In theory, you identify the required safety functions by doing a hazard analysis. But what if there are multiple safety functions that can address that hazard in different ways?
This blog covers:
- Identifying the safety function with two examples where you seem to have a choice
- Functional safety for power
- Functional safety for motor control
- Upcoming changes in IEC 61508 revision 3
When I first came across the functional safety standard for variable speed drives, IEC 61800-5-2, I was surprised to find most of the safety functions were monitoring functions instead of control functions. Instead of having a safety function to control the speed of a motor, IEC 61800-5-2 has a safety function to monitor the speed and stop the motor if that speed is exceeded.
Option 1 – a safety function to take a digital input value and spin the motor at a corresponding speed
Option 2 – a safety function to monitor the motor's speed and stop the motor if the speed is exceeded
IEC 61800-5-2 chooses option 2, and this makes sense as the hardware and software required to spin a motor are far more complicated than the hardware and software to measure a motor's speed and stop if that limit is exceeded.
For an introduction to IEC 61800-5-2, see my past blog here.

Figure 1: Safety functions from IEC 61800-5-2
Another interesting example is power supplies. Every safety function needs power. You could design your power supply to generate a 5V output with all the measures appropriate for SIL 3, or you could design a non-safety-rated 5V supply and then add a power supply monitor developed to SIL 3 requirements that watches the 5V rail and shuts it down if the voltage goes too high or too low.
Option 1 – design the entire power supply to IEC 61508. Consider the failure modes of every capacitor, inductor, and IC.
Option 2 – design the power supply to your standard ISO 9001 process and implement power supply monitoring to IEC 61508.
Both options meet the requirements of a hazard analysis that says something bad can happen if the 5V supply deviates outside a range of 5V+/-10%.
But the choice is not without consequences. Let’s explore the implications of those two options, assuming the power supply is used to implement a SIL 3 safety function.
With option 1, you need to design the full power supply to SC (systematic capability) 3 and achieve an SFF of 99%. The diagnostics needed for that SFF could be implemented with a windowed power supply monitor, of which ADI has a large range; I have spoken about them before, see here. If you wanted HFT = 1, you would need two power supplies, each with sufficient diagnostics for an SFF of 90%. Perhaps you could use a power prioritizer such as the LTC4417 to combine them!

Figure 2: A power prioritizer acting as a voter for redundant power supplies
However, issues arise – where does the power supply stop? I think most people would say it stops at the edge of their PCB, where the typical industrial 24V supply comes in. Perhaps the 24V supply is SELV or PELV and somehow single-fault-tolerant in its own right. But is that valid? Why not consider the 240V entering the building or the local nuclear power plant, solar panel, or wind turbine generating the original electrons? To stop at the 24V supply output seems somewhat arbitrary.

Figure 3: A typical power supply tree all the way back to the grid
With option 2, we go with monitoring, somewhat similar to what IEC 61800-5-2 does. Now only the power supply monitor circuit needs to be designed to SC 3. It’s a much simpler circuit than a full power supply, and you can easily draw a box around its scope on a schematic diagram. However, because the monitor is now the safety function, the monitor itself needs diagnostics. This is not a diagnostic of your diagnostics: the monitor is the safety function, and for SIL 3 you need an SFF of 99% for the monitor circuit, i.e. diagnostics that test the monitor circuit rather than the power supply. A redundant safety function would now be two power supply monitors. This is a simpler and easier task than having two power supplies, and there is no shared element, such as the power prioritizer of option 1, to act as a source of common cause failures.

Figure 4: Option 2 with a standard power supply and redundant power supply monitors to give HFT = 1
An example of the SIL 3 power supply monitor is the MAX42500 from Analog Devices.
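To make the option 2 reasoning concrete, here is an added Python model (my example, not code from the blog or from ADI) of a 5V±10% window monitor acting as the safety function: a self-test that exercises the monitor rather than the supply, a 1oo2 arrangement of two monitors on one supply as in Figure 4, and an SFF calculation for the monitor from a constructed FMEDA checked against the 99%/90% SFF thresholds for SIL 3 at HFT = 0 and HFT = 1. The failure modes, FIT values and the test-mux stimulus path are assumptions.

```python
# Added example, not from the blog or ADI: a software model of option 2.
from dataclasses import dataclass

NOMINAL, TOL = 5.0, 0.10                 # 5 V +/- 10 % window from the blog
LOW, HIGH = NOMINAL * (1 - TOL), NOMINAL * (1 + TOL)

def window_trip(v_rail: float) -> bool:
    """Monitor output: True means 'shut down' (rail outside the window)."""
    return v_rail < LOW or v_rail > HIGH

def stuck_ok_monitor(v_rail: float) -> bool:
    """Constructed dangerous failure: the monitor never asserts shut-down."""
    return False

def monitor_self_test(monitor) -> bool:
    """Diagnostic of the monitor itself (not of the supply): feed known
    in/out-of-window voltages through an assumed test-mux path and check
    the monitor answers correctly. A stuck monitor fails this test."""
    stimuli = {4.0: True, 5.0: False, 6.0: True}   # constructed test points
    return all(monitor(v) is want for v, want in stimuli.items())

def one_out_of_two(v_rail: float, monitors) -> bool:
    """HFT = 1 as in Figure 4: two monitors on one supply, either may shut down."""
    return any(m(v_rail) for m in monitors)

@dataclass
class FailureMode:
    name: str
    fit: float       # failures per 1e9 h, constructed numbers
    safe: bool       # failure ends in shutdown, so it is a safe failure
    detected: bool   # caught by the monitor's own diagnostic

def safe_failure_fraction(modes) -> float:
    """IEC 61508 SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    total = sum(m.fit for m in modes)
    lambda_du = sum(m.fit for m in modes if not m.safe and not m.detected)
    return (total - lambda_du) / total

def meets_sil3_sff(sff: float, hft: int) -> bool:
    """Thresholds quoted in the blog: 99 % SFF at HFT = 0, 90 % at HFT = 1."""
    return sff >= (0.99 if hft == 0 else 0.90)

MONITOR_FMEDA = [   # constructed FMEDA for one monitor circuit
    FailureMode("reference drifts high", 20, safe=True, detected=True),
    FailureMode("comparator stuck tripped", 10, safe=True, detected=True),
    FailureMode("comparator stuck OK", 8, safe=False, detected=True),
    FailureMode("divider open, reads low", 5, safe=True, detected=True),
    FailureMode("test mux stuck on live rail", 2, safe=False, detected=False),
]
```

With these constructed numbers the single monitor reaches an SFF of about 95.6%, enough for SIL 3 only at HFT = 1, which is exactly why the second monitor in Figure 4 is worth having.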
The situation becomes even more complicated with the proposed revision 3 of IEC 61508. It requires the SC of the diagnostics to be one less than the SC of the safety function, and if the safety function has an HFT of 0, the DSFF (diagnostic function safe failure fraction) must be 99% for a SIL 3 safety function, or 90% if there are two monitors.
For option 1 and IEC 61508 revision 3, this means the power supply monitor needs an SC of 2 and a DSFF of 90%.
For option 2 and IEC 61508 revision 3, this means that the power supply monitor diagnostics need to be implemented to SC 2 and have a DSFF.
Let’s summarize all of this in a table:
| | Option 1 | Option 2 |
| --- | --- | --- |
| SC of the power supply circuitry | 3 | 0 |
| SC of the power supply monitor (IEC 61508 rev 3) | 2 | 3 |
| SC of the power supply monitor diagnostics (IEC 61508-3) | 0 | 2 |
| Diagnostic coverage of the power supply (%) | 99 | NA, but must detect all failures to be effective |
| Diagnostic coverage of the power supply monitor (%) | 90 | 99 |
| Diagnostic coverage of the power supply monitor diagnostics for HFT = 0 (%) | 0 | 90 |
| Number of power supply monitors required for HFT = 1 | 2 (redundant supplies, each with its own monitor) | 2 (a single power supply with two monitors) |
I was tempted to add another example. I hope you found this useful.
Relevant Blogs in this Series Include
Check back next month on the second Tuesday of the month for the next blog in this series. Until then, I hope to post “mini blogs” on the other Tuesdays in the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.
For previous blogs in this series, see here.