Restructure doc tree, factor out safety controller stuff

Signed-off-by: Michael Heimpold <michael.heimpold@chargebyte.com>

Author: mhei

docs/source/everest_bsp.rst

@@ -0,0 +1,14 @@
+.. _everest_bsp.rst:
+
+EVerest Board Support Package Module
+------------------------------------
+
+chargebyte developed a comprehensive hardware abstraction module (HAL, or also called BSP module - board support package)
+for EVerest charging stack to support the Charge SOM platform. The module is called ``CbChargeSOMDriver`` and is
+available in chargebyte's public EVerest repository as open-source code:
+https://github.com/chargebyte/everest-chargebyte/tree/main/modules/CbChargeSOMDriver
+
+This module already implements the required communication protocol to interact with the safety controller.
+
+All Charge SOM boards ship with a Linux system preinstalled on eMMC, which also includes EVerest, the mentioned
+BSP module and example configuration files.

docs/source/firmware.rst

@@ -4,7 +4,7 @@
 
 
 Partitioning
--------------
+------------
 
 The internal eMMC storage of a chargebyte device is divided into several partitions to support two independent systems: system A and system B. This setup enables firmware updates to run in the background while the device continues normal charging operations. Once the update is complete, the system can switch to the updated version with a reboot of the device. Additionally, this approach supports a rollback mechanism in case of update failures. In other words, during a firmware update, the active root file system switches from A to B (or vice versa), leaving the other partition available for rollback if needed.
 

docs/source/getting_started.rst

@@ -30,9 +30,9 @@ Hardware Overview
 The following figure shows the basic setup of the DC charger with the Charge SOM Evaluation Kit:
 
 .. figure:: _static/images/dc_charger_charge_som_setup.svg
-    :width: 900pt
+   :width: 900pt
 
-    Figure: Basic Setup of the DC charger with the Charge SOM
+   Basic Setup of the DC charger with the Charge SOM
 
 .. note::
    The pin assignment of the Charge SOM Evaluation Kit can be found in the datasheet.
@@ -128,10 +128,10 @@ other over the interfaces. The following figure illustrates how the EVerest modu
 to each other:
 
 .. figure:: _static/images/admin_panel_bsp_only.png
-    :width: 600pt
-    :name: admin_panel_bsp_only
+   :width: 600pt
+   :name: admin_panel_bsp_only
 
-    Figure: EVerest admin panel view of the bsp-only-dc.yaml configuration
+   EVerest admin panel view of the bsp-only-dc.yaml configuration
 
 However, not all configuration parameters of the modules are shown here. Only the configuration
 parameters that do not match the default configuration of the respective module need

docs/source/hardware.rst

@@ -1,4 +1,4 @@
-.. hardware.rst:
+.. _hardware.rst:
 
 ########
 Hardware
@@ -13,9 +13,9 @@ Wiring Overview
 ***************
 
 .. figure:: _static/images/charge_som_hw_wiring_diagram.svg
-    :width: 1000pt
+   :width: 1000pt
 
-    Figure: Wiring Overview Diagram for Charge SOM EVB
+   Wiring Overview Diagram for Charge SOM EVB
 
 This wiring diagram shows an overview of all components which are required at minimum
 to build a DC charging station:
@@ -43,9 +43,9 @@ The X19 connector provides signals to switch the high-voltage contactors,
 but also for the corresponding feedback signals to detect contactor welding.
 
 .. figure:: _static/images/charge_som_contactor_wiring.drawio.svg
-    :width: 1000pt
+   :width: 1000pt
 
-    Figure: Recommended Contactor Wiring
+   Recommended Contactor Wiring
 
 .. note::
    The precharge contactor might not be necessary in your setup.
@@ -63,171 +63,16 @@ via RS-485 bus to provide the insulation resistance values which are required
 by EVerest's IMD interface.
 
