
Designing power supplies for industrial functional safety, Part 1




A power supply unit is one of the most critical components in an electronics system, as its operation can affect the entire system's performance. In the context of industrial functional safety, as in IEC 61508, power supplies are considered elements and supporting services to electrical/electronic/programmable electronic (E/E/PE) safety-related systems (SRS) as well as to other subsystems. With IEC 61508's three key requirements for functional safety (FS) compliance alongside its recommended diagnostic measures, developing power supplies for industrial FS can be tedious. For this reason, this first part of the series discusses what the basic functional safety standard states about power supplies.

The first part of this series on functional safety in power supply design focuses on insights regarding the safety requirements for such elements of E/E/PE SRS. This is done by showing what the basic functional safety standard requires from power supplies.

Power Supplies in E/E/PE Safety-Related Systems

IEC 61508-4 defines E/E/PE systems as systems used for control, protection, or monitoring based on one or more E/E/PE devices. This includes all elements of the system, such as power supplies, sensors and other input devices, data highways and other communication paths, and actuators and other output devices.

Meanwhile, an SRS is defined as a designated system that both implements the required safety functions necessary to achieve or maintain a safe state for the equipment under control (EUC) and is intended to achieve, on its own or together with other E/E/PE SRS and other risk reduction measures, the necessary safety integrity for the required safety functions. This is shown in Figure 1, where power supplies also serve as an example of supporting services to an E/E/PE SRS, apart from the hardware and software required to carry out the specified safety function.

Figure 1 E/E/PE system structure and terminology, showing that power supplies serve as a supporting service to an E/E/PE SRS. Source: Analog Devices

Common cause failures

The basic functional safety standard defines common cause failure (CCF) as a failure resulting from one or more events that cause concurrent failures of two or more separate channels in a multiple-channel system, ultimately leading to system failure. One example is a power supply failure that can result in multiple dangerous failures of the SRS. This is shown in Figure 2, where a failure in the 24-V supply, assuming the 24 V input becomes shorted to its outputs 12 VCC and 5 VCC, will result in a dangerous failure of the succeeding circuits.

Figure 2 Example of a power supply CCF scenario, showing how a short between the 24-V supply input and the 12-V or 5-V outputs would result in a dangerous failure of the downstream systems. Source: Analog Devices

CCFs are important to consider when complying with functional safety, as they affect compliance with IEC 61508's three key requirements: systematic safety integrity, hardware safety integrity, and architectural constraints. The requirements the standard cites regarding CCF and power supplies in certain cases are shown here:

  • IEC 61508-1 Section 7.6.2.7 takes the possibility of CCF into account when allocating overall safety requirements. This section also requires that the EUC control system, E/E/PE SRS, and other risk reduction measures, when treated as independent for the allocation, shall not share common power supplies whose failure could result in a dangerous mode of failure of all systems.
  • Similarly, under synthesis of elements to achieve the required systematic capability (SC), IEC 61508-2 Section 7.4.3.4 Note 1 cites ensuring that there is no common power supply failure that can cause a dangerous mode of failure of all systems as a possible approach to achieving sufficient independence.
  • For integrated circuits with on-chip redundancy, IEC 61508-2 Annex E also cites several normative requirements, including the separation of inputs and outputs, such as the power supply, among others, and the use of measures to avoid dangerous failures caused by power supply faults.

While these clauses prohibit sharing common power supplies whose failure could cause a dangerous mode of failure for all systems, implementing such a practice when designing a system will result in an increased footprint, with larger board size and cost. One way to still use common power supplies is by employing sufficient power supply monitoring. By doing this, dangerous failures introduced by the power supply to an E/E/PE SRS can be reduced to a tolerable level, if not eliminated, in accordance with the safety requirements. More discussion about how effective power supply monitoring can solve common cause failures can be found in the blog post "Functional Safety for Power."

Power supply failures and diagnostics

To detect failures in the power supply, the basic functional safety standard specifies requirements and recommendations that address both systematic and random hardware failures.

In terms of the requirements for control of systematic faults, IEC 61508-2 Section 7.4.7.1 requires the design of E/E/PE SRS to be tolerant against environmental stresses, including electromagnetic disturbances. This clause is cited in IEC 61508-2 Table A.16, which describes some measures against defects in power supplies (voltage breakdown, voltage variations, overvoltage (OV), low voltage, and other phenomena) as mandatory regardless of safety integrity level (SIL), Table 1.

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4
Measures against voltage breakdowns, voltage variations, overvoltage, low voltage, and other phenomena such as AC power supply frequency variation that can lead to dangerous failure | M (low) | M (medium) | M (medium) | M (high)

Table 1 Power supply monitoring requirement from IEC 61508-2 Table A.16 (M = mandatory; the second entry is the required effectiveness of the measure).

IEC 61508-2 Table A.1, under discrete hardware components, shows the faults and failures that can be assumed for a power supply when quantifying the effect of random hardware failures; this is shown in Table 2. Meanwhile, IEC 61508-2 Table A.9 shows the diagnostic measures recommended for a power supply along with the respective maximum claimable diagnostic coverage.

Component | Low (60%) | Medium (90%) | High (99%)
Power supply | Stuck-at | DC fault model; drift and oscillation | DC fault model; drift and oscillation

Table 2 Power supply faults and failures to be assumed according to IEC 61508-2 Table A.1.

Table 3 shows this with more detail from IEC 61508-7 Section A.8. Both Table 2 and Table 3 are useful when doing a safety analysis, as the failure modes per component and the diagnostic coverage of the diagnostic techniques employed are inputs to the calculation of the lambda values, and thus of the SIL metrics: probability of dangerous failure and safe failure fraction (SFF).

Diagnostic Measure | Aim | Description | Max DC Considered Achievable
OV protection with safety shut-off | To protect the SRS against OV. | OV is detected early enough that all outputs can be switched to a safe condition by the power-down routine, or there is a switch-over to a second power unit. | Low (60%)
Voltage control (secondary) | To monitor the secondary voltages and initiate a safe condition if the voltage is not in its specified range. | The secondary voltage is monitored and a power-down is initiated, or there is a switch-over to a second power unit, if it is not in its specified range. | High (99%)
Power-down with safety shut-off | To shut off the power, with all safety-critical information saved. | OV or undervoltage (UV) is detected early enough so that the internal state can be saved in non-volatile memory if necessary, and so that all outputs can be set to a safe condition by the power-down routine, or there is a switch-over to a second power unit. | High (99%)

Table 3 The recommended power supply diagnostic measures in IEC 61508-7 Section A.8.
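The following is an added worked example, not code from the article or from Analog Devices, showing how the diagnostic coverage claimed for a Table 3 measure feeds the safe failure fraction and, through the architectural constraints, the SIL a power supply element can support. It uses the SFF definition of IEC 61508-2 Annex C and the Route 1H limits for a type A element with hardware fault tolerance 0; the 200 FIT supply, its 50 % dangerous share, and the helper names are constructed assumptions, not data for any real part.

```python
"""Safe failure fraction (SFF) of a power supply as a function of the diagnostic
coverage (DC) claimed for the measure that monitors it.

Added worked example; not code from the article or Analog Devices.
SFF definition (IEC 61508-2 Annex C):
    SFF = (sum lambda_S + sum lambda_DD) / (sum lambda_S + sum lambda_DD + sum lambda_DU)
SIL limits: Route 1H architectural constraints for a type A element with
hardware fault tolerance 0 (IEC 61508-2 Table 2). Every failure rate below is a
constructed sample value in FIT (failures per 1e9 h), not data for a real part.
"""
from dataclasses import dataclass

FIT = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FailureRates:
    """Failure rates (1/h) of one element after its diagnostics are accounted for."""
    safe: float                  # lambda_S : failure leaves the SRS in a safe state
    dangerous_detected: float    # lambda_DD: dangerous, but revealed by a diagnostic
    dangerous_undetected: float  # lambda_DU: dangerous and not revealed


def split_failure_rates(lam_total, dangerous_fraction, dc):
    """Split a total failure rate into lambda_S, lambda_DD and lambda_DU.

    dangerous_fraction: share of the element's failures whose effect is dangerous
        (from its failure-mode analysis, e.g. the Table 2 modes of a supply).
    dc: diagnostic coverage of the measure that detects those dangerous failures
        (0.60 or 0.99 for the Table 3 measures).
    """
    if not 0.0 <= dangerous_fraction <= 1.0 or not 0.0 <= dc <= 1.0:
        raise ValueError("dangerous_fraction and dc must lie within [0, 1]")
    lam_d = lam_total * dangerous_fraction
    return FailureRates(
        safe=lam_total - lam_d,
        dangerous_detected=lam_d * dc,
        dangerous_undetected=lam_d * (1.0 - dc),
    )


def safe_failure_fraction(elements):
    """SFF of a subsystem built from the given elements."""
    lam_s = sum(e.safe for e in elements)
    lam_dd = sum(e.dangerous_detected for e in elements)
    lam_du = sum(e.dangerous_undetected for e in elements)
    total = lam_s + lam_dd + lam_du
    if total <= 0.0:
        raise ValueError("the elements carry no failure rate")
    return (lam_s + lam_dd) / total


def max_sil_type_a_hft0(sff):
    """Highest SIL claimable for a type A element with HFT = 0 (IEC 61508-2 Table 2)."""
    if sff < 0.60:
        return 1
    if sff < 0.90:
        return 2
    return 3  # both the 90 %..<99 % and the >= 99 % bands allow SIL 3 at HFT 0


# Constructed sample: a 200 FIT supply whose failure-mode analysis rates half of
# its failures dangerous, combined with each Table 3 diagnostic measure.
SUPPLY_FIT = 200.0 * FIT
DANGEROUS_SHARE = 0.5
MEASURES = {
    "none": 0.00,
    "OV protection with safety shut-off": 0.60,
    "voltage control (secondary)": 0.99,
    "power-down with safety shut-off": 0.99,
}


def sff_per_measure():
    """SFF and maximum SIL of the sample supply under each diagnostic measure."""
    result = {}
    for name, dc in MEASURES.items():
        rates = split_failure_rates(SUPPLY_FIT, DANGEROUS_SHARE, dc)
        sff = safe_failure_fraction([rates])
        result[name] = (sff, max_sil_type_a_hft0(sff))
    return result


if __name__ == "__main__":
    for name, (sff, sil) in sff_per_measure().items():
        print(f"{name:36s} SFF = {sff:6.1%}  -> max SIL {sil} (type A, HFT 0)")
```

With these sample numbers the undiagnosed supply sits at SFF 50 % (SIL 1 ceiling), OV protection alone lifts it to 80 % (SIL 2), and either 99 % measure reaches 99.5 % (SIL 3); the dangerous share and the claimed DC are the two inputs a safety analysis has to justify.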

Figure 3a shows an example of a voltage control diagnostic measure. In this example, the power supply of the logic controller subsystem, usually in the form of a post-regulator or LDO, is monitored by a voltage protection circuit, specifically the MAX16126.

Any out-of-range voltage detected by the supervisor, whether OV or UV, will result in the disconnection of the logic controller subsystem, composed of a microcontroller and other logic devices, from the power supply as well as assertion of the MAX16126's FLAG pin. With this, the logic controller subsystem can be switched to a safe condition. Similarly, this circuit can also be used as an OV protection with safety shut-off diagnostic measure if UV detection is not present.

On the other hand, Figure 3b shows an example of a power-down with safety shut-off diagnostic measure. In this example, a hot-swappable system monitor, the LTC3351, connects the power supply to the logic controller subsystem while its synchronous switching controller operates in step-down mode, charging a stack of supercapacitors. If the power supply goes outside the OV or UV threshold voltages, the LTC3351 will disconnect the logic controller subsystem from the power supply, and the synchronous controller will run in reverse as a step-up converter to deliver power from the supercapacitor stack to the logic controller subsystem. This gives the logic controller subsystem enough time to save its internal state to a nonvolatile memory, so that all outputs can be set to a safe condition by the power-down routine.

Figure 3 An illustration of the recommended diagnostic measures for a power supply. Source: Analog Devices
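As an added example (not code from the article or Analog Devices, and not a model of the MAX16126 or LTC3351 themselves), the software state machine below captures the two behaviours described for Figure 3: a latching window supervisor that disconnects and flags on OV or UV, and a power-down routine that moves the logic subsystem onto a backup source, saves state to non-volatile memory first, and only then drives outputs to the safe condition. The 3.3 V rail, its thresholds, the hold-up budget expressed in samples, and the voltage trace are constructed assumptions.

```python
"""Software model of the two supervisor behaviours illustrated in Figure 3:

  (a) voltage control: the moment the monitored rail leaves its window (OV or UV)
      the logic subsystem is disconnected and a FLAG is asserted, latched until reset;
  (b) power-down with safety shut-off: on OV/UV the logic subsystem is carried by a
      backup source, its internal state is written to non-volatile storage, and only
      then are the outputs driven to the safe condition.

Added example; not code from the article or Analog Devices, and not a model of any
specific device. Thresholds, hold-up budget and the voltage trace are constructed.
"""
from enum import Enum


class Action(Enum):
    CONNECTED = "rail in window, logic connected"
    DISCONNECT_FLAG = "rail out of window: logic disconnected, FLAG asserted"
    BACKUP_SAVE_STATE = "on backup source, internal state saved to NVM"
    OUTPUTS_SAFE = "outputs set to safe condition by power-down routine"
    BACKUP_EXHAUSTED = "backup hold-up exhausted before power-down completed"


class WindowSupervisor:
    """Window comparator with a latching trip: once tripped it stays tripped until
    reset(), so a rail that recovers on its own cannot silently reconnect."""

    def __init__(self, uv_threshold, ov_threshold):
        if uv_threshold >= ov_threshold:
            raise ValueError("UV threshold must be below OV threshold")
        self.uv = uv_threshold
        self.ov = ov_threshold
        self.tripped = False

    def sample(self, volts):
        if not self.tripped and (volts < self.uv or volts > self.ov):
            self.tripped = True
        return Action.DISCONNECT_FLAG if self.tripped else Action.CONNECTED

    def reset(self):
        self.tripped = False


class PowerDownSupervisor:
    """Voltage window plus a power-down routine fed from a hold-up source.

    backup_hold_samples: number of samples the backup (e.g. a supercapacitor
    stack) can carry the logic subsystem. The routine needs two samples (save
    state, then set outputs safe), so a smaller budget fails the measure."""

    def __init__(self, uv_threshold, ov_threshold, backup_hold_samples):
        self.window = WindowSupervisor(uv_threshold, ov_threshold)
        self.backup_left = backup_hold_samples
        self.saved_state = None   # stands in for the non-volatile memory
        self.outputs_safe = False

    def sample(self, volts, internal_state):
        if self.window.sample(volts) is Action.CONNECTED:
            return Action.CONNECTED
        if self.outputs_safe:
            return Action.OUTPUTS_SAFE        # routine already completed
        if self.backup_left <= 0:
            return Action.BACKUP_EXHAUSTED    # ran out of energy mid-routine
        self.backup_left -= 1
        if self.saved_state is None:
            self.saved_state = dict(internal_state)  # the "NVM write" comes first
            return Action.BACKUP_SAVE_STATE
        self.outputs_safe = True
        return Action.OUTPUTS_SAFE


def run_trace(supervisor, volts_trace, internal_state=None):
    """Feed a voltage trace sample by sample and return the actions taken."""
    actions = []
    for v in volts_trace:
        if isinstance(supervisor, PowerDownSupervisor):
            actions.append(supervisor.sample(v, internal_state or {}))
        else:
            actions.append(supervisor.sample(v))
    return actions


# Constructed trace for a 3.3 V logic rail: nominal, an OV excursion, the rail
# collapsing, then a recovery that must NOT reconnect the logic by itself.
RAIL_TRACE = [3.30, 3.31, 3.85, 3.90, 1.20, 0.00, 3.30]
UV, OV = 3.00, 3.60


if __name__ == "__main__":
    cases = (("voltage control", WindowSupervisor(UV, OV)),
             ("power-down, hold-up 5 samples", PowerDownSupervisor(UV, OV, 5)),
             ("power-down, hold-up 1 sample", PowerDownSupervisor(UV, OV, 1)))
    for name, sup in cases:
        print(name)
        for v, a in zip(RAIL_TRACE, run_trace(sup, RAIL_TRACE, {"setpoint": 42})):
            print(f"  {v:4.2f} V -> {a.value}")
```

The third case is the failure mode a designer has to size the supercapacitor stack against: with too little hold-up the state is saved but the outputs never reach the safe condition, which is why the Table 3 description insists the OV or UV be detected early enough.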

Power supply operation

Apart from CCF, power supply failures, and the recommended diagnostic measures, IEC 61508 also expresses the importance of power supply operation in the E/E/PE SRS. This can be seen in the sixth part of the standard, Annex B.3, which discusses the use of the reliability block diagram approach to evaluate probabilities of hardware failure, assuming a constant failure rate. Apart from the scope of the sensor, logic, and final element subsystems, power supply operation is also included; this is shown in the following examples.

  • When a power supply failure removes power from a de-energize-to-trip E/E/PE SRS and initiates a system trip to a safe state, the power supply does not affect the PFDavg of the
  • If the system is energize-to-trip or the power supply has failure modes that can cause unsafe operation of the E/E/PE SRS, the power supply needs to be included in the evaluation.

Such assumptions make power supply operation in an E/E/PE SRS critical, as it determines whether the power supply affects the calculation of the probability of a dangerous failure, which is one of IEC 61508's key requirements.
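The two bullets above can be turned into a calculation. The following is an added example, not code from the article or Analog Devices: it applies the 1oo1 channel formula of IEC 61508-6 Annex B to a series reliability block diagram of sensor, logic, final element and power supply, and includes the supply's loss-of-output failures only for the energize-to-trip case, while failure modes that can drive the SRS unsafely (such as the Figure 2 short) count in both cases. The FIT values, proof-test interval, repair times and the split of the supply into two failure-mode groups are constructed assumptions.

```python
"""Where the power supply enters a reliability-block-diagram PFDavg calculation.

Added example; not code from the article or Analog Devices. Uses the 1oo1
channel formula of IEC 61508-6 Annex B:
    PFDavg = (lambda_DU + lambda_DD) * t_CE
    t_CE   = lambda_DU/lambda_D * (T1/2 + MRT) + lambda_DD/lambda_D * MTTR
summed over the series blocks of the loop. SIL bands are the low-demand PFDavg
bands of IEC 61508-1. All failure rates and times are constructed sample values.
"""
FIT = 1e-9  # failures per hour for 1 FIT


def pfd_1oo1(lam_du, lam_dd, proof_test_interval_h, mrt_h, mttr_h):
    """PFDavg of a single 1oo1 block (IEC 61508-6 Annex B, B.3.2.2.1)."""
    lam_d = lam_du + lam_dd
    if lam_d == 0.0:
        return 0.0
    t_ce = ((lam_du / lam_d) * (proof_test_interval_h / 2.0 + mrt_h)
            + (lam_dd / lam_d) * mttr_h)
    return lam_d * t_ce


def sil_from_pfd(pfd):
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2); None if below SIL 1."""
    if pfd >= 1e-1:
        return None
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4  # the SIL 4 band is 1e-5..<1e-4; no higher level exists below it


def loop_pfd(blocks, supply, trip_mode, t1_h=8760.0, mrt_h=8.0, mttr_h=8.0):
    """PFDavg of a series RBD: sensor, logic, final element and power supply.

    blocks: {name: (lambda_DU, lambda_DD)} for the three subsystems.
    supply: {"loss_of_output": (lam_du, lam_dd), "unsafe_mode": (lam_du, lam_dd)}
        loss_of_output: the rail disappears;
        unsafe_mode: failures that can drive the SRS unsafely (e.g. the 24 V
        input shorted through to the 12 V / 5 V outputs).
    trip_mode: "de-energize-to-trip" or "energize-to-trip".
    Rule as the article states it from IEC 61508-6 Annex B.3: losing the supply
    of a de-energize-to-trip loop is itself a trip to the safe state, so only the
    supply's unsafe modes count; in an energize-to-trip loop loss of power is
    dangerous as well, so both groups are included.
    """
    if trip_mode not in ("de-energize-to-trip", "energize-to-trip"):
        raise ValueError("unknown trip mode")
    total = sum(pfd_1oo1(du, dd, t1_h, mrt_h, mttr_h) for du, dd in blocks.values())
    du, dd = supply["unsafe_mode"]
    total += pfd_1oo1(du, dd, t1_h, mrt_h, mttr_h)
    if trip_mode == "energize-to-trip":
        du, dd = supply["loss_of_output"]
        total += pfd_1oo1(du, dd, t1_h, mrt_h, mttr_h)
    return total


# Constructed sample loop; the FIT values are illustrative, not from any datasheet.
BLOCKS = {
    "sensor": (100 * FIT, 400 * FIT),
    "logic": (10 * FIT, 90 * FIT),
    "final element": (300 * FIT, 200 * FIT),
}
SUPPLY = {
    "loss_of_output": (50 * FIT, 0.0),  # no diagnostic credited for loss of rail
    "unsafe_mode": (20 * FIT, 0.0),     # e.g. overvoltage reaching the logic
}


def compare_trip_modes():
    """PFDavg of the sample loop under both trip philosophies."""
    return {mode: loop_pfd(BLOCKS, SUPPLY, mode)
            for mode in ("de-energize-to-trip", "energize-to-trip")}


if __name__ == "__main__":
    for mode, pfd in compare_trip_modes().items():
        print(f"{mode:22s} PFDavg = {pfd:.3e}  -> SIL {sil_from_pfd(pfd)}")
```

With a one-year proof-test interval and 8 h repair times, the sample loop lands at about 1.89e-3 de-energize-to-trip and 2.11e-3 energize-to-trip, both within the SIL 2 band; the difference is exactly the supply's loss-of-output contribution, which is the quantity a supervisor with credited diagnostic coverage would move from lambda_DU into lambda_DD.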

SRS's power supply

This article provided insights regarding the basic functional safety standard's normative and informative requirements for an E/E/PE SRS's power supply. This was done by first tackling the role of the power supply in an E/E/PE SRS. A discussion of common cause failures, which prohibit the use of common power supplies, then demonstrated how the use of power supply monitoring eliminates CCFs. Requirements regarding systematic and random hardware failures related to power supplies were also presented, along with the recommended diagnostic measures for power supplies. Finally, depending on the power supply operation, de-energize-to-trip or energize-to-trip, the probability of a dangerous failure of the SRS can be affected by the power supply, which was also covered.

Bryan Angelo Borres is a TÜV-certified functional safety engineer who currently works on several industrial functional safety product development projects. As a senior power applications engineer, he helps system integrators design functionally safe power architectures that comply with industrial functional safety standards such as IEC 61508. Recently, he became a member of the IEC National Committee of the Philippines to IEC TC65/SC65A and of the IEEE Functional Safety Standards Committee. Bryan has a postgraduate degree in power electronics and around seven years of extensive experience in designing efficient and robust power electronics systems.

Noel Tenorio is a product applications manager under multimarket power, handling high performance supervisory products at Analog Devices Philippines. He joined ADI in August 2016. Prior to ADI, he worked as a design engineer in a switch-mode power supply research and development company for six years. He holds a bachelor's degree in electronics and communications engineering from Batangas State University, as well as a postgraduate degree in electrical engineering in power electronics and a Master of Science degree in electronics engineering from Mapua University. He also had a significant role in applications support for thermoelectric cooler controller products prior to handling supervisory products.


References

  • Foord, Tony and Colin Howard. "Energise or De-Energise to Trip?" Measurement and Control, Vol. 41, No. 9, November 2008.
  • IEC 61508 All Parts, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. International Electrotechnical Commission, 2010.
  • Meany, Tom. "Functional Safety for Power." Analog Devices, Inc., March 2019.


The post Designing power supplies for industrial functional safety, Part 1 appeared first on EDN.
