Functional Safety of 4/20mA Networks

In my first blog of 2021 I will go back to a purely technical topic and discuss the functional safety of 4/20mA networks. I often make use of 4/20mA examples to explore functional safety questions because of their simplicity and because most industrial functional safety people understand them, thanks to the wide use of 4/20mA in temperature transmitters, pressure transmitters and similar equipment. If you don’t know how 4/20mA works I will give a brief introduction, and even if you are working in automotive functional safety you should still find something of interest in this blog.

One of the reasons to start 2021 with this blog is that in 2020 Analog Devices released the world’s first safety certified data converter, the ADFS5758 4/20mA output DAC (digital to analog converter), and I had been meaning to write this blog ever since. The ADFS5758 takes in a digital value from a uC and outputs a current in the range of 4/20mA.

In future blogs I might cover the advantages of using a certified IC, do an in-depth look at the on-chip diagnostics of the ADFS5758, or even describe what goes into releasing a safety certified IC, but in this blog I will concentrate on the functional safety of 4/20mA networks.

Let’s start with a typical safety function, which consists of sensor, logic and actuator blocks. Such an example is found in many industrial functional safety standards; one, from IEC 61784-3, is shown below. In this picture 4/20mA would serve as the connection between the sensors and the PES, and between the PES and the actuators.

Figure 1 - A safety function (sensor, logic and actuator blocks), from IEC 61784-3

In process control applications it is common for the sensors and actuators to be located up to 1km from the PES (programmable electronic system), and reliable communication is necessary to assure that safety is maintained. 4/20mA networks have been used in such systems for well over 30 years and perhaps even 50 years. Before that I believe the signals were transmitted pneumatically and hydraulically (for anybody less than 50 years of age, I kid you not). In fact, 4/20mA contains some throwbacks to those earlier communication means, e.g. the live zero.

Two examples of a PES are a PLC (programmable logic controller) and a DCS (distributed control system). Typically each of these contains analog input and output cards. A DAC (digital to analog converter) in the analog output card of the PLC converts the digital value from the PLC into a current in the range of 4 to 20mA. In the analog input card a 250 ohm resistor converts the 4/20mA current into a voltage (1 to 5V), which is then converted into a digital reading by an ADC (analog to digital converter) such as the AD7124. A PLC block diagram from IEC 61131-6 is shown below.

Figure 2 - A block diagram of a PLC with external sensors and actuators from IEC 61131-6

In fact, IEC 61508-4:2010 has its own version of the above highlighting the ADC and DAC.

Figure 3 - Block diagram of a PES from IEC 61508-4:2010

Simplifying further we arrive at something like the below and as you can see each 4/20mA connection typically requires an ADC and a DAC.

Figure 4 - Two typical use cases of 4/20mA signaling in a PLC analog input card and a PLC analog output card

Because the signal is a current, the voltage drops caused by the wiring resistance do not affect the measured value in either case: the same current flows at every point in the loop, so the sense resistor at the receiver sees exactly what the transmitter sends, provided the transmitter has enough compliance voltage to drive the total loop resistance. Other advantages of 4/20mA include good EMC robustness and the fact that if your sensor can run from less than 3.6mA, the loop itself can supply its power (microcontrollers designed for just such applications include the ADuCM360).

Let’s look at the transmitted current values in more detail. The ranges below are from the NAMUR NE-43 recommendation: the valid signal range is 3.8mA to 20.5mA, with the intention that currents from 3.6mA to 3.8mA and from 20.5mA to 21mA can be used to transmit diagnostic data, while signals < 3.6mA and > 21mA indicate a failure. Particularly significant is the fact that an open wire gives a current of 0mA and so is easily identified as a failure (dangerous detected). This is the key advantage of live-zero signalling (4mA rather than 0mA represents the zero signal): a 0mA reading can never be mistaken for a legitimate zero.

Figure 5 - 4/20mA currents according to NAMUR standard NE-43

Other standards such as those from ISA 50, IEC 60381-1 and IEC 61131-2 define slightly different current ranges so let’s use 4/20mA from here on out. There used to be applications which used +/-20mA, I think for motor control, but you don’t see that much anymore.
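What the receiving analog input card does with each conversion, as an added example that is not code from the original post or from Analog Devices: it models the 250 ohm sense resistor from the text, scales the loop current to percent of span, and classifies the current against the NAMUR NE-43 bands quoted above. Assumed for illustration: a 24-bit unipolar ADC whose full-scale input is 6.25V (so that 25mA still reads on scale), and band edges that are closed or open exactly as written in the code; a real card takes these from its own design.

```python
"""Receiver side of a 4/20mA loop on a PLC analog input card (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

R_SENSE_OHMS = 250.0            # sense resistor named in the text
ADC_BITS = 24                   # assumed: AD7124-class 24-bit converter
ADC_FULL_SCALE_V = 6.25         # assumed input range: 25 mA * 250 ohm
ADC_MAX_CODE = (1 << ADC_BITS) - 1

# NAMUR NE-43 bands as quoted in the blog (mA); edge handling is an assumption
FAIL_LOW_MA = 3.6
VALID_LOW_MA = 3.8
ZERO_MA = 4.0                   # live zero: 0 % of span
SPAN_MA = 16.0                  # 4..20 mA
VALID_HIGH_MA = 20.5
FAIL_HIGH_MA = 21.0


class LoopStatus(Enum):
    VALID = "valid"                 # 3.8 .. 20.5 mA: measurement usable
    DIAGNOSTIC_LOW = "diag_low"     # 3.6 .. 3.8 mA: transmitter signalling
    DIAGNOSTIC_HIGH = "diag_high"   # 20.5 .. 21 mA: transmitter signalling
    FAILURE_LOW = "fail_low"        # < 3.6 mA: open wire, dead transmitter
    FAILURE_HIGH = "fail_high"      # > 21 mA: short, transmitter fault


@dataclass(frozen=True)
class ChannelReading:
    current_ma: float
    status: LoopStatus
    percent_of_span: Optional[float]   # None unless status is VALID


def adc_code_to_current_ma(code: int) -> float:
    """ADC code -> volts across the sense resistor -> loop current (Ohm's law)."""
    if not 0 <= code <= ADC_MAX_CODE:
        raise ValueError(f"code {code} outside 0..{ADC_MAX_CODE}")
    volts = code / ADC_MAX_CODE * ADC_FULL_SCALE_V
    return volts / R_SENSE_OHMS * 1000.0


def current_ma_to_adc_code(current_ma: float) -> int:
    """Inverse of the above; used here only to construct inputs for the example."""
    volts = current_ma / 1000.0 * R_SENSE_OHMS
    return round(volts / ADC_FULL_SCALE_V * ADC_MAX_CODE)


def classify_ne43(current_ma: float) -> LoopStatus:
    """Place a loop current in one of the NE-43 bands."""
    if current_ma < FAIL_LOW_MA:
        return LoopStatus.FAILURE_LOW
    if current_ma < VALID_LOW_MA:
        return LoopStatus.DIAGNOSTIC_LOW
    if current_ma <= VALID_HIGH_MA:
        return LoopStatus.VALID
    if current_ma <= FAIL_HIGH_MA:
        return LoopStatus.DIAGNOSTIC_HIGH
    return LoopStatus.FAILURE_HIGH


def read_channel(code: int) -> ChannelReading:
    """What the input card hands to the safety logic for one conversion.

    A broken wire gives 0 mA, which lands in FAILURE_LOW: with a live zero the
    fault is detected rather than being misread as '0 % of span'.
    """
    current = adc_code_to_current_ma(code)
    status = classify_ne43(current)
    percent = None
    if status is LoopStatus.VALID:
        # 3.8..4 mA and 20..20.5 mA are saturation bands, so this can sit
        # slightly outside 0..100 %; the logic downstream decides what to do.
        percent = (current - ZERO_MA) / SPAN_MA * 100.0
    return ChannelReading(current, status, percent)


if __name__ == "__main__":
    for ma in (0.0, 3.7, 4.0, 12.0, 20.8, 21.5):
        print(ma, read_channel(current_ma_to_adc_code(ma)))
```

The status is deliberately separate from the engineering value: the safety logic should act on `status` first and only use `percent_of_span` when the band says the measurement is valid.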

Another diagnostic available to a PLC analog output card, on top of checking that the current is in the 4 to 20mA range, is to measure the returned current. With only 2 wires, all the current that goes out must come back again: if you expected to transmit 10mA and measure anything other than 10mA on the return, something is wrong, for instance a problem in the DAC used to generate the current. Measuring the return current requires an ADC in the analog output card as well as the one in the analog input card, which is great news for Analog Devices. The total error of that ADC and its sense resistor will dominate your claimed safety accuracy, which is often in the range of a couple of %. If you buy the ADFS5758, ADI has already done all these calculations for you, but that’s perhaps for another blog.

Figure 6 - On-chip ADC being used to digitize the return current as a diagnostic measure
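The return-current check of Figure 6 carried through with an error budget, as an added example that is not code from the original post or from the ADFS5758 datasheet. The DAC commands a current, an ADC across a sense resistor digitizes what actually comes back on the 2-wire loop, and the two are compared. The point the paragraph above makes is visible in `trip_threshold_ma`: the readback path's own uncertainty is subtracted from the claimed safety accuracy, so the worse the ADC and sense resistor, the less of the claim is left for the trip threshold. The error-budget figures (ADC gain and offset error, sense-resistor tolerance) and the 2%-of-span safety accuracy are assumed values for illustration; a real design takes them from the datasheets of the parts used.

```python
"""Return-current (read-back) diagnostic for a 4/20mA output channel (added example)."""
from dataclasses import dataclass
from enum import Enum

SPAN_MA = 16.0          # 4..20 mA
I_MAX_MA = 20.0         # where the proportional error terms are largest
OPEN_LOOP_MA = 0.5      # assumed: below this nothing is coming back


@dataclass(frozen=True)
class ReadbackBudget:
    adc_gain_error: float       # fraction of reading, e.g. 0.001 = 0.1 %
    adc_offset_ma: float        # fixed error referred to loop current, mA
    r_sense_tolerance: float    # fraction: sense resistor value plus drift


# Assumed illustrative budgets, not taken from any datasheet.
GOOD_BUDGET = ReadbackBudget(adc_gain_error=0.001, adc_offset_ma=0.01, r_sense_tolerance=0.001)
POOR_BUDGET = ReadbackBudget(adc_gain_error=0.01, adc_offset_ma=0.1, r_sense_tolerance=0.01)


class LoopVerdict(Enum):
    OK = "ok"
    OPEN_LOOP = "open_loop"                  # nothing returns: broken wire or disconnect open
    OUT_OF_TOLERANCE = "out_of_tolerance"    # DAC or loop not delivering what was commanded


def readback_uncertainty_ma(current_ma: float, budget: ReadbackBudget) -> float:
    """Worst-case error of the measurement path (ADC + sense resistor) at this current."""
    proportional = abs(current_ma) * (budget.adc_gain_error + budget.r_sense_tolerance)
    return proportional + budget.adc_offset_ma


def budget_supports_claim(budget: ReadbackBudget, safety_accuracy_frac: float = 0.02) -> bool:
    """True if the readback path is accurate enough over the whole output range."""
    return readback_uncertainty_ma(I_MAX_MA, budget) < safety_accuracy_frac * SPAN_MA


def trip_threshold_ma(commanded_ma: float, budget: ReadbackBudget,
                      safety_accuracy_frac: float = 0.02) -> float:
    """Largest commanded-vs-measured deviation that is still accepted.

    The readback path's own uncertainty is subtracted from the claimed safety
    accuracy so that a real deviation at the claim limit always trips, even
    when the measurement error happens to work against detection.
    """
    allowed = safety_accuracy_frac * SPAN_MA
    margin = allowed - readback_uncertainty_ma(commanded_ma, budget)
    if margin <= 0:
        raise ValueError("readback path too inaccurate to support the safety accuracy claim")
    return margin


def check_return_current(commanded_ma: float, measured_ma: float,
                         budget: ReadbackBudget = GOOD_BUDGET,
                         safety_accuracy_frac: float = 0.02) -> LoopVerdict:
    """Compare what the DAC was told to drive with what the ADC sees coming back."""
    if commanded_ma >= 3.6 and measured_ma < OPEN_LOOP_MA:
        return LoopVerdict.OPEN_LOOP
    deviation = abs(measured_ma - commanded_ma)
    if deviation > trip_threshold_ma(commanded_ma, budget, safety_accuracy_frac):
        return LoopVerdict.OUT_OF_TOLERANCE
    return LoopVerdict.OK


if __name__ == "__main__":
    print("good budget supports 2 % claim:", budget_supports_claim(GOOD_BUDGET))
    print("poor budget supports 2 % claim:", budget_supports_claim(POOR_BUDGET))
    print("threshold at 20 mA:", round(trip_threshold_ma(20.0, GOOD_BUDGET), 3), "mA")
    for measured in (10.02, 10.3, 0.0):
        print("commanded 10 mA, measured", measured, "->", check_return_current(10.0, measured))
```

Note that 10.3mA measured against 10mA commanded trips even though 0.3mA is below the 0.32mA (2% of span) claim: the 0.03mA the readback path could itself be wrong by has been taken out of the allowance, which is the "dominates your claimed safety accuracy" effect in practice.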

The ADFS5758 DAC contains an on-chip ADC to measure the returned current. Having the ADC on-chip allows for a higher density analog output card and higher reliability (the ADC adds about 10% die area but still fits in the same package as the DAC so no added PCB area). Having such an on-chip diagnostic is great even for non-safety but if you want to claim credit for it in your safety case the IC needs to have been developed to IEC 61508. The ADFS5758 was developed in compliance to IEC 61508 including consideration of sufficient independence between the DAC and ADC to allow for this.

If you used a standard DAC rather than a DAC with an integrated ADC, you could use an analog input card from the PLC in parallel with the analog output card to measure the return current, but this is not very efficient in terms of resource usage. The analog input pins that allow monitoring of the loop current are one of the key features of the ADFS5758 over its non-safety counterpart, the AD5758. Both contain the ADC, but on the standard part the on-chip ADC can only monitor the on-chip temperature and run on-chip diagnostics.

Looking at the ADFS5758 schematic also brings up the issue of a safe state. If the diagnostics require the safety function to go to its safe state (fault reaction function), you could program the output of the DAC to 0mA, but a safer means is to use an SMOD (secondary means of disconnection) that does not rely on the DAC that has just been found faulty. In the schematic above there are two SMOD switches, which allows the SMOD to be tested. Both pass the current through a common 20 ohm resistor so that it can be measured, and one has an additional 20 ohms in series. This allows the SMOD switches to be exercised without interrupting the loop current, and it also gives the ADC something to measure in situations where the return current might be set and then not changed for a long time.

Most of the above concentrated on the analog output card, but what about the analog input cards used to measure 4/20mA signals? Here an interesting diagnostic is to put two sense resistors in series, put an ADC across each one and compare the outputs. Diagnostics by comparison is good for a diagnostic coverage claim of up to 99% (see IEC 61508-2:2010 tables A.7 and A.13), but issues remain around synchronizing the two ADCs, what happens if the 4/20mA signal is a fixed value for a long time, and systematic capability. I might expand on these concerns in a future blog.

Figure 7 - Safety concept for diagnostics on an analog input card using two sense resistors and two ADCs such as the AD7124 in parallel

Below is an implementation of a single isolated channel based on the ADFS5758, taken from the ADFS5758 datasheet. Keeping the component count low keeps the complexity of the solution low (everything inside the ADFS5758 being covered by the ADFS5758’s certification) and the reliability high. The ADP1031 is a companion power supply chip suitable for use with the ADFS5758.

Figure 8 - An isolated per channel 4/20mA output showing uC, power and DAC

I have been with Analog Devices for over 30 years, and even 20 years ago people were talking about the demise of 4/20mA. Analog Devices now has a range of ICs designed to allow Industrial Ethernet connections over a distance of 1km, and I understand these may be able to operate over the same wires as used for 4/20mA and so act as a higher-bandwidth replacement without having to completely rewire your plant. However, due to its wide user base I think the demise of 4/20mA will be slow and gradual, and it will still be common even in another 20 years.

In this blog I didn’t get to cover HART (which carries a second channel for non-safety data on top of the 4/20mA current by superimposing a +/-0.5mA frequency-shift-keyed modulation on it), the history of field busses, redundant architectures for high safety and high availability, intrinsic safety, the cyber security advantages of 4/20mA, the synchronization advantages of 4/20mA, or the safety advantages of analog over digital, but perhaps that will be for another day. Hopefully you still found enough in this blog to be interesting.

  • Thanks Tom. Interesting article. I didn't understand this sentence: "Diagnostics by comparison is good for a diagnostic coverage claim of up to 99% ( see IEC 61508-2:2010 table A.7 and A.13 ) but issues related to synchronizing the ADCs, what happens if the 4/20mA signal is a fixed value and systematic capability will still remain." So, yes it might be good to expand on this later.

  • Hi Joe,

    thanks for the comment. That sentence is badly worded. There are 3 parts to the sentence.

    1) IEC 61508 tables A.7 and A.13 allow a claim of up to 99% for diagnostics by comparison. In the drawn circuit there are two AD7124 and due to the architecture each AD7124 should report the same output current (to within the accuracy of the AD7124 and the sense resistor) if both AD7124 are operating correctly. Therefore a dangerous failure (something which gives a bad current measurement) is detectable.

    2) the next part of the sentence is that synchronization is an issue. This issue arises when there is a step change in current. A typical conversion time of the AD7124 is 20ms. If a step change in the input current occurs then if the two AD7124 are not synchronized then they will complete their conversions at different times and it will look like a difference in their outputs and might cause the safety system to trip. Therefore synchronization of the ADCs or some other method is required.

    3) The next part of the sentence talks about a fixed current. The concern here is that if the current is set to 10mA and never changes for 10 years then the outputs of the ADC could be stuck and we would never know. Diagnostics by comparison is more reliable/trustworthy when the input changes at least occasionally giving evidence that the outputs are not stuck. 

    4) The last part of the sentence refers to systematic capability. All that is being pointed out here is that diagnostics by comparison takes care of the random hardware aspects of functional safety but functional safety also needs to take care of the systematic safety integrity issues. If you use identical ADCs then perhaps they will both suffer the same systematic failure at the same time e.g. if the ADCs were only rated to 85°C and the temperature goes to 90°C the two ADCs may fail at the same time in the same way. Two means to address this include a) use an ADC with IEC 61508 compliance to show that the risk of systematic errors is sufficiently low b) use diverse ADCs so they are unlikely to have the same failure modes and if they do fail at the same time due to environmental or other factors they will fail in a different way making the failure detectable by comparison.

    Perhaps my explanation shows why the sentence was bad. It was an effort to summarize a complicated topic in a single sentence. There are many parts of this blog which would make good future blogs.

    I hope this helps.
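The first three concerns in the reply above (unsynchronised conversion windows at a step change, a fixed input giving no evidence that the channels are alive, and a channel whose output is stuck) can be seen in a small simulation of the two-ADC comparison of Figure 7. This is an added example, not code from the original post, the comments or Analog Devices. It models two unsynchronised ADCs converting the same loop current, each result being the mean of the current over a 20ms conversion window (an assumption standing in for a sigma-delta converter's averaging), and a comparator that withholds judgement while either channel's last two results disagree, trips when the settled channels disagree, and raises a warning when neither channel has reported a change for longer than an assumed limit. The 0.2mA tolerance, the 10ms phase offset between the channels, the 1000ms stale limit and the step waveform are all constructed values.

```python
"""Diagnostics by comparison with two unsynchronised ADCs (added example)."""
from enum import Enum
from typing import Callable, List, Optional, Tuple

CONVERSION_MS = 20          # AD7124 conversion time quoted in the reply
TOLERANCE_MA = 0.2          # assumed: combined ADC + sense resistor error allowance
STALE_LIMIT_MS = 1000       # assumed; a real system would use hours or days


class Verdict(Enum):
    SETTLING = "settling"        # a step is still passing through one channel's window
    OK = "ok"
    MISMATCH = "mismatch"        # dangerous failure detected by comparison
    NO_EVIDENCE = "no_evidence"  # input has not moved: stuck-at cannot be ruled out


class AdcChannel:
    """One AD7124-style channel. A conversion finishes every CONVERSION_MS ms,
    offset by phase_ms, and returns the mean of the loop current over the
    preceding window. stuck_at/stuck_from_ms inject a stuck-output fault."""

    def __init__(self, phase_ms: int, stuck_at: Optional[float] = None, stuck_from_ms: int = 0):
        self.phase_ms = phase_ms
        self.stuck_at = stuck_at
        self.stuck_from_ms = stuck_from_ms
        self.results: List[float] = []

    def tick(self, t_ms: int, signal: Callable[[int], float]) -> None:
        """Called once per millisecond; appends a result when a conversion completes."""
        if t_ms < CONVERSION_MS or (t_ms - self.phase_ms) % CONVERSION_MS != 0:
            return
        if self.stuck_at is not None and t_ms >= self.stuck_from_ms:
            self.results.append(self.stuck_at)
            return
        window = range(t_ms - CONVERSION_MS, t_ms)
        self.results.append(sum(signal(t) for t in window) / CONVERSION_MS)


class Comparator:
    def __init__(self, settle_check: bool = True, tolerance_ma: float = TOLERANCE_MA,
                 stale_limit_ms: int = STALE_LIMIT_MS):
        self.settle_check = settle_check
        self.tol = tolerance_ma
        self.stale_limit_ms = stale_limit_ms
        self.last_change_ms = 0

    def evaluate(self, a: AdcChannel, b: AdcChannel, t_ms: int) -> Verdict:
        if len(a.results) < 2 or len(b.results) < 2:
            return Verdict.SETTLING
        if self.settle_check:
            # A step lands in the two unsynchronised windows at different times.
            # Compare only once each channel agrees with its own previous
            # result; otherwise the skew between them looks like a fault.
            for ch in (a, b):
                if abs(ch.results[-1] - ch.results[-2]) > self.tol:
                    self.last_change_ms = t_ms
                    return Verdict.SETTLING
        if abs(a.results[-1] - b.results[-1]) > self.tol:
            return Verdict.MISMATCH
        if t_ms - self.last_change_ms > self.stale_limit_ms:
            # Both channels agree, but agreement on a value that never moves
            # is also exactly what two stuck channels would produce.
            return Verdict.NO_EVIDENCE
        return Verdict.OK


def step_signal(t_ms: int) -> float:
    """Constructed loop current: 10 mA, stepping to 16 mA at t = 100 ms."""
    return 10.0 if t_ms < 100 else 16.0


def simulate(duration_ms: int, signal: Callable[[int], float] = step_signal,
             phase_b_ms: int = 10, settle_check: bool = True,
             stuck_b_at: Optional[float] = None, stuck_b_from_ms: int = 0,
             stale_limit_ms: int = STALE_LIMIT_MS) -> List[Tuple[int, Verdict]]:
    """Run channel A (phase 0) and channel B (phase_b_ms) against one signal,
    evaluating the comparator every millisecond; returns (t, verdict) pairs."""
    a = AdcChannel(0)
    b = AdcChannel(phase_b_ms, stuck_b_at, stuck_b_from_ms)
    comp = Comparator(settle_check=settle_check, stale_limit_ms=stale_limit_ms)
    log = []
    for t in range(duration_ms + 1):
        a.tick(t, signal)
        b.tick(t, signal)
        log.append((t, comp.evaluate(a, b, t)))
    return log


def first_time(log: List[Tuple[int, Verdict]], verdict: Verdict, after_ms: int = 0) -> Optional[int]:
    """First millisecond at or after after_ms carrying the given verdict, or None."""
    for t, v in log:
        if t >= after_ms and v is verdict:
            return t
    return None


if __name__ == "__main__":
    print("naive comparison first trips at", first_time(simulate(300, settle_check=False), Verdict.MISMATCH))
    print("with settle check, first OK after the step at", first_time(simulate(300), Verdict.OK, after_ms=110))
    print("channel B stuck at 10 mA from 200 ms is caught at",
          first_time(simulate(300, stuck_b_at=10.0, stuck_b_from_ms=200), Verdict.MISMATCH))
    print("constant 10 mA input is flagged as no evidence at",
          first_time(simulate(1500, signal=lambda t: 10.0), Verdict.NO_EVIDENCE))
```

Without the settle check the comparator trips 10ms after the step, purely because channel B's window straddled the edge and averaged to 13mA while channel A still held 10mA. With it, the same step is ridden out and a genuinely stuck channel is still caught two conversions after it sticks, while a loop that sits at one value simply produces a warning that the comparison has not been exercised, which is the point of the reply about fixed currents. The settle check is one way to handle the skew; synchronising the two converters is the other.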

  • ... thanks for the detailed reply Tom.

    Best Regards