 .. figure:: _static/images/charge_som_wiring_bender_imd.drawio.svg
-    :width: 1000pt
+   :width: 1000pt
 
-    Figure: Wiring for Bender's IMD to Charge SOM EVB
+   Wiring for Bender's IMD to Charge SOM EVB
 
 
-*****************
-Safety Controller
-*****************
-
-Overview
-========
-
-The Charge SOM platform is equipped with an additional MCU (aka Safety Controller) which is responsible for
-managing all low-level aspects which are critical for electrical safety. The firmware for this MCU is
-developed by chargebyte and is not open-source. The Charge SOM boards ship with the safety controller firmware
-preinstalled.
-
-The host controller firmware, e.g. the Linux system, communicates with the safety controller using an UART.
-On Linux side, this is UART interface ``/dev/ttyLP2``. The communication with the safety controller firmware
-over this UART requires a proprietary protocol, see the following chapter. The required UART settings are listed
-in the following table.
-
-+-----------------+-------------+
-| Setting         | Value       |
-+=================+=============+
-| Linux Interface | /dev/ttyLP2 |
-+-----------------+-------------+
-| Baudrate        | 115200      |
-+-----------------+-------------+
-| Databits        | 8           |
-+-----------------+-------------+
-| Parity          | none        |
-+-----------------+-------------+
-| Stopbits        | 1           |
-+-----------------+-------------+
-
-System Architecture
-===================
-.. figure:: _static/images/system_architecture.svg
-    :width: 1000pt
-
-    Figure: Simplified system architecture for the safety controller on the chargeSOM
-
-The safety controller manages the Control Pilot (CP) line, acting as a critical interface for monitoring and controlling the high-voltage (HV) system in accordance with EV safety standards. Its core function is to **enforce safe operating states** based on system diagnostics and environmental conditions.
-
-Fault Detection & Safety Response
----------------------------------
-
-When an error is detected—such as a fault in the system, a triggered emergency input, or a thermal violation—the controller transitions to **State F**, a fail-safe state that prevents further system operation to protect both the hardware and the user.
-
-HV Ready Enablement
--------------------
-
-The controller verifies that **no system errors are present** and that the CP line is in **State C**. Only under these safe conditions does it enable the HV Ready signal, which may be used to energize the HV interlock or permit charging/operation.
-
-Emergency  Inputs
-----------------------------------
-
-The simplified system architecture shows only one emergency input. In the real system, there are 3 independent emergency input signals available: SAFETY_ESTOP1, SAFETY_ESTOP2 and SAFETY_ESTOP3. The inputs are active low. This means an emergency stop needs to pull the input to Gnd. The emergency inputs can be parameterized out.
-
-
-Temperature Monitoring
-----------------------------------
-
-The simplified system architecture shows only one temperature input. In the real system, there are 4 independent temperature measurement circuits for PT1000 sensors. The safety software monitors the temperature circuit for hardware errors and for overtemperaure. The temperature threshold can be parameterized.
-
-HV Connector Control
---------------------
-
-If State C is confirmed and all safety criteria are met, the controller is also capable of closing HV connectors to complete the high-voltage path. Therefore it enables the 2 connectors SAFETY_HVSW1_HS and SAFETY_HVSW2_HS under the condition that State C is detected, the system is HV-ready and the host processor commands to close the contactors. 
-
-
-Reset Behaviour and Controller states
-=====================================
-The safety controller starts in an initialization state, to give the peripherals time to reach an defined state. It leaves the initialization state to a running state, after the reception of the first UART message from the host. Only periodic messages leaves the init state. With the reception of inquiriy messages, the safety controller stays in initialization. This gives the option to fetch version information in an init state. In running state, it monitors the peripherals and sends out UART messages. If any error occurs, the system goes into safe state. This state can only be left by a reset.
-
-.. figure:: _static/images/safety_controller_states.svg
-    :width: 1000pt
-
-
-
-Safety Controller Communication Protocol
-========================================
