Analog Devices
SIL 3 solution based on SIL 2-compliant components
If a solution in accordance with Safety Integrity Level 3 (SIL 3) is to be implemented with SIL 2-compliant components, various challenges arise. With the publication of revision 3 of the IEC 61508 standard, it will be necessary to apply new methods.
Functional safety has become an integral part of industry, whether it is the use of an STO (Safe Torque Off) function instead of an additional contactor or the safe use of robots and cobots in particular. It has also been recognized that the use of safety-certified equipment improves overall reliability and that diagnostic functions can increase throughput in many factories.
Difference between safety and safety function
Safety is understood to mean the absence of unacceptable risks and, to a certain extent, the protection of the environment from hazards emanating from the system in question. A safety function is an operation that must be performed in order to achieve or maintain functional safety. The purpose of a safety function is therefore to reduce the level of risk in a system. For example, if a rotating machine is equipped with a light curtain, the safety function consists of detecting the interruption of the light beam, for example by a hand, and bringing the machine to a standstill before it can be reached by the hand.
Safety functions are usually divided into three subsystems:
- An input subsystem detects the current value or status, e.g. with a sensor.
- A logic subsystem decides whether the current status is dangerous (programmable logic controller, PLC).
- An output subsystem can trigger an action to maintain safety (actuator).
Safety is about the confidence that a system will perform its intended safety function when required. In principle, functional safety is therefore a measure of how certain you can be that the light curtain and the motor's switch-off function will actually work if the light beam is interrupted.
A system is certified as being functionally safe if the hardware characteristics (random failures), systematic capability (SC) and common cause failures (CCF) do not lead to malfunctions of the safety system, injury or death to people, damage to the environment or production downtime.
Most of the numerous safety standards were derived from the IEC 61508 standard and 90 to 95 percent of the requirements contained therein are identical in all of these standards. This article focuses on the IEC 61508 standard for industrial applications and looks in particular at how a SIL 3 solution can be developed with SIL 2 components using identical redundancy.
Redundancy, high availability and hardware fault tolerance
Figure 1: All electronic systems fail at some point. A distinction is made between two types of failure: systematic and random failures. © Analog Devices
Regardless of how reliable a system is, it will inevitably be affected by a failure at some point. A distinction must be made between systematic and random failures (Fig. 1).
Redundancy is understood to mean a (redundant) path serving as a fallback level that can perform the intended safety function if a fault occurs in the safety system. However, it should be emphasized that a system does not automatically have high availability just because it has a certain degree of redundancy. Rather, it is only highly available if the redundant path can be switched on or activated automatically. Another term that is frequently used in connection with the IEC 61508 standard is hardware fault tolerance (HFT). An HFT of N means that at least N+1 faults are needed before the safety function fails. It should be emphasized in this context that no further measures (e.g. diagnostic functions) are taken into account to control the effects of faults. HFT is effectively a way of guaranteeing the hardware's resistance to failure; Table 1 shows how HFT and the SFF (Safe Failure Fraction, the fraction of failures that are safe) together determine the SIL that can be claimed for an element.
Table 1: Achievable SIL as a function of SFF and hardware fault tolerance (HFT)

| SFF of an element | HFT = 0 | HFT = 1 | HFT = 2 |
|---|---|---|---|
| <60 % | not permissible | SIL 1 | SIL 2 |
| 60 to <90 % | SIL 1 | SIL 2 | SIL 3 |
| 90 to <99 % | SIL 2 | SIL 3 | SIL 4 |
| ≥99 % | SIL 3 | SIL 4 | SIL 4 |
Safety Integrity Level (SIL)
The SIL value describes the integrity of a safety function and the relative risk reduction achieved. The IEC 61508 standard specifies four SILs, with SIL 1 representing the lowest and SIL 4 the highest level of safety integrity. Table 2 compares the SILs of the IEC 61508 industry standard with the ASILs of the automotive industry (ISO 26262) and the safety levels of avionics, although the similarities are only approximate. The higher the SIL number, the lower the permissible FIT value (Failures In Time). A FIT value of 1 corresponds to one failure in a billion (10⁹) operating hours, which is about 100,000 years. Of course, no device can survive a billion operating hours, but this value indicates, for example, that one random hardware failure is to be expected if 100,000 devices are in operation for one year. The SFF value (Safe Failure Fraction) is the sum of the safe failures and the detected dangerous failures of a safety function, divided by the total number of all failures (see formula).
Table 3 provides information on the relationship between SFF and SIL with a hardware fault tolerance of zero (HFT = 0).
Table 3: Relationship between SFF and SIL for HFT = 0

| SIL | SFF | Required failure rate per hour | Theoretically permitted dangerous faults |
|---|---|---|---|
| 1 | 60 % | 10⁻⁵ (10,000 FIT) | 1 dangerous fault every 10 years |
| 2 | 90 % | 10⁻⁶ (1,000 FIT) | 1 dangerous fault every 100 years |
| 3 | 99 % | 10⁻⁷ (100 FIT) | 1 dangerous fault every 1,000 years |
The problem and the current solution
Particularly when designing with integrated circuits (ICs), the problem arises in the functional safety context that certification can be difficult and costly, and that the risk of failing certification is quite real. At system level, a procedure for the detailed determination of the causes of faults and their impact on the system, FMEDA ("Failure Modes, Effects and Diagnostic Analysis"), must therefore be carried out. ASICs must be treated as black boxes because the number of their transistors, their internal failure mechanisms, their layout block sizes and their reliability are not known.
Table 2: Approximate comparison of safety integrity levels across standards

| IEC 61508 | ISO 26262 | Avionics |
|---|---|---|
| SIL 1 | ASIL A | D |
| SIL 2 | ASIL B | C |
| SIL 3 | ASIL C/D | B |
| SIL 4 | | A |
The FIT calculations must therefore be carried out extremely conservatively, and an additional safety margin is also required for the other parts of the safety system in order to achieve the overall target SIL value. As a rule, this means using external diagnostic functions such as an external A/D converter, which results in higher costs and space requirements, increased complexity, more complex system software and a longer development time. The situation is exacerbated by the fact that a new version of the IEC 61508 standard will be published as revision 3.
The changes currently planned in IEC 61508, Revision 3, include explicit warnings regarding the use of chip-internal diagnostic functions to detect failures in the same chip if the IC was not developed in accordance with IEC 61508. It is also planned to include the requirements of the ISO 26262 standard for latent faults. In addition to a type of SFF for diagnostic functions, the diagnostic circuits will also have to fulfill a certain SC specification.
The ADFS5758 is a single-channel 16-bit D/A converter (DAC) with current output, integrated DPC functionality (Dynamic Power Control) and built-in reference as well as numerous chip-integrated diagnostic functions (Fig. 2).
Diagnostic and safety features in the ADFS5758
The most important chip-internal diagnostic function is an ADC (A/D converter). As already mentioned, IEC 61508 revision 3 is expected to clarify that the use of on-chip diagnostic functions to detect internal failures is not generally permitted unless the IC has been developed in accordance with IEC 61508. In addition, valid write and read addresses are checked, and an ECC function (Error Correcting Code), a watchdog timer and the option to disable the configuration registers are also provided. The internal bias voltage is also monitored, as is the temperature.
The module is intended for industrial factory automation and process control applications and takes into account the limited space available on analog I/O cards of programmable logic controllers.
The safety function generates an output current from the digital input code with an accuracy of ±2.5% FSR (full-scale range). Development in accordance with IEC 61508 was carried out for SIL 2 (hardware key figures) and SIL 3 (systematic requirements). The functional safety certificate for the ADFS5758 was issued by TÜV Rheinland. Figure 3 shows how the ADFS5758 is used in a typical safety application.
In order for a system to meet certain SIL specifications, the hardware parameters (also known as architecture-related restrictions) and the SC must meet the corresponding SIL target specifications.
Figure 4: By using two SIL 2 elements, the hardware characteristics for SIL 3 can be achieved. © Analog Devices
Architecture-related restrictions: By connecting two (identical or different) SIL 2 elements in parallel, a higher SIL (SIL 3) can be achieved with regard to the hardware key figures (Figure 4).
Systematic Capability: Redundancy can be achieved by using identical or different elements. Using identical elements with the same SC does not improve the overall SC, because both elements are susceptible to the same common cause failures (CCF), such as temperature peaks or voltage drops, so a single fault could lead to the failure of both elements (Figure 5).
If, on the other hand, different elements are used in a redundant configuration, the overall SC improves (Figure 6). The reason for this is the difference between the two elements, which makes it unlikely that the same fault will lead to the simultaneous failure of both elements. The problem with this method, however, is that the use of different elements in a safety system can be expensive, as the amount of work required for design-in and testing is significantly greater.
Ideally, two identical elements could be used to achieve both the required SC and the hardware key figures (the requirements with regard to random faults) for compliance with the functional safety requirements.
The key is to develop the element with an SC one level above its SIL; this is what makes identical redundancy possible. If an element could be used in the system that was developed for an SC one level above the SIL of the element, two identical elements could be used in a safety system to achieve redundancy and improve the overall SC (Figure 7).
As the ADFS5758 is designed for an SC that is one level above the hardware ratings, it is suitable for the design of an output module with SIL 3, although it is actually only certified to SIL 2 in terms of hardware ratings or random failures. SIL 3 is required for numerous applications, including the process industry and safety-related and programmable electronic systems. The areas of reactor and machine safety as well as certain areas of railroad technology are also included. Last but not least, systems for detecting certain gases and applications in the automotive industry must also be certified in accordance with SIL 3.
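The following is an added example (not code from the article or from Analog Devices) that works through the reasoning above: it computes the SFF from constructed failure rates, looks up the achievable hardware SIL in Table 1 for a given HFT, classifies the dangerous failure rate against Table 3, and then applies the systematic capability rule for a pair of elements. The function names, the constructed FIT figures and the "+1 SC for diverse elements" rule are assumptions made for illustration.

```python
# Added example, not from the article. Failure-rate figures are constructed.
FIT = 1e-9  # one Failure In Time = one failure per 1e9 operating hours

def sff(lambda_safe: float, lambda_dd: float, lambda_du: float) -> float:
    """Safe Failure Fraction: (safe + dangerous detected) / all failures."""
    total = lambda_safe + lambda_dd + lambda_du
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return (lambda_safe + lambda_dd) / total

# Table 1 of the article: (lower SFF bound, achievable SIL for HFT 0, 1, 2);
# 0 stands for "not permissible".
_SFF_BANDS = [(0.99, (3, 4, 4)), (0.90, (2, 3, 4)), (0.60, (1, 2, 3)), (0.0, (0, 1, 2))]

def hardware_sil(sff_value: float, hft: int) -> int:
    """SIL claimable from the hardware key figures (architectural constraints)."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    for lower, sils in _SFF_BANDS:
        if sff_value >= lower:
            return sils[hft]
    raise ValueError("SFF out of range")

def sil_from_dangerous_rate(lambda_du_per_hour: float) -> int:
    """Table 3 of the article: SIL band for a dangerous failure rate per hour."""
    for sil, limit in ((3, 1e-7), (2, 1e-6), (1, 1e-5)):
        if lambda_du_per_hour < limit:
            return sil
    return 0  # above the SIL 1 limit: no SIL claimable

def redundant_sc(sc_element: int, identical: bool) -> int:
    """SC of two redundant elements. Identical elements share the same CCF,
    so no SC credit; for diverse elements the article says SC improves, and
    one level of improvement is assumed here."""
    return sc_element if identical else min(sc_element + 1, 4)

def achieved_sil(sff_value: float, hft: int, sc_element: int, identical: bool) -> int:
    """Overall SIL is limited by both the hardware figures and the SC."""
    return min(hardware_sil(sff_value, hft), redundant_sc(sc_element, identical))

if __name__ == "__main__":
    # Constructed element: 300 FIT safe, 650 FIT dangerous detected, 50 FIT undetected.
    s = sff(300 * FIT, 650 * FIT, 50 * FIT)            # 0.95 -> SIL 2 at HFT 0
    print("single element, HFT 0:", hardware_sil(s, 0))
    print("SIL band from 50 FIT dangerous:", sil_from_dangerous_rate(50 * FIT))
    # Two identical SC 3 elements (the article's case): hardware SIL 3, SC 3.
    print("two identical SC3 elements:", achieved_sil(s, 1, 3, True))
    # Two identical SC 2 elements: hardware reaches SIL 3 but SC caps it at 2.
    print("two identical SC2 elements:", achieved_sil(s, 1, 2, True))
```

Running the script shows why the SC one level above the hardware SIL is what allows the SIL 3 claim: with SC 2 elements the identical pair stays at SIL 2 even though the hardware figures alone would permit SIL 3.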
Shortened development time
The author: Brian Condell is a Product Applications Engineer in Industrial Connectivity and Control at Analog Devices in Limerick, Ireland. © Analog Devices
Using the ADFS5758 in a safety system has a number of advantages. First of all, the risk of failing certification is reduced. More importantly, the chip-integrated diagnostic functions, namely the ADC and the distributed diagnostic features of the device, can be used. Thanks to the smaller solution dimensions, more channels can be accommodated per unit area, and the minimized need for external components benefits reliability. Thanks to the targeted diagnostics, less time is needed to detect faults and fault coverage is greater. Important key figures are available for FMEDA purposes, among others, and the effort required for the system software is reduced. A reliability analysis can be carried out for an assumed operating environment, and users benefit from shorter development times and the availability of relevant documents (safety manual and TÜV report). Another plus point is that the module is equipped for IEC 61508, Revision 3. Above all, however, it should be emphasized that the ADFS5758 allows SIL 2 components to be used to implement a SIL 3 design based on identical redundancy.