The AD7124 is a 24-bit sigma-delta ADC including on-chip muxes, a PGA (programmable gain amplifier), voltage references, buffers, a stable clock, voltage regulators and lots of diagnostics.
Figure 1 - block diagram of the AD7124-4
The AD7124 comes in 4 and 8 channel variants.
In a previous blog, I spoke of the 3 key requirements for functional safety. Looking at the AD7124 in the light of these requirements:
Previously users might have bought the 8 channel part and made the 0, +/-FS connections externally, but adding 8 pins increases the area and adds routing difficulties.
To check the PGA, the mux also allows +/-25mV inputs to be selected, but that is only the start of the diagnostics. The part also features diagnostics to check for
An FMEA has shown an SFF of over 90%.
If you don’t want to rely on the internal diagnostics for functional safety then there are other options.
One possible option is to put two AD7124s in parallel and compare their outputs in a uC. If there is a random hardware failure in either AD7124, it will show up as a difference in the ADC outputs. A diagnostic coverage claim of up to 99% is possible based on comparison (see tables A.2 and A.13 of IEC 61508-2:2010 among others). Care needs to be taken so that a step input does not appear as a difference in output if the two ADCs are free-running. The AD7124 features a number of options to address this, including a SYNC (active low) pin. A simpler option, if you can tolerate the delay, is to only trigger a difference if four successive conversions are in error.
Figure 2 - cross comparison of ADC outputs as a diagnostic
The picture above shows two uCs, but if a single SIL 3 uC is available, a single uC with connections to both ADCs might be sufficient. If high availability is important, then the internal AD7124 diagnostics could be used to determine which of the AD7124s is giving the bad results and temporarily ignore the results from that ADC until the module can be replaced. Without the device-level diagnostics it would be difficult to say which part was failing, and the system would need to shut down.
At the system level, an additional possible protection would be to invert the inputs to one of the ADCs. Then, if something like EMC caused a shift in the offset error, it will be detectable if both ADCs react in the same direction. The internal diagnostics on the clock, power supplies and the internal temperature sensor give good protection against the other common systematic failure modes.
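The cross comparison described above, with the four-successive-conversions rule and the optional inverted inputs on one ADC, sketched in C for the uC. This is an added example, not code from the original post or from Analog Devices; the tolerance value, the signed code format, the latching behaviour and all names (`xcmp_t`, `xcmp_init`, `xcmp_update`) are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed values for illustration, not taken from the AD7124 datasheet. */
#define CMP_TOLERANCE_LSB 64  /* allowed |A - B| in ADC codes */
#define CMP_TRIP_COUNT    4   /* successive mismatches before a fault */

typedef struct {
    uint8_t mismatch_run; /* consecutive out-of-tolerance comparisons */
    bool    fault;        /* latched until xcmp_init() is called again */
    bool    b_inverted;   /* true if ADC B has its inputs wired inverted */
} xcmp_t;

void xcmp_init(xcmp_t *m, bool b_inverted)
{
    m->mismatch_run = 0;
    m->fault = false;
    m->b_inverted = b_inverted;
}

/* Feed one pair of conversion results. Codes are assumed to be already
 * converted to signed values centred on zero input. Returns true while
 * a fault is latched. */
bool xcmp_update(xcmp_t *m, int32_t code_a, int32_t code_b)
{
    /* Undo the deliberate inversion so a healthy pair compares equal.
     * A common offset shift d then appears as 2*d instead of cancelling. */
    int64_t b = m->b_inverted ? -(int64_t)code_b : (int64_t)code_b;
    int64_t diff = (int64_t)code_a - b;
    if (diff < 0)
        diff = -diff;

    if (diff > CMP_TOLERANCE_LSB) {
        /* A single mismatch may just be a step input caught by one
         * free-running ADC before the other, so only count it. */
        if (m->mismatch_run < CMP_TRIP_COUNT)
            m->mismatch_run++;
        if (m->mismatch_run >= CMP_TRIP_COUNT)
            m->fault = true;
    } else {
        m->mismatch_run = 0; /* agreement resets the run */
    }
    return m->fault;
}
```

The tolerance has to cover the expected mismatch between two healthy parts (offset, gain and noise), and the trip count adds up to four conversion periods to the fault detection time.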
Comparison is one means to implement diagnostics if you can’t stop converting on the input channel to convert on 0, +/-FS. Another option would be to use a part such as the AD7770 and this will be the topic of my next blog.
Hopefully you will find this video somewhat relevant, in that long distance running has a lot of similarities with functional safety, with both requiring lots of planning, good reliability and perseverance. In fact, this video shows the back of the field from the famous Western States 100 mile race: see https://www.youtube.com/watch?v=5ZnZ4d-9lc0&t=303s