-
-Packet format descriptions
---------------------------
-
-Data packet format
-
-Data packets contain payload and can be sent out from host to safety controller or vice versa. Data packets from safety controller to host can be transmitted periodically or by request via an inquiry packet. Only one inquiry packet can be requested before requesting the next one.
-
-+--------+--------+--------+-------------------+
-| Symbol | Size   | Code   | Description       |
-+========+========+========+===================+
-| SOF    | 1 byte | 0xA5   | Start of frame    |
-+--------+--------+--------+-------------------+
-| ID     | 1 byte |        | Packet Identifier |
-+--------+--------+--------+-------------------+
-| Data   | 8 byte |        | Payload           |
-+--------+--------+--------+-------------------+
-| CRC    | 1 byte |        | CRC checksum      |
-+--------+--------+--------+-------------------+
-| EOF    | 1 byte | 0x03   | End of frame      |
-+--------+--------+--------+-------------------+
-
-
-Packet Identifier (ID)
-----------------------
-
-The values of the packet identifier (PacketId) are mapped to the messages as summarized below.
-
-+----------+---------------------------+---------------------+-------------------------------------------------------------+----------------------+
-| PacketId | Description               | Communication Dir.  | Periodicity                                                 | Triggered by Inquiry |
-+==========+===========================+=====================+=============================================================+======================+
-| 0x06     | Charge Control            | Host → Safety       | periodically, every 100ms OR immediately if changes occur   | No                   |
-+----------+---------------------------+---------------------+-------------------------------------------------------------+----------------------+
-| 0x07     | Charge State              | Safety → Host       | periodically, every 100ms                                   | No                   |
-+----------+---------------------------+---------------------+-------------------------------------------------------------+----------------------+
-| 0x08     | PT1000 State              | Safety → Host       | periodically, every 100ms                                   | No                   |
-+----------+---------------------------+---------------------+-------------------------------------------------------------+----------------------+
-| 0x0A     | Firmware Version          | Safety → Host       | no, only upon request via inquiry packet                    | Yes                  |
-+----------+---------------------------+---------------------+-------------------------------------------------------------+----------------------+
-| 0x0B     | GIT Hash                  | Safety → Host       | no, only upon request via inquiry packet                    | Yes                  |
-+----------+---------------------------+---------------------+-------------------------------------------------------------+----------------------+
-| 0xFF     | Inquiry packet            | Host → Safety       | no, only to trigger inquiries                               | No                   |
-+----------+---------------------------+---------------------+-------------------------------------------------------------+----------------------+
-
-CRC checksum field
-------------------
-
-The checksum is defined over:
-
-::
-
-    Width       = 8
-    Poly        = 0x1d
-    XorIn       = 0xff
-    ReflectIn   = False
-    XorOut      = 0xff
-    ReflectOut  = False
-    Algorithm   = table-driven
-    Name        = CRC8 SAE J1850
-
-.. include:: safety_protocol.rst
-
-
-************************************
-EVerest Board Support Package Module
-************************************
-
-chargebyte developed a comprehensive hardware abstraction module (HAL, or also called BSP module - board support package)
-for EVerest charging stack to support the Charge SOM platform. The module is called ``CbChargeSOMDriver`` and is
-available in chargebyte's public EVerest repository as open-source code:
-https://github.com/chargebyte/everest-chargebyte/tree/main/modules/CbChargeSOMDriver
-
-This module already implements the required communication protocol to interact with the safety controller.
-
-All Charge SOM boards ship with a Linux system preinstalled on eMMC, which also includes EVerest, the mentioned
-BSP module and example configuration files.
-
 **************
-I2C interfaces
+I²C Interfaces
 **************
 
