Sendyne SIM100 Isolation Monitors User Manual
- June 9, 2024
- Sendyne
Table of Contents
AN1118
Safety Manual for Sendyne SIM100 Isolation Monitors
This document describes how to use the Sendyne SIM100 family of isolation monitors in safety-related systems.
Introduction
The system and equipment manufacturer or designer intending to use this
product is responsible to ensure that their system incorporating Sendyne’s
SIM100 meet all applicable safety, regulatory and system level performance
requirements. All information presented in this document is for reference
only. Users understand and agree that their use of SIM100 in safety-critical
applications is entirely at their risk, and that user (as buyer) agrees to
defend, indemnify, and hold harmless Sendyne from any and all damages,
claims, suits, or expense resulting from such use.
This safety manual provides information to assist system developers in
creating safety-related systems incorporating the Sendyne SIM100 isolation
monitoring device. This document contains:
- Overview of the SIM100 architecture
- Overview of the safety architecture for management of hardware failures
- Assumptions of Use
Sendyne assumes that the user of this document has a general familiarity of the SIM100. This document is intended to be used in conjunction with the relevant datasheet and application notes.
Sendyne SIM100 overview
The SIM100 is an electrically isolated device that when connected properly to
an idle or active high voltage IT power system (floating ground) can estimate
the resistive and capacitive paths between each power rail of the IT system
and a third reference point. The SIM100 can communicate through CAN bus (250
or 500 kbits/s) and when interrogated by a host it can provide estimates on
the values of each resistive and capacitive path. The SIM100, based on
information programmed by the host for the designed maximum voltage of the IT
power system, will calculate a value for the minimum resistance path between
the two IT power system rails and the third voltage reference point, expressed
in Ohms/Volt (max designed voltage). In addition, it will estimate the total
energy that can be potentially stored in the IT power system capacitances. If
the CAN bus host fails to provide information on the maximum IT power system
voltage, the SIM100 will calculate these values based on the maximum voltage
observed during its operation.
The SIM100 power input accepts any supply voltage between 4.8 V and 53 V. The
input voltage is pre-regulated and then stepped down through a DC/DC converter
feeding through galvanically isolated inputs the +5 V IC supply and the 12.5 V
excitation voltage source supply.
The SIM100 safety architecture includes a watchdog timer, CRC check on
internal non-volatile program memory, diagnostics for proper connections of
chassis and IT power system terminals, monitoring of the unregulated power
supply voltage level for the main IC before local voltage regulator (LDO),
environment temperature monitoring and excitation pulse voltage monitoring. In
addition, the SIM100 safety architecture monitors the voltage divider values
for chassis, positive and negative voltage connections and provides a visual
heartbeat signal indicating proper IC operation.
All estimates of isolation resistances and capacitances are submitted along
with an uncertainty percentage value. This value defines the interval within
which the actual value lies with a probability of 95%.
Safety functions and diagnostics overview
The SIM100 is intended for use in automotive and industrial safety-relevant
applications. All components used are automotive rated.
Hardware
The following list of monitoring functions are implemented in the SIM100.
- VU, SUPPLY monitor
- VX, SUPPLY monitor
- VX1 connection monitor
- VX2 connection monitor
- VX1 voltage divider ratio monitor
- VX2 voltage divider ratio monitor
- VCH1 and VCH2 connections monitor
- VX_CH voltage divider ratio monitor
- VX_CH Excitation Voltage Source voltage value monitor
- VX_THR environment temperature monitor
Upon diagnosing a hardware error, the SIM100 will set the appropriate flags
and enter a SAFE state.
Software
On the RESET state the SIM100 performs CRC check on the non-volatile memory.
During active operation a watchdog timer ensures proper program flow. In
addition, every estimate on the isolation state of the monitored IT power
system is accompanied by the uncertainty value of this estimate.
Target applications
The Sendyne SIM100 has been designed to be used as an element for the
isolation safety system in applications such as:
- Automotive
- Charging stations
- Industrial high voltage ungrounded systems
Fig. 2 and Fig. 3 show the boundary diagram for the SIM100 as a SEooC (Safety Element out of Context) in two different applications.
