De-rating: Advice from NASA & Irish Legend

For the second blog in a row I must advise you not to miss the video at the end, even if you tire of the main topic before the end of the blog. It’s a good one and shows a man in action who really believes in safety. I do admit, however, that it has nothing to do with the topic of de-rating.

Within IEC 61508 there is not a lot on de-rating. IEC 61508-2:2010 clause states “De-rating (see IEC 61508-7) should be considered for all hardware components. Justification for operating any hardware related elements at their limits shall be documented”. The accompanying note states “where de-rating is appropriate, a de-rating factor of approximately two-thirds is typical”. IEC 61508-7:2010 clarifies that de-rating is designed “to increase the reliability of hardware components”. While the goal sounds good, if the only purpose of de-rating were to increase reliability, it would seem to be an added level of conservatism on top of what are already quite conservative reliability predictions based on standards such as IEC 62380 and SN29500, which some sources state as being at a 99% confidence level – “Perfect is the enemy of good”. However, perhaps it has other goals, such as recognizing that while items will operate well away from the extremes, once you get to the extremes they are more likely to fail.

For an IC, de-rating might mean buying an IC rated to 125 °C when the application really only needs an IC rated to 100 °C. For a capacitor, it might mean using a 50 V capacitor when a 25 V capacitor might do. It is based on the premise that if a device is used well below its maximum capabilities then it should be a lot less likely to fail. It is related to the term over-dimensioning from ISO 13849-2, where it is listed as one of the “Well-tried safety principles”. ISO 13849 advocates an over-dimensioning factor of 1.5.

Similar advice comes from no less a body than NASA.

 Figure 1 - De-rating advice from NASA practice No. PD-ED-1201

The above is somewhat typical when it comes to integrated circuits, where the definition often involves a maximum junction temperature somewhere around 100 °C with no reference to the expected operating temperature of the application. I would prefer an approach whereby, if the application requires a maximum temperature of 85 °C, the calculation would go as follows:

  • Assume a nominal temperature of 25 °C, where most of the testing is done
  • Take the operating temperature as the difference from nominal: 85 °C – 25 °C = 60 °C
  • Apply a de-rating factor of 66%: 60 °C / 0.66 = 91 °C
  • So, choose an IC rated to 116 °C (25 °C + 91 °C) or even 115 °C (we won’t argue over the last °C)

An interesting question then is whether the IC still needs to meet all the specifications up to 116 °C. For instance, Analog Devices expends a lot of effort getting standby mode power down to levels of 10 µW or even lower. Does it still need to meet that requirement at 116 °C, or is it sufficient to meet the requirements to 85 °C with much looser safety-accuracy up to 116 °C?

Another problem is how a system designer can comply with the requirement that “Justification for operating any hardware related elements at their limits shall be documented” if a part has only typical specifications. Maximum/minimum specifications are required instead, even if they are loose. The functional safety of machinery specification IEC 62061, in sub-clause under the heading “Requirements for the avoidance of systematic failures”, lists “use of the subsystem and subsystem elements within the manufacturer’s specification”. This also recognizes that de-rating is important for systematic failure modes as well as being a tool to increase reliability.
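The temperature calculation in the list above and the justification requirement just discussed can be run over a whole parts list. The following is an added example, not code from this blog or from any of the standards quoted; the status names, the `Part` fields, the sample parts and the use of the same 0.66 factor as a plain ratio for voltage are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DERATING_FACTOR = 0.66  # the 66% used in the post's calculation
T_NOMINAL_C = 25.0      # nominal temperature assumed in the post

@dataclass
class Part:
    ref: str                    # constructed reference designator
    kind: str                   # "temperature" (deg C) or "voltage" (V)
    applied: float              # worst-case stress in the application
    rated_max: Optional[float]  # datasheet maximum, None if only typical values exist

def required_rating(part: Part, factor: float = DERATING_FACTOR) -> float:
    """Smallest datasheet maximum that keeps the part inside the de-rating margin."""
    if part.kind == "temperature":
        # Post's method: de-rate the rise above nominal, not the absolute temperature.
        return T_NOMINAL_C + (part.applied - T_NOMINAL_C) / factor
    # Assumption: other stresses are de-rated as a plain ratio of the maximum.
    return part.applied / factor

def review(part: Part, factor: float = DERATING_FACTOR) -> str:
    if part.rated_max is None:
        return "NO_MAX_SPEC"   # typical-only datasheet: no limit to justify against
    if part.applied > part.rated_max:
        return "UP_RATED"      # used beyond the manufacturer's specification
    if part.rated_max < required_rating(part, factor):
        return "JUSTIFY"       # within specification but near the limit: document why
    return "OK"

# Constructed parts list for an application with an 85 deg C maximum.
BOM = [
    Part("U1", "temperature", 85.0, 125.0),
    Part("U2", "temperature", 85.0, 105.0),
    Part("U3", "temperature", 85.0, None),
    Part("C1", "voltage", 12.0, 25.0),
    Part("C2", "voltage", 30.0, 25.0),
]

def review_bom(bom):
    """Map each reference designator to its review status."""
    return {p.ref: review(p) for p in bom}

if __name__ == "__main__":
    for part in BOM:
        need = required_rating(part)
        print(f"{part.ref}: needs >= {need:.0f}, rated {part.rated_max}, {review(part)}")
```

Parts reported as `JUSTIFY` are the ones for which the documented justification would have to be written, and `NO_MAX_SPEC` marks parts where no such justification can be made from the datasheet.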

While up-rating is not exactly the opposite of de-rating, it is getting close to it. Up-rating is more like the old Irish legends where Cuchulainn chose death and glory over long life and happiness. Up-rating, I believe, would be frowned upon for functional safety.

To read more on de-rating there is a very good section (section 9.7 to be exact) in the Exida book Functional Safety an IEC 61508 SIL 3 Compliant Development Process.

I felt it should be easy to come up with a video to highlight de-rating. Something old, perhaps, like a bridge designed for horses and carts that now carries a truck with a 30-ton load of sand. However, I went with the video on validation and verification that didn’t get selected for the last blog. I must say again, this guy really knows his safety.