AN1118
Safety Manual for Sendyne SIM100 Isolation Monitors
This document describes how to use the Sendyne SIM100 family of isolation monitors in safety-related systems.
Introduction
The system and equipment manufacturer or designer intending to use this product is responsible to ensure that their system incorporating Sendyne’s SIM100 meet all applicable safety, regulatory and system level performance requirements. All information presented in this document is for reference only. Users understand and agree that their use of SIM100 in safety-critical applications is entirely at their risk, and that user (as buyer) agrees to defend, indemnify, and hold harmless Sendyne from any and all damages, claims, suits, or expense resulting from such use.
This safety manual provides information to assist system developers in creating safety-related systems incorporating the Sendyne SIM100 isolation monitoring device. This document contains:
- Overview of the SIM100 architecture
- Overview of the safety architecture for management of hardware failures
- Assumptions of Use
Sendyne assumes that the user of this document has a general familiarity of the SIM100. This document is intended to be used in conjunction with the relevant datasheet and application notes.
Sendyne SIM100 overview
The SIM100 is an electrically isolated device that when connected properly to an idle or active high voltage IT power system (floating ground) can estimate the resistive and capacitive paths between each power rail of the IT system and a third reference point. The SIM100 can communicate through CAN bus (250 or 500 kbits/s) and when interrogated by a host it can provide estimates on the values of each resistive and capacitive path. The SIM100, based on information programmed by the host for the designed maximum voltage of the IT power system, will calculate a value for the minimum resistance path between the two IT power system rails and the third voltage reference point, expressed in Ohms/Volt (max designed voltage). In addition, it will estimate the total energy that can be potentially stored in the IT power system capacitances. If the CAN bus host fails to provide information on the maximum IT power system voltage, the SIM100 will calculate these values based on the maximum voltage observed during its operation.
The SIM100 power input accepts any supply voltage between 4.8 V and 53 V. The input voltage is pre-regulated and then stepped down through a DC/DC converter feeding through galvanically isolated inputs the +5 V IC supply and the 12.5 V excitation voltage source supply.
The SIM100 safety architecture includes a watchdog timer, CRC check on internal non-volatile program memory, diagnostics for proper connections of chassis and IT power system terminals, monitoring of the unregulated power supply voltage level for the main IC before local voltage regulator (LDO), environment temperature monitoring and excitation pulse voltage monitoring. In addition, the SIM100 safety architecture monitors the voltage divider values for chassis, positive and negative voltage connections and provides a visual heartbeat signal indicating proper IC operation.
All estimates of isolation resistances and capacitances are submitted along with an uncertainty percentage value. This value defines the interval within which the actual value lies with a probability of 95%.
Safety functions and diagnostics overview
The SIM100 is intended for use in automotive and industrial safety-relevant applications. All components used are automotive rated.
Hardware
The following list of monitoring functions are implemented in the SIM100.
- VU, SUPPLY monitor
- VX, SUPPLY monitor
- VX1 connection monitor
- VX2 connection monitor
- VX1 voltage divider ratio monitor
- VX2 voltage divider ratio monitor
- VCH1 and VCH2 connections monitor
- VX_CH voltage divider ratio monitor
- VX_CH Excitation Voltage Source voltage value monitor
- VX_THR environment temperature monitor
Upon diagnosing a hardware error, the SIM100 will set the appropriate flags and enter a SAFE state.
Software
On the RESET state the SIM100 performs CRC check on the non-volatile memory. During active operation a watchdog timer ensures proper program flow. In addition, every estimate on the isolation state of the monitored IT power system is accompanied by the uncertainty value of this estimate.
Target applications
The Sendyne SIM100 has been designed to be used as an element for the isolation safety system in applications such as:
- Automotive
- Charging stations
- Industrial high voltage ungrounded systems
Fig. 2 and Fig. 3 show the boundary diagram for the SIM100 as a SEooC (Safety Element out of Context) in two different applications.
