ELECTRICAL & ELECTRONIC COMPONENTS
FEATURE INDUSTRIAL FUNCTIONAL SAFETY
Analog Devices
www.analog.com
JULY/AUGUST 2025 DESIGN SOLUTIONS 55

cited in IEC 61508-2 Table A.16, which describes some measures against defects in power supplies – voltage breakdown, voltage variations, overvoltage (OV), low voltage, and other phenomena – as mandatory regardless of SIL level. This is shown in Table 1. IEC 61508-2 Table A.1, under the discrete hardware component, shows the faults and failures that can be assumed for a power supply when quantifying the effect of random hardware failures. This is shown in Table 2. Meanwhile, IEC 61508-2 Table A.9 shows the diagnostic measures recommended for a power supply along with the respective maximum claimable diagnostic coverage. Table 3 shows this with more details from IEC 61508-7 Section A.8. Both Table 2 and Table 3 are useful when doing a safety analysis, as the failure modes per component and the diagnostic coverage of the diagnostic techniques employed are inputs to the calculation of lambda values, and thus to the SIL metrics: probability of dangerous failure and safe failure fraction (SFF).

Figure 3a shows an example of a voltage control diagnostic measure. In this example, the power supply of the logic controller subsystem, typically in the form of a post-regulator or LDO, is monitored by the MAX16126. Any out-of-range voltage detected by the supervisor, whether OV or undervoltage (UV), results in the disconnection of the logic controller subsystem, composed of the microcontroller and other logic devices, from the power supply, as well as assertion of the MAX16126's FLAG pin. With this, the logic controller subsystem can be switched to a safe condition. Similarly, this circuit can also be used as an OV protection with safety shut-off diagnostic measure if UV detection is not present. On the other hand, Figure 3b shows an example of a power-down with safety shut-off diagnostic measure. In this example, the LTC3351's hot swap controller connects the power supply to the logic controller subsystem while its synchronous switching controller operates in step-down mode, charging a stack of supercapacitors. If the power supply goes outside the OV or UV threshold voltages, the LTC3351 disconnects the logic controller subsystem from the power supply and the synchronous controller runs in reverse as a step-up converter to deliver power from the supercapacitor stack to the logic controller subsystem. This gives the logic controller subsystem enough time to save its internal state to non-volatile memory and to set all outputs to a safe condition by means of the power-down routine.

Figure 3. Illustration of recommended diagnostic measures for a power supply

Table 3. Power Supply Recommended Diagnostic Measures

Diagnostic measure: OV protection with safety shut-off
Aim: To protect the SRS against OV.
Description: OV is detected early enough that all outputs can be switched to a safe condition by the power-down routine, or there is a switch-over to a second power unit.
Max DC considered achievable: Low (60%)

Diagnostic measure: Voltage control (secondary)
Aim: To monitor the secondary voltages and initiate a safe condition if the voltage is not in its specified range.
Description: The secondary voltage is monitored and a power-down is initiated, or there is a switch-over to a second power unit, if it is not in its specified range.
Max DC considered achievable: High (99%)

Diagnostic measure: Power-down with safety shut-off
Aim: To shut off the power with all safety critical information stored.
Description: OV or undervoltage (UV) is detected early enough so that the internal state can be saved in non-volatile memory if necessary, and so that all outputs can be set to a safe condition by the power-down routine, or there is a switch-over to a second power unit.
Max DC considered achievable: High (99%)

POWER SUPPLY OPERATION
Aside from CCF, power supply failures, and recommended diagnostic measures, IEC 61508 also stresses the importance of power supply operation in the E/E/PE SRS. This can be seen in the sixth part of the standard, Annex B.3, which discusses the use of the reliability block diagram approach to evaluate probabilities of hardware failure assuming a constant failure rate. Aside from the scope of the sensor, logic, and final element subsystems, power supply operation is also included, as shown in the following examples:
• When a power supply failure removes power from a de-energise-to-trip E/E/PE SRS and initiates a system trip to a safe state, the power supply does not affect the PFDavg of the SRS.
• If the system is energise-to-trip, or the power supply has failure modes that can cause unsafe operation of the E/E/PE SRS, the power supply should be included in the evaluation.
Such assumptions make power supply operation in an E/E/PE SRS critical, as it can determine whether the power supply affects the calculation of the probability of a dangerous failure, which is one of IEC 61508's key requirements.

IN CONCLUSION
This article provided insights regarding the basic functional safety standard's normative and informative requirements for an E/E/PE safety-related system's power supply. We did this by first tackling the role of the power supply in an E/E/PE SRS. A discussion of common cause failures, which prohibit the use of common power supplies, then demonstrated how the use of power supply monitoring eliminates CCFs. Requirements regarding systematic and random hardware failures pertaining to power supplies were also shown alongside the recommended diagnostic measures for power supplies. Finally, depending on the power supply operation – de-energise-to-trip or energise-to-trip – how the probability of a dangerous failure of the SRS can be affected by the power supply was also covered.
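The lambda split, SFF and PFDavg calculation referred to above, and the de-energise-to-trip versus energise-to-trip distinction from POWER SUPPLY OPERATION, as an added worked example that is not from the article or from Analog Devices. The 1oo1 formulas are those of IEC 61508-6 Annex B.3; the component failure rates, safe fractions, proof-test interval and repair times are constructed assumptions, and only the DC values (60% and 99%) come from Table 3.

```python
"""Worked 1oo1 channel metrics: lambda split, SFF and PFDavg per IEC 61508-6
Annex B.3, and how the power supply enters PFDavg only for energise-to-trip.
All component figures here are constructed for illustration."""
from dataclasses import dataclass

FIT = 1e-9             # 1 FIT = one failure per 1e9 hours
T1_H = 8760.0          # proof-test interval T1, 1 year (assumed)
MRT_H = MTTR_H = 8.0   # mean repair / restoration time in hours (assumed)

@dataclass(frozen=True)
class Component:
    name: str
    lam_fit: float        # total failure rate, FIT
    safe_fraction: float  # share of failures that are safe rather than dangerous
    dc: float             # diagnostic coverage of dangerous failures, 0..1
    def split(self):
        """Split lambda into (lam_S, lam_DD, lam_DU) in failures per hour."""
        lam = self.lam_fit * FIT
        lam_s = lam * self.safe_fraction
        lam_d = lam - lam_s
        return lam_s, lam_d * self.dc, lam_d * (1.0 - self.dc)

def totals(components):
    s = dd = du = 0.0
    for c in components:
        cs, cdd, cdu = c.split()
        s, dd, du = s + cs, dd + cdd, du + cdu
    return s, dd, du

def sff(components):
    """Safe failure fraction = (lam_S + lam_DD) / (lam_S + lam_DD + lam_DU)."""
    s, dd, du = totals(components)
    return (s + dd) / (s + dd + du)

def pfd_avg_1oo1(components):
    """PFDavg = (lam_DU + lam_DD) * tCE with
    tCE = lam_DU/lam_D * (T1/2 + MRT) + lam_DD/lam_D * MTTR  (IEC 61508-6 B.3.2.2.1)."""
    _, dd, du = totals(components)
    lam_d = dd + du
    t_ce = (du / lam_d) * (T1_H / 2 + MRT_H) + (dd / lam_d) * MTTR_H
    return lam_d * t_ce

def channel_pfd(energise_to_trip, psu_dc):
    """Logic subsystem plus its power supply. De-energise-to-trip: loss of power
    trips to the safe state, so the supply is left out of PFDavg; energise-to-trip:
    it is included. psu_dc is the DC claimed per Table 3 (0.60 or 0.99)."""
    logic = Component("logic controller", 500.0, 0.5, 0.90)   # constructed
    psu = Component("power supply", 200.0, 0.5, psu_dc)       # constructed
    parts = [logic, psu] if energise_to_trip else [logic]
    return pfd_avg_1oo1(parts)
```

Running channel_pfd for (False, 0.60), (True, 0.60) and (True, 0.99) shows the same logic subsystem scoring 1.115e-4, 2.875e-4 and 1.167e-4: once the supply must be counted, its claimed DC is what keeps the channel's PFDavg close to the de-energise-to-trip value.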