-The i.MX93 on the Charge SOM provides several I2C interfaces:
+The i.MX93 on the Charge SOM provides several I²C interfaces:
 
 +----------+------------+-------------------------------------+-----------------+
 | Hardware | Linux      | Usage                               | Clock frequency |

docs/source/index.rst

@@ -22,6 +22,7 @@ Charge SOM Evaluation Kit.
    getting_started
    peripheral_compat_list
    hardware
+   safety_controller
    firmware
    everest_charging_stack
    cb_energy

docs/source/safety_controller.rst

@@ -0,0 +1,104 @@
+.. _safety_controller.rst:
+
+Safety Controller
+=================
+
+
+Overview
+--------
+
+The Charge SOM platform is equipped with an additional MCU (aka Safety Controller) which is responsible for
+managing all low-level aspects which are critical for electrical safety. The firmware for this MCU is
+developed by chargebyte and is not open-source. The Charge SOM boards ship with the safety controller firmware
+preinstalled.
+
+The host controller firmware, e.g. the Linux system, communicates with the safety controller using an UART.
+On Linux side, this is UART interface ``/dev/ttyLP2``. The communication with the safety controller firmware
+over this UART requires a proprietary protocol, see the following chapter. The required UART settings are listed
+in the following table.
+
++-----------------+-------------+
+| Setting         | Value       |
++=================+=============+
+| Linux Interface | /dev/ttyLP2 |
++-----------------+-------------+
+| Baudrate        | 115200      |
++-----------------+-------------+
+| Databits        | 8           |
++-----------------+-------------+
+| Parity          | none        |
++-----------------+-------------+
+| Stopbits        | 1           |
++-----------------+-------------+
+
+
+System Architecture
+-------------------
+
+.. figure:: _static/images/system_architecture.svg
+   :width: 1000pt
+
+   Simplified System Architecture for the Safety Controller on the Charge SOM platform
+
+The safety controller manages the Control Pilot (CP) line, acting as a critical interface for monitoring and
+controlling the high-voltage (HV) system in accordance with EV safety standards.
+Its core function is to **enforce safe operating states** based on system diagnostics and environmental conditions.
+
+
+Fault Detection & Safety Response
+---------------------------------
+
+When an error is detected — such as a fault in the system, a triggered emergency input, or a thermal violation — the
+controller transitions to **State F**, a fail-safe state that prevents further system operation to protect both
+the hardware and the user.
+
+
+HV Ready Enablement
+-------------------
+
+The controller verifies that **no system errors are present** and that the CP line is in **State C**.
+Only under these safe conditions it does enable the HV Ready signal, which may be used to energize the HV interlock or
+permit charging/operation.
+
+
+Emergency Inputs
+----------------
+
+The simplified system architecture shows only one emergency input. In the real system, there are 3 independent
+emergency input signals available: SAFETY_ESTOP1, SAFETY_ESTOP2 and SAFETY_ESTOP3.
+The inputs are active low. This means an emergency stop needs to pull the input to Gnd.
+The emergency inputs can be parameterized out.
+
+
+Temperature Monitoring
+----------------------
+
+The simplified system architecture shows only one temperature input. In the real system, there are 4 independent
+temperature measurement circuits for PT1000 sensors. The safety software monitors the temperature circuit for
+hardware errors and for overtemperaure. The temperature threshold can be parameterized.
+
+
+HV Contactor Control
+--------------------
+
+If State C is confirmed and all safety criteria are met, the controller is also capable of closing HV connectors
+to complete the high-voltage path. Therefore it enables the 2 connectors SAFETY_HVSW1_HS and SAFETY_HVSW2_HS under
+the condition that State C is detected, the system is HV-ready and the host processor commands to close the contactors.
+
+
+Reset Behaviour and Controller States
+-------------------------------------
+
+The safety controller starts in an initialization state, to give the peripherals time to reach a defined state.
+It leaves the initialization state to a running state, after the reception of the first UART message from the host.
+Only periodic messages leave the init state. With the reception of inquiry messages, the safety controller stays in
+initialization. This gives the option to fetch version information in the init state. In running state, it monitors the
+peripherals and sends out UART messages. If any error occurs, the system goes into safe state.
+This state can only be left by a reset.
+
+.. figure:: _static/images/safety_controller_states.svg
+   :width: 1000pt
+
+.. include:: safety_controller_uart.rst
+
+.. include:: everest_bsp.rst