Frederik Dostal from Analog Devices talks to PSD about functional safety.
Functional safety is an area that is growing in importance, not just for experts in the subject, but for all engineers. This was the main reason behind Frederik Dostal suggesting the subject for the TechTalk column this week. Explaining, he said, “We see customers in meetings that never spoke about functional safety preciously, now asking about updates. Almost every industrial customer is interested, just because everyone realizes that the subject is getting more relevant in all aspect of design. Previously, an Analog Devices’ safety expert would talk to a safety expert on our customer’s side, but a lot of regular engineers are finding out that they need to know, at least the basic concepts, behind functional safety. One of the main reasons for this interest is because of the growth of applications, such as factory automation. As these systems become more autonomous and work closer to humans, they must be extremely safe to protect equipment and users”.
Functional safety is protecting users from technology and vice versa. According to TÜV SÜD, a more technical definition of functional safety is, “Systems that lead to the freedom from unacceptable risk of injury or damage to the health of people by the proper implementation of one or more automatic protection functions (often called safety functions). A safety system consists of one or more safety functions.”
Together, these safety functions are implemented in the system in a way that they could be classified to a certain Safety Integrity Level (SIL), or Automotive SIL (ASIL) for the automotive industry. The safety functions are intended to reduce the risk of a specific hazard automatically and then take the process to a safe state when a condition is violated. These functional safe systems are based on IEC 61508, and there are different special cases for different equipment.
For the readership of PSD, the most relevant part of functional safety concerns the power supply. It is important to make sure that the power supply is within its specification, as if it's too high, it could damage the system, and if too low, the system might not work correctly. Included in the specification the IEC 61508, there is a requirement to monitor the power supply. For that purpose a supervisory IC is normally used, which can help detect anomalies, such as under-voltage or over-voltage. It can include a windowed watchdog to monitor the digital communications to and from a microcontroller to ensure it is working and operating correctly, as well as discovering non-latched outputs. It can also perform on chip diagnostics, to ensure the supervisory circuit is always safe and reliable with glitch-free operation. Different applications need different levels of safety and supervision. For example, Analog Devices has a functional safety portfolio that the company splits into four categories.
Dostal describes the four categories, “The one with the least protection is functional safe FS-Enabled. It is implemented at a system level. We provide a safety application note which shows data that includes reliability predictions and failure mode distribution. It gives information that allows customers to develop a functional safe system. The next category up is the FS-Evaluated category, which is also on a system level. Here, safety is enabled and also evaluated. We provide the same safety data sheet to serve as a manual for non compliant products. The third category is FS-Compliance, which shows compliance at a device level, and not just how a system using that device could be functional safe. In this category, we have a functional safety process in accordance with the IEC 61508, which includes a safety manual as required in IEC 601508-2. The final or highest safety category is the FS-certified. It is also compliant at a device level, with a complete certification for the part undertaken by a known functional safety assessor, such as TÜV NORD.”
To give an example of a product in the highest level FS-Certified category, Dostal chooses the recently introduced MAX42500 IC - a 4 to 7-input voltage industrial power system monitor. It has been certified by TÜV NORD at SIL3 to IEC 61508. He expands, “To reach that level of safety, we implemented many features. For example, under-voltage and over-voltage threshold accuracy needs to be very accurate and precise over a wide temperature range for industrial applications. The I2C interface provides a watchdog function that allows the microcontroller to communicate with the supervisory, and if a fault state is detected, take action, such as perform a safety compliant reset. Power sequencing recording is done to ensure that the sequencing actually went correctly when the device starts. And then there is a simple or challenge response windowed watchdog that looks at the digital signals to ensure the system communications are correct. We’ve also included fault recording and built-in self-test. You could build functional safe systems with a legacy supervisory IC, but then you might have to use redundancy to ensure that the monitoring of your system is always accurate. Using a device that is SIL3 certified with built-in self-test, makes things a lot easier, and it saves components and space on the board”.
