Sometimes I work as an independent internal assessor for functional safety but in a recent case I am working as a functional safety architect with a different group. In the architect role you get to decide on things like the necessary diagnostics to achieve your target SIL or PL and evaluate the architecture with an FMEDA. This project is interesting because it is also a system level design (a single PCB) as opposed to being just a single IC.
The FMEDA for the architecture is looking good but the power supply monitoring is proving somewhat difficult. In this design the supplies to be monitored are 1.8V, 3.3V, 5V, 9V, 14.7V and -5.7V. The range of the voltages to be monitored and the number of supplies adds some difficulties.
Ideally, I would like the monitor architecture to have the following properties:
My first choice for a monitor was the LTC4365 which is shown below as it fulfills many of the desired properties I listed above and is reasonably priced at just over $1 at 1K pieces. Another benefit is that it can gate off an external supply voltage and has an open collector output so several of them can be combined to generate a shutdown signal based on multiple supplies. An external MOSFET from the UV input to ground under control of an external uC can be used to test the circuit by pulling the UV node low.
Figure 1 - LTC4365 from Analog Devices
If multiple LTC4365s are used, they could all be powered from the same 12V supply rather than from the supplies they are monitoring. This would allow them to monitor lower-voltage supplies.
But is this good enough? Table A.1 of IEC 61508-2:2010 is always a good place to start.
Figure 2 - a snapshot from IEC 61508-2:2010
Table A.1 says that if you want to claim 60% DC for a power supply you need to check for the power stuck high (voltage > rated voltage of the supplied components) and stuck low (0V). But if you want to claim 90% or 99% you also need to consider drift and oscillation.
If the oscillation has a large enough amplitude to exceed the UV or OV threshold of the LTC4365 it should be detected, but what if the amplitude is below that level? Depending on what you are powering, oscillation might not be a problem (=> a no effect failure) or it might. Suppose, however, you are powering an analog to digital converter with a 5V +/-10% supply requirement. That means you could have a 100kHz 1V sine wave on the supply voltage and not trip the UV or OV comparators. Depending on the power supply rejection of the ADC, this frequency might be a problem; suitable decoupling on the supply should help here if necessary. What about drift? You could argue that drift is only a problem once it exceeds the values where the UV and OV will trip and catch the problem. Therefore, in many applications the LTC4365 will be sufficient.
Where it gets trickier is if you want to build a CAT 4 system according to ISO 13849 and only want to implement a single supply for both channels. For a CAT 4 system you need to protect against an accumulation of faults (if you are from an automotive functional safety background, think of the latent fault metric). Typically, the most sensitive area for an accumulation of faults is an item and its diagnostics.
Before we go further let’s look under the hood of the LTC4365.
Figure 3 - Under the hood on the LTC4365
The thing that jumps out at me is that there are two comparators, and it is entirely possible that the trip point for one could drift high and the trip point for the other could drift low. Also, testing with an external pulldown MOSFET on the UV comparator checks the functionality of that comparator but doesn’t check for drift of its trip point due to offset error. Perhaps you could put a series resistor on the MOSFET to pull the UV voltage to just outside of the trip point, but you are now adding complexity.
Possible accumulations of faults for a power supply and its monitor include:
First fault – power supply monitor OV detection fails
Second fault – power supply fails high
Note: The order above is important because if the second fault occurs first, it will be detected and an accumulation of faults prevented.
First fault – power supply UV detection fails
Second fault – UV test fails
Note: UV of the power supply is not a failure as it is a natural mode of the supply during power up.
First fault – OV detection drifts high
Second fault – power supply drifts high
None of the above scenarios are properly addressed using the LTC4365, so for CAT 4 according to ISO 13849 you might have an issue. At this point I wondered about putting an ADC in parallel with the LTC4365. One possible ADC is the AD7734, which has 4 channels capable of monitoring input voltages in the range of +/-11.6V and tolerates up to +/-50V on the inputs. It is rated to 105°C. Other than the +14.7V supply it could do the trick.
However, I then came across another series of parts from Analog Devices in the ADM range, and specifically the ADM1169. The ADM series are a bit more pricey at $6.49 at the 1k piece point, but one device can monitor up to 8 channels with a UV and an OV comparator on each channel. In addition, there is no requirement for external resistors to program the thresholds as it can be done over the SPI bus by your uC. These thresholds are specified for an accuracy of +/-1% across temperature and voltages.
Figure 4 - typical application diagram for the ADM1169
Looking at the details of the UV and OV comparators below, it also strikes me that there is no need for an external MOSFET to check the UV functionality. Remember this needs to be tested, as under voltage does not represent a failure of the power supply but rather a state of the supply during power up. Instead, the testing can be done by the external uC programming different trip points until it forces a trip even with the nominal supply.
Figure 5 - one of the eight on-chip blocks of OV and UV comparators
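The threshold-programming self-test described above, as an added example (not code from the original post and not the ADM1169's real register interface): a constructed model of one monitored rail with a programmable UV and an OV comparator, in integer millivolts, plus the uC-side routine that walks each threshold towards the live supply voltage until the comparator trips, restores the threshold, and compares where it tripped with where an accurate reading says it should have. Finding no trip catches the "UV detection fails" and "OV detection fails" first faults from the accumulation list; a trip that lands too far from the supply voltage catches the "OV detection drifts high" case. The channel object, the fault-injection fields and the ±1%-plus-one-step acceptance budget are assumptions for illustration.

```python
"""Added example: testing programmable UV/OV comparators from the host uC.

The monitor model below is constructed for illustration. Its channel object,
fault-injection fields and millivolt-unit thresholds are hypothetical and are
not the ADM1169's register interface. The technique is the one the post
describes: re-program a threshold until the comparator trips on the nominal
supply, then restore it.
"""
from dataclasses import dataclass, field


@dataclass
class Comparator:
    threshold_mv: int
    offset_mv: int = 0     # constructed fault: real trip point = threshold + offset
    stuck: bool = False    # constructed fault: output never asserts

    def trips(self, v_mv: int, above: bool) -> bool:
        if self.stuck:
            return False
        trip = self.threshold_mv + self.offset_mv
        return v_mv > trip if above else v_mv < trip


@dataclass
class Channel:
    """One monitored rail with a programmable UV and OV comparator."""
    nominal_mv: int
    tol: float = 0.10
    uv: Comparator = field(init=False)
    ov: Comparator = field(init=False)

    def __post_init__(self):
        self.uv = Comparator(round(self.nominal_mv * (1 - self.tol)))
        self.ov = Comparator(round(self.nominal_mv * (1 + self.tol)))


def find_trip(ch: Channel, v_mv: int, which: str, span_mv: int = 250, step_mv: int = 10):
    """Walk one threshold towards the live supply voltage until the comparator
    asserts. Returns the programmed threshold at which it first tripped, or
    None if it never did (stuck output, or trip point outside the swept span).
    The protective threshold is always restored afterwards."""
    comp = ch.uv if which == "uv" else ch.ov
    saved = comp.threshold_mv
    # UV threshold climbs from below the supply; OV threshold descends from above
    start, step = (v_mv - span_mv, step_mv) if which == "uv" else (v_mv + span_mv, -step_mv)
    found = None
    try:
        for k in range(2 * span_mv // step_mv + 1):
            comp.threshold_mv = start + k * step
            if comp.trips(v_mv, above=(which == "ov")):
                found = comp.threshold_mv
                break
    finally:
        comp.threshold_mv = saved
    return found


def self_test(ch: Channel, v_mv: int, accuracy: float = 0.01, step_mv: int = 10) -> dict:
    """Check that both comparators can trip and that each trips within an
    accuracy budget of the supply voltage measured by an independent reading."""
    budget = round(accuracy * v_mv) + step_mv   # assumed: +/-1% plus one sweep step
    out = {}
    for which in ("uv", "ov"):
        found = find_trip(ch, v_mv, which, step_mv=step_mv)
        if found is None:
            out[which] = {"trips": False, "error_mv": None, "ok": False}
            continue
        # a perfect comparator trips on the first step past the supply voltage
        error = (found - v_mv) if which == "uv" else (v_mv - found)
        out[which] = {"trips": True, "error_mv": error, "ok": 0 < error <= budget}
    out["pass"] = out["uv"]["ok"] and out["ov"]["ok"]
    return out


if __name__ == "__main__":
    rail = Channel(nominal_mv=5000)              # constructed 5V rail, +/-10% window
    print("healthy:", self_test(rail, 5000))
    rail.uv.offset_mv = -100                     # inject UV trip point drifted low
    print("drifted UV:", self_test(rail, 5000))
    rail.uv.offset_mv = 0
    rail.ov.stuck = True                         # inject OV comparator that never asserts
    print("stuck OV:", self_test(rail, 5000))
```

The reading passed in as `v_mv` should come from something other than the comparator under test (the on-chip ADC is the obvious source), otherwise the test cannot tell a drifted comparator from a drifted supply. Running the sweep on a live rail is safe in this model only because the threshold is restored in the `finally` block; a real implementation also needs to mask the shutdown output for the duration of the sweep.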
None of the inputs can be used to monitor negative supplies directly, but it can easily be done as set out in the application note available here.
While the VH pin can monitor a supply voltage up to 14.4V, additional guidance on monitoring even higher voltages is given here. The example below is for the VXx input pins, which can only monitor up to 1.375V without external resistors.
Figure 7 - monitoring a higher voltage supply
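Sizing the external divider for one of the higher rails is where the comparator accuracy quoted above stops being the whole story, because the resistor tolerance adds to it. The following is an added worked example, not a circuit or values from the post or the part's documentation: it scales the 14.7V rail onto an input with the 1.375V ceiling quoted above, programs the UV/OV codes for a ±10% window, and then works out the worst-case supply voltage at which each comparator actually trips once 1% resistors and the ±1% threshold accuracy are stacked. The 10k bottom resistor, the 1V nominal pin voltage, the 1% tolerance and the ±10% window are all assumptions chosen for illustration.

```python
"""Added example: divider design and tolerance budget for a scaled monitor input.

Constructed for illustration; resistor values, tolerances and the supply
window are assumptions, not figures from the post or a datasheet. Voltages
are in volts, resistances in ohms.
"""


def divider_ratio(r_top: float, r_bottom: float) -> float:
    """V_pin / V_supply for a two-resistor divider (top to supply, bottom to ground)."""
    return r_bottom / (r_top + r_bottom)


def ratio_extremes(r_top: float, r_bottom: float, tol: float):
    """Lowest and highest ratio with both resistors at opposite tolerance edges."""
    lo = divider_ratio(r_top * (1 + tol), r_bottom * (1 - tol))
    hi = divider_ratio(r_top * (1 - tol), r_bottom * (1 + tol))
    return lo, hi


def plan_divider(v_nom: float, v_pin_nom: float, r_bottom: float, tol: float = 0.01,
                 window: float = 0.10, thr_acc: float = 0.01, v_pin_max: float = 1.375) -> dict:
    """Pick the top resistor so v_nom lands on v_pin_nom, program UV/OV codes for
    +/-window, and report the real trip voltages at the supply, worst case.
    thr_acc is the monitor's quoted threshold accuracy (the post quotes +/-1%)."""
    r_top = r_bottom * (v_nom / v_pin_nom - 1)
    uv_code = v_pin_nom * (1 - window)          # threshold programmed at the pin
    ov_code = v_pin_nom * (1 + window)
    r_lo, r_hi = ratio_extremes(r_top, r_bottom, tol)
    # the supply voltage at which each comparator really trips: a low ratio and a
    # high threshold push the trip upwards, a high ratio and a low threshold pull it down
    uv_trip = (uv_code * (1 - thr_acc) / r_hi, uv_code * (1 + thr_acc) / r_lo)
    ov_trip = (ov_code * (1 - thr_acc) / r_hi, ov_code * (1 + thr_acc) / r_lo)
    return {
        "r_top": r_top,
        "uv_code": uv_code,
        "ov_code": ov_code,
        "uv_trip_min_max": uv_trip,             # intended: v_nom * (1 - window)
        "ov_trip_min_max": ov_trip,             # intended: v_nom * (1 + window)
        # highest supply voltage the pin can see before reaching its ceiling
        "supply_at_pin_ceiling": v_pin_max / r_hi,
        "pin_within_ceiling_at_ov_trip": ov_code * (1 + thr_acc) <= v_pin_max,
    }


if __name__ == "__main__":
    plan = plan_divider(v_nom=14.7, v_pin_nom=1.0, r_bottom=10_000)   # constructed rail
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With these assumptions the intended 13.23V UV limit can sit anywhere between about 12.9V and 13.6V, and the intended 16.17V OV limit between about 15.7V and 16.6V, so the ±1% comparator figure becomes roughly ±3% at the supply. That spread is what has to be compared against the supplied components' ratings and the supply's own regulation when deciding whether the diagnostic still covers "stuck high".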
There are two more features of the ADM1169 I would like to draw your attention to. The first is that it also features an on-chip 12-bit ADC.
Figure 8 - block diagram of the ADM1169
The ADC can be used to detect drift in the supplies and is a diverse monitor compared to comparators.
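How the ADC earns its keep as a diverse monitor, as an added example that is not part of the original post and is not the ADM1169's firmware: the routine below takes a window of constructed ADC readings for one rail together with the state of that rail's UV/OV comparators and reports three things the comparators alone cannot. It flags slow drift while the supply is still inside the trip window (the drift case from the Table A.1 discussion above), projects how many samples remain before the trend reaches a limit, and cross-checks the ADC against the comparators so that a comparator that has stopped asserting, or whose threshold has drifted, is exposed as a first fault before a supply failure can turn it into an accumulation. The 12-bit scaling helper, the full-scale value, the 5% warning band and the sample values are assumptions.

```python
"""Added example: ADC readings as a diverse cross-check on UV/OV comparators.

Constructed for illustration; the ADC full scale, the warning band and the
sample windows are assumptions, not the ADM1169's own figures or firmware.
"""
from statistics import mean


def adc_code_to_mv(code: int, fullscale_mv: float, bits: int = 12) -> float:
    """Scale a raw ADC code to millivolts at the pin (full scale is an assumption)."""
    return code * fullscale_mv / (1 << bits)


def slope_per_sample(samples):
    """Least-squares slope of a sample window, in mV per sample."""
    n = len(samples)
    xbar, ybar = (n - 1) / 2, mean(samples)
    num = sum((x - xbar) * (y - ybar) for x, y in enumerate(samples))
    den = sum((x - xbar) ** 2 for x in range(n))
    return num / den if den else 0.0


def assess_rail(samples_mv, nominal_mv: float, comparator_tripped: bool,
                trip_tol: float = 0.10, warn_tol: float = 0.05) -> dict:
    """Judge one rail from a window of ADC readings plus the comparator state.

    trip_tol is the +/- window the UV/OV comparators are programmed to;
    warn_tol is a tighter, assumed band used only by the ADC to warn early.
    """
    lo, hi = nominal_mv * (1 - trip_tol), nominal_mv * (1 + trip_tol)
    latest = samples_mv[-1]
    adc_out_of_window = latest < lo or latest > hi
    slope = slope_per_sample(samples_mv)
    # samples left until the trend reaches the limit it is heading for
    if slope > 0:
        samples_to_limit = (hi - latest) / slope
    elif slope < 0:
        samples_to_limit = (latest - lo) / (-slope)
    else:
        samples_to_limit = None
    return {
        # drifting towards a limit but not yet there: invisible to the comparators
        "drift_warning": abs(latest - nominal_mv) > warn_tol * nominal_mv and not adc_out_of_window,
        "samples_to_limit": samples_to_limit,
        # ADC and comparators disagree: one of the two diagnostics is faulty
        "comparator_disagrees": adc_out_of_window != comparator_tripped,
        "rail_fault": adc_out_of_window or comparator_tripped,
    }


if __name__ == "__main__":
    # constructed 5V rail, 12-bit readings already scaled to mV
    drifting = [5000, 5060, 5120, 5180, 5240, 5300, 5360]
    print("drifting, comparators quiet:", assess_rail(drifting, 5000, comparator_tripped=False))
    over = [5300, 5400, 5500, 5620]
    print("over limit, comparators quiet:", assess_rail(over, 5000, comparator_tripped=False))
    steady = [5000, 5000, 5000, 5000]
    print("nominal, comparator tripped:", assess_rail(steady, 5000, comparator_tripped=True))
    print("1 LSB at an assumed 2.048V full scale:", adc_code_to_mv(1, 2048.0), "mV")
```

The second case in the demo, readings above the window while the OV comparator stays quiet, is exactly the "OV detection fails" or "OV detection drifts high" first fault from the accumulation list, and it is caught while the rail is still only slightly high rather than after the supply has failed outright. The third case, a comparator trip with nominal readings, points at a comparator trip point that has drifted the other way. Which diagnostic to believe in each case is a system decision; the example only makes the disagreement visible.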
The last feature is just a bonus. The part powers itself from the highest of the voltages on either the VH or VP1 to VP4 pins. Some of the other features are not required for my design including the ability to control sequencing of the supplies and store fault events in non-volatile memory.
I will now modify my architecture to include an ADM1169, redo my FMEDA and see if I am protected against an accumulation of faults. I am now hopeful I have found a suitable solution for the power supply monitoring of my type 3 design according to IEC 61496-3:2018.
Note: Generally, for an IC an external power supply monitor is preferred even if the IC has on-chip power supply monitoring. This isn’t stated anywhere in any standard, but given that a power supply monitor is a diagnostic of last resort you will have fewer arguments with your external assessor if you go with the external power supply monitor.
Note: I previously did a blog on functional safety for power – see here
For further reading see:
Power system manager and selection guide - https://www.analog.com/media/en/technical-documentation/product-selector-card/GPSMSS.PDF
Power by Linear homepage - https://www.analog.com/en/products/landing-pages/001/power-by-linear.html