SC-II). The basis of the PRO-SIL safety system is that the CIC and the host CPU, here the XC2000, must not share the same power supply. This avoids the possibility of a common cause failure related to power. The CIC is intended to monitor the operation of the XC2000 and, in the event of a failure, take action that will prevent a dangerous condition arising. The action is best limited to disabling any IO device connected to the XC2000 so that a hazardous condition cannot arise. For example, a fuel injector controlled by the XC2000 could potentially be left in the open state if the CPU failed. In this case, one of the CIC61508's SYSDIS pins would be connected to the injector driver enable pin so that if the CIC determines that the XC2000 is no longer in control, it can shut off the fuel flow.

(Figure: CIC61508 connected to the host TriCore or XC2000 CPU via SPI)

To prevent a power supply failure that results in an over-voltage on one CPU from causing the other to fail, low-value series resistors should be included in every signal line between the CIC and the XC2000.

Contrary to popular belief, it is not recommended to allow the CIC61508 to control the reset of the XC2000, although this can be useful in some applications. In the event of a permanent failure in either device, this could result in continual resetting and restarting of the system, which could in itself give rise to a hazard. The way to view this is that even if the XC2000 has permanently failed and is sitting there with all its pins toggling randomly, the fact that the CIC has disconnected any critical hardware means that the system overall is safe.

Provided the pitfalls are understood, a more advanced scheme that allows the CIC61508 to reset the XC2000 is given below.

(Figure: Safety Monitor reset scheme)

This configuration allows occasional random failures to cause a complete system restart. Here, SYSDIS_A acts as a reset input to the XC2000's ESR0 pin. If the CIC61508 enters DISABLED mode, it resets the XC2000 via ESR0. The XC2000 then restarts and sends a wake-up reset request to the CIC61508 to restart it as well. The entire system restarts and then stabilises again in ACTIVE mode. Further upsets cause the CIC61508 to enter DISABLED mode again and so cause further XC2000 restarts. However, the XC2000 application software must be designed so that it does not request continual resets and restarts. To this end, the XC2000 user code must handle reset requests from the CIC61508 and keep a record of how many reset events have occurred, ending the restarts after a certain number.
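The reset bookkeeping described above, as an added example rather than Hitex or Infineon code: a retained counter is incremented on every ESR0 reset attributed to the CIC61508, and once a policy limit is exceeded the application stays in the safe state with its outputs disabled instead of sending another wake-up request. Everything here is an assumption for illustration: the names, the reset-cause enumeration, the limit of three restarts per power cycle, and the idea that the record lives in a RAM section the startup code leaves uncleared. Decoding the actual reset cause from the XC2000's reset status registers is platform-specific and left to the caller.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example: reset-budget bookkeeping for an XC2000 application that lets
 * the CIC61508 reset it through SYSDIS_A -> ESR0. All names are hypothetical;
 * this is not Hitex/Infineon driver code. */

/* Assumed policy: at most this many CIC-initiated restarts per power cycle. */
#define CIC_RESET_LIMIT 3u

/* Retained record. On a real XC2000 this would live in a RAM section that the
 * startup code does not clear (assumption); the complement field lets us tell
 * a genuine count from uninitialised or corrupted RAM after a power cycle. */
typedef struct {
    uint32_t count;
    uint32_t count_inv;   /* always ~count when the record is valid */
} reset_record_t;

typedef enum {
    RESET_CAUSE_POWER_ON,  /* cold start: the restart budget begins afresh */
    RESET_CAUSE_ESR0,      /* external reset, here driven by CIC61508 SYSDIS_A */
    RESET_CAUSE_OTHER      /* watchdog, software reset, ...: not counted here */
} reset_cause_t;

typedef enum {
    ACTION_NORMAL_START,          /* send the wake-up request to the CIC and continue */
    ACTION_SAFE_STATE_NO_RESTART  /* budget exhausted: leave outputs disabled, request no restart */
} start_action_t;

static bool record_is_valid(const reset_record_t *r)
{
    return r->count == ~r->count_inv;
}

static void record_set(reset_record_t *r, uint32_t v)
{
    r->count = v;
    r->count_inv = ~v;
}

/* Called once at startup with the cause decoded from the reset status
 * registers (platform-specific; assumed to be done by the caller).
 * Updates the retained record and returns what the application should do. */
start_action_t on_startup(reset_record_t *rec, reset_cause_t cause, uint32_t limit)
{
    if (cause == RESET_CAUSE_POWER_ON || !record_is_valid(rec)) {
        record_set(rec, 0);   /* fresh power cycle, or the record cannot be trusted */
    }
    if (cause == RESET_CAUSE_ESR0) {
        record_set(rec, rec->count + 1);
        if (rec->count > limit) {
            return ACTION_SAFE_STATE_NO_RESTART;
        }
    }
    return ACTION_NORMAL_START;
}

/* Simulation helper: power on, then keep taking ESR0 resets; returns how many
 * CIC-initiated restarts were permitted before the application locked into
 * the safe state. Lets the policy be checked on a host before flashing. */
uint32_t restarts_permitted(uint32_t limit)
{
    reset_record_t rec;
    uint32_t permitted = 0;

    memset(&rec, 0xA5, sizeof rec);               /* garbage, as after power-up */
    (void)on_startup(&rec, RESET_CAUSE_POWER_ON, limit);
    while (on_startup(&rec, RESET_CAUSE_ESR0, limit) == ACTION_NORMAL_START) {
        permitted++;
    }
    return permitted;
}

int main(void)
{
    printf("restarts permitted with limit %u: %u\n",
           (unsigned)CIC_RESET_LIMIT, (unsigned)restarts_permitted(CIC_RESET_LIMIT));
    return 0;
}
```

The complement field matters because the counter has to survive the very reset it is counting: plain RAM that the startup code does not clear keeps its value across an ESR0 reset but is random after a genuine power cycle, and without an integrity check a random value could either exhaust the budget immediately or hand out an unbounded one.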


Some users require that the operation of the CIC is verified before the main SafeTcore-XC2000 system is launched on the XC2000. This involves running the CIC through its main states (NOREADY/READY/ACTIVE/DISABLED) and checking the state of the SYSDIS pins in each state. It is not feasible to do this using SafeTcore itself. However, it can be done by writing a simple sequencer test (formerly "opcode sequence test") based on the Hitex CIC SPI driver library, which can get the CIC61508 into the ACTIVE state in 24-30 ms. This test would finish with a wake-up timer fast reset command so that the CIC restarts, allowing SafeTcore to then be initiated in the normal way.