How to Design And Certify Functionally Safe Resistance Temperature Detector (RTD) Systems

2024-03-28

Temperature is a key measurement in process control systems. It may be the quantity of interest itself, for example the temperature of a chemical reaction, or it may be measured so that another measurement can be corrected, for example the temperature compensation of a pressure sensor. As with any system design, accurate, reliable, and robust temperature measurement is often critical. For some end designs it is also critical to detect system failures and to transition to a safe state when one occurs. Functional safety design practices should therefore be used in these environments, with the certification level indicating the diagnostic coverage that the design provides.

What is functional safety

In a functional safety design, the system must be able to detect its own faults. Consider an oil refinery in which a storage tank is being filled with oil. If the liquid level sensor fails, the system must detect that failure so that it can actively close the tank inlet valve, preventing the tank from overflowing and avoiding a potentially dangerous explosion. Another option is redundancy: two level sensors are used in the design, so that if one fails the system can continue to operate using the other.

Once a design is certified, it receives a SIL rating. This level reflects the diagnostic coverage provided by the design: the higher the SIL, the more robust the solution. For example, a SIL 2 rating with no hardware redundancy requires that more than 90% of the failures in the system be either safe or detected by diagnostics. To certify a design, the system designer must provide the certification body with evidence of the potential failures, whether safe or dangerous, and of how they are diagnosed. Failure-in-time (FIT) rates must be obtained, as well as a failure mode, effects and diagnostic analysis (FMEDA) of the different components in the system.

Temperature system design

This article focuses on RTDs. There are, however, many types of temperature sensor: RTDs, thermistors, thermocouples, and so on. The sensor chosen for a design depends on the required accuracy and on the temperature range to be measured. Each type of sensor has its own requirements:

Bias for thermocouples

Excitation current to energize the RTD

An absolute reference for thermocouples and thermistors

Therefore, in addition to the ADC, other building blocks are needed to excite the sensor and to condition its signal at the front end. To achieve functional safety, all of these blocks must be reliable and robust, and any fault in any of them must be detectable. Traditionally, system designers have used a replication approach: two signal chains that check against each other to ensure that:

The sensor is connected

There is no open or short circuit

The reference voltage is at the correct level

The PGA is operating correctly

Proving the robustness of the design for certification requires documentation. Collecting it is time-consuming, and certain information can be difficult to obtain from the IC manufacturer.

The AD7124-4/AD7124-8 integrated analog front end, however, includes all the building blocks needed for an RTD design, and its embedded diagnostics remove the need to duplicate the signal chain for diagnostic purposes. In addition to the chip enhancements, ADI provides documentation containing the information required by certification authorities (FIT rates, pin FMEDA, die FMEDA). As a result, the functional safety certification process is simplified.

IEC 61508 is the standard for functional safety design. It documents the development process required for SIL-certified products: documentation is required at every step, from concept, definition, design, and layout through manufacturing, assembly, and test. This is called Route 1S. The alternative is the Route 2S process, a route based on "proven in use". When large quantities of a product have been deployed in end customers' systems and used in the field for thousands of hours, the product can still be certified by providing the following evidence to the certification body:

Quantity deployed in the field

Analysis of field returns, with a detailed explanation of whether each return was due to a failure of the component itself

A safety data sheet detailing the diagnostics and the coverage they provide

Pin and die FMEDA

3-wire RTD design

RTD

RTDs are suitable for measuring temperatures from −200°C to +850°C and have a nearly linear response over this range. Typical RTD elements are nickel, copper, and platinum; 100 Ω and 1000 Ω platinum RTDs are the most common. RTDs are available in 2-wire, 3-wire, and 4-wire forms, with 3-wire and 4-wire being the most commonly used. An RTD is a passive sensor that requires an excitation current to produce an output voltage. Depending on the RTD and excitation current selected, the output level ranges from tens to hundreds of millivolts.

RTD design

Figure 1 shows a 3-wire RTD system. The AD7124-4/AD7124-8 are integrated solutions for RTD measurement that contain all the building blocks the system requires. To fully optimize this system, two well-matched current sources are required; they are used to cancel the lead resistance error caused by RL1. One excitation current flows through the precision reference resistor RREF, lead resistance RL1, and the RTD. The second current flows through lead resistance RL2, and the voltage it develops across RL2 cancels the voltage drop across RL1 (assuming the two leads and the two currents are matched). The voltage developed across the precision reference resistor is used as the ADC reference, REFIN1(±). Because a single excitation current generates both the reference voltage and the voltage across the RTD, the measurement is ratiometric: the accuracy, mismatch, and mismatch drift of the current sources have minimal impact on the overall ADC transfer function (a current mismatch only affects the small lead-resistance correction term). The AD7124-4/AD7124-8 allow the user to select the excitation current value, so that the system can use most of the ADC's input range for best performance.

Figure 1. 3-wire RTD system

The RTD's low-level output voltage must be amplified to use most of the ADC's input range. The PGA of the AD7124-4/AD7124-8 can be set to gains from 1 to 128, allowing the user to trade off excitation current and gain against performance. For anti-aliasing and EMC, filtering is required between the sensor and the ADC. The reference buffer allows unrestricted filter R and C values on the reference input, so these components do not affect measurement accuracy.

The system also requires calibration to eliminate gain and offset errors. After internal zero-scale and full-scale calibration, the measured temperature error of the Figure 1 system with a 3-wire Class B RTD is well within ±1°C.
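As an added worked example (written for this page, not code from ADI or from the original article), the following Python models the Figure 1 signal chain end to end: the PT100 curve (IEC 60751 Callendar-Van Dusen coefficients, assumed for a standard platinum element), the 24-bit bipolar transfer function code = 2^23 × (gain × Vin/Vref + 1), the ratiometric decode in which the excitation current cancels, and a plausibility check in the spirit of the open-circuit test described later under diagnostics. The component values (500 µA excitation, 5.11 kΩ RREF, gain 8, 10 Ω leads) are the example's own assumptions, chosen so that +850°C stays inside the ADC input range; the lead and current mismatch cases show what the cancellation does and does not cover.

```python
# PT100 constants: IEC 60751 Callendar-Van Dusen coefficients (standard values, not from the page).
R0 = 100.0
A, B, C = 3.9083e-3, -5.775e-7, -4.183e-12
MID_SCALE = 1 << 23          # 24-bit converter, bipolar coding: mid-scale is zero differential input
FULL_SCALE = 1 << 24


def rtd_resistance(t_c):
    """PT100 resistance at t_c (degrees C); the C term only applies below 0 degC."""
    r = R0 * (1.0 + A * t_c + B * t_c ** 2)
    if t_c < 0.0:
        r += R0 * C * (t_c - 100.0) * t_c ** 3
    return r


def rtd_temperature(r_ohm):
    """Invert the curve by bisection; R(T) is monotonic over the -200 to +850 degC RTD range."""
    lo, hi = -200.0, 850.0
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if rtd_resistance(mid) < r_ohm:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def three_wire_code(r_rtd, r_ref, gain, i0, i1, rl1, rl2):
    """Model the Figure 1 circuit. IOUT0 flows through RREF, RL1 and the RTD; IOUT1 through RL2.
    The return lead is common to both inputs, so its drop cancels in the differential measurement.
    Returns the 24-bit bipolar code 2^23 * (gain * Vin / Vref + 1), clipped at the rails."""
    v_ref = i0 * r_ref                            # only IOUT0 sets the reference voltage
    v_in = i0 * (rl1 + r_rtd) - i1 * rl2          # RL1 drop is cancelled by the RL2 drop when matched
    code = int(round(MID_SCALE * (gain * v_in / v_ref + 1.0)))
    return max(0, min(FULL_SCALE - 1, code))


def decode_resistance(code, r_ref, gain):
    """Ratiometric decode: only RREF and the gain enter, the excitation current cancels."""
    return (code / MID_SCALE - 1.0) * r_ref / gain


def plausibility(r_ohm):
    """Wiring check in the spirit of the open-circuit test: a PT100 never reads below
    R(-200 degC) or above R(+850 degC); codes pinned near 0 or 0xFFFFFF land outside this band."""
    if r_ohm < 0.9 * rtd_resistance(-200.0):
        return "short"
    if r_ohm > 1.1 * rtd_resistance(850.0):
        return "open"
    return "ok"


def measure(r_rtd, r_ref=5110.0, gain=8, i0=500e-6, i1=500e-6, rl1=10.0, rl2=10.0):
    """One simulated conversion. The defaults (500 uA, 5.11 kOhm RREF, gain 8, 10 Ohm leads)
    are example assumptions; they keep +850 degC (about 390 Ohm) inside the +/-Vref/gain input range."""
    code = three_wire_code(r_rtd, r_ref, gain, i0, i1, rl1, rl2)
    r = decode_resistance(code, r_ref, gain)
    status = plausibility(r)
    return status, (rtd_temperature(r) if status == "ok" else None)


if __name__ == "__main__":
    for t in (-200.0, 0.0, 25.0, 850.0):
        print(t, measure(rtd_resistance(t)))
    print("1 Ohm lead mismatch:", measure(rtd_resistance(25.0), rl2=11.0))
    print("1% current mismatch:", measure(rtd_resistance(25.0), i1=505e-6))
    print("open RTD:", measure(1e9))
    print("shorted RTD:", measure(0.0))
```

With matched leads and currents the decoded temperature is within the quantization of the converter. A 1 Ω difference between RL1 and RL2 shows up directly as a resistance error (about 2.6°C at 25°C), which is why the text calls for matched leads; a 1% current mismatch only scales the small lead term and costs roughly a quarter of a degree with 10 Ω leads.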

ADC requirements

Temperature measurement systems are dominated by low-speed measurements (the maximum speed is usually 100 samples per second), thus requiring low-bandwidth ADCs. However, the ADC must have high resolution. Σ-Δ ADCs are suitable for such applications because low-bandwidth, high-resolution ADCs can be developed using the Σ-Δ structure.

When using a Σ-Δ converter, the analog input is continuously sampled at a sampling frequency much higher than the target frequency band. It also uses noise shaping to further reduce noise within the target band by pushing the noise outside the target band into areas not used by the conversion process. Digital filters attenuate any signal outside the frequency band of interest.

The digital filter response repeats (has images) at the modulator sampling frequency and its multiples, so some external anti-aliasing filter is required; because of the oversampling, a simple first-order RC filter is sufficient for most applications. The Σ-Δ architecture allows a 24-bit ADC to achieve up to 21.7 bits of peak-to-peak resolution (21.7 stable, flicker-free bits). Other advantages of the Σ-Δ architecture are:

Analog inputs with wide common-mode range

Wide range of reference input

Ability to support ratiometric configurations

Filtering (50Hz/60Hz suppression)

In addition to the noise suppression described above, the digital filter provides 50 Hz/60 Hz rejection. When a system is powered from the mains, 50 Hz or 60 Hz interference is present: AC power produces noise at 50 Hz and its multiples (Europe) or 60 Hz and its multiples (USA). Low-bandwidth ADCs mainly use sinc filters, whose notches can be placed at 50 Hz and/or 60 Hz and their multiples, thereby rejecting those frequencies. There is an increasing requirement to provide 50 Hz/60 Hz rejection with filters that settle faster. In a multichannel system the ADC converts all enabled channels sequentially, producing a result on each; after a channel is selected, the filter must settle before a valid result is available, so a shorter settling time allows more channels to be converted in a given time. The AD7124-4/AD7124-8 post filter (an FIR filter) provides simultaneous 50 Hz/60 Hz rejection with a shorter settling time than a sinc3 or sinc4 filter. Figure 2 shows one such option: this post filter settles in 41.53 ms and provides 62 dB of simultaneous 50 Hz/60 Hz rejection.


Figure 2. Frequency response, post filter, 25SPS: (a) DC to 600Hz, (b) 40Hz to 70Hz.


Figure 3. Independent configuration of each channel

Diagnostics

For functional safety design, all functions that make up the RTD system require diagnostics. The AD7124-4/AD7124-8 feature multiple embedded diagnostic features, simplifying design complexity and reducing design time. There is also no need to duplicate the signal chain for diagnostic coverage.

Typical diagnostic requirements are as follows:

Power Supply/Reference Voltage/Analog Input Monitoring

Open circuit detection

Conversion/calibration check

Signal chain functionality check

Read/write monitoring

Register content monitoring

Embedded diagnostics are detailed below.

SPI diagnostics

The AD7124-4/AD7124-8 provide a CRC. When it is enabled, all read and write operations include a CRC calculation. The checksum is 8 bits wide and is generated with the polynomial specified in the data sheet.

Therefore, for each write operation to the AD7124-4/AD7124-8, the processor generates a CRC value that is appended to the information sent to the ADC. The ADC generates its own CRC value based on the received information and compares it with the CRC value received from the processor. If the two values match, the information is determined to be intact and written to the relevant on-chip register. If the CRC values are inconsistent, it indicates that bit corruption occurred during transmission. In this case, the AD7124-4/AD7124-8 sets an error flag indicating that data corruption has occurred. Corrupted information will not be written to the register, thus achieving self-protection. Likewise, when reading information from the AD7124-4/AD7124-8, a CRC value is generated along with the information. The processor will process this CRC value to determine whether the transfer was valid or corrupted.

The AD7124-4/AD7124-8 data sheet lists the registers that are accessible to the customer (user registers). The AD7124-4/AD7124-8 checks the address of the register being accessed. If the user attempts to read or write a register that is not documented in the data sheet, an error flag is set indicating that the processor is trying to access a non-user register. Likewise, any information accompanying this register access is not applied to the register.

The AD7124-4/AD7124-8 also have an SCLK counter. All read and write operations are multiples of 8 bits. When CS is used to frame read and write operations, the SCLK counter counts the SCLK pulses of each read/write operation while CS is low. When CS goes high, the number of SCLK pulses used in the communication should be a multiple of 8. A glitch on SCLK produces extra pulses; if this occurs, the AD7124-4/AD7124-8 again set the error flag and discard the information received.

The status register indicates the channel being converted. When reading the data register, status bits can be appended to the conversion result. This further enhances the robustness of processor/ADC communication.

All the diagnostic functions mentioned above ensure that communication between the ADC and the processor is robust and that only valid information is accepted by the AD7124-4/AD7124-8. When CS is used to frame read and write operations, the serial interface is reset each time CS is pulled high, so every communication starts from a defined, known state.

Memory check

Each time an on-chip register is changed (e.g. changing gain), a CRC is performed on the register and the resulting CRC value is temporarily stored internally. The AD7124-4/AD7124-8 internally perform additional CRC checks on the registers at regular intervals. The resulting CRC value is compared with the stored value. If the values differ due to bit flips, a flag is set to indicate to the processor that the register setting is corrupted. The processor can then reset the ADC and reload the registers.

The on-chip ROM holds the default values of the registers. On power-up or after reset, the ROM contents are applied to the user registers. In the final production test, the CRC of the ROM content is calculated and the resulting CRC value is stored in the ROM. On power-up or reset, the CRC is performed again on the ROM contents, and the resulting CRC value is compared with the saved value. If they are different, the default register settings are different than expected and require a restart or reset.
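As an added example serving both the SPI diagnostics and the memory check sections above (written for this page, not ADI code), the following Python simulates the host and device halves of the interface: the host appends a CRC-8 to each write frame and verifies the CRC returned with each read; the device checks the SCLK count, the register address and the CRC before it writes anything, sets an error flag and discards the frame otherwise, keeps a CRC snapshot of its register file for the periodic register check, and verifies its ROM defaults against a CRC stored at production test. Everything not stated on the page is an assumption: the frame layout (a command byte carrying a read/write bit and a 6-bit address, then big-endian data, then the CRC), the CRC parameters (polynomial x^8 + x^2 + x + 1, initial value 0, no final XOR, since the page does not print the device's polynomial), the cut-down register map with its widths and defaults, and the error-flag bit assignments.

```python
# Hypothetical cut-down register map: address -> (name, width in bytes). The real map is in the data sheet.
USER_REGISTERS = {0x00: ("STATUS", 1), 0x01: ("ADC_CONTROL", 2), 0x06: ("ERROR", 3), 0x19: ("CONFIG_0", 2)}
ROM_DEFAULTS = {0x00: 0x00, 0x01: 0x0000, 0x06: 0x000000, 0x19: 0x0860}   # hypothetical power-on values

CRC_POLY = 0x07   # x^8 + x^2 + x + 1: assumed here, the page does not print the device polynomial

# Hypothetical error-flag bits, one per diagnostic described in the text
ERR_SPI_CRC, ERR_SPI_SCLK, ERR_SPI_ADDR, ERR_REG_CRC = 1, 2, 4, 8


def crc8(data: bytes) -> int:
    """Bitwise CRC-8, MSB first, initial value 0, no final XOR (assumed parameters)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def pack_registers(regs: dict) -> bytes:
    """Serialize the register file in address order so that one CRC covers all of it."""
    return b"".join(regs[a].to_bytes(w, "big") for a, (_, w) in sorted(USER_REGISTERS.items()))


ROM_CRC = crc8(pack_registers(ROM_DEFAULTS))   # computed at production test and stored in ROM


def write_frame(addr: int, value: int) -> bytes:
    """Host side of a write: command byte (write, 6-bit address), big-endian data, CRC over both."""
    body = bytes([addr & 0x3F]) + value.to_bytes(USER_REGISTERS[addr][1], "big")
    return body + bytes([crc8(body)])


class Adc:
    def __init__(self):
        self.regs = dict(ROM_DEFAULTS)           # reset applies the ROM defaults
        self.error = 0
        self.reg_crc = crc8(pack_registers(self.regs))

    @staticmethod
    def power_on_check(rom_image: dict) -> bool:
        """ROM check at power-up/reset: the CRC of the defaults must match the stored CRC."""
        return crc8(pack_registers(rom_image)) == ROM_CRC

    def receive(self, frame: bytes, sclk_pulses: int) -> bool:
        """Device side of a write: nothing is written unless SCLK count, address and CRC all check out."""
        if sclk_pulses % 8 or sclk_pulses != 8 * len(frame):   # SCLK glitch or truncated frame
            self.error |= ERR_SPI_SCLK
            return False
        addr = frame[0] & 0x3F
        if addr not in USER_REGISTERS or len(frame) != 2 + USER_REGISTERS[addr][1]:
            self.error |= ERR_SPI_ADDR                          # non-user register (or wrong width)
            return False
        if crc8(frame[:-1]) != frame[-1]:
            self.error |= ERR_SPI_CRC                           # bit corrupted in transit
            return False
        self.regs[addr] = int.from_bytes(frame[1:-1], "big")
        self.reg_crc = crc8(pack_registers(self.regs))         # snapshot for the periodic memory check
        return True

    def respond_read(self, addr: int) -> bytes:
        """Device side of a read: data followed by a CRC over command byte + data."""
        cmd = bytes([0x40 | addr])
        data = self.regs[addr].to_bytes(USER_REGISTERS[addr][1], "big")
        return data + bytes([crc8(cmd + data)])

    def flip_bit(self, addr: int, bit: int) -> None:
        """Simulated single-event upset in a register cell."""
        self.regs[addr] ^= 1 << bit

    def periodic_register_check(self) -> bool:
        """Memory check: recompute the register CRC and compare it with the stored snapshot."""
        if crc8(pack_registers(self.regs)) != self.reg_crc:
            self.error |= ERR_REG_CRC
            return False
        return True


def host_read(adc: Adc, addr: int):
    """Host side of a read: verify the returned CRC; None signals a corrupted transfer."""
    resp = adc.respond_read(addr)
    if crc8(bytes([0x40 | addr]) + resp[:-1]) != resp[-1]:
        return None
    return int.from_bytes(resp[:-1], "big")
```

The point of the ordering in `receive` is that a rejected frame leaves the register file untouched and only raises a flag; the host's job is to poll the flag (or the status bits appended to the data register), reset and reload the device when the periodic register check fails, and treat a `None` from `host_read` as a transfer to retry rather than as data.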

Signal chain check

The device includes many signal chain checks. The power rails (AVDD, AVSS, and IOVDD) can be routed to the ADC input, allowing them to be monitored. The AD7124-4/AD7124-8 contain an analog and a digital low dropout (LDO) regulator; these can also be routed to the ADC and monitored. The AD7124-4/AD7124-8 include a crosspoint multiplexer, and AVSS can be used internally as AIN−, so that the absolute voltage on any analog input pin can be checked. The user can therefore measure the pin that outputs the excitation current as well as the AIN+ and AIN− pins, which verifies the connections and confirms that the voltages on the various pins are at the correct levels.

For reference voltage checking, a reference detect function indicates a low reference voltage condition. The user can also select the internal reference as the analog input; converting it against the external reference developed across the reference resistor monitors that external reference, provided the voltage across the reference resistor is slightly above 2.5 V (the magnitude of the internal reference) so that the input stays within range.

The AD7124-4/AD7124-8 also have an internal 20mV voltage, which is useful for checking the gain stage. For example, using 20mV as the analog input, the gain can go from 1 to 2, 4, ... 128. Each time the gain is increased, the conversion result is amplified by a factor of 2, confirming that the gain stage is working properly.

The crosspoint multiplexer is also useful for checking for stuck bits. It allows the AIN+ and AIN− pins to be swapped, which inverts the conversion result; using the 20 mV source together with the crosspoint multiplexer, the user can thus check for stuck bits.

Selecting the same analog input pin for both AIN+ and AIN− and biasing this internal short checks the ADC noise and confirms that it is within specification. The embedded reference (+2.5 V) can be selected internally as the ADC input; likewise, applying +VREF and −VREF confirms that the signal chain is functioning correctly.

A programmable open-circuit test current can be used to check the sensor connections. The typical resistance of a PT100 is 18 Ω at −200°C and 390.4 Ω at +850°C. With the open-circuit test current enabled, conversions can be performed: if the RTD is shorted, the conversion result is close to 0; an open circuit between AIN+ and AIN− gives a result close to 0xFFFFFF. With the RTD correctly connected, a code close to all 0s or all 1s never occurs.

Finally, the AD7124-4/AD7124-8 feature overvoltage and undervoltage detection. The absolute voltages on the AIN+ and AIN− pins being converted are continuously monitored by comparators, and a flag is set if the voltage on AIN+ or AIN− goes beyond the supply rails (AVDD and AVSS).

This high level of integration reduces the bill of materials (BOM) required to perform measurements and provide diagnostic coverage, and reduces design time and complexity.

Conversion/Calibration

Conversions on the AD7124-4/AD7124-8 are also monitored. A flag is set if the differential input (AIN+ − AIN−), referred through the gain, exceeds positive full scale or falls below negative full scale. The conversion result then becomes all 1s (input too high) or all 0s (input too low), so the user knows that a fault has occurred.

The bit stream from the modulator is monitored to ensure that the modulator does not saturate. If saturation occurs (the modulator outputs 20 consecutive 1s or 20 consecutive 0s), a flag is set.

The AD7124-4/AD7124-8 include internal offset and gain calibration as well as system offset and gain calibration. If a calibration fails, a flag is set to inform the user; in that case the offset and gain registers are not updated.

Power supply

In addition to the power supply checks discussed previously, the AD7124-4/AD7124-8 have comparators that continuously monitor the internal LDO regulator. Therefore, if the voltage of these LDO regulators drops below the trip point, an error will be reported immediately.

These LDO regulators require an external capacitor. The presence or absence of this capacitor can also be checked.

MCLK counter

The filter response and output data rate are directly related to MCLK. The output data rates listed in the data sheet are correct when the master clock is 614.4 kHz; if the master clock frequency changes, the output data rate and the filter notch frequencies change with it. For example, if a filter notch is used to suppress 50 Hz or 60 Hz, a drifting clock moves the notch and reduces the attenuation obtained, so knowing the clock frequency is valuable for ensuring optimal rejection. The AD7124-4/AD7124-8 contain an MCLK counter register that increments every 131 MCLK cycles. To measure the MCLK frequency the processor needs a timer: the register is read at time zero and again when the timer expires, and the master clock frequency follows from the difference.
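As an added example (written for this page, not ADI code), the following Python implements the host side of the measurement just described and the consequence for 50 Hz rejection: two reads of the 8-bit counter around a timer interval give the clock frequency, the modulo handles a single counter wrap, and the interval is bounded because the 8-bit register wraps every 256 × 131 cycles (about 54.6 ms at 614.4 kHz). The rejection estimate uses an ideal sinc3 response, which is an assumed model for illustration, not the post filter of Figure 2; the 1% tolerance is likewise the example's own choice.

```python
import math

MCLK_NOMINAL_HZ = 614_400.0   # data sheet master clock (from the text)
COUNT_PERIOD = 131            # counter increments once every 131 MCLK cycles (from the text)
COUNTER_BITS = 8              # 8-bit register (from the text)
WRAP_PERIOD_S = (1 << COUNTER_BITS) * COUNT_PERIOD / MCLK_NOMINAL_HZ   # about 54.6 ms


def mclk_frequency_hz(count_start: int, count_end: int, elapsed_s: float) -> float:
    """Two reads of the counter bracketing a host timer interval give f = ticks * 131 / elapsed.
    The modulo absorbs a single wrap, so the interval must stay shorter than WRAP_PERIOD_S."""
    if elapsed_s <= 0 or elapsed_s >= WRAP_PERIOD_S:
        raise ValueError("timer interval must be positive and shorter than one counter wrap")
    ticks = (count_end - count_start) % (1 << COUNTER_BITS)
    return ticks * COUNT_PERIOD / elapsed_s


def frequency_resolution_hz(elapsed_s: float) -> float:
    """One counter tick is 131 cycles, so the estimate is quantized to 131 / elapsed Hz."""
    return COUNT_PERIOD / elapsed_s


def sinc3_rejection_db(f_interference_hz: float, f_notch_hz: float) -> float:
    """Attenuation of an ideal sinc3 filter (assumed model, not the post filter of Figure 2)
    at f_interference when its first notch sits at f_notch."""
    x = math.pi * f_interference_hz / f_notch_hz
    mag = abs(math.sin(x) / x) ** 3
    return 20.0 * math.log10(max(mag, 1e-30))


def clock_check(count_start: int, count_end: int, elapsed_s: float, tolerance: float = 0.01):
    """Return (measured Hz, fractional drift, drift within tolerance?, rejection at 50 Hz in dB).
    A drift d moves every notch by the same fraction, so a 50 Hz notch ends up at 50 * (1 + d)."""
    f = mclk_frequency_hz(count_start, count_end, elapsed_s)
    drift = f / MCLK_NOMINAL_HZ - 1.0
    rejection = sinc3_rejection_db(50.0, 50.0 * (1.0 + drift))
    return f, drift, abs(drift) <= tolerance, rejection


if __name__ == "__main__":
    # Constructed counter reads: 47 ticks in 10 ms, once without and once across a wrap.
    print(clock_check(10, 57, 0.010))
    print(clock_check(250, 41, 0.010))
    print("resolution with a 50 ms window:", frequency_resolution_hz(0.050), "Hz")
    print("5% clock error leaves only", round(sinc3_rejection_db(50.0, 52.5), 1), "dB at 50 Hz")
```

Two caveats fall out of the numbers. First, a single 8-bit window cannot resolve better than about 0.4% (131 cycles per tick over at most 50 ms), so a tighter check needs several reads accumulated at a polling rate faster than the wrap period. Second, even a few percent of clock error turns a theoretically infinite notch into tens of dB, which is why the text ties clock monitoring to mains rejection.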

Independent configuration of each channel

The AD7124-4/AD7124-8 allow per-channel configuration: the device supports eight different setups, each consisting of a reference selection, gain, output data rate, and filter type. When the user configures a channel, one of the eight setups is assigned to it. The channels can be analog input channels or diagnostic channels, such as a power supply measurement (AVDD − AVSS), so the user can design a sequence that mixes analog inputs and diagnostics. Because each channel has its own configuration, diagnostics can run at a different output data rate from the analog input conversions; diagnostics do not need the accuracy of the primary measurement, so they can be interleaved with the measurements at a higher output data rate. These embedded features reduce the processor workload.


Figure 4. Assign settings to channels

Other functions

The AD7124-4/AD7124-8 include a temperature sensor that can be used to monitor the die temperature. Both devices have a 4 kV ESD rating, which supports a robust solution, and are available in a 5 mm × 5 mm LFCSP package suitable for intrinsically safe designs.

An FMEDA for a typical temperature application using these devices demonstrates a safe failure fraction (SFF) greater than 90% according to IEC 61508. Typically, two conventional ADCs would be needed to reach this level.

Additional benefits of built-in diagnostics

In addition to BOM and cost savings, diagnostics can also save costs in other ways: avoiding design complexity, reducing resource usage, and accelerating customer product time to market. Please refer to the following cases to understand:

The AD7124-4/AD7124-8 have an MCLK counter that measures the master clock frequency and captures any inconsistencies in the supplied master clock. The master clock counter is an 8-bit register that increments every 131 MCLK cycles. This register is read by the SPI master to determine the frequency of the internal/external 614.4 kHz clock.

What if the MCLK frequency check had to be implemented externally to the AD7124-4/AD7124-8? It would require the following hardware resources:

A microcontroller with peripherals such as counters and an external interrupt controller

A Schmitt trigger circuit

Memory is also required to store and run the code, including the interrupt service routines. The resulting implementation is shown in Figure 5.

image.png 

Figure 5. MCLK frequency monitor implemented by microcontroller

Additionally, you must ensure that this code is reviewed and complies with the applicable coding guidelines and restrictions. In short, implementing a separate diagnostic function incurs significant overhead, so built-in diagnostics offer many benefits:

Save space and BOM

Improve system reliability: fewer components means higher reliability

Accelerate product launch by removing:
  - software development (writing and running the diagnostic routines)
  - hardware testing
  - system testing

Save microcontroller memory:
  - no code is required to run the diagnostics
  - no diagnostic code has to be stored or checked against coding guidelines, which would otherwise require extensive review

Ready-to-use safety documentation saves time in the system evaluation

Enabling functional safety design

The AD7124-4/AD7124-8 were not designed and developed according to the development process in IEC 61508 and therefore do not carry a SIL rating. However, by understanding the end application and the use of the various diagnostics, the AD7124-4/AD7124-8 can be evaluated for suitability in SIL-rated designs.

Functional safety terminology

Let's review some important concepts in the certification process:

Faults: systematic and random

Diagnostic coverage

Hardware fault tolerance

SIL level

Failures: Systematic and Random

A systematic failure is a deterministic (non-random) failure with a specific cause that can be eliminated by modifying the design or manufacturing process, the operating procedures, the documentation, or other relevant factors. For example, a system may take spurious interrupts because noise reaches an external interrupt pin that lacks filtering.

Random failures are caused by physical effects acting on the hardware components of the system, such as corrosion, thermal stress, and wear. They cannot be eliminated by improving the development process; they have to be managed.

To handle random failures, reliability, diagnostics, and redundancy can be used.

Reliability means using reliable components; diagnostics ensure that these faults can be detected and dealt with. Redundancy further reduces the probability of losing the safety function, at the cost of increased system cost and space.

There are four types of random faults, namely safe detection type, safe undetected type, dangerous detection type and dangerous undetected type.


Figure 6. Random failure types

For example, consider a system whose safety function is to open the machine's power switch when the temperature reading is too high. Any random fault that does not affect the safety function (opening the power switch) is a safe detected or safe undetected fault; faults that do affect the safety function are dangerous faults. In practice it is the dangerous undetected faults that matter, since they are the faults not covered by diagnostics. ADI's goal is to improve diagnostic coverage so as to reduce dangerous undetected faults as far as possible.

diagnostic coverage

Random faults can be detected through various built-in detection mechanisms in the form of software or hardware. For example, MOSFET switching faults can be detected by reading back the output, and random memory bit flips can be detected by running a CRC memory check at regular intervals.

Diagnostic coverage measures the system's ability to detect dangerous faults and is defined mathematically as the ratio of the dangerous detected failure rate to the total dangerous failure rate.

Hardware fault tolerance

Consider a programmable logic controller (PLC) system, such as that shown in Figure 7, whose safety function is to open a switch to stop the machine when the input exceeds a certain value. In the HFT=0 diagram, if there is a single random fault (X), the system will fail and the machine will not stop.


Figure 7.PLC system

Now, if there are redundant paths as shown in the figure with HFT=1, then a single random fault will no longer cause a failure and will be able to stop the machine.

Therefore, by adding redundant paths, the system can tolerate a single failure. This system is called an HFT 1 system, meaning that one fault will not cause the system to fail. HFT 0 indicates that a fault may cause the system to fail. Hardware fault tolerance is the ability of a component or subsystem to perform a safety function when one or more dangerous faults exist.

HFT can be derived from architectures such as 1oo1, 1oo2, and 2oo3. For an architecture expressed as MooN (M out of N channels must function), HFT = N − M. For example, a 2oo4 architecture has HFT = 2: it can tolerate two failures and keep working, so it is a redundant architecture.

SIL level coverage

Table 1 relates SFF (which reflects the diagnostic coverage) and hardware fault tolerance (i.e. redundancy) to the achievable SIL. Rows represent the SFF band and columns the hardware fault tolerance. An HFT of 0 means that a single fault in the system can cause the safety function to be lost (see Table 1).

Table 1. SIL level coverage


If redundancy is added to achieve HFT 1, as in Figure 7, the system tolerates one failure without losing the safety function. Customers who currently achieve SIL 3 through redundancy can achieve SIL 3 without redundancy if they use components with higher diagnostic coverage.

A higher level of diagnostics therefore reduces the amount of redundancy required for a given SIL, or, for the same amount of redundancy, raises the SIL rating of the solution (moving down in Table 1).

Returning to the diagnostic capabilities of the AD7124-4/AD7124-8, the device supports multiple built-in mechanisms, such as supply/reference/AIN monitoring, open-circuit detection, conversion/calibration checks, signal chain functionality checks, read/write monitoring, and register content monitoring. These raise the diagnostic coverage of a system built around the AD7124-4/AD7124-8; without them, two ADCs would be needed to reach the same level.

A single AD7124-4 or AD7124-8 therefore provides the same coverage as two conventional ADCs, with the diagnostic coverage and features needed to design a functionally safe system, saving 50% of the BOM and PCB space.
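As an added worked example (written for this page, not from ADI or from the original article), the following Python carries the definitions above through to a SIL: SFF and diagnostic coverage from the four FMEDA failure-rate categories, HFT from a MooN architecture, and the architectural constraint for a Type B subsystem. The page's Table 1 is an image and is not reproduced here; the band values in the code are those of IEC 61508-2:2010 Table 3 for Type B subsystems. The FIT figures in the usage block are constructed for illustration and are not from any ADI FMEDA.

```python
def sff(lam_sd: float, lam_su: float, lam_dd: float, lam_du: float) -> float:
    """Safe failure fraction: everything except dangerous undetected, over the total failure rate.
    Rates may be given in FIT (failures per 1e9 hours); only the ratios matter."""
    total = lam_sd + lam_su + lam_dd + lam_du
    return (lam_sd + lam_su + lam_dd) / total


def diagnostic_coverage(lam_dd: float, lam_du: float) -> float:
    """DC as defined in the text: dangerous detected over all dangerous failures."""
    return lam_dd / (lam_dd + lam_du)


def hft_from_moon(m: int, n: int) -> int:
    """MooN architecture: M channels out of N must work, so N - M of them may fail."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    return n - m


# IEC 61508-2:2010 Table 3, Type B subsystems: (exclusive upper SFF bound, SIL for HFT 0, 1, 2).
# None means the combination is not allowed.
_SIL_TYPE_B = ((0.60, (None, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (float("inf"), (3, 4, 4)))


def sil_type_b(sff_value: float, hft: int):
    """Architectural constraint for a Type B subsystem (the AD7124 is classed Type B in the text).
    HFT above 2 gives no further credit in the table."""
    for upper, row in _SIL_TYPE_B:
        if sff_value < upper:
            return row[min(hft, 2)]


def channel_sil(lam_sd, lam_su, lam_dd, lam_du, m=1, n=1):
    """Evaluate one set of FMEDA rates in a MooN arrangement: returns (SFF, DC, HFT, SIL)."""
    s = sff(lam_sd, lam_su, lam_dd, lam_du)
    dc = diagnostic_coverage(lam_dd, lam_du)
    hft = hft_from_moon(m, n)
    return s, dc, hft, sil_type_b(s, hft)


if __name__ == "__main__":
    # Constructed FIT figures (lambda_SD, lambda_SU, lambda_DD, lambda_DU), for illustration only.
    print("ADC with integrated diagnostics, 1oo1:", channel_sil(120, 80, 150, 3))
    print("plain ADC, 1oo1:", channel_sil(120, 80, 110, 30))
    print("plain ADC, 1oo2:", channel_sil(120, 80, 110, 30, m=1, n=2))
```

The three constructed cases reproduce the argument of the text: the plain ADC with an SFF just above 90% reaches only SIL 2 on its own and needs a second channel (HFT 1) for SIL 3, whereas the ADC whose diagnostics push the SFF past 99% reaches SIL 3 as a single channel. Note that SFF and DC are different ratios: a device can have a high SFF largely because most of its failures are safe, so DC is the number to watch when the concern is dangerous faults specifically.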

Documentation supporting SIL level design

The documents required for SIL certification of an end system include:

Safety data sheet (the safety data sheet of the SIL-rated component)

Pin FMEDA and die FMEDA (failure mode, effects and diagnostic analysis)

Annex F checklist

These documents consist of input primarily from four data sources, as shown in Figure 8. These data are diagnostic data, design data, FIT rates and data from fault insertion testing.

The diagnostic data in the data sheet cover all the diagnostic features provided by the component.

Design data refers to internal data, for example the die area and the function of each internal block of the part.

Reliability handbooks provide the FIT rates (failure rates) of the various components; a common example is the Siemens SN 29500 standard.

Fault insertion testing should be performed on modules that cannot be analyzed using design and diagnostic data. These tests are planned according to the application requirements and the results of the fault insertion tests are used to enhance the FMEDA and FMEA documents.


Figure 8. Functional safety document information flow

The AD7124-4/AD7124-8 FMEDA analyzes the main blocks in the application schematic, identifies their failure modes and effects, and checks the diagnostics that cover them for the specific safety function. Let's examine this mechanism using Figure 9.

For RTD type systems, the safety feature is to measure the temperature with an accuracy of ±x degrees. The application schematic is shown in Figure 9.


Figure 9. RTD application schematic diagram

A dangerous fault is defined as a fault that may cause an error in the ADC output or in the SPI communication; if the error in the output is severe enough, it can compromise the safety function.

The safe state is defined as:

The output data correctly represents the input, as required by the safety function

The error status bit is set

ADC output conversion result is all 0 or all 1

No SPI communication

The AD7124-4/AD7124-8 are considered Type B devices according to IEC 61508. To illustrate the FMEDA, the clock module is taken as an example and its failure modes analyzed.

Table 2 shows what happens when the clock module faces the failure mode described in the first column, its impact on the output, diagnostic coverage, and finally the analysis.

Table 2. Main clock module failure mode, impact, diagnosis and analysis


Likewise, the remaining modules in the AD7124-4/AD7124-8 are then analyzed.

Note that there may be some faults that may not affect the safety functionality; for example, a fault on the AIN0 pin does not cause problems with the temperature measurement and therefore can be excluded from the safety calculations.

The results of FMEDA will be the failure rate of safe failures, hazardous detected failures, and hazardous undetected failures, used to calculate SFF.

Pin FMEDA

Pin FMEDA analyzes various types of faults on the AD7124-4/AD7124-8 pins and their consequences in this RTD application. Select each pin and analyze step by step the consequences of leaving the pin open, shorted to power/ground, or shorted to an adjacent pin.


Figure 10. 32-pin LFCSP pin configuration

For example, taking pin 29 (DIN) in Figure 10, refer to the application schematic shown in Figure 9 to examine the consequences of different faults. Table 3 shows the failure modes, effects and detection.

Table 3. Failure modes, effects and analysis of pin DIN


Note that the analysis was performed on the application schematic shown in Figure 9, so faults on unused pins do not affect the analysis.

Annex F checklist

This is a list of design measures for ASICs to avoid systematic failures. Compliance requires completing the full IEC 61508-2:2010 Annex F checklist.

Safety manual or data sheet

A complete set of information culminates in a safety manual or data sheet, providing the necessary requirements to enable AD7124-4/AD7124-8 integration.

The safety data sheet collates all diagnostics and analysis from various documents when demonstrating compliance with the IEC 61508 functional safety standard. It will contain all information such as:

Product overview

Application information

Safety concept

Lifetime prediction

FIT

FMEDA calculation - SFF and DC

Hardware safety mechanisms

Diagnostic description

EMC robustness

Operation in redundant configurations

Appendices and document list

Route 2S, also known as "proven in use"

The above is the first evaluation method (Route 1S). The alternative is the "proven in use" method, Route 2S. It applies to released devices and is based on analysis of customer returns and shipped quantities. It enables SIL certification as if the part had been developed in full compliance with IEC 61508. If a module or system designer has used an IC successfully in the past and knows its field failure rate, the designer can declare it "proven in use" (Route 2S).

Note that Route 2S requires complete field return data, so it is much harder for an IC designer or manufacturer to make this claim: they generally do not have a good understanding of the end application, nor a comprehensive collection of field-failed devices with the associated failure analysis process and data.

Conclusion

RTD measurement systems have very demanding requirements on ADCs and systems. The analog signals produced by these sensors are very small. These signals need to be amplified with a gain stage, and the noise of the amplifier must be very low so as not to drown out the sensor signal. The amplifier needs to be followed by a high-resolution ADC to convert the sensor's low-level signal into digital information. In addition to the ADC and gain stage, the temperature system requires other components such as excitation current. Again, these components must be low-drift, low-noise components that do not degrade system accuracy. Initial accuracy errors such as offset can be eliminated from the system through calibration, but the component's drift with temperature must be very low to avoid introducing errors. Integrated excitation and measurement modules simplify customer designs. When designing for functional safety, diagnostics are also required. Integrating diagnostics with excitation and measurement modules can simplify the overall system design, reduce BOM, shorten design time, and accelerate product launch.

Documents such as FMEDA contain all the information a customer needs to certify components in the final design. However, certifying the component itself can further simplify communication with certification bodies. The Route 2S process allows for certification of products after release, which is a useful path given that there are currently many released devices suitable for functional safety designs.