All electrical and electronic systems require power supplies, including safety systems. In this blog, I will examine the power supply example from Annex B of IEC 61800-5-2 (functional safety of variable speed drives). I have looked at this circuit before in the context of STO (safe torque off), but now I will concentrate on how it handles the power supply and monitoring. I have blogged previously on functional safety for power, see here and here.
Looking at the figure below, the first thing to notice is that the system is split into two sub-systems. One sub-system, A/B, contains the two channels to implement the STO functionality, and the other sub-system, PS/VM, is to handle the power supply (PS) and voltage monitoring (VM) functionality. The target for the entire safety function, including the A/B and PS/VM sub-systems, is SIL 2.
Figure 1. Safety function implemented by two sub-systems
A more detailed block diagram of the PS/VM sub-system is shown below.
The circuit contains:
- A series diode, to protect from reverse polarity connections, which could damage the power supply, the monitor, or the circuits implementing the STO functionality, all of which get their power through this diode.
- Clamp diodes to protect all of the circuits from over-voltage, and in particular to ensure that the power supply monitor's maximum specified operating voltage is not exceeded, so that we can rely on the monitor.
- A fuse that protects the clamp diodes so that they should only have to sink current in an over-voltage condition for a few seconds.
- A pass transistor, controlled by the power supply monitor, which is used to achieve the safe state: the monitor can disconnect the input power to the power supply module if either the input power to the power supply or the output supplies of the power supply module are out of specification (too high or too low compared to what is allowed on the datasheets of the downstream components).
- A power supply monitor that monitors both the 24V DC nominal input supply and the 5V and 3.3V outputs of the power supply block, and controls the pass device if any of them is out of specification.
Figure 2. Block diagram of the power supply and monitor circuits from IEC 61800-5-2:2016 Annex B
IEC 61508:2010 requires that each of the sub-systems meet the SFF requirement, which for SIL 2 with an HFT of 0 means an SFF of 90%. If the voltage monitor above is windowed (monitors for both over- and under-voltage), then based on IEC 61508-2:2010 table A.9 a claim of high DC (up to 99%) seems very reasonable.
Figure 3. Extract from IEC 61508-2:2010 table A.9
IEC 61508-2:2010 Annex A defines low as 60%, medium as 90% and high as 90% maximum achievable coverage. There is a description of voltage control (secondary) in IEC 61508-7:2010 A.8.2, but it offers nothing new compared to what is in the table above.
Figure 4. A.8.2 from IEC 61508-7:2010
Given the failure modes for a power supply from IEC 61508-2:2010 table A.1 are:
- Stuck high
- Stuck low
- Drift high
- Drift low
- Oscillation
- Floating
I think the monitor as implemented would detect all of these failure modes, so a diagnostic coverage of 99% is reasonable.
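To show what "detects all of these failure modes" means for a windowed monitor, here is an added example (not code from the blog or from IEC 61800-5-2) that runs a simple latched window comparator over constructed voltage traces for each of the table A.1 failure modes. The window limits, sample traces and function names are all assumptions for illustration.

```python
# Added example: a model of a windowed power supply monitor that opens the
# pass transistor (latched) when the monitored rail leaves its window.
# The window and the voltage traces are constructed, not from the standard.
from typing import Dict, Iterable, Optional, Tuple

NOMINAL_V = 24.0
# Window assumed at +/-15% of nominal; in a real design the limits come from
# the operating ranges on the downstream components' datasheets.
V_MIN, V_MAX = NOMINAL_V * 0.85, NOMINAL_V * 1.15


def windowed_monitor(samples: Iterable[float]) -> Tuple[bool, Optional[int]]:
    """Return (pass_transistor_on, index of the first out-of-window sample).

    The fault is latched: once any sample leaves the window the pass
    transistor stays off, which is the safe state described in the text.
    """
    for i, v in enumerate(samples):
        if v < V_MIN or v > V_MAX:
            return False, i
    return True, None


# Constructed traces for the IEC 61508-2 table A.1 power supply failure modes.
FAILURE_TRACES: Dict[str, list] = {
    "stuck high":  [30.0] * 10,
    "stuck low":   [0.0] * 10,
    "drift high":  [24.0 + 0.5 * i for i in range(20)],   # slow ramp up
    "drift low":   [24.0 - 0.5 * i for i in range(20)],   # slow ramp down
    # Oscillation is only caught because its amplitude exceeds the window;
    # an oscillation that stays inside the window is invisible to this check.
    "oscillation": [24.0 + (8.0 if i % 2 else -8.0) for i in range(10)],
    "floating":    [24.0, 17.0, 29.5, 12.0, 31.0],        # indeterminate node
}
# Normal ripple that must NOT trip the monitor.
HEALTHY_TRACE = [24.0 + 0.3 * ((-1) ** i) for i in range(10)]


def detection_report() -> Dict[str, Optional[int]]:
    """Map each failure mode to the sample index at which the monitor tripped."""
    return {mode: windowed_monitor(trace)[1] for mode, trace in FAILURE_TRACES.items()}
```

Note that drift is only detected once the rail crosses a threshold (sample 8 in the constructed ramps), so the window must sit inside the downstream components' allowed range rather than at the point where they misbehave.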
Figure 5. Extract from IEC 61508-2:2010 table A.1
Note that under IEC 61508-2:2010 there is no requirement for diagnostics on your diagnostics, so the voltage monitor itself does not require any diagnostics. For IEC 61508 revision 3 this will be different (read the CDV published in early 2025). The power supply monitor is a diagnostic for the power supply, so diagnostics on your diagnostics, in the context of a power supply monitor, means a monitor with built-in diagnostics.
As well as meeting the SFF requirement for SIL 2, there is a second hardware requirement: the PFH of the safety function must be met, which is < 1e-6/h for SIL 2. There are two contributions to the PFH of the STO safety function: PFH = PFH(A/B) + PFH(PS/VM).
For this blog, I am only concerned with the PFH(PS/VM) portion. Here, IEC 61800-5-2 goes all out, using Markov analysis to analyze the failure modes of the power supply and its monitor. I have blogged previously on Markov analysis, see here, so I won't go into it further today, or the blog would be very long.
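The two hardware checks discussed above (SFF for SIL 2 at HFT 0, and the PFH sum) as an added worked example, not code from the blog or from IEC 61800-5-2. The failure rate, safe/dangerous split, the A/B sub-system PFH and the function names are constructed assumptions; the 1oo1 PFH is the simple λ_DU approximation rather than the Annex B Markov model.

```python
# Added example: IEC 61508-2 hardware checks for the PS/VM sub-system.
# All failure rates and splits below are constructed illustrative values.

FIT = 1e-9  # failures per hour

# Targets the text relies on.
SFF_REQUIRED_SIL2_HFT0 = 0.90  # SFF needed for SIL 2 at HFT 0
PFH_LIMIT_SIL2 = 1e-6          # PFH must be below this for SIL 2
DC_HIGH = 0.99                 # "high" DC claimed for a windowed monitor


def split_failure_rate(lambda_total, safe_fraction, dc):
    """Split a total failure rate into (SD, SU, DD, DU) per IEC 61508-2.

    safe_fraction: share of failures that are safe (e.g. output forced off).
    dc: diagnostic coverage, applied to the dangerous share only.
    Safe failures are left undetected (SD = 0, SU = all safe), which is the
    conservative choice when no credit is taken for detecting them.
    """
    lambda_s = lambda_total * safe_fraction
    lambda_d = lambda_total - lambda_s
    return 0.0, lambda_s, lambda_d * dc, lambda_d * (1.0 - dc)


def sff(lambda_sd, lambda_su, lambda_dd, lambda_du):
    """Safe failure fraction: everything except dangerous undetected failures."""
    total = lambda_sd + lambda_su + lambda_dd + lambda_du
    return (total - lambda_du) / total


def pfh_1oo1(lambda_du):
    """Single-channel (HFT 0) continuous-mode PFH is its DU rate (approximation)."""
    return lambda_du


def check_ps_vm(lambda_total_fit=100.0, safe_fraction=0.5, dc=DC_HIGH, pfh_ab=2e-7):
    """Run both SIL 2 hardware checks for PS/VM and return the numbers with pass/fail.

    pfh_ab is the assumed PFH contribution of the A/B sub-system, so that the
    sum PFH = PFH(A/B) + PFH(PS/VM) can be compared against the SIL 2 limit.
    """
    sd, su, dd, du = split_failure_rate(lambda_total_fit * FIT, safe_fraction, dc)
    sff_val = sff(sd, su, dd, du)
    pfh_total = pfh_ab + pfh_1oo1(du)
    return {
        "sff": sff_val,
        "sff_ok": sff_val >= SFF_REQUIRED_SIL2_HFT0,
        "pfh_total": pfh_total,
        "pfh_ok": pfh_total < PFH_LIMIT_SIL2,
    }
```

With the constructed 100 FIT part and a 50% dangerous share, high DC (99%) gives an SFF of 99.5%, whereas a low DC (60%) monitor would leave the same part at 80% and fail the SIL 2 HFT 0 requirement.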
As I said at the start of this blog, every electronic or electric system needs power and monitoring. Each of them has different requirements in terms of the number of supplies to be monitored, the accuracy required, the voltage ranges of the supplies to be monitored, the input voltage, and so on. My power supply colleagues at ADI have some very nice power supply chips suitable for implementing monitoring. Some of these ICs are now FS-Enabled. FS-Enabled is an ADI term that means that reliability predictions and failure mode distributions are available for the components. This should make designing them into your system easier.
Figure 6. List of power supply monitors from Analog Devices available with reliability predictions and failure mode distributions
Taking one part in particular, I like the MAX6399, which operates with voltages from 5.75V to 72V and over a temperature range of -40°C to +125°C, and looks very similar to what is required by the IEC 61800-5-2 circuit. The 72V range makes it very suitable for 60V SELV systems, which I believe means you wouldn't even require the clamp diodes and fuses shown in the figure above.
Figure 7. MAX6399 application circuit
Check back next month on the second Tuesday for the next blog in this series. Until then, I hope to post “mini blogs” on the other Tuesdays of the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.
For previous blogs in this series, see here
For the full suite of ADI blogs on the EngineerZone platform, see here
For the full range of ADI products, see here