A power supply unit is one of the most crucial components in an electronics system, as its operation can affect the entire system’s functionality. In the context of industrial functional safety, as in IEC 61508, power supplies are considered elements and supporting services to electrical/electronic/programmable electronic (E/E/PE) safety-related systems (SRS) as well as other subsystems. With the IEC 61508’s three key requirements for functional safety (FS) compliance alongside recommended diagnostic measures, developing power supplies for industrial FS can be tiresome. For this reason, this first part of the series discusses what the basic functional safety standard states about power supplies.
The first part of this series on functional safety in power supply design focuses on insights about the safety requirements for such elements of E/E/PE SRS. This is accomplished by showing what the basic functional safety standard requires from power supplies.
Power Supplies in E/E/PE Safety-Related Systems
The IEC 61508-4 defines E/E/PE systems as systems used for control, protection, or monitoring based on one or more E/E/PE devices. This includes all elements of the system, such as power supplies, sensors, and other input devices, data highways and other communication paths, and actuators and other output devices.
Meanwhile, an SRS is defined as a designated system that both implements the required safety functions necessary to achieve or maintain a safe state for the equipment under control (EUC) and is intended to achieve—on its own or with other E/E/PE SRS and other risk reduction measures—the necessary safety integrity for the required safety functions. This is shown in Figure 1, where power supplies also serve as an example of supporting services to an E/E/PE SRS aside from the hardware and software required to carry out the specified safety function.
Figure 1 E/E/PE system—structure and terminology showing that power supplies serve as a supporting service to an E/E/PE SRS device. Source: Analog Devices
Common cause failures
The basic functional safety standard defines common cause failure (CCF) as a failure resulting from one or more events that cause concurrent failures of two or more separate channels in a multiple-channel system, ultimately leading to system failure. One example is a power supply failure that results in multiple dangerous failures of the SRS. This is shown in Figure 2, where a failure in the 24-V supply, in which the 24-V input becomes shorted to its 12 VCC and 5 VCC outputs, results in a dangerous failure of the succeeding circuits.
Figure 2 Example of a power supply CCF scenario showing how a shorting of the 24-V supply input and the 12-V or 5-V outputs would result in a dangerous failure of the downstream systems. Source: Analog Devices
CCFs are important to consider when complying with functional safety, as they affect compliance with the IEC 61508’s three key requirements: systematic safety integrity, hardware safety integrity, and architectural constraints. These standard-cited requirements regarding CCF and power supplies in certain circumstances are shown here:
- IEC 61508-1 Section 7.6.2.7 takes the possibility of CCF into account when allocating overall safety requirements. This section also requires that the EUC control system, E/E/PE SRS, and other risk reduction measures, when treated as independent for the allocation, shall not share common power supplies whose failure could result in a dangerous mode of failure of all systems.
- Similarly, under synthesis of elements to achieve the required systematic capability (SC), IEC 61508-2 Section 7.4.3.4 Note 1 cites ensuring that there is no common power supply failure that will cause a dangerous mode of failure of all systems as one possible approach to achieving sufficient independence.
- For integrated circuits with on-chip redundancy, IEC 61508-2 Annex E also cites several normative requirements, including the separation of inputs and outputs (the power supply among them) and the use of measures to avoid dangerous failures caused by power supply faults.
While these clauses prohibit sharing common power supplies whose failure could cause a dangerous mode of failure for all systems, implementing separate supplies when designing a system will result in an increased footprint, with greater board size and cost. One way to still use common power supplies is to employ sufficient power supply monitoring. By doing this, dangerous failures brought by the power supply to an E/E/PE SRS can be reduced to a tolerable level, if not eliminated, in accordance with the safety requirements. More discussion about how effective power supply monitoring can address common cause failures can be found in the blog post “Functional Safety for Power.”
Power supply failures and diagnostics
To detect failures in the power supply, the basic functional safety standard specifies requirements and recommendations that address both systematic and random hardware failures.
In terms of the requirements for control of systematic faults, IEC 61508-2 Section 7.4.7.1 requires the design of E/E/PE SRS to be tolerant against environmental stresses, including electromagnetic disturbances. This clause is cited in IEC 61508-2 Table A.16, which describes measures against defects in power supplies—voltage breakdown, voltage variations, overvoltage (OV), low voltage, and other phenomena—as mandatory regardless of safety integrity level (SIL), as shown in Table 1.
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|---|---|---|---|---|
| Measures against voltage breakdowns, voltage variations, overvoltage, low voltage, and other phenomena such as AC power supply frequency variation that can lead to dangerous failure | M low | M medium | M medium | M high |

Table 1 Power supply monitoring requirement from IEC 61508-2 Table A.16 (M = mandatory).
IEC 61508-2 Table A.1, under the discrete hardware component, shows the faults and failures that can be assumed for a power supply when quantifying the effect of random hardware failures; this is shown in Table 2. Meanwhile, IEC 61508-2 Table A.9 shows the diagnostic measures recommended for a power supply along with the respective maximum claimable diagnostic coverage.
| Component | Low (60%) | Medium (90%) | High (99%) |
|---|---|---|---|
| Power supply | Stuck-at | DC fault model; drift and oscillation | DC fault model; drift and oscillation |

Table 2 Power supply faults and failures to be assumed according to IEC 61508-2 Table A.1.
Table 3 shows these measures in more detail, as described in IEC 61508-7 Section A.8. Both Table 2 and Table 3 are useful when doing a safety analysis, as the failure modes per component and the diagnostic coverage of the diagnostic techniques employed are inputs to the calculation of lambda values, and thus to the SIL metrics: probability of dangerous failure and safe failure fraction (SFF).
| Diagnostic Measure | Aim | Description | Max DC Considered Achievable |
|---|---|---|---|
| OV protection with safety shut-off | To protect the SRS against OV. | OV is detected early enough that all outputs can be switched to a safe condition by the power-down routine or there is a switch-over to a second power unit. | Low (60%) |
| Voltage control (secondary) | To monitor the secondary voltages and initiate a safe condition if the voltage is not in its specified range. | The secondary voltage is monitored and a power-down is initiated, or there is a switch-over to a second power unit, if it is not in its specified range. | High (99%) |
| Power-down with safety shut-off | To shut off the power, with all safety-critical information stored. | OV or undervoltage (UV) is detected early enough so that the internal state can be saved in non-volatile memory if necessary, and so that all outputs can be set to a safe condition by the power-down routine, or there is a switch-over to a second power unit. | High (99%) |

Table 3 The recommended power supply diagnostic measures in IEC 61508-7 Section A.8.
Figure 3a shows an example of a voltage control diagnostic measure. In this example, the power supply of the logic controller subsystem, typically in the form of a post-regulator or LDO, is monitored by a voltage protection circuit, specifically the MAX16126.
Any out-of-range voltage detected by the supervisor, whether it be OV or UV, will result in the disconnection of the logic controller subsystem, composed of a microcontroller and other logic devices, from the power supply as well as assertion of the MAX16126’s FLAG pin. With this, the logic controller subsystem can be switched to a safe condition. Similarly, this circuit can also be used as an OV protection with a safety shut-off diagnostic measure if UV detection is not present.
On the other hand, Figure 3b shows an example of a power-down with a safety shut-off diagnostic measure. In this example, a hot-swappable system monitor, the LTC3351, connects the power supply to the logic controller subsystem while its synchronous switching controller operates in step-down mode, charging a stack of supercapacitors. If the power supply goes outside the OV or UV threshold voltages, the LTC3351 disconnects the logic controller subsystem from the power supply, and the synchronous controller runs in reverse as a step-up converter to deliver power from the supercapacitor stack to the logic controller subsystem. This gives the logic controller subsystem enough time to save its internal state to non-volatile memory, so that all outputs can be set to a safe condition by the power-down routine.
Figure 3 An illustration of the recommended diagnostic measures for a power supply. Source: Analog Devices
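The decision logic behind the two circuits in Figure 3, written as an added example (not code from the article or from Analog Devices): a window comparator that disconnects the load and asserts a flag on OV or UV, and a power-down routine whose supercapacitor hold-up must cover the time needed to save state and force outputs safe. The thresholds, capacitance, load and timings are assumptions, not datasheet values.

```python
# Added example: models the voltage-control and power-down measures of Figure 3.
# Thresholds, capacitor values, load power and timings below are assumed.

def classify_voltage(v, uv_threshold, ov_threshold):
    """Window comparator: 'UV' below the lower threshold, 'OV' above the upper, else 'OK'."""
    if v < uv_threshold:
        return "UV"
    if v > ov_threshold:
        return "OV"
    return "OK"

def holdup_time_s(capacitance_f, v_start, v_min, load_w):
    """Time a supercapacitor stack can feed a constant-power load while it
    discharges from v_start down to the converter's minimum input v_min:
    E = 0.5 * C * (v_start^2 - v_min^2), t = E / P."""
    return 0.5 * capacitance_f * (v_start ** 2 - v_min ** 2) / load_w

def power_down_decision(samples, uv, ov, holdup_s, save_state_s, safe_outputs_s):
    """Scan (time, volts) samples of the supply rail. On the first out-of-window
    sample, report the actions the supervisor takes and whether the hold-up
    budget covers saving the internal state plus driving all outputs safe."""
    for t, v in samples:
        fault = classify_voltage(v, uv, ov)
        if fault != "OK":
            needed = save_state_s + safe_outputs_s
            return {
                "time": t,
                "fault": fault,
                "disconnect_load": True,  # open the pass switch to the logic subsystem
                "assert_flag": True,      # signal the controller to enter the safe state
                "holdup_ok": holdup_s >= needed,
                "margin_s": holdup_s - needed,
            }
    return {"fault": "OK", "disconnect_load": False, "assert_flag": False, "holdup_ok": True}

# Constructed sample: a 24 V rail drifting upward through the OV threshold.
SAMPLES = [(0.0, 24.0), (0.1, 24.4), (0.2, 25.1), (0.3, 26.7), (0.4, 28.3)]
# Assumed stack: 2.5 F usable from 10 V down to 5 V, feeding a 12 W logic subsystem.
HOLDUP = holdup_time_s(capacitance_f=2.5, v_start=10.0, v_min=5.0, load_w=12.0)

if __name__ == "__main__":
    print(power_down_decision(SAMPLES, uv=21.6, ov=26.4, holdup_s=HOLDUP,
                              save_state_s=0.5, safe_outputs_s=0.2))
```

If `holdup_ok` comes back false, the stack is undersized for the power-down routine and the safe condition cannot be guaranteed.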
Power supply operation
Aside from CCF, power supply failures, and recommended diagnostic measures, the IEC 61508 also expresses the importance of power supply operation in the E/E/PE SRS. This can be seen in the sixth part of the standard, Annex B.3, discussing the use of the reliability block diagram approach to evaluate probabilities of hardware failure, assuming a constant failure rate. Aside from the scope of the sensor, logic, and final element subsystems, power supply operation is also included—this is shown in the following examples.
- When a power supply failure removes power from a de-energize-to-trip E/E/PE SRS and initiates a system trip to a safe state, the power supply does not affect the PFDavg of the
- If the system is energized-to-trip or the power supply has failure modes that can cause unsafe operation of the E/E/PE SRS, the power supply should be included in the evaluation.
Such assumptions make power supply operation in an E/E/PE SRS critical as it can determine whether the power supply can affect the calculation for the probability of a dangerous failure, which is one of the IEC 61508’s key requirements.
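The calculation the two passages above describe, as an added example (not from the article or from the standard's own worked examples): per-component failure rates split by failure mode and the diagnostic coverage claimed for each measure (Table 2 and Table 3) are carried through to SFF and a simplified 1oo1 PFDavg, and the power supply is added to the loop only under the IEC 61508-6 Annex B.3 conditions. All failure rates and dangerous fractions are constructed values.

```python
# Added example: from failure-mode split and diagnostic coverage to SFF and PFDavg,
# including the power supply only when Annex B.3 says it belongs in the loop.
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours

def split_lambda(total_fit, dangerous_fraction, dc):
    """Split a component's failure rate (constructed FIT value) into
    (lambda_S, lambda_DD, lambda_DU) in failures/hour. dc is the diagnostic
    coverage applied to the dangerous part, e.g. 0.99 for a measure listed
    as high in Table 3."""
    lam_total = total_fit * FIT
    lam_d = lam_total * dangerous_fraction
    return lam_total - lam_d, lam_d * dc, lam_d * (1.0 - dc)

def sff(components):
    """Safe failure fraction (IEC 61508-2 Annex C): (sum λS + sum λDD) / sum of all λ."""
    s = sum(c[0] for c in components)
    dd = sum(c[1] for c in components)
    du = sum(c[2] for c in components)
    return (s + dd) / (s + dd + du)

def pfd_avg_1oo1(components, proof_test_interval_h):
    """Simplified 1oo1 PFDavg = sum λDU * T1 / 2 (constant failure rate; MTTR and
    the detected-dangerous term neglected). Good for comparing architectures,
    not a substitute for the full IEC 61508-6 formula."""
    du = sum(c[2] for c in components)
    return du * proof_test_interval_h / 2.0

def loop_components(energize_to_trip, ps_can_cause_unsafe_operation):
    """Sensor, logic and final element of a 1oo1 loop (constructed values).
    Per IEC 61508-6 Annex B.3 the power supply is included only for an
    energize-to-trip system or when its failure modes can cause unsafe
    operation; for a de-energize-to-trip loop, losing it just trips the loop."""
    loop = [
        split_lambda(500, 0.5, 0.90),   # sensor, medium DC
        split_lambda(800, 0.5, 0.99),   # logic solver, high DC
        split_lambda(1200, 0.5, 0.60),  # final element, low DC
    ]
    if energize_to_trip or ps_can_cause_unsafe_operation:
        # secondary voltage control claimed at high (99%) DC per Table 3
        loop.append(split_lambda(300, 0.5, 0.99))
    return loop

if __name__ == "__main__":
    for etp in (False, True):
        comps = loop_components(etp, ps_can_cause_unsafe_operation=False)
        print(f"energize_to_trip={etp}: SFF={sff(comps):.4f}, "
              f"PFDavg(T1=1 year)={pfd_avg_1oo1(comps, 8760):.2e}")
```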
SRS’s power supply
This article provided insights regarding the basic functional safety standard’s normative and informative requirements for an E/E/PE SRS’s power supply. This was done by first tackling the role of the power supply in an E/E/PE SRS. A discussion of common cause failures, which prohibit sharing common power supplies whose failure could cause a dangerous failure of all systems, then showed how power supply monitoring reduces CCFs to a tolerable level, if not eliminates them. Requirements regarding systematic and random hardware failures related to power supplies were also presented, along with the recommended diagnostic measures for power supplies. Finally, depending on the power supply operation—de-energize-to-trip or energize-to-trip—the probability of a dangerous failure of the SRS can be affected by the power supply, which was also covered.
Bryan Angelo Borres is a TÜV-certified functional safety engineer who currently works on several industrial functional safety product development projects. As a senior power applications engineer, he helps system integrators design functionally safe power architectures that comply with industrial functional safety standards such as IEC 61508. Recently, he became a member of the IEC National Committee of the Philippines to IEC TC65/SC65A and the IEEE Functional Safety Standards Committee. Bryan has a postgraduate diploma in power electronics and around seven years of extensive experience in designing efficient and robust power electronics systems.
Noel Tenorio is a product applications manager under multimarket power handling high performance supervisory products at Analog Devices Philippines. He joined ADI in August 2016. Prior to ADI, he worked as a design engineer in a switch-mode power supply research and development company for six years. He holds a bachelor’s degree in electronics and communications engineering from Batangas State University, as well as a postgraduate degree in electrical engineering in power electronics and a Master of Science degree in electronics engineering from Mapua University. He also had a significant role in applications support for thermoelectric cooler controller products prior to handling supervisory products.
References
- Foord, Tony and Colin Howard. “Energise or De-Energise to Trip?” Measurement and Control, Vol. 41, No. 9, November 2008.
- IEC 61508 All Parts, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. International Electrotechnical Commission, 2010.
- Meany, Tom. “Functional Safety for Power.” Analog Devices, Inc., March 2019.
The post Designing power supplies for industrial functional safety, Part 1 appeared first on EDN.