SLYY242 November 2024

  1.   Overview
  2.   At a glance
  3.   Introduction
  4.   Safety considerations and potential failures in power-supply designs
  5.   Introduction to functional safety and standards in industrial systems
  6.   Voltage monitoring using voltage supervisor ICs
  7.   How voltage supervision affects functional safety ratings
  8.   Safe torque-off design example
  9.   Conclusion

How voltage supervision affects functional safety ratings

When designing for a target SIL or PL, it is important to consider both the hardware fault tolerance (HFT), which reflects the redundancy of your design, and the safe failure fraction (SFF) or diagnostic coverage (DC), which reflects how well faults are detected and therefore depends on how you have implemented voltage monitoring in your system. The two most common standards, IEC 61508 (SIL) and ISO 13849 (PL), each define several ways to establish or raise a functional safety rating, and voltage monitoring contributes directly to the diagnostic-coverage part of that determination. See Figure 1 and Figure 2, which illustrate a SIL 2-capable design using a voltage monitor.

Figure 1 IEC 61800-5-2 implementation of a high-side safe power supply showing power supply and voltage monitoring.

Figure 2 Another option for the IEC 61800-5-2 implementation would be a low-side safe power supply showing power supply and voltage monitoring.

In Figure 2, the voltage supervisor serves as a single channel that monitors undervoltage and, if that is also of interest, overvoltage. The output of the voltage supervisor can disconnect a power supply that is outside the safe range of operation, or notify the MCU of a fault condition. The circuits in Figure 1 and Figure 2 have a hardware fault tolerance of 0 and can provide a safe failure fraction or diagnostic coverage of 90% (the 90% to 99% band). For this reason, the circuits in Figure 1 and Figure 2 are capable of providing up to a SIL 2 or PL d rating.

By the same logic, increasing the hardware fault tolerance of your circuit configuration increases the achievable level of functional safety. Figure 3 shows an example of how to increase the hardware fault tolerance of a circuit configuration while still using voltage monitoring.

Figure 3 Block diagram for an SIL 3-capable power supply using voltage monitoring.

Using two voltage supervisors in parallel provides two channels for monitoring overvoltage or undervoltage conditions, which raises the hardware fault tolerance to 1. Because each voltage monitor is linked to its own means of disconnecting the power rail from the rest of the system, if one voltage supervisor fails, the other can still correctly and safely take the prescribed action when the supply voltage moves out of specification, enabling your design to achieve a rating as high as SIL 3.

Another method of improving the functional safety of a circuit configuration such as the one shown in Figure 3 is diversity in how the voltage supervisor function is implemented. Consider a common cause failure, as described in IEC 61508, affecting both voltage supervisor devices at once. If two different voltage supervisor technologies monitor the same supply rail, the probability of such a common cause failure is reduced.

For example, selecting two voltage supervisors with different voltage threshold values provides some diversity. A stronger form of diversity, in a circuit configuration such as the one shown in Figure 3, is to use the TPS3762 from TI for one of the voltage supervisor function blocks and the TPS37 from TI for the other: because they are two different devices with two different designs, a design-related fault is unlikely to affect both channels in the same way.

One question you may ask at this point is what to do if the voltage monitoring method itself fails, or if the components that make up the voltage monitoring circuitry cease to function properly. This is another instance where a voltage supervisor IC is especially helpful. Some voltage supervisor ICs include built-in self-test (BIST) functionality. These supervisors are window voltage monitors that also have an input pin through which the system can request that the device test its own functionality. Upon request, the voltage monitor performs internal tests and provides a signal indicating whether it is still operating as expected, so the MCU can take the safe action if the test does not pass.

Figure 4 shows such an implementation.

Figure 4 Voltage monitoring using a voltage supervisor IC with BIST features.

Providing diagnostic coverage of the voltage monitoring method itself, in this case through a voltage supervisor IC with a BIST feature, can raise the diagnostic coverage of your system to as much as 99%, the highest coverage band defined in IEC 61508. This level of diagnostic coverage can enable your system to reach SIL 3 or PL e when implemented in circuits with the appropriate hardware fault tolerance. An example of a device with such integrated functionality is the TPS3762 from TI.
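The SIL claims made for Figures 1 through 4 all come from the same IEC 61508 arithmetic: a channel's failure rates are split into safe/dangerous and detected/undetected, the safe failure fraction (SFF) and diagnostic coverage (DC) follow from that split, and the route 1H architectural-constraint table maps SFF and hardware fault tolerance (HFT) to a maximum SIL. The script below, an added example that is not TI code or part of this report, carries that reasoning through for the single-channel supervisor, the duplicated supervisor, a supervisor with BIST, and the common-cause effect of diversity, using the simplified PFDavg formulas from IEC 61508-6. The FIT split, BIST coverage, beta values and one-year proof-test interval are constructed for illustration; real numbers come from the device FIT data and FMEDA.

```python
"""
IEC 61508 arithmetic behind the SIL claims above: SFF, DC, the route 1H table
for a Type B element, and simplified PFDavg. Added example; not TI code.
All failure-rate numbers are constructed for illustration only.
"""
from dataclasses import dataclass

# IEC 61508-2 route 1H, Type B (complex) element: (SFF lower bound, {HFT: max SIL}).
# SIL 0 means the architecture is not allowed for a safety function.
_ROUTE_1H_TYPE_B = [
    (0.99, {0: 3, 1: 4, 2: 4}),
    (0.90, {0: 2, 1: 3, 2: 4}),
    (0.60, {0: 1, 1: 2, 2: 3}),
    (0.00, {0: 0, 1: 1, 2: 2}),
]


@dataclass(frozen=True)
class FailureSplit:
    """Failure rates of one channel in FIT (failures per 1e9 h), classified per FMEDA."""
    safe_detected: float
    safe_undetected: float
    dangerous_detected: float
    dangerous_undetected: float

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

    def sff(self) -> float:
        """Safe failure fraction: every failure except dangerous undetected."""
        return 1.0 - self.dangerous_undetected / self.total

    def dc(self) -> float:
        """Diagnostic coverage: fraction of dangerous failures that are detected."""
        dangerous = self.dangerous_detected + self.dangerous_undetected
        return self.dangerous_detected / dangerous if dangerous else 1.0

    def lambda_du_per_hour(self) -> float:
        return self.dangerous_undetected * 1e-9


def max_sil_type_b(sff: float, hft: int) -> int:
    """Highest SIL the route 1H architectural constraints allow for a Type B element."""
    if hft < 0:
        raise ValueError("HFT must be >= 0")
    for lower_bound, by_hft in _ROUTE_1H_TYPE_B:
        if sff >= lower_bound:
            return by_hft[min(hft, 2)]  # HFT above 2 gains nothing in the table
    raise ValueError("SFF must be in [0, 1]")


def with_bist(split: FailureSplit, bist_coverage: float) -> FailureSplit:
    """Model a self-test that moves a fraction of dangerous-undetected faults to detected."""
    moved = split.dangerous_undetected * bist_coverage
    return FailureSplit(split.safe_detected, split.safe_undetected,
                        split.dangerous_detected + moved,
                        split.dangerous_undetected - moved)


def pfd_1oo1(lambda_du: float, proof_test_h: float) -> float:
    """Simplified PFDavg of a single channel (IEC 61508-6, repair-time terms ignored)."""
    return lambda_du * proof_test_h / 2


def pfd_1oo2(lambda_du: float, proof_test_h: float, beta: float) -> float:
    """Simplified PFDavg of two redundant channels; beta is the common-cause fraction.
    Diverse supervisors (two different designs) justify a smaller beta."""
    independent = (1 - beta) * lambda_du
    return (independent * proof_test_h) ** 2 / 3 + beta * lambda_du * proof_test_h / 2


# Constructed split for one window-supervisor channel, in FIT; not measured data.
SINGLE_CHANNEL = FailureSplit(safe_detected=40, safe_undetected=20,
                              dangerous_detected=36, dangerous_undetected=4)
PROOF_TEST_H = 8760  # assumed one-year proof-test interval

if __name__ == "__main__":
    s = SINGLE_CHANNEL
    print(f"Figure 1/2: SFF {s.sff():.1%}, DC {s.dc():.0%}, HFT 0 -> SIL {max_sil_type_b(s.sff(), 0)}")
    print(f"Figure 3:   same channel duplicated, HFT 1 -> SIL {max_sil_type_b(s.sff(), 1)}")
    b = with_bist(s, 0.9)
    print(f"Figure 4:   with BIST, SFF {b.sff():.1%}, DC {b.dc():.0%}, HFT 0 -> SIL {max_sil_type_b(b.sff(), 0)}")
    ldu = s.lambda_du_per_hour()
    print(f"PFDavg 1oo1 {pfd_1oo1(ldu, PROOF_TEST_H):.2e}, "
          f"1oo2 beta=10% {pfd_1oo2(ldu, PROOF_TEST_H, 0.10):.2e}, "
          f"1oo2 diverse beta=2% {pfd_1oo2(ldu, PROOF_TEST_H, 0.02):.2e}")
```

With the constructed split, the single channel lands at SFF 96% and DC 90%, which is SIL 2 at HFT 0 and SIL 3 once the channel is duplicated; adding a BIST that catches 90% of the remaining dangerous-undetected faults pushes SFF to 99.6% and DC to 99%, which is SIL 3 even at HFT 0. The PFD figures show why diversity matters for the Figure 3 architecture: once two channels exist, the common-cause term dominates, so a lower beta from two different supervisor designs reduces PFDavg far more than the independent-failure term does.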

Another benefit of a voltage monitoring device is that it can monitor high voltages. The TPS3762, for example, can monitor up to 65 V, which allows it and similar devices with a wide input voltage range to connect directly to power rails and provide monitoring and other diagnostics without an external divider. This matters because some designs must stay within extra low voltage (ELV), a voltage range defined in IEC 60449-1. The ELV definition has since been reused to define safety extra low voltage (SELV) in IEC 62368, where certain electrical energy source classes do not allow more than a specified voltage on the output of the power supply; for example, class ES1 does not allow more than 60 V on the output of the power supply.

With this in mind, a safety extra low voltage power supply has a safe maximum level of 60 VDC, and a safe power supply may exceed this amount only for a very short period before it no longer meets the safety extra low voltage requirements. 60 VDC is a very common maximum voltage across safety standards, including both safety extra low voltage and protective extra low voltage. For this reason, wide input voltage devices such as the TPS3762 are specified to monitor inputs up to 65 V, giving headroom above the 60 V limit so that an overvoltage excursion past it can still be detected.