**Assumptions
**
The following table lists the assumptions made for safe employment of the SIM100 is a safety critical system.
| ID | Type | Assumed Requirement |
|---|---|---|
| AR01 | Assumed Requirement | The SEooC is defined as the SIM100 playing a role |
as an isolation monitoring element as shown in Fig. 2 and Fig. 3
AR02| Assumed Requirement| Thermal environment is between -40 o C and +105 o C
(Temperature range is limited by connector thermal specifications.
AR03| Assumed Requirement| The IT Power System voltage monitored by the SIM100
will vary between 15 V and its maximum operational voltage – see SIM100
datasheet
AR04| Assumed Requirement| The IT Power System is connected to chassis through
Y-Capacitors of at least 100 nF on each side of the power supply
AR05| Assumed Requirement| The SIM100 is supplied with proper power according
to the specifications of the relevant SIM100 datasheet
AR06| Assumed Requirement| No other isolation monitoring device is active in
the monitored system
Table 1: Assumed Requirements for SIM100 as a SEooC
Custom development
The SIM100 has been developed as a safety element out of context and is
offered as a commercial off-the-shelf product. Safety requirements used were
based on Sendyne’s understanding of the safety requirements of potential
applications.
Safety documentation
Verification and validation of the SIM100 safety features was performed
through testing and computer simulation. Results of SIM100 testing following
guidelines of different standards as well as the model used for SIM100 safety
function testing can be made available at Sendyne’s discretion under an NDA
(non-disclosure agreement)
Audits and certification
Sendyne has no plans to perform an external audit of the SIM100 to ISO 26262
or other standards. Documentation, including this manual can be made available
to support customer system audit and certification. Forward any request for an
independent audit to your sales contact.
Device operating states
Fig. 3 shows an overview of the operating states of SIM100. Refer to the
product datasheet and other documentation for details. 
Appendix
Proper connection to the target system
Connection to the IT power system
Connector J3 should connect to the higher potential conductor in the system.
J4 should connect to the lower. Connection to chassis
The SIM100 should connect through J1 at two separate chassis points. The
SIM100 relies on this type of connection to detect proper connection to the
chassis. If both leads from J1 are connected to the same point there is a
possibility of an undetected disconnection. Such an event will jeopardize the
SIM100 safety function.
Y-capacitance in un-earthed DC systems
The Y-capacitances in an IT DC system are the total capacitances that exist
between the high voltage conductors (+/-) and the chassis (or protected earth)
of that system. The values in a given system are the total of the parasitic
capacitances associated with the particular system design, including loads,
conductor routing, etc, as well as the physical Y-capacitor components
designed into such systems for EMI and converter noise suppression.
Presence of Y-capacitors
The SIM100 relies on the presence of the ubiquitous Y-capacitors in the
application system to perform its safety function, namely, to diagnose its
proper connections to the HV system. Absence of Y-capacitors with a minimum
value of 100 nF will flag a connection error and lead the SIM100 into the SAFE
state.
Figure 7:
Presence of Y-capacitors is a requirement for proper function of the SIM100.
The capacitors should be connected directly to the power lines. Connecting
them on the SIM100 board instead would impair the ability of the monitor to
detect disconnection from the monitored IT power lines.
Revision history
| Date | Revision | Changes |
|---|---|---|
| 11/15/2018 | 0.1 | Initial release |
| 1/17/2019 | 0.2 | Added image for proper connection of Y capacitors |
| 2/11/2019 | 0.2a | Added image for isolation monitoring in charging stations. |
Added assumed requirement for no other active isolation monitoring device in
the IT power
system
3/10/23| 0.3| Revised to encompass SIM100 family
Information contained in this publication regarding device applications and
the like, is provided only for your convenience and may be superseded by
updates. It is your responsibility to ensure that your application meets with
your specifications.
SENDYNE SENSATA TECHNOLOGIES MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY
KIND WHETHER EXPRESSED OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE,
RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION,
QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Sendyne
disclaims all liability arising from this in-formation and its use. Use of
Sendyne devices in life support and/or safety applications is entirely at the
buyer’s risk, and the buyer agrees to defend, indemni-fy and hold harmless
Sendyne from any and all damages, claims, suits, or expenses resulting from
such use. No licenses are conveyed, implicitly or otherwise, under any Sendyne
intellectual property rights.
DocIDAN1118 Rev 0.3
© 2023 Sendyne Sensata Technologies
Read User Manual Online (PDF format)
Read User Manual Online (PDF format) >>