A while back (actually a long while back), when we were planning a new family of ultra-low power, high performance industrial DACs, we surveyed our customer base, and one recurring theme we heard was “how can you make Functional Safety easier?”. Now this is an interesting question, because it has so many meanings. What does easier mean? Easier to design? Easier to work with? Easier to program? Easier to certify? Easier to package? Several of these were already answered by the then-current requirements for the DAC in terms of size, power, performance, integration etc., but the biggie that stood out to us was “how do you make certification easier?”.
Obtaining certification for your FS design can be a minefield in terms of gathering the correct information to justify your claims. Often the designer must be overly conservative in their system design and calculations because they are not aware of the internal device metrics of their selected components. External monitoring of the system is often required, along with writing complex SW to cycle through the safety testing, which increases both the effort and the design complexity and in addition bloats the BOM (Bill of Materials). Indeed, the SW task alone can be very costly, as the standards require a pretty aggressive response time to get to a safe state if a failure is detected. Then there is the unknown, “What will (insert your chosen certification body here) say?”, which makes the designer be overly conservative to give her/him margin for “just in case” – adding yet more cost and taking more time. Finally, there is the assessment itself: the documentation, evidence gathering, assembling of your case, presenting and answering the relevant questions in the hope of getting a clean cert. If this goes well then you can expect your certificate in the post a few weeks later; if it goes badly then it is back to Square 1 and a reworking of the design or hunting for additional data to justify your claims, all of which can be open ended.
So our question to ourselves was, “how can this be simplified?” How can we enable the customer to be less conservative, enable a smaller and more reliable FS solution, make the documenting and calculating tasks easier, make the “judgement day” less fraught with risk, and avoid the fallout of a failed certification? The answer was pretty simple (well, at least simple to say): “We will do the certification for the customer”.
As I said, it is simple to say, but what did it entail? Well, for starters, we wanted to be IEC61508 compliant, so a 61508 design flow was needed. Luckily, we had already developed the ADI61508 flow for previous customer Functional Safety ASIC developments. We knew that documentation for the requirements, responses and validation was needed, so new requirements management tools were put in place to align on the V-model development flow. We knew that our design team would need to be IEC61508 savvy, so they were trained in house by our Functional Safety Manager (and some were even certified as FS engineers). The design was IEC61508 from the ground up, including a monitoring function to validate the output, so in went an independent ADC. We needed better, targeted diagnostics for fault coverage and SFF, including Internal and External Node Measurements, Watchdog Timers, Internal Clock Monitors, Internal State Monitoring and a whole host of others (please see the ADFS5758 Datasheet for more details), which simplifies the user's SW development (Hint: the ADFS5758 self-monitors and flags registers when it sees faults). Alongside the HW and diagnostic development, we had to document the safety metrics, so a Functional Safety Manual was written, capturing all of those really useful calculations needed for the FS justifications (Die FMEDA, Pin FMEDA, Fault coverage, FIT, Mission profile etc.), all the stuff a designer would otherwise need to conservatively assume. It was a heavy lift in terms of learning curve and effort, but ultimately the day (or actually many days) came for our certification interviews. The development teams had spent many months collating data and evidence, cross referencing, ensuring all requirements were accounted for and tested (with proof), then writing a whole stack of documents to capture these, and then presenting this to our assessors, answering any questions posed, and providing documented evidence and inside views to justify our claims.
For example, justifying our claim that the internal monitoring ADC was sufficiently separate from the DAC to be classed as “Independent”. The result – well, the ADFS5758 is the first SIL certified Data Converter on the market.
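To make the two diagnostic mechanisms above concrete (the device's own fault flags and the independent ADC readback of the output), here is an added example of the kind of safe-state supervision loop an output-module designer writes around such a part. It is not code from the ADFS5758 datasheet or from ADI: the flag bits, register layout, tolerance and timing values are all hypothetical, and a real design takes them from the datasheet and Functional Safety Manual.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical fault-flag bits for illustration only; NOT the ADFS5758
 * register map, which the datasheet defines. */
#define FLT_WATCHDOG (1u << 0)
#define FLT_CLOCK    (1u << 1)
#define FLT_ANY      (FLT_WATCHDOG | FLT_CLOCK)
typedef enum { ST_NORMAL = 0, ST_SAFE = 1 } safe_state_t;
typedef struct {
    safe_state_t state;            /* ST_SAFE latches until a deliberate reset */
    bool         mismatch_pending; /* readback disagreement being debounced */
    uint32_t     mismatch_since;   /* ms timestamp of the first disagreement */
} channel_t;
/* Commanded output versus independent-ADC readback, both in DAC codes. */
bool readback_ok(int32_t setpoint, int32_t readback, int32_t tolerance)
{
    return (setpoint > readback ? setpoint - readback : readback - setpoint) <= tolerance;
}
/* One diagnostic cycle: a self-reported fault flag trips the safe state at once; a
 * readback mismatch trips it only after persisting for debounce_ms (a slewing output
 * must not). Keep debounce_ms plus one cycle period below the fault reaction time. */
safe_state_t safety_step(channel_t *ch, uint32_t now_ms, uint32_t fault_flags,
                         int32_t setpoint, int32_t readback,
                         int32_t tolerance, uint32_t debounce_ms)
{
    if (ch->state == ST_SAFE || (fault_flags & FLT_ANY))
        return ch->state = ST_SAFE;
    if (readback_ok(setpoint, readback, tolerance)) {
        ch->mismatch_pending = false;
        return ST_NORMAL;
    }
    if (!ch->mismatch_pending) {
        ch->mismatch_pending = true;
        ch->mismatch_since = now_ms;
    }
    if (now_ms - ch->mismatch_since >= debounce_ms)
        ch->state = ST_SAFE;
    return ch->state;
}
/* Constructed trace: 10 ms cycles, 50-code tolerance, 20 ms debounce, the same
 * fault_flags each cycle. Returns the cycle index that went safe, or -1. */
int demo_trip_cycle(uint32_t fault_flags)
{
    static const int32_t rb[] = {30010, 31000, 31000, 30000, 31000, 31000, 31000};
    channel_t ch = {ST_NORMAL, false, 0};
    for (int i = 0; i < 7; i++)
        if (safety_step(&ch, 10u * i, fault_flags, 30000, rb[i], 50, 20) == ST_SAFE)
            return i;
    return -1;
}
```

In the constructed trace the first mismatch clears before the debounce window expires and does not trip, the second persists and trips on cycle 6, while any set fault flag trips on the very first cycle.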
What does this mean for users, I hear you ask (well, in my mind I do). To put it simply, it cuts out all the pain of designing a FS Output Module by having a part that is recognised and certified by an assessment body. You don’t need to calculate FITs, SFF, Safety Functions, Monitoring circuits etc. You don’t need to write complex SW for implementing your testing and fault responses, you don’t need to pad your calculations just to be on the safe side, and ultimately you don’t need to spend excessive time and effort trying to get your products ready for certification, as we have done that for you. You could say “We made Functional Safety easier” – Job done!
To see more about the ADFS5758, please visit the product page at: www.analog.com/ADFS5758
The Functional Safety Manual is available under NDA, a link to request this is on the home page.