An Interesting Part for Functional Safety Applications: AD7124

The AD7124 is a 24-bit sigma-delta ADC including on-chip muxes, a PGA (programmable gain amplifier), voltage references, buffers, a stable clock, voltage regulators and lots of diagnostics.

Figure 1 - block diagram of the AD7124-4

The AD7124 comes in 4 and 8 channel variants.

In a previous blog, I spoke of the 3 key requirements for functional safety. Looking at the AD7124 in the light of these requirements:

  • Requirement 1 – the AD7124 has good reliability as shown by the ADI reliability prediction tool at www.analog.com/ReliabilityData or indeed by SN29500 or IEC 62380 calculations.
  • Requirement 2 – Have good diagnostics. This is where the AD7124 really shines. The main diagnostic is that the internal mux can be used to generate zero and +/-full-scale (FS) inputs to exercise the full range of the mux, sigma-delta modulator and SINC filter. It also exercises the serial interface and most of the signal chain except perhaps for the PGA. I think most people would accept that if it can convert 0, +/-FS the signal chain must be in reasonably good condition. An FMEDA indicates over 90% coverage and the special properties of a sigma-delta (effectively a 1 bit ADC) facilitate this.

Previously users might have bought the 8 channel part and made the 0, +/-FS connections externally, but adding 8 pins increases the area and adds routing difficulties.

To check the PGA the mux also allows +/-25mV inputs to be selected, but that is only the start of the diagnostics. The part also features diagnostics to check for:

  • Incorrect clock frequency or drift
  • Open ground pins
  • Fuse changes
  • Missing regulator capacitors
  • Configuration bits flipped (checked every 300uS)
  • An open on the input pins

An FMEA has shown an SFF of over 90%.

  • Requirement 3 – follow a good development process. The AD7124 was not developed to an IEC 61508 compliant development process but was developed using an ISO 9001 compliant development process which has been used to develop 100’s and possibly 1000’s of products.  IEC 61508 does not require that only certified components are used and allows the use of standard ICs to build a safety system. Annex F which gives guidance for the techniques to be used to develop new digital ASICs is relevant for new ICs without significant feedback from users (see note in IEC 61508-2:2010 clause 7.4.6.1).

If you don’t want to rely on the internal diagnostics for functional safety then there are other options.

One possible option is to put two AD7124 in parallel and compare their outputs in a uC. If there is a random hardware failure in either AD7124 it will show up as a difference in the ADC outputs. A diagnostic coverage claim of up to 99% is possible based on comparison (see tables A.2 and A.13 of IEC 61508-2:2010 among others). Care needs to be taken so that a step input does not appear like a difference in output if the two ADC are free running. The AD7124 features a number of options to address this including a SYNC (active low) pin. A simpler option if you can tolerate the delay is to only trigger a difference if four successive conversions are in error.

Figure 2 - cross comparison of ADC outputs as a diagnostic

The picture above shows two uC but if a single SIL 3 uC is available only a single uC with connections to both ADC might be sufficient. If high availability is important then the internal AD7124 diagnostics could be used to determine which of the AD7124 is giving the bad results and temporarily ignore the results from that ADC until the module can be replaced. Without the device level diagnostics it would be difficult to say which part was failing and the system would need to shut down.

At the system level an additional possible protection would be to invert the inputs to one of the ADC. Then if something like EMC caused a shift in the offset error it will be detectable if both ADC react in the same direction. The internal diagnostics on the clock, power supplies and the internal temperature sensor give good protections against the other common systematic failure modes.
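The cross-comparison described above, with the four-successive-conversions filter and the optional inverted-input wiring, could be implemented in the uC along the following lines. This is an added example, not code from the original post or from ADI; the tolerance value, the names, and the assumption that the driver hands over signed conversion codes are all illustrative.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed values for illustration; not taken from the AD7124 data sheet. */
#define XCMP_TOLERANCE_LSB 64  /* allowed difference between the two ADCs, in codes */
#define XCMP_TRIP_COUNT    4   /* successive mismatches before a fault, per the text */

typedef struct {
    uint8_t mismatch_run;  /* consecutive out-of-tolerance comparisons */
    bool    b_inverted;    /* true if ADC B is wired with inverted inputs */
    bool    fault;         /* latched once the trip count is reached */
} xcmp_t;

void xcmp_init(xcmp_t *x, bool b_inverted)
{
    x->mismatch_run = 0;
    x->b_inverted = b_inverted;
    x->fault = false;
}

/* Feed one pair of signed conversion results (assumed already converted
 * from the raw ADC coding by the driver). Returns true while the pair of
 * ADCs is considered healthy. */
bool xcmp_update(xcmp_t *x, int32_t code_a, int32_t code_b)
{
    /* With inverted wiring B should read -A, so an offset shift in the same
     * direction on both ADCs appears as twice the shift instead of cancelling. */
    int64_t expected_a = x->b_inverted ? -(int64_t)code_b : (int64_t)code_b;
    int64_t diff = (int64_t)code_a - expected_a;
    if (diff < 0) diff = -diff;

    if (diff > XCMP_TOLERANCE_LSB) {
        if (x->mismatch_run < XCMP_TRIP_COUNT) x->mismatch_run++;
    } else {
        x->mismatch_run = 0;  /* a step input settles, so the run resets */
    }
    if (x->mismatch_run >= XCMP_TRIP_COUNT) x->fault = true;  /* stays latched */
    return !x->fault;
}
```

A step input seen at different times by two free-running ADCs produces a short run of mismatches that clears before the trip count, while a persistent difference latches the fault on the fourth successive conversion.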

Comparison is one means to implement diagnostics if you can’t stop converting on the input channel to convert on 0, +/-FS. Another option would be to use a part such as the AD7770 and this will be the topic of my next blog.

Hopefully you will find this video somewhat relevant, in that long-distance running has a lot of similarities with functional safety, with both requiring lots of planning, good reliability and perseverance. In fact, this video shows the back of the field from the famous Western States 100 mile race: see https://www.youtube.com/watch?v=5ZnZ4d-9lc0&t=303s