Open Circulation
Deep Life Open Revolution
Submission
Correction of Safety Noncompliance for the Rebreather Control Electronics
DOCUMENT [Filename]: GreenB_61508_NConf1_070315.doc
ORIGINATOR: Marat Yevtukhov
DEPARTMENT: Engineering
LAST UPDATED: 15th March 2007
REVISION: A1
APPROVALS
Hardware Architect: _______________________________ Date: ________________________
Software Architect: _______________________________ Date: ________________________
Project Manager: _______________________________ Date: ________________________
Quality Officer: _______________________________ Date: ________________________
Controlled Document
Classified Document
Unclassified if blank
Revision History
Revision: A
Date: 12th February 2007
Description: Initial issue of Green Book covering low power issues, updated 21st Feb 2007
with approval to proceed. A1 approved for publication 15th Mar 2007.
Copyright © 2007 Deep Life Ltd
All rights reserved. No circuit may be reproduced without a licence for the topographical
rights contained therein from Deep Life Ltd. This document does not constitute a licence to
use any patent, patent application or topographical right of Deep Life Ltd.
Deep Life Ltd - For when technology really must be dependable
Table of Contents
1 PURPOSE AND SCOPE
2 REQUIREMENT SPECIFICATION
3 DIVISION OF FPGA AND MCU FUNCTIONS
4 FPGA SAFETY PROPOSALS
5 MCU SELECTION
6 BASE UNIT AND HANDSET CLOCKING
7 POWER SUPPLIES PROPOSALS
8 AUTO TURN ON/OFF
9 BASE UNIT PROGRAMMING
10 ADCS AND VOLTAGE REFERENCES.
10.1 Voltage References
11 OXYGEN CELL VERIFICATION DAC
12 EFFECT ON PROJECT SCHEDULES
13 REFERENCES
1 PURPOSE AND SCOPE
The EN61508 compliance reviews of the Deep Life Open Revolution Rebreather Project
have identified the following problems with the electronics, currently Rev C, which have to
be resolved before the product can be manufactured or sold. These are:
1. Neither the FPGA nor the MCU in the existing design meets the requirements for a
SIL 4 system: both need to be replaced because the complexity of these has
gradually crept up during the project and is now such that they can no longer be
verified on a Black Box principle. It is necessary to carry out White Box verification.
This requires changes to the MCU selection and change to the FPGA load
sequence.
2. The Xilinx Spartan FPGAs load from memory on power up: this is a long power up
sequence and any corruption of the data will result in incorrect functionality being
loaded.
3. The MCU in the existing design is a Microchip PIC processor, which has not been
formally verified and for which there is no formally verified or open source code.
The objective is to eliminate dynamic FPGA loads, and switch to a processor for
which a formal verification route exists.
4. The existing electronics cannot power on automatically with low PPO2, without
consuming large amounts of power. The objective is to reduce the quiescent power
to a few tens of microamps.
5. The O2 cells go to each ADC. Therefore one faulty O2 cell can destroy all ADCs: a
single point failure that must be removed.
This document sets out how these non-compliance issues are being resolved.
The scope of this document is the Green Book in the quality control system of Deep Life
Ltd, as set down in QP05 and QP20, namely this document describes a specific
engineering implementation for a design change to correct for this non-compliance.
2 REQUIREMENT SPECIFICATION
The requirement specifications are contained in Micropore_OR_051222.pdf for the Sports
configuration, and BlueB_ORTONOR_060320C.pdf and GreenB_ORTONOR_070105.pdf
for the umbilical diving configuration.
The requirement of this work is to identify and implement corrections for the four issues
listed above.
[Figure 1 block diagram not reproduced. Labelled blocks: FPGA, MCU, ADC 1, ADC 2, MUX 1, MUX 2,
O2 sensors 1 to 4, O2 injectors 1 and 2, stepper motors 1 to 3, linear Hall sensors, shut off
valve, sensors card, scrubber stick, humidity, temperature, pressure, CO2 and He sensors,
oxygen and diluent cylinder pressure sensors, current sensor, main, aux and handset battery
monitors, charger, step up converters 1 and 2, references 1 and 2, clocks synthesizer and
clocks monitor, fibre to handset. The FPGA is I2C master and the MCU is I2C slave.]
Figure 1: Block structure of the Rev C Base Unit.
3 DIVISION OF FPGA AND MCU FUNCTIONS
The FPGA and Microcontroller (MCU) provide the processing in the Base Unit on the basis of
dual redundancy, with two different implementations for each processing section (FPGA vs
MCU).
The FPGA and MCU each have a 24-bit analog to digital converter (ADC) to read sensor
values.
The common peripherals such as batteries, switches, shut off valve, step up converters, digital
pressure sensors, and scrubber stick sensor multiplexers are controlled through XOR logic
gates to enable them to be accessed from both the FPGA and MCU, regardless of the state of
the second processor.
The FPGA has a major monitoring role, and gives the MCU a predefined time window in which to
execute control actions. Each common control line has a return path to both the FPGA and the MCU.
There are two 8MHz clock crystals for redundancy. The FPGA and MCU have separate 8MHz clock
paths from the monitoring circuitry.
The FPGA has an internal full speed USB 1.1 module. It is clocked by a 48MHz clock signal
produced by a DCM in the FPGA.
The focus here is the Base Unit. The handset has the same FPGA and MCU structure. It is
intended that changes made in the Base Unit will also be implemented in the handset.
Sensors are divided amongst ADCs such that if one power supply is shorted out, the unit
continues to function. For example, if the MCU power supply is shorted, all safety critical
functions are maintained by the FPGA.
Table 1: Division of sensor functions between FPGA and MCU
FPGA:
- O2 Sensor1
- O2 Sensor2
- O2 Sensor3
- O2 Sensor4
- O2 Injector1 Linear Hall sensor
- Main Battery Voltage
- Auxiliary Battery Voltage
- External Battery Voltage (i.e. Handset or umbilical power)
- Current Consumption
- Oxygen Cylinder Pressure
- Diluent Cylinder Pressure
- Ambient Pressure
MCU:
- O2 Sensor1
- O2 Sensor2
- O2 Sensor3
- O2 Sensor4
- O2 Injector2 Linear Hall sensor
- Main Battery Voltage
- Auxiliary Battery Voltage
- External Battery Voltage (i.e. Handset or umbilical power)
- Humidity Sensor
- Scrubber Stick Multiplexer
- Differential Pressure Sensor on the Scrubber stick/ or Digital Pressure Sensor
- Scrubber Stick has on board ADC to sample CO2, CO, HC, and He readings
- Ambient Temperature
- Four Shut off Valve Sensors
- Wet Sensor
4 FPGA SAFETY PROPOSALS
The existing design uses a XC3S400-PQ208 Spartan-3 family FPGA. This provides 400K
system gates, which is equivalent to 8064 logic cells, and there is 70% utilisation. Each logic
cell consists of a 4-input Look-Up Table (LUT) plus a ‘D’ flip-flop. The part has 288Kbits of RAM.
The package is a Pb-free PQG208 - Quad Flat Pack with 208 pins, providing 141 available user
I/Os.
The XC3S400 requires three power sources for normal operation:
- 1.2V core power supply, consumption measured at 15mA.
- 2.5V auxiliary power supply, current consumption measured at 29mA. This power supply
is used also for the Digital Clock Manager (DCM).
- 3.3V output driver supply.
The FPGA has several internal clocks. The input clock is 8MHz, the processing unit clock 500kHz,
and the I2C and USARTs clock 250kHz. The USB 48MHz clock is produced by a DCM block in the
FPGA.
It was suggested that the FPGA manufacturer be changed from Xilinx to Actel Corporation to comply
with EN61508 for the Software Safety Compliance team, as the transfer of configuration data from
Flash memory to the FPGA every time it switches on is deemed too hazardous for the
purposes of an EN61508 SIL 4 system. The change is made to use Actel parts, as these are
used almost universally for aircraft control and other critical applications. The Actel FPGAs
incorporate the Flash memory into the FPGA itself.
One time programmable parts were considered, particularly low power Quicklogic FPGAs, but
the difficulties of performing hardware upgrades and risks that these do not configure correctly
eliminated them during the safety review process.
Actel manufacture three low power FPGA families:
- ProASIC3 Flash
- IGLOO Low Power Flash
- Fusion Family of Mixed-Signal Flash
The main criteria for the FPGA selection are:
1. The lowest power consumption.
2. Not Ball Grid Array due to risk of stress cracks during pressure cycling
3. ROHS compliant, Pb-free
4. Number of logic gates should be at least 400k.
5. The available user I/Os should be the same as or greater than the XC3S400 (this is especially
important in the handset design where a numeric custom display with large pin count is
used).
6. Availability.
The Actel IGLOO Low Power Flash FPGAs are very attractive in terms of current consumption,
but there are no FPGAs in Quad Flat Pack packages. The AGL600 looks ideal, and has 600k
system gates, but is packaged only in BGA packages. They are not available from stock.
The Fusion Family of Mixed-Signal Flash has the AFS600 chip with a sufficient number of
system gates but is packaged in a PQ208 package with insufficient user I/Os. It also has
excessive internal analog circuitry and is not available from stock.
This leaves the Actel ProASIC3 Flash Family. The A3P400 from this FPGA family does seem
suitable, though the gate count is the minimum required:
1. A3P400 – quiescent supply current 3mA,
I/O Input Buffer Power (Per Pin) – 16.69uW/MHz,
I/O Output Buffer maximum Power (Per Pin) – 468.67uW/MHz.
2. Packed in PQG208 – Quad Flat package, RoHS compliant.
3. A3P400 is an in-application reprogrammable FPGA.
4. 400k system logic gates.
5. 151 single-ended user I/Os available.
6. In stock at Mouser, order code 892-A3P400-PQG208. Price for 1 - $46.80,
from 24 - $38.84.
The A3P400 supports the LVCMOS 3.3 V single-ended I/O standard, inputs are LVCMOS 5.0V
compliant.
The A3P400 can be programmed via IEEE1149.1 (JTAG) and does not require any external
ROM. Programming this will require the MCU to have the USB interface to the PC, and will be
an additional MCU resource load.
A3P400 requires 1.5V for core power supply, and 3.3V for pin drivers.
As the USB interface will be part of the MCU there will be no need for a 48MHz clock in the
FPGA. The main FPGA clock can be 500kHz; this will also reduce FPGA current consumption.
The Input clock will remain at 8MHz using a SG-310-CGF 3.3V@1.5mA crystal oscillator
available from Farnell (order code 127-8051). For redundancy the FPGA should have an
additional crystal oscillator instead of the existing clock monitoring circuitry.
5 MCU SELECTION
The existing design uses a Microchip PIC18F8722 operating in parallel with an FPGA, where
either can perform the entire function.
The main disadvantage of this MCU is that this processor core is not verified, and the compilers
for it are neither verified nor Open Source. The reason for adopting the PIC was that it is
inexpensive and could be verified on a Black Box basis, however, since then the design has
grown in function.
The safety review of the design concluded that the functionality is now too complex to be fully
verified as a Black Box, and as a White Box without open tools and formal verification of the
core, the PIC processors do not meet the requirements of EN61508 and EN12207 for Safety
Integrity Level 1 or above. A formally verified processor is required with Open Source or
verified compilers.
By formal verification, it is meant that the core has been extracted and the logic compared
automatically with an RTL description, using mathematical equivalence proof tools, and the RTL
has been formally verified to express the instruction set and other operations, again using
mathematical theorem proving methods.
The following processors have been formally verified and are available:
- RSC Viper Processor.
- VAMP Processor
- ARM6 Processor
- ARM7 Processor, verified using the AMBA 3 AXI protocol platform.
The design focuses on ARM7, because ARM6 is obsolete, VAMP requires synthesis and layout
and is likely to require a high power budget, and the Viper too is an old design that is power
hungry.
Many different ARM7 MCUs are available. From these the selection criteria are:
1. Low power.
2. Single power supply to avoid dependency on multiple supplies.
3. Internal and redundant system clocks.
4. Internal real time clock (RTC) to enable the processor to have a watchdog.
5. Low current power down mode.
6. Integrated brown-out detection.
7. USB 2.0 interface.
8. Integrated I2C, USARTs.
9. Sufficient number of I/O pins.
10. Must not use BGA or flip chip packaging as these would fail when pressurised.
11. Availability in RoHS compliant form.
12. Open source C compiler, or other compiler in a language listed in EN61508 for SIL 4
systems.
The LPC2368 was selected: this is from NXP, originally Philips.
The LPC2368 microcontroller is based on a 16-bit/32-bit ARM7TDMI-S CPU with real-time
emulation that combines the microcontroller with 512kB of embedded high-speed flash memory.
It has In-System Programming (ISP) and In-Application Programming (IAP) capabilities. Flash
program memory is on the ARM local bus for high performance CPU access.
The device operates from a single 3.3 V power supply (3.0V to 3.6V). It has Brownout detect
with separate thresholds for interrupt and forced reset.
Current consumption of the LPC2368 is 21mA at 10MHz when all peripherals are enabled. When
the device is in deep power-down mode it consumes just 15uA.
The LPC2368 includes three independent oscillators. These are the Main Oscillator, the Internal
4MHz RC oscillator, and the RTC oscillator. Each oscillator can be used for more than one
purpose as required in a particular application. Any of the three clock sources can be chosen
by software to drive the PLL and ultimately the CPU.
The Watchdog Clock source can be selected from the RTC clock, the Internal RC oscillator, or
the APB peripheral clock. This gives a wide range of potential timing choices of Watchdog
operation under different power reduction conditions. It also provides the ability to run the WDT
from an entirely internal source that is not dependent on an external crystal and its associated
components and wiring, for increased reliability. Finally, the internal Watchdog source can be
used to monitor the program, to force a recovery should anything hang.
The RTC has a separate power pin drawing 28uA. The device has the ability to wake up from
the RTC interrupt.
The LPC2368 has four general purpose timers/counters.
The chip has a USB 2.0 full-speed (12Mbps) device with on-chip PHY and associated DMA
controller. It has four UARTs, all with FIFO, and three I2C controllers.
The LPC2368 is packaged in a 100 lead plastic low profile quad flat package. It is RoHS
compatible.
The GNU GCC compiler supports the ARM core of the LPC2368.
For prototype purposes, chips are available from Digikey at a cost of £4.53 each.
6 BASE UNIT AND HANDSET CLOCKING
One of the current hungry modules in the Rev C design is the clock monitoring circuitry. It
is proposed to replace it by monitoring the clocks internally within the FPGA and MCU.
The digital pressure sensor requires a 32kHz master clock. This clock can be produced by the
MCU timer and further monitored by the FPGA.
The ADCs will run using an external clock of 8MHz.
Experiments showed that the ADC running at the internal clock of 9MHz produces more noise than
the synchronous configuration. See Table 2.
OSR      External clock          Internal clock
         RMS, uV    p-p, uV      RMS, uV    p-p, uV
32768    2.36       20           5.16       40
16384    3.38       31           6.9        45
8192     3.47       21           9.38       58
4096     4.78       27           13.55      85
2048     7.1        41           17.56      89
1024     10.61      66           27.24      206
512      16.88      102          41.04      297
256      18.36      90           55.58      334
128      27.17      174          73.36      550
64       42.9       280          118.17     670
Table 2: Noise level comparison for internal and external clocking of the ADCs.
7 POWER SUPPLIES PROPOSALS
Instead of the existing Li-Ion batteries it is proposed to use a standard Li-Ion battery pack to
reduce the power consumption with the change in FPGA and microcontroller.
The battery pack has 2400mAh capacity, and will operate within voltages 5.5 V (cut-off), 7.4 V
(working), 8.4V (peak). It has an internal protection PCB to protect the batteries from overcharge,
over discharge, over drain and short circuit. To protect the batteries from high pressure,
they will be assembled end to end (stick configuration), and put into a hermetic tube at
a pressure of 1bar.
The tubes will be twice as long as for the existing design, but the existing ones for SCR
implementation can be used for the Sports eCCR configuration.
The suggested manufacturer is Abatel (http://www.abatel.com/), though explosion proof
batteries from Valence Technology are being assessed as a possible replacement. The
charging voltages and currents are different for the Valence batteries than for normal Li-Ion
cells. The Valence cells have the following characteristics in the series configuration, i.e. two
batteries per assembly, and two assemblies per scrubber:
- the nominal c/5 discharge voltage will be 6.4V,
- discharge termination voltage 5.0V,
- constant charge current 700mA,
- constant voltage charge 7.3V.
Figure 2: Battery pack configuration
There should be two battery packs on the base unit to provide redundancy in case one
pack fails. The third battery pack will be located on the handset. Any one pack can power the
entire system.
Careful consideration was given to use of intrinsically safe batteries, particularly the Valence
safe battery. These have a constant charge voltage of 3.65V versus 4.2V for normal Li-Ion, so
they cannot use any standard charger which uses constant voltage.
The capacity of the Valence battery is 1.1Ah, which is half that for the Prismatic batteries.
The existing safety measure of an explosion proof casing around the cells is considered
adequate protection. The Prismatic batteries have been tested in helium environments, and
under maximum changes in pressure.
Using the Prismatic battery pack, there will be no need for the step up converters. Step-up
converters will be replaced by the step-down converters. Together with 3.3V linear regulators
they will produce digital FPGA and MCU power supplies.
The LT1765 is proposed. It is a high efficiency 3A, step-down switching regulator. With a
regulator operating supply current of 1mA this improves efficiency, especially at lower output
currents. Shutdown reduces quiescent current to 15uA. Maximum switch current remains
constant at all duty cycles. Synchronization allows an external logic level signal to increase the
internal oscillator up to 2MHz. Full cycle-by-cycle current control and thermal shutdown are
provided. High frequency operation allows the reduction of input and output filtering
components: this is important because neither tantalum nor electrolytic capacitors can be used,
for safety reasons.
Analog circuitry will be powered from linear regulators, separated from the step-down
converters.
The replacement of the existing batteries will require mechanical changes to the battery
compartments.
8 AUTO TURN ON/OFF
The Base Unit has the ability to be turned ON/OFF automatically with low quiescent power.
It is required that the Unit turns on if the PPO2 falls more than 0.1 in 10 minutes or if the PPO2
is below a set minimum. To provide this, the MCU part of the electronics turns ON for 100ms every
10s to measure the PPO2. If it detects a drop in PPO2 then it switches ON fully to maintain PPO2.
The only way to switch the unit off is to not breathe from the unit for 15 minutes.
To realize the proposed ON/OFF algorithm the MCU goes into Deep Power Down mode. In this
mode, the FPGA will be switched off. The LPC2368 on-chip regulator that supplies power to
internal logic is shut off. This produces the lowest possible power consumption without actually
removing power from the entire system.
Current consumption in the Deep Power Down mode is 15uA.
The MCU will be programmed to generate periodic interrupts from the Real Time Counter (RTC).
Wakeup will be caused by the RTC. The MCU has an ALARM pin, an RTC controlled output. This
is a 1.8 V pin. It goes HIGH when an RTC interrupt is generated, thus powering the device.
O2 sensor calibration data may be retained through Deep Power Down mode by storing data in
the 2k Battery RAM, as long as the external power to the VBAT pin is maintained.
If the Base Unit is connected to the Handset then the Base Unit can be switched on from the
Handset by the user, in addition to the above process.
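The turn-on and turn-off rule of this section, sketched in C as an added example (it is not Deep Life firmware): one integer PPO2 sample per 10 s wake slot is compared against the previous 10 minutes and against a set minimum. The 160 mbar minimum, the reading of "0.1" as 0.1 bar, the breath_seen flag, the placement of the state in Battery RAM and all identifiers are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TICK_S          10u    /* MCU wakes for 100 ms every 10 s */
#define WINDOW_TICKS    60u    /* 10 minutes of history at one sample per tick */
#define DROP_MBAR       100u   /* "more than 0.1", taken as bar (assumption) */
#define OFF_IDLE_S      900u   /* 15 minutes without a breath */
#define PPO2_MIN_MBAR   160u   /* ASSUMED set minimum; the page gives no value */

typedef enum { UNIT_SLEEP = 0, UNIT_ON = 1 } unit_state_t;
typedef enum { WAKE_NONE = 0, WAKE_BELOW_MIN = 1, WAKE_DROP = 2 } wake_reason_t;

/* Everything here must survive Deep Power Down, so on the LPC2368 it would
 * live in the 2k Battery RAM next to the O2 calibration data (assumption). */
typedef struct {
    uint16_t      hist[WINDOW_TICKS]; /* PPO2 samples in mbar, ring buffer */
    uint8_t       head;               /* next slot to overwrite */
    uint8_t       count;              /* valid samples, saturates at 60 */
    uint16_t      idle_s;             /* seconds since last breath while ON */
    unit_state_t  state;
    wake_reason_t reason;             /* why the unit last switched ON */
} ppo2_ctl_t;

void ppo2_ctl_init(ppo2_ctl_t *c)
{
    memset(c, 0, sizeof *c);          /* UNIT_SLEEP, empty history */
}

/* Decide whether this sample requires a full power-up. The fall is measured
 * from the highest reading of the previous 10 minutes, so a fast drop inside
 * the window is caught as well as one that takes the whole window. */
wake_reason_t ppo2_wake_check(const ppo2_ctl_t *c, uint16_t now_mbar)
{
    uint16_t peak = 0;
    uint8_t i;

    if (now_mbar < PPO2_MIN_MBAR)
        return WAKE_BELOW_MIN;
    for (i = 0; i < c->count; i++)
        if (c->hist[i] > peak)
            peak = c->hist[i];
    if (peak > now_mbar && (uint16_t)(peak - now_mbar) > DROP_MBAR)
        return WAKE_DROP;
    return WAKE_NONE;
}

/* One 10 s tick. breath_seen is a hypothetical flag from whatever breath
 * detection the unit uses; the page does not say how breathing is sensed. */
unit_state_t ppo2_ctl_tick(ppo2_ctl_t *c, uint16_t now_mbar, int breath_seen)
{
    if (c->state == UNIT_SLEEP) {
        wake_reason_t r = ppo2_wake_check(c, now_mbar);
        if (r != WAKE_NONE) {
            c->state = UNIT_ON;
            c->reason = r;
            c->idle_s = 0;
        }
    } else if (breath_seen) {
        c->idle_s = 0;
    } else {
        c->idle_s = (uint16_t)(c->idle_s + TICK_S);
        if (c->idle_s >= OFF_IDLE_S)
            c->state = UNIT_SLEEP;    /* the only way OFF: 15 min unbreathed */
    }
    c->hist[c->head] = now_mbar;      /* record the sample in every state */
    c->head = (uint8_t)((c->head + 1u) % WINDOW_TICKS);
    if (c->count < WINDOW_TICKS)
        c->count++;
    return c->state;
}

int main(void)
{
    /* Constructed trace: steady 700 mbar, then a leak-like fall. */
    static const uint16_t trace[] = { 700, 700, 690, 650, 610, 595 };
    ppo2_ctl_t c;
    size_t i;

    ppo2_ctl_init(&c);
    for (i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        unit_state_t s = ppo2_ctl_tick(&c, trace[i], 0);
        printf("t=%3us ppo2=%u mbar -> %s\n", (unsigned)(i * TICK_S),
               (unsigned)trace[i], s == UNIT_ON ? "ON" : "sleep");
    }
    return 0;
}
```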
9 BASE UNIT PROGRAMMING
The Base Unit has the ability to be programmed through the USB port of the MCU for system
updates. This should occur very rarely, but may be required in the field so no additional
equipment should be needed: a user should be able to download an update file, plug the
Handset or Base Unit into a USB port, and simply send the file. The file is then checked to
ensure it is a valid configuration file with correct checksums, and is then used to program the
Flash memories in the FPGA and MCU (MCU first, then FPGA).
To accomplish this, the USB communication firmware should be designed and loaded into the
Flash memory. The initial load of the MCU firmware will be done through MCU JTAG pins.
The first time this is done a JTAG programmer is required. Thereafter, it can be done through
the USB port.
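One way to implement the update-file check described above, written as an added example and not taken from the Deep Life code base: the whole file is validated before any Flash is written, and the result fixes the MCU-then-FPGA order. The container layout, the "DLUP" magic, the use of CRC-32 and every identifier are hypothetical, since the page does not specify the file format or the checksum.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* HYPOTHETICAL update container (the page does not define the file format):
 *   bytes 0..3    magic "DLUP"
 *   bytes 4..12   entry 0: target (1 byte), length (u32 LE), CRC-32 (u32 LE)
 *   bytes 13..21  entry 1: same layout
 *   bytes 22..    entry 0 payload followed directly by entry 1 payload
 * CRC-32 stands in for the unspecified "checksums". A CRC detects accidental
 * corruption only; it says nothing about who produced the file. */
#define UPD_HDR_LEN 22u
enum { TGT_MCU = 1, TGT_FPGA = 2 };
typedef enum { UPD_OK = 0, UPD_ERR_SIZE, UPD_ERR_MAGIC, UPD_ERR_ORDER, UPD_ERR_CRC } upd_status_t;
typedef struct { const uint8_t *data; uint32_t len; } upd_section_t;
typedef struct { upd_section_t mcu, fpga; } upd_plan_t;  /* flash mcu first */

uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Check the whole file before any flash is touched. plan is filled only on
 * UPD_OK, so the MCU is never programmed from a file whose FPGA half is bad. */
upd_status_t upd_validate(const uint8_t *img, size_t size, upd_plan_t *plan)
{
    if (size < UPD_HDR_LEN)
        return UPD_ERR_SIZE;
    if (memcmp(img, "DLUP", 4) != 0)
        return UPD_ERR_MAGIC;
    const uint8_t *e0 = img + 4, *e1 = img + 13;
    if (e0[0] != TGT_MCU || e1[0] != TGT_FPGA)
        return UPD_ERR_ORDER;             /* MCU first, then FPGA */
    uint32_t len0 = rd32le(e0 + 1), len1 = rd32le(e1 + 1);
    size_t body = size - UPD_HDR_LEN;
    /* Subtract rather than add so lengths from the file cannot wrap a sum;
     * the two payloads must account for every byte after the header. */
    if (len0 == 0 || len1 == 0 || len0 > body || len1 != body - len0)
        return UPD_ERR_SIZE;
    const uint8_t *p0 = img + UPD_HDR_LEN, *p1 = p0 + len0;
    if (crc32_ieee(p0, len0) != rd32le(e0 + 5) ||
        crc32_ieee(p1, len1) != rd32le(e1 + 5))
        return UPD_ERR_CRC;
    plan->mcu.data = p0;  plan->mcu.len = len0;
    plan->fpga.data = p1; plan->fpga.len = len1;
    return UPD_OK;
}

/* Build a constructed sample image (placeholder payloads, not real firmware). */
size_t upd_make_sample(uint8_t *out, size_t cap)
{
    static const uint8_t mcu[] = "constructed MCU firmware bytes";
    static const uint8_t fpga[] = "constructed FPGA bitstream bytes";
    uint32_t n0 = sizeof mcu - 1, n1 = sizeof fpga - 1;
    if (cap < UPD_HDR_LEN + n0 + n1)
        return 0;
    memcpy(out, "DLUP", 4);
    out[4] = TGT_MCU;   wr32le(out + 5, n0);  wr32le(out + 9, crc32_ieee(mcu, n0));
    out[13] = TGT_FPGA; wr32le(out + 14, n1); wr32le(out + 18, crc32_ieee(fpga, n1));
    memcpy(out + UPD_HDR_LEN, mcu, n0);
    memcpy(out + UPD_HDR_LEN + n0, fpga, n1);
    return UPD_HDR_LEN + n0 + n1;
}

int main(void)
{
    uint8_t img[128];
    upd_plan_t plan;
    size_t n = upd_make_sample(img, sizeof img);
    return upd_validate(img, n, &plan) == UPD_OK ? 0 : 1;
}
```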
To configure the system in the factory, the ARM-USB-OCD controller will be used: this
provides USB to JTAG + RS232 + power supply for programming and debugging. It is priced at
$69.95. It has software supported by the OpenOCD (open source) debugger so can be
modified to perform the appropriate system checks also.
After the MCU is configured, the FPGA will be loaded through the MCU. All subsequent updates
of the MCU firmware and FPGA will be done through the USB port.
MCU firmware will be compiled by the open source GNU gcc compiler using a subset of C in
accord with EN61508 for SIL 4 systems. On-chip debug will use OpenOCD.
The OpenOCD JTAG server is a free on-chip debug solution for targets based on the ARM7
and ARM9 family with Embedded-ICE (JTAG) facility. It enables source level debugging with
the standard GNU Debugger gdb compiled for the ARM architecture. In addition internal and
external FLASH memory programming is supported. Besides debugging, OpenOCD can control
any JTAG-based operation, e.g. programming FPGAs by an integrated XSVF player.
The JTAG is used for a complete system check on power up.
FPGA firmware will be designed in Verilog, and synthesized by Actel FPGA design tools.
Formal equivalence proving tools from Synopsys will provide the physical verification of the
synthesis (that is, proving the equivalence between the synthesized logic and the original RTL
description).
10 ADCS AND VOLTAGE REFERENCES.
There are two 24-bit Delta-Sigma ADCs in the Rev C design. One ADC is controlled by the
FPGA, the other is controlled by the MCU.
Each ADC is configured to accept 16 single ended signals from the several sensors. The
analog signals are routed as differential to the ADC, but are measured as single ended.
A plausible failure mode has been identified where if a cell has a load resistor go open circuit,
and is then plugged in, all ADCs it is connected to would be damaged: a single point of failure.
To increase the reliability of the measurement channels it is proposed to change the design to use
4 eight channel ADCs. The optimum redundancy design appears to be to have two of the
ADCs controlled by the FPGA and the other two by the MCU. Each ADC in the pair will
measure two oxygen sensor values. The proposed structure of the ADCs is shown in
Figure 3.
Full differential tracks to the ADC are used for the most critical Oxygen Sensors and the IR
Sensor on the scrubber stick. The rest are tracked as differential lines to the ADC's star point
and measured as single ended.
MCU controlled ADCs have an additional low power reference, that is, have two voltage
references, only one of which is used at any time. The low power reference will be switched ON
by the MCU after wake up to measure oxygen content.
[Figure 3 diagram not reproduced. It shows four LTC2447 ADCs, two labelled FPGA CONTROL and two
labelled MCU CONTROL. In each pair one ADC has inputs O2 SENSOR1 DIFFERENTIAL, O2 SENSOR2
DIFFERENTIAL, IR SENSOR DIFFERENTIAL, O2 INJECTOR HALL1 and O2 INJECTOR HALL2; the other has
inputs O2 SENSOR3 DIFFERENTIAL, O2 SENSOR4 DIFFERENTIAL, ANALOG MUX, HUMIDITY SENSOR,
DIFFERENTIAL PRESSURE SENSOR and AMBIENT PRESSURE SENSOR. An ADR441BRZ-2.5V feeds REFG+/REFG-;
the MCU controlled ADCs also have an LM4040-2.5V "MCU ON REFERENCE" on REF1+/REF1-.]
Figure 3: ADCs structure to meet ESD protection.
Analog MUX signals are:
- Main Battery voltage;
- Auxiliary Battery voltage;
- Handset Battery voltage;
- Current consumption value;
- Oxygen Cylinder pressure value;
- Diluent Cylinder pressure value;
- Precise reference 2.5V for the calibration;
- AGND;
Total wires to the MUX – 8 wires
The ADC LT2449 requires an external buffer to be inserted between the output of the ADC internal
multiplexer and the input to the internal ADC. This buffer buffers the input current from the input
source. An LT1368 dual bipolar operational amplifier is used for this purpose. This amplifier has
compensation that requires a 0.1uF output capacitor, which improves the amplifier’s supply
rejection. The output capacitor’s filtering action reduces high frequency noise, which is
beneficial when driving A/D converters. It has 400nV p-p noise at 0.1Hz to 10Hz and 29nV/√Hz
noise density at 1kHz. Supply current for each amplifier is 520uA max. A guard ring across the
input pins on the PCB will be implemented.
Input channels of the ADC are ESD protected using series resistors, capacitors and a track
layout that has high inductance and distributed capacitance, to discharge ESD events of up to
10kV HBM. The sources of ESD discharge have also been addressed: Molex connectors on O2
sensors are replaced by SMB connectors where the ground always mates before the signal pin.
The DAC MUX connects the ground line to ground whenever the scrubber is open.
10.1 Voltage References
The existing design uses a 3V voltage reference, Linear Technology LT1461ACS8-3. It has a
3ppm/deg C temperature drift, 8 ppm p-p voltage noise 0.1Hz to 10Hz, and 9.6 ppm RMS 10Hz
to 1KHz. The cost of the reference is $12.88.
It is proposed to replace the reference with an Analog Devices ADR441BRZ. This reference has
1.2uV p-p noise 0.1Hz to 10Hz, and 48 nV/√Hz at 1kHz. This reference has better long term
stability of 50ppm at 1000 hours, compared with 60 ppm. The cost of the reference is $6.24. It
is available from the Farnell Catalogue (order code 127-4158) in a RoHS package.
The ADR441BRZ has a 3mA quiescent supply current compared against 50uA for the
LT1461ACS8-3, but the lower noise, better long term stability, and lower price make it attractive
to be used as the reference for the ADCs.
The existing design has three references:
- LT1461ACS8-3 - the reference for ADC controlled by the FPGA;
- LT1009 2.5V - the reference for ADC controlled by the MCU;
- LT1009 2.5V - the scrubber stick reference;
The LT1009 has 25ppm/°C temperature coefficient, 20 ppm/khr, app. 120nV/√Hz noise density
at 1kHz, and over 200 nV/√Hz noise density at 10Hz, current supply is 400uA.
The ADR441BRZ will also be used as the reference for the scrubber stick and will be placed on
the scrubber stick.
11 OXYGEN CELL VERIFICATION DAC
To verify that the oxygen sensors are the correct type and do not have internal compensation
circuitry, a 12-bit resolution DAC AD5320, in combination with ADG721 switches to provide
differential lines to the ADC, will be used. The structure of one Oxygen channel is shown in
Figure 4. The ADG721 switches will be placed as close as possible to the input of the ADCs.
The DAC provides enhanced ESD protection for the ADC when the sensors are replaced.
[Figure 4 schematic not reproduced. Labelled elements: OXYGEN SENSOR, L1, L2, two 100R
resistors, two 10uF capacitors, a 100K resistor, AGND, DAC AD5320, ADG721, ADC LTC2447,
FPGA/MCU CONTROL.]
Figure 4: DAC to test O2 sensors and provide additional ESD protection when changing
sensors. The inductor has a significant capacitance to ground, due to edge effects and board
capacitance: the track is an inner layer with sharp turns to radiate any ESD into the board
dielectric.
L1 and L2 are the PCB trace inductance. Filter resistors are 100 Ohms. The ADCs have
maximum/minimum input leakages of ±15nA. This leads to a voltage drop across the 100 Ohm
filter resistors of ±1.5uV. The value of the filter X5R capacitor is limited by the capacitor size:
10uF (6.3V, X5R) is the maximum for a capacitor in an 0603 package. Cutoff frequency for the
selected values will be 159Hz. Larger values are also undesirable, as the self resonant
frequency of the capacitor would also reduce.
12 EFFECT ON PROJECT SCHEDULES
Additional engineering resources have been allocated to the project to enable the issues here
to be implemented in parallel with the continuing compliance activity with the existing design.
It is expected that the CE Compliance will not be affected by this change: the items are outside
EN14143:2003, other than that a non-compliance will be recorded in the EN61508 compliance that
is closed off by this action.
The changes here should catch up with the project before the NORSOK compliance testing is
finished, and become integral to the project from that point onwards.
The changes do not have a major effect on the logic and programming: the same languages are used,
and the design is simply re-synthesised and recompiled for the new target hardware. The ADC
driver would have to be modified, as would the power supply and USB interfaces.
These changes do not affect the MUX unit or Topside Unit, nor do they need to be migrated to
those units, because the MUX has a lower SIL rating than the rebreather controller itself.
13 REFERENCES
LPC2368 Data sheet:
FS:\Projects\1-Rebreather\DataSheets\ARM7_MCU\LPC2364_66_68_1.pdf
LPC2368 Manual:
FS:\Projects\1-Rebreather\DataSheets\ARM7_MCU\user.manual.lpc2364.lpc2366.lpc2368.lpc2378.pdf