The electrical design requirements for industrial control systems are very strict: equipment must remain durable and reliable under the most demanding conditions so that its service life is as long as possible and downtime is minimized. In certain applications the control system must also, even in a harsh working environment, carry out its control tasks correctly without fail. This is the case in functional-safety-critical applications such as heavily robotized work cells, power plants or air transport, where a failure may pose a serious risk to operators, to company property and even to the wider environment.
Functional safety is an advanced technical discipline in the field of industrial automation and is covered by internationally recognized standards (mainly IEC 61508). In this article we will not analyze its theoretical framework, but instead focus on the interesting technical challenges and specific application scenarios that deserve close attention during the design process. We use a dual-channel functional safety digital I/O evaluation board (STEVAL-FSM01M1) as a reference to analyze the architecture and principles of a functional safety I/O system, and point out some of the innovative features embedded on the board. The technical challenges discussed here are ones every automation engineer should be aware of before starting the next project.
Functional safety and redundancy
The basic building blocks of a functional safety system are system redundancy and diagnostics (monitoring the integrity of the system during operation). In functional safety the safe state is usually taken to be the passive state of the device (disabled, switched off, logic at zero, and so on). The basic principle is therefore that the control system must be able to enter this safe state under all conditions, including possible faults. The functional block diagram of a safety digital I/O module is shown in Figure 1.
The module has two input channels (IN1 and IN2, redundant with each other) and two output channels (OUT1 and OUT2, redundant with each other). Each PNP-type output channel is formed by an intelligent high-side switch (IPS) connected in series with a controlled P-channel power MOSFET (STL42P6LLF6). Most importantly, to eliminate cross-channel coupling that could occur in the event of a fault, the control signal of each output channel passes through its own independent digital isolator (STISO621).
Digital input section
The digital input function of the I/O module acquires industrial sensor signals, converts the 0 V/24 V process signals into lower-voltage logic levels and passes them through digital isolators to a microcontroller or ASIC. The space inside the housing of an I/O module is limited, and the circuit board must deliver stable performance under EMC disturbance while keeping power consumption as low as possible to improve efficiency and reliability. Under such requirements, traditional solutions built from discrete components are difficult to realize and inevitably weigh on the design effort.
A faster and more convenient approach is to use an industry-proven solution, a dual-channel digital input current limiter (CLT03-2Q3), which accommodates two independent input channels in a single ultra-compact package. Beyond the digital input function itself, the CLT03 offers further features designed specifically for functional safety, such as the ability to sense the input signal current without an additional power supply, and a unique diagnostic mechanism that allows its operating status to be monitored at run time. Each channel of the chip is equipped with a test pulse (TP) generator that superimposes heartbeat pulses on the output signal path whenever the connected input signal is at high level (24 V).
On the STEVAL-FSM01M1 evaluation board this function can be actively controlled at run time by a small-signal transistor, as shown in the waveform capture of Figure 4. The pulse width (and frequency) can be adjusted over a wide range by means of the test pulse capacitor (CTP). With this mechanism the microcontroller can dynamically check whether the input front-end IC is working properly, so this unique feature offers an additional option for extending the safety and diagnostic coverage of the system.
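The microcontroller-side check that the heartbeat mechanism makes possible, as an added example (not code from the evaluation board or from ST): it scans a sampled window of one CLT03 channel output, removes the short test pulses from the process value, and flags the channel as faulty if a high input runs for a full period with no pulse. The sample period, pulse width and pulse period are assumptions chosen for the example; on real hardware they follow from the CTP capacitor and the sampling timer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Timing constants are assumptions for this example: the real test-pulse width
 * and period follow from the CTP capacitor, and SAMPLE_US from the MCU timer. */
#define SAMPLE_US        10   /* one GPIO sample every 10 us                    */
#define TP_MAX_WIDTH_US  100  /* a test pulse pulls the output low for <= 100 us */
#define TP_PERIOD_US     2000 /* at least one test pulse is expected every 2 ms  */

typedef struct {
    bool process_value; /* input level with the heartbeat pulses filtered out   */
    bool heartbeat_ok;  /* false if a high input ran a full period without a TP */
} input_diag_t;

/* Evaluate one captured window of a CLT03 channel output (1 = 24 V input present).
 * A short low dip inside a high phase is the heartbeat and is removed from the
 * process value; a high phase without a dip for TP_PERIOD_US means the TP
 * generator or the channel is dead and the input must be treated as faulty. */
input_diag_t evaluate_input(const uint8_t *s, size_t n)
{
    input_diag_t d = { false, true };
    const size_t tp_max = TP_MAX_WIDTH_US / SAMPLE_US, period = TP_PERIOD_US / SAMPLE_US;
    size_t i = 0, since_pulse = 0;   /* high samples seen since the last test pulse */
    while (i < n) {
        if (s[i]) {                                  /* high level: input is ON */
            d.process_value = true; i++;
            if (++since_pulse > period) d.heartbeat_ok = false;
            continue;
        }
        size_t low = 0;                              /* measure the low run */
        while (i < n && !s[i]) { low++; i++; }
        if (d.process_value && low <= tp_max && i < n) {
            since_pulse = 0;                         /* short dip in a high phase: TP */
        } else {
            d.process_value = false;                 /* genuine OFF level */
            since_pulse = 0;
        }
    }
    return d;
}

/* Constructed sample window (not captured from hardware): 600 samples = 6 ms of a
 * high input, optionally with a 50 us test pulse every 1 ms. */
input_diag_t demo_high_input(bool with_heartbeat)
{
    uint8_t buf[600]; memset(buf, 1, sizeof buf);
    if (with_heartbeat)
        for (size_t t = 100; t < 600; t += 100) memset(&buf[t], 0, 5);
    return evaluate_input(buf, sizeof buf);
}
```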
Digital output section
Overvoltage and reverse polarity protection
Near the 24 V supply connector of the module, a bidirectional transient voltage suppressor (TVS1) is connected directly across the supply, in parallel with capacitor C1, to protect the power input. The PCB trace connecting the transient voltage suppressor must be kept as short as possible to minimize parasitic inductance; otherwise voltage transients during EMC overstress may expose the circuit to voltages well above the clamp rating. TVS1 should be as small as possible in size, its clamping voltage must not exceed 36 V, and at the same time it has to absorb a large amount of energy from EMC surge currents. On the reference board these requirements are met by a transient voltage suppressor (SMC30J36CA) with a clamping voltage of 36 V and a peak power of up to 3000 W (10/1000 μs) and 40 kW (8/20 μs pulse according to IEC 61000-4-5). The circuit immediately behind the overvoltage protection stage protects against reverse polarity of the supply voltage. In practice such errors occur frequently because of wiring mistakes, and negative overvoltage pulses are also a mandatory part of typical EMC testing. The reverse-current blocking circuit is based on a passively biased 60 V P-channel transistor Q1 (STL42P6LLF6).
Inductive load demagnetization circuit
Many actuators are inductive (solenoids, valves, relays and so on). This means that when such a load is switched off, the energy stored in its magnetic field is converted into electrical energy that must be absorbed by the digital output circuit. For this reason the IPS16xHF series of intelligent high-side switches integrates a fast demagnetization circuit which, when the output is switched off, clamps the output at a defined voltage below VCC rather than at 0 V. For the IPS16xHF this demagnetization voltage is V_DEMAG ≈ 70 V.
Sometimes, to optimize the demagnetization energy of highly inductive loads, it is convenient to perform the demagnetization with an external transient voltage suppressor connected between the output and ground. Ground is chosen because a transient voltage suppressor that has failed (permanent breakdown) can be regarded as a short circuit: the output is then pulled to ground, and the safety principle of keeping the system passive in the event of a fault is preserved. The external output transient voltage suppressor must be chosen so that it can completely take over the demagnetization function integrated in the high-side switch:
V_TVS,CL,max < |V_CC,max − V_DEMAG,min|
where:
V_TVS,CL,max is the maximum clamping voltage of the external transient voltage suppressor,
V_CC,max is the maximum permissible supply voltage,
V_DEMAG,min is the minimum demagnetization voltage of the high-side switch (specified in the datasheet).
It must also be kept in mind that the clamping voltage of a transient voltage suppressor varies with temperature, so a component with an adequate clamping margin has to be selected. On the evaluation board the demagnetization transient voltage suppressor (SM6T33CA) meets these requirements.
Diagnostics
Continuous monitoring of correct system operation is a critical component of safety I/O, and the evaluation board provides several mechanisms for it. First, the IPS has its own diagnostic function which, depending on its configuration, signals an overcurrent or a thermal shutdown of the chip to the microcontroller in the event of an overload. Second, there is voltage monitoring of the supply and output feedback on each output channel. This part of the circuit is implemented with the voltage divider R6/R7 in series with the protective diode D3, as shown in Figure 5; the diode protects the subsequent A/D converter (ADC120) from negative overvoltage, for example during EMC disturbance or demagnetization. These diagnostic circuits monitor the integrity and operating conditions of the system in real time.
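How the supply and output feedback readings can be turned into a safety decision, as an added example (not code from the evaluation board or from ST): each ADC code is scaled back through the R6/R7 divider to the voltage at the terminal, compared with the commanded state, and any disagreement between command and feedback, between the supply and its window, or between the two redundant channels is reported so the caller can drive both outputs to the safe (off) state. The divider values, ADC resolution and reference, and the acceptance windows are assumptions for the example; the diode drop of D3 is ignored.

```c
#include <stdbool.h>
#include <stdint.h>

/* Divider and ADC parameters are assumptions for this example; take R6/R7 and the
 * ADC120 reference from the evaluation board schematic and datasheet. */
#define R6_OHM        100000.0  /* upper divider resistor (assumed)  */
#define R7_OHM         10000.0  /* lower divider resistor (assumed)  */
#define ADC_VREF           3.3  /* ADC reference voltage (assumed)   */
#define ADC_FULLSCALE   4095.0  /* 12-bit converter (assumed)        */
/* Acceptance windows for a 24 V system (assumed, not datasheet values) */
#define V_ON_MIN  18.0
#define V_ON_MAX  30.0
#define V_OFF_MAX  2.0

typedef enum { DIAG_OK, DIAG_SUPPLY_FAULT, DIAG_CH1_FAULT, DIAG_CH2_FAULT, DIAG_BOTH_FAULT } diag_t;

/* Convert an ADC code measured at the divider tap back to the terminal voltage. */
double code_to_volts(uint16_t code)
{
    return (code / ADC_FULLSCALE) * ADC_VREF * (R6_OHM + R7_OHM) / R7_OHM;
}

/* A channel is plausible when its feedback agrees with the commanded state. */
static bool channel_plausible(bool commanded_on, double v_out)
{
    return commanded_on ? (v_out >= V_ON_MIN && v_out <= V_ON_MAX) : (v_out <= V_OFF_MAX);
}

/* Supervise the supply and the two redundant output channels. Anything other than
 * DIAG_OK is a reason for the caller to switch both outputs off (safe state). */
diag_t supervise_outputs(bool cmd_on, uint16_t vcc_code, uint16_t out1_code, uint16_t out2_code)
{
    double vcc = code_to_volts(vcc_code);
    if (vcc < V_ON_MIN || vcc > V_ON_MAX) return DIAG_SUPPLY_FAULT;
    bool ok1 = channel_plausible(cmd_on, code_to_volts(out1_code));
    bool ok2 = channel_plausible(cmd_on, code_to_volts(out2_code));
    if (ok1 && ok2)   return DIAG_OK;
    if (!ok1 && !ok2) return DIAG_BOTH_FAULT;      /* both disagree with the command */
    return ok1 ? DIAG_CH2_FAULT : DIAG_CH1_FAULT;  /* redundant channels disagree   */
}

/* Inverse of code_to_volts; used only to build constructed readings for a test. */
uint16_t volts_to_code(double v_out)
{
    double tap = v_out * R7_OHM / (R6_OHM + R7_OHM);
    return (uint16_t)(tap / ADC_VREF * ADC_FULLSCALE + 0.5);
}
```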
Overcurrent and short circuit protection
Besides driving the output, the intelligent high-side switch (IPS) also provides protection functions such as overcurrent and overtemperature protection. In the event of an output short circuit or any other overload causing an overcurrent, the IPS limits its output current to a predefined level ILIM (typically 1.2 A for the IPS161HF and 3.3 A for the IPS160HF).
While the current is being limited, the power switch operates in linear mode, which increases its power dissipation. Once the internal temperature of the IC reaches about 170 °C, the integrated thermal shutdown protection is triggered and automatically disables the output until the chip has cooled by a hysteresis of 15 °C. This protective thermal shutdown is reported on the diagnostic pin of the IC. The resulting current waveform is shown in the capture on the left of Figure 7.
The IPS160HF and IPS161HF also offer an additional current protection mechanism called cut-off, which minimizes power dissipation in the event of an overload. In this mode the IPS periodically activates the output, keeps it on for a preset time and then switches it off to prevent overheating; the duration of the cut-off is set by an external capacitor. This reduces the power consumption and heating of the chip, as can be seen clearly by comparing the current waveforms (green) of the two operating modes in Figure 7: the left capture shows cut-off disabled, the right capture shows cut-off enabled. This is particularly important in high-density output modules with many channels and a limited internal power budget. Note that with cut-off enabled it may not be possible to drive loads with high inrush currents (such as capacitive loads and lamps), because the cut-off may trip before the load has fully charged. The cut-off time should therefore be set, or the cut-off function disabled, according to the actual application conditions.
This active cut-off control can be configured flexibly on the evaluation board (STEVAL-FSM01M1). Figure 9 illustrates the so-called "reactive cut-off", in which the cut-off function is disabled by default to allow a capacitive load to charge smoothly, but still intervenes in time to protect against a thermal shutdown event in the case of a long-lasting overload or fault.
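One way to express the reactive cut-off policy as a microcontroller state machine, as an added example (not the board's own firmware or an ST implementation): the cut-off control stays disabled for an inrush window after turn-on, the IPS diagnostic flag is then watched, and cut-off is armed only once an overload has persisted long enough to threaten a thermal shutdown. It assumes the MCU drives the cut-off control through a GPIO and that the inrush window and arming time are tuned per application; the values used are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Timing is an assumption for this example; on the board the cut-off period is set
 * by the external capacitor and the inrush window depends on the load. */
#define INRUSH_MS        50  /* overload ignored this long after turn-on (assumed) */
#define OVERLOAD_ARM_MS 200  /* continuous overload that arms cut-off (assumed)    */

typedef enum { OUT_OFF, OUT_INRUSH, OUT_RUN, OUT_CUTOFF } out_state_t;
typedef struct {
    out_state_t state;
    uint32_t    state_ms;    /* time spent in the current state                 */
    uint32_t    overload_ms; /* continuous overload seen while running          */
    bool        out_en;      /* level for the IPS input (through the isolator)  */
    bool        cutoff_en;   /* level for the cut-off control (assumed MCU pin) */
} out_ctrl_t;

void out_init(out_ctrl_t *c) { *c = (out_ctrl_t){ OUT_OFF, 0, 0, false, false }; }

/* Advance the reactive cut-off policy by dt_ms. diag_overload is the IPS diagnostic
 * flag (current limiting active). Cut-off stays disabled during the inrush window so
 * a capacitive load can charge; it is armed only after a long overload, before the
 * thermal shutdown would trip. Commanding OFF always returns to the safe state. */
void out_tick(out_ctrl_t *c, bool cmd_on, bool diag_overload, uint32_t dt_ms)
{
    if (!cmd_on) { out_init(c); return; }
    c->state_ms += dt_ms;
    switch (c->state) {
    case OUT_OFF:
        c->state = OUT_INRUSH; c->state_ms = 0; c->out_en = true; c->cutoff_en = false;
        break;
    case OUT_INRUSH:
        if (c->state_ms >= INRUSH_MS) { c->state = OUT_RUN; c->state_ms = 0; }
        break;
    case OUT_RUN:
        c->overload_ms = diag_overload ? c->overload_ms + dt_ms : 0;
        if (c->overload_ms >= OVERLOAD_ARM_MS) { c->state = OUT_CUTOFF; c->cutoff_en = true; }
        break;
    case OUT_CUTOFF: break;   /* stays armed until commanded off */
    }
}

/* Constructed scenario (not a measurement): 500 ms with either a capacitive load that
 * draws inrush for the first 30 ms or a hard short in permanent overload.
 * Returns true if cut-off ended up armed. */
bool demo_cutoff_armed(bool hard_short)
{
    out_ctrl_t c; out_init(&c);
    for (uint32_t t = 0; t < 500; t += 10) out_tick(&c, true, hard_short || t < 30, 10);
    return c.cutoff_en;
}
```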
Summary
Industrial safety applies to all kinds of applications and industries, including automated manufacturing, transportation, smart buildings, and maritime and aviation systems. It is crucial that the safety of people, equipment and even our environment is ensured in compliance with the applicable industrial safety standards.
At STMicroelectronics, our long-standing engineering expertise in system design and extensive experience with safety certification processes allow us to provide hardware designers not only with state-of-the-art integrated circuits but also with accurate knowledge and technical support.
In this white paper we have discussed the design of digital I/O systems for functional safety automation. After examining the structure of a safety digital I/O module, we explored specific aspects of its electrical implementation using the example of the safety dual-channel digital I/O evaluation board (STEVAL-FSM01M1). The robustness and reliability of the devices used are not only verified by thorough validation in our laboratories but also proven daily in the 24/7 operation of countless industrial systems worldwide. These rigorously tested and validated devices come with reliability reports that can be used for the FMEDA calculations required for functional safety certification.