Assumptions
The following table lists the assumptions made for safe employment of the SIM100 is a safety critical system.
| ID | Type | Assumed Requirement |
| AR01 | Assumed Requirement | The SEooC is defined as the SIM100 playing a role as an isolation monitoring element as shown in Fig. 2 and Fig. 3 |
| AR02 | Assumed Requirement | Thermal environment is between -40 o C and +105 o C (Temperature range is limited by connector thermal specifications. |
| AR03 | Assumed Requirement | The IT Power System voltage monitored by the SIM100 will vary between 15 V and its maximum operational voltage – see SIM100 datasheet |
| AR04 | Assumed Requirement | The IT Power System is connected to chassis through Y-Capacitors of at least 100 nF on each side of the power supply |
| AR05 | Assumed Requirement | The SIM100 is supplied with proper power according to the specifications of the relevant SIM100 datasheet |
| AR06 | Assumed Requirement | No other isolation monitoring device is active in the monitored system |
Table 1: Assumed Requirements for SIM100 as a SEooC
Custom development
The SIM100 has been developed as a safety element out of context and is offered as a commercial off-the-shelf product. Safety requirements used were based on Sendyne’s understanding of the safety requirements of potential applications.
Safety documentation
Verification and validation of the SIM100 safety features was performed through testing and computer simulation. Results of SIM100 testing following guidelines of different standards as well as the model used for SIM100 safety function testing can be made available at Sendyne’s discretion under an NDA (non-disclosure agreement)
Audits and certification
Sendyne has no plans to perform an external audit of the SIM100 to ISO 26262 or other standards. Documentation, including this manual can be made available to support customer system audit and certification. Forward any request for an independent audit to your sales contact.
Device operating states
Fig. 3 shows an overview of the operating states of SIM100. Refer to the product datasheet and other documentation for details. 
Appendix
Proper connection to the target system
Connection to the IT power system
Connector J3 should connect to the higher potential conductor in the system. J4 should connect to the lower.
Connection to chassis
The SIM100 should connect through J1 at two separate chassis points. The SIM100 relies on this type of connection to detect proper connection to the chassis. If both leads from J1 are connected to the same point there is a possibility of an undetected disconnection. Such an event will jeopardize the SIM100 safety function.
Y-capacitance in un-earthed DC systems
The Y-capacitances in an IT DC system are the total capacitances that exist between the high voltage conductors (+/-) and the chassis (or protected earth) of that system. The values in a given system are the total of the parasitic capacitances associated with the particular system design, including loads, conductor routing, etc, as well as the physical Y-capacitor components designed into such systems for EMI and converter noise suppression.
Presence of Y-capacitors
The SIM100 relies on the presence of the ubiquitous Y-capacitors in the application system to perform its safety function, namely, to diagnose its proper connections to the HV system. Absence of Y-capacitors with a minimum value of 100 nF will flag a connection error and lead the SIM100 into the SAFE state.
Figure 7: Presence of Y-capacitors is a requirement for proper function of the SIM100. The capacitors should be connected directly to the power lines. Connecting them on the SIM100 board instead would impair the ability of the monitor to detect disconnection from the monitored IT power lines.
Revision history
| Date | Revision | Changes |
| 11/15/2018 | 0.1 | Initial release |
| 1/17/2019 | 0.2 | Added image for proper connection of Y capacitors |
| 2/11/2019 | 0.2a | Added image for isolation monitoring in charging stations. Added assumed requirement for no other active isolation monitoring device in the IT power system |
| 3/10/23 | 0.3 | Revised to encompass SIM100 family |
Information contained in this publication regarding device applications and the like, is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications.
SENDYNE SENSATA TECHNOLOGIES MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESSED OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Sendyne disclaims all liability arising from this in-formation and its use. Use of Sendyne devices in life support and/or safety applications is entirely at the buyer’s risk, and the buyer agrees to defend, indemni-fy and hold harmless Sendyne from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Sendyne intellectual property rights.
DocIDAN1118 Rev 0.3
© 2023 Sendyne Sensata Technologies
Documents / Resources
 |
Sendyne SIM100 Isolation Monitors [pdf] User Manual SIM100 Isolation Monitors, SIM100, Isolation Monitors, Monitors |
