QUESTION:
How can we use high performance supervisory circuits to improve compliance with industrial functional safety?
Answer:
Through their integrated safety features, high performance voltage supervisors help systems comply with the IEC 61508 functional safety standard by improving the system's performance against the standard's requirements for quantitative reliability, architectural constraints, and systematic safety integrity.
Introduction
Compliance with functional safety standards is usually considered in safety-critical applications across various industries [1] where failures can harm people, property, and the environment. Product designers certify their designs to functional safety standards to give customers confidence in using their products, to sell into countries with safety regulations, and to lead the functional safety market. This article highlights the value of high performance supervisory circuits [2] in enhancing compliance with functional safety standards such as IEC 61508 [3]. It is the first in a series discussing industrial functional safety compliance in relation to these circuits.
Understanding the Functional Safety Standards
The IEC 61508 standard [3], Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, provides the overall requirements for the specification, design, and operation of all types of E/E/PE safety-related systems (SRS). It applies across industries and serves as the basis for several sector-specific standards, such as IEC 61511 [4] in the process industry, IEC 62061 [5] in machinery, IEC 61513 [6] in nuclear power, ISO 26262 [7] in automotive, IEC 62279 [8] in railway transport, IEC 62304 [9] in medical devices [10], and others, as illustrated in Figure 1.
While a sector-specific standard always takes precedence over IEC 61508, it typically requires that the components used in the SRS demonstrate their own compliance with functional safety standards. This can be achieved by developing components according to a sector-specific standard such as ISO 26262 [7], by using a proven-in-use argument [3], by following the basic safety standard IEC 61508 (as IEC 61511 allows [11]), or by using standard components with additional architectural mitigations.
What Is a Safety Instrumented System?
IEC 61508's E/E/PE SRS is called a safety instrumented system (SIS) in the process industry sector, a safety-related electrical control system (SRECS) in machinery, and an instrumentation and control (I&C) system in the nuclear power industry. In this article, the term SIS is used to cover all of these systems [11].
Figure 2 illustrates a typical SIS, which includes at least one safety instrumented function (SIF). IEC 61508 uses the term safety function; for the purpose of this discussion, SIF will be used. A SIF consists of an input subsystem, a logic solver subsystem, and a final element subsystem, all aimed at placing the equipment under control (EUC) into a safe state when a demand occurs. The EUC is the system being protected by the SIS. Figure 3 shows a typical block diagram of a SIF with examples of each subsystem. The input subsystem, consisting of at least one sensor, monitors the EUC, detects a hazardous condition or failure, and sends a signal to the logic solver. The logic solver processes the received signals and decides on the next step, which may be to command the final element to place the EUC into a safe state through actuating devices such as circuit breakers, relays, or shutdown valves [11].
Supervisory circuits [2] are useful in SISs. They can serve in an input subsystem to detect abnormalities, in a logic solver subsystem to monitor the power supply or other microcontroller functions and flag failures, or as the SIF itself, bringing the system to a safe state through a reset signal, as shown in Figure 3.
How High Performance Supervisory Circuits Enable Compliance with Industrial Functional Safety
Compliance with IEC 61508 is quantified through the safety integrity level (SIL). A SIL is assigned to each SIF and denotes how well the SIF manages the risk. IEC 61508 specifies four levels, SIL 1 to SIL 4, with SIL 4 the most reliable. Typically, a hazard analysis and risk assessment is first performed to identify the required safety functions and the risk-reduction factor each must provide, and hence the SIL rating needed. One method is the risk-matrix calibration shown in Process Safebook 1 [12].
Each SIL carries requirements shaped by three factors [3, 11, 13]: quantitative reliability requirements, architectural constraints, and systematic safety integrity. For each factor, the following subsections show how supervisors help achieve IEC 61508 compliance through their diagnostic capabilities.
Quantitative Reliability Requirements
Table 1 summarizes the safety integrity requirements of IEC 61508-1 section 7.6.2.9, which specifies the SIL with respect to the target failure measure of a SIF. PFDavg is the average probability of dangerous failure on demand of the safety function for low demand mode of operation. PFH is the average frequency of dangerous failure of the safety function per hour for high demand or continuous mode of operation.
Safety Integrity Level (SIL) | Low Demand Mode of Operation (PFDavg) | High Demand or Continuous Mode of Operation (PFH, per hour) |
SIL 4 | ≥10^-5 to <10^-4 | ≥10^-9 to <10^-8 |
SIL 3 | ≥10^-4 to <10^-3 | ≥10^-8 to <10^-7 |
SIL 2 | ≥10^-3 to <10^-2 | ≥10^-7 to <10^-6 |
SIL 1 | ≥10^-2 to <10^-1 | ≥10^-6 to <10^-5 |
Among the factors affecting the average probability of dangerous random hardware failure are the diagnostic coverage, the diagnostic test interval, and the dangerous undetected failure rate, denoted λDU [3, 14, 15]. Dangerous undetected failures are those that the system's diagnostics cannot detect and that can only be revealed by a proof test, as shown in Figure 4. This is where supervisory circuits come into play: acting as diagnostic measures, they detect dangerous failures that would otherwise go unnoticed until the next proof test, converting dangerous undetected failures into dangerous detected ones and thereby reducing λDU and the probability of failure on demand.
Architectural Constraints
Aside from the quantified reliability requirements, IEC 61508 imposes requirements on the robustness and structure of the SIS. These architectural constraints add to what the designer must consider when choosing the hardware architecture. Under IEC 61508-2 section 7.4.4, one route to demonstrating compliance with a SIL is Route 1H, which is based on the hardware fault tolerance (HFT) and safe failure fraction (SFF) concepts.
Architectural constraints depend on the complexity and type of an element. A Type A element, or simple component, has well-defined failure modes, fully determined behavior under fault conditions, and sufficient dependable field failure data to support its claimed dangerous failure rates. An element that does not meet all of these criteria is a Type B element, or complex component.
Table 2 shows the requirements for a Type B element, which covers electronic systems such as integrated circuits. SFF is the fraction of an element's failures that are either safe or detected dangerous failures, whereas an HFT of N means that N+1 is the minimum number of faults that could cause a loss of the safety function; any HFT above 0 therefore requires redundancy. Thus, with an HFT of 0 a single failure can cause loss of the safety function, whereas with an HFT of 1 two failures are needed.
Safe Failure Fraction | HFT = 0 | HFT = 1 | HFT = 2 |
< 60% | Not allowed | SIL 1 | SIL 2 |
60% to < 90% | SIL 1 | SIL 2 | SIL 3 |
90% to < 99% | SIL 2 | SIL 3 | SIL 4 |
≥ 99% | SIL 3 | SIL 4 | SIL 4 |
Mathematically, SFF can be expressed as:
Another term called the diagnostic coverage can be expressed as:
where λ is a failure rate and the subscripts SD, SU, DD, and DU denote safe detected, safe undetected, dangerous detected, and dangerous undetected failures, respectively, as seen in Figure 4.
Diagnostic coverage measures how well the diagnostic measures of a SIS reveal dangerous failures. It affects the quantified reliability of the system, as previously discussed, and is related to the SFF as seen in equations 1 and 2. IEC 61508-2 Annex A also provides a way to determine the maximum diagnostic coverage that can be claimed for the different techniques and measures used to detect random hardware failures.
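To make the relationships in the two preceding subsections concrete, the following is an added example in C, not code from the article or from Analog Devices. It uses the standard IEC 61508-2 Annex C definitions of SFF and diagnostic coverage (which equations 1 and 2 express), the simplified IEC 61508-6 PFDavg expression for a single 1oo1 element, and the SIL bands of Table 1 and Table 2 to show how adding a diagnostic such as a UV/OV supervisor moves failures from λDU to λDD and raises the SIL the element can claim. The failure rates, proof-test interval, MTTR, and the 90% coverage figure are constructed for illustration; a real FMEDA would also include the supervisor's own failure rates.

```c
#include <stdio.h>

/* Failure-rate breakdown of one element in failures per hour (1 FIT = 1e-9/h).
   The four classes are the ones in the article's Figure 4. */
typedef struct {
    double sd;  /* safe detected */
    double su;  /* safe undetected */
    double dd;  /* dangerous detected */
    double du;  /* dangerous undetected */
} rates_t;

double fit(double f) { return f * 1e-9; }

/* Safe failure fraction (IEC 61508-2 Annex C): share of all failures that are
   either safe or dangerous-but-detected. */
double sff(const rates_t *r) {
    return (r->sd + r->su + r->dd) / (r->sd + r->su + r->dd + r->du);
}

/* Diagnostic coverage: share of dangerous failures the diagnostics reveal. */
double diagnostic_coverage(const rates_t *r) {
    return r->dd / (r->dd + r->du);
}

/* Model adding a diagnostic (e.g. a UV/OV supervisor) with coverage dc to an
   element: the dangerous failure rate is unchanged, but a fraction dc of it
   moves from lambda_DU to lambda_DD. */
rates_t with_diagnostic(rates_t r, double dc) {
    double d = r.dd + r.du;
    r.dd = dc * d;
    r.du = (1.0 - dc) * d;
    return r;
}

/* PFDavg of a single (1oo1) element in low-demand mode, using the simplified
   IEC 61508-6 expression with mean repair time taken equal to MTTR: undetected
   dangerous failures persist on average half a proof-test interval plus the
   repair time; detected ones persist only for the repair time. */
double pfd_avg_1oo1(const rates_t *r, double t_proof_h, double mttr_h) {
    return r->du * (t_proof_h / 2.0 + mttr_h) + r->dd * mttr_h;
}

/* SIL band for a PFDavg (low-demand column of Table 1 above).
   Returns 0 when the value is worse than SIL 1. */
int sil_from_pfd(double pfd) {
    if (pfd < 1e-4) return 4;
    if (pfd < 1e-3) return 3;
    if (pfd < 1e-2) return 2;
    if (pfd < 1e-1) return 1;
    return 0;
}

/* Maximum SIL permitted by the Route 1H architectural constraints for a Type B
   element (Table 2 above), given its SFF and HFT. 0 means not allowed. */
int sil_route_1h_type_b(double sff_value, int hft) {
    static const int table[4][3] = {
        {0, 1, 2},  /* SFF < 60%        */
        {1, 2, 3},  /* 60% <= SFF < 90% */
        {2, 3, 4},  /* 90% <= SFF < 99% */
        {3, 4, 4},  /* SFF >= 99%       */
    };
    int row = sff_value >= 0.99 ? 3 : sff_value >= 0.90 ? 2 : sff_value >= 0.60 ? 1 : 0;
    if (hft < 0) hft = 0;
    if (hft > 2) hft = 2;
    return table[row][hft];
}

/* The SIL that can be claimed is limited by both the reliability target and
   the architectural constraints, so take the lower of the two. */
int sil_claimable(const rates_t *r, int hft, double t_proof_h, double mttr_h) {
    int by_pfd = sil_from_pfd(pfd_avg_1oo1(r, t_proof_h, mttr_h));
    int by_arch = sil_route_1h_type_b(sff(r), hft);
    return by_pfd < by_arch ? by_pfd : by_arch;
}

/* Tolerance compare without <math.h>, so the file links without -lm. */
int approx_equal(double a, double b, double tol) {
    double d = a - b;
    if (d < 0) d = -d;
    return d <= tol;
}

int main(void) {
    /* Constructed element: 200 FIT safe (all undetected), 100 FIT dangerous,
       none of it detected without a supervisor. Annual proof test, 8 h MTTR. */
    rates_t bare = { 0.0, fit(200), 0.0, fit(100) };
    rates_t supervised = with_diagnostic(bare, 0.90);   /* supervisor with DC = 90% */
    const double T1 = 8760.0, MTTR = 8.0;
    printf("bare:       SFF=%.1f%% DC=%.0f%% PFDavg=%.2e -> claimable SIL %d at HFT 0\n",
           100 * sff(&bare), 100 * diagnostic_coverage(&bare),
           pfd_avg_1oo1(&bare, T1, MTTR), sil_claimable(&bare, 0, T1, MTTR));
    printf("supervised: SFF=%.1f%% DC=%.0f%% PFDavg=%.2e -> claimable SIL %d at HFT 0\n",
           100 * sff(&supervised), 100 * diagnostic_coverage(&supervised),
           pfd_avg_1oo1(&supervised, T1, MTTR), sil_claimable(&supervised, 0, T1, MTTR));
    return 0;
}
```

The bare element lands in the SIL 3 band by PFDavg but is held to SIL 1 at HFT 0 by its 66.7% SFF; with a 90% coverage diagnostic it reaches the SIL 4 band by PFDavg and SIL 2 architecturally, so the claimable SIL rises from 1 to 2 without adding redundancy. The same functions also show that SFF and diagnostic coverage are not interchangeable: an element with a high safe failure rate can have a respectable SFF while its diagnostic coverage, and therefore its λDU, is unchanged.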
Table 3 shows the diagnostic coverage classification and its designation.
Diagnostic Coverage | Designation |
< 60% | None |
60% to < 90% | Low |
90% to < 99% | Medium |
≥ 99% | High |
Table 4 shows a section of IEC 61508-2 Annex A Table A.1, which specifies the faults or failures to be assumed when quantifying the effect of random hardware failures or when deriving the SFF. Note that the diagnostic coverage fault model must be addressed to claim medium or high diagnostic coverage. This fault model includes failure modes such as stuck-at faults, stuck-open, open or high-impedance outputs, and short circuits between signal lines; on a power rail, such faults manifest as out-of-window voltages, drift, or oscillation that supervisory circuits such as overvoltage (OV) and undervoltage (UV) monitors can detect.
Discrete Hardware Element | Requirement for Low (60%) Diagnostic Coverage | Requirement for Medium (90%) Diagnostic Coverage | Requirement for High (99%) Diagnostic Coverage |
Digital input/output | Stuck-at | Diagnostic coverage fault model | Diagnostic coverage fault model, drift and oscillation |
Analog input/output | Stuck-at | Diagnostic coverage fault model, drift and oscillation | Diagnostic coverage fault model, drift and oscillation |
Power supply | Stuck-at | Diagnostic coverage fault model, drift and oscillation | Diagnostic coverage fault model, drift and oscillation |
In summary, IEC 61508 limits the SIL that can be claimed for a SIF according to its HFT and SFF. Because the SFF and diagnostic coverage depend heavily on the system's ability to detect faults, improving the diagnostic measures, for example by adding supervisory circuits, also raises the SIL that the architecture of the SIF can support.
Systematic Safety Integrity
The requirements for systematic safety integrity are qualitative and assess how well the development process eliminates systematic failures. This calls for a thorough examination of the design, production, and test procedures for both hardware and software. The higher the SIL, the more stringent the examination, and the more documentation component manufacturers must provide to demonstrate compliance.
IEC 61508 specifies techniques and measures that designers shall implement, where applicable, to avoid or control systematic failures in the various phases of the SIS's safety life cycle. Table 5 shows some items from Table A.16 of IEC 61508-2, which lists techniques and measures for controlling systematic failures caused by environmental stress and influences. M means mandatory, HR highly recommended, and R recommended; the low, medium, or high level accompanying each marking is the diagnostic coverage the measure must provide, in the sense of Table 3. For instance, at SIL 3 it is mandatory to employ measures against voltage variations, such as voltage monitors, and highly recommended to have program sequence monitoring, such as a watchdog timer, in both cases with at least medium (90%) diagnostic coverage.
Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
Measures against voltage breakdown, voltage variations, overvoltage, low voltage, and other phenomena such as AC power supply frequency variation that can lead to a dangerous failure | M (low) | M (medium) | M (medium) | M (high) |
Program sequence monitoring | HR (low) | HR (low) | HR (medium) | HR (high) |
Measures against temperature increase | HR (low) | HR (low) | HR (medium) | HR (high) |
Measures to detect breaks and shorts in signal lines | R | R | R | R |
Code protection | R (low) | R (low) | R (medium) | R (high) |
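Program sequence monitoring in Table 5 asks for more than a timer that is periodically kicked: a watchdog serviced from a timer interrupt keeps being serviced even when the main loop is stuck or has skipped its logic step. The following is an added example in C, not code from the article or from any Analog Devices product. It shows a firmware-side program flow monitor that services the watchdog only if every checkpoint of the control loop was reached in order and the cycle time fell inside an expected window. The checkpoint names, tick window, and fault scenarios are constructed for illustration, and the actual kick of the external watchdog (a supervisor's WDI pin or an I2C watchdog) is left to the caller, which acts only on the monitor's return value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Checkpoints the control loop must pass once per cycle, in this order
   (constructed for the example). */
enum checkpoint { CP_READ_INPUTS = 0, CP_SOLVE_LOGIC, CP_WRITE_OUTPUTS, CP_COUNT };

typedef struct {
    uint8_t  next;       /* checkpoint expected next */
    bool     fault;      /* latched on any order or timing violation */
    uint32_t cycle_min;  /* shortest acceptable loop time, timer ticks */
    uint32_t cycle_max;  /* longest acceptable loop time, timer ticks */
} psm_t;

void psm_init(psm_t *m, uint32_t cycle_min, uint32_t cycle_max) {
    m->next = 0;
    m->fault = false;
    m->cycle_min = cycle_min;
    m->cycle_max = cycle_max;
}

/* Called by the control loop at each checkpoint. Arriving at any checkpoint
   other than the expected one (skipped, repeated, or out of order) latches a
   fault; only a reset clears it. */
void psm_checkpoint(psm_t *m, enum checkpoint cp) {
    if (m->fault) return;
    if ((int)cp != m->next) { m->fault = true; return; }
    m->next++;
}

/* Called once at the end of each loop iteration with the elapsed ticks.
   Returns true only if every checkpoint was reached in order and the cycle
   took neither too long (stalled loop) nor too short (skipped work); this is
   the only path that may service the watchdog. Returning false lets the
   watchdog expire so the supervisor drives reset and the EUC goes to its
   safe state. */
bool psm_cycle_ok(psm_t *m, uint32_t elapsed_ticks) {
    bool complete = (m->next == CP_COUNT);
    bool in_window = (elapsed_ticks >= m->cycle_min && elapsed_ticks <= m->cycle_max);
    bool ok = !m->fault && complete && in_window;
    if (!ok) m->fault = true;   /* a later good cycle must not mask the failure */
    m->next = 0;
    return ok;
}

/* Drive one loop iteration through the monitor with a given checkpoint trace
   and elapsed time; used to replay the constructed fault scenarios below. */
bool run_cycle(psm_t *m, const enum checkpoint *trace, size_t n, uint32_t elapsed_ticks) {
    for (size_t i = 0; i < n; i++) psm_checkpoint(m, trace[i]);
    return psm_cycle_ok(m, elapsed_ticks);
}

int main(void) {
    const enum checkpoint good[]    = { CP_READ_INPUTS, CP_SOLVE_LOGIC, CP_WRITE_OUTPUTS };
    const enum checkpoint skipped[] = { CP_READ_INPUTS, CP_WRITE_OUTPUTS };  /* logic never ran */
    psm_t m;

    psm_init(&m, 40, 60);   /* a healthy loop takes 40..60 ticks */
    printf("good cycle              -> service watchdog: %d\n", run_cycle(&m, good, 3, 50));
    printf("logic step skipped      -> service watchdog: %d\n", run_cycle(&m, skipped, 2, 50));
    printf("good cycle, but latched -> service watchdog: %d\n", run_cycle(&m, good, 3, 50));
    psm_init(&m, 40, 60);
    printf("stalled loop (80 ticks) -> service watchdog: %d\n", run_cycle(&m, good, 3, 80));
    psm_init(&m, 40, 60);
    printf("runaway loop (10 ticks) -> service watchdog: %d\n", run_cycle(&m, good, 3, 10));
    return 0;
}
```

Refusing a too-fast cycle is deliberate: a runaway loop that skips work can look healthy to a timeout-only watchdog, which is why windowed watchdogs are preferred in safety designs. The fault latch means one bad cycle cannot be hidden by the next good one; only a reset clears it, which is the behavior a supervisor-driven reset path expects.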
Another key to systematic safety integrity is a good quality management system (QMS), which can be demonstrated by certifying the organization to ISO 9001:2015 Quality Management Systems [16]. Many of the IEC 61508 requirements regarding the overall safety life cycle and functional safety assessment overlap with ISO 9001's process, documentation, and review requirements, so holding a QMS certificate can speed up the certification process [17]. This goes alongside an organization's own functional safety strategy, such as its adaptation of standards like IEC 61508 into internal processes.
Using Integrated Solutions to Improve Functional Safety Design
Designing for functional safety compliance requires careful attention to the requirements discussed earlier. Implementing adequate safety measures to ensure reliable and safe operation under failure can increase component count and therefore cost. Components with integrated safety functions can simplify system-level implementation, improve reliability through reduced component count, and increase diagnostic coverage with shorter diagnostic test intervals [13]. Figure 5 shows how Analog Devices' MAX42500 can provide sufficient diagnostic coverage for safety-critical circuits through several safety features combined in one package, instead of using separate supervisory circuits. This power system monitor addresses two of the Table 5 requirements: measures against voltage breakdown, voltage variations, overvoltage, low voltage, and other phenomena such as AC power supply frequency variation that can lead to a dangerous failure; and program sequence monitoring. The first requires UV and OV detection on all safety-critical voltage rails. The second requires, for standard microcontroller units in single-channel systems, a watchdog timer separate from the microcontroller it monitors. The MAX42500 meets both with seven power supply monitors and a watchdog timer, configured via I2C communication.
Another consideration is the availability of safety documentation to prove functional safety compliance, which is required when certifying to a functional safety standard. Components compliant with or certified to IEC 61508, such as the MAX42500, support this with the necessary safety documents on hand: a safety manual, a failure modes, effects, and diagnostics analysis (FMEDA), evidence of a good QMS, and so on. Products that are not certified, such as the LTC2965 and LTC4365, can still be used, as shown in Figure 5, to improve the diagnostic coverage and robustness of the system under the current revision of IEC 61508; however, system designers will then need to obtain or produce the necessary safety documentation themselves.
Conclusion
This article has outlined the role of high performance voltage supervisors in industrial functional safety compliance. It introduced the foundational standard, IEC 61508, and its relationship to the sector-specific standards, and defined key terms such as safety instrumented system, safety instrumented function, and safety integrity level. It then examined IEC 61508's essential requirements for quantified reliability, architectural constraints, and systematic safety integrity, with emphasis on how high performance supervisory circuits such as power supply monitors and watchdog timers help meet them. Finally, the use of integrated safety features was discussed, with the MAX42500 as an example, to show how they serve system design goals beyond compliance alone.
Stay tuned for the next article in the series where we will discuss the advantages of using SIL-rated voltage supervisors when designing functionally safe power systems for safety-critical applications.
References
[1] Tom Meany. "Functional Safety and Industry 4.0." Analog Devices, Inc., March 2018.
[2] Noel Tenorio and Anthony Serquiña. "High Performance Voltage Supervisors Explained–Part 1." Analog Dialogue, Vol. 58, No. 2, April 2024.
[3] IEC 61508 (all parts), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. International Electrotechnical Commission, 2010.
[4] IEC 61511 (all parts), Functional Safety–Safety Instrumented Systems for the Process Industry Sector. International Electrotechnical Commission, 2016.
[5] IEC 62061, Safety of Machinery–Functional Safety of Safety-Related Electrical, Electronic, and Programmable Electronic Control Systems. International Electrotechnical Commission, 2005.
[6] IEC 61513, Nuclear Power Plants–Instrumentation and Control Important to Safety–General Requirements for Systems. International Electrotechnical Commission, 2011.
[7] ISO 26262 (all parts), Road Vehicles–Functional Safety. International Organization for Standardization, 2011.
[8] IEC 62279, Railway Applications–Communication, Signaling and Processing Systems: Software for Railway Control and Protection Systems. International Electrotechnical Commission, 2015.
[9] IEC 62304, Medical Device Software–Software Life Cycle Processes. International Electrotechnical Commission, 2006.
[10] FAQs: Functional Safety for Medical Devices. TÜV SÜD, 2024.
[11] Marvin Rausand. Reliability of Safety-Critical Systems: Theory and Applications. Wiley, January 2014.
[12] Process Safebook 1: Functional Safety in the Process Industry. Rockwell Automation, March 2013.
[13] Tom Meany. "Functional Safety for Integrated Circuits." Analog Devices, Inc., February 2018.
[14] Loren Stewart. "Back to Basics 16: PFDavg." Exida, October 2019.
[15] Loren Stewart. "Back to Basics 17: PFH." Exida, November 2019.
[16] ISO 9001:2015, Quality Management Systems–Requirements. International Organization for Standardization, 2015.
[17] "Functional Safety: A Total Quality Approach." RTP Corp., 2021.