

# Know Your Safety Application Notes (Part 3): Pin FMEA

This article provides insights into the importance of an IC's pin failure mode and effects analysis (FMEA) to comply with functional-safety standards such as IEC 61508 and ISO 13849.

art 3 is the last part in this article series discussing how Analog Devices' safety application notes provide critical information needed for technical safety analysis by system integrators designing safety-related systems (SRS). Part 1 showed how such application notes contain an IC's failure rate based on Arrhenius high temperature operating life (HTOL), SN 29500, and IEC 62380. Part 2 revealed how relevant failure modes can be captured in a failure-mode distribution (FMD).

This final part offers insights into an IC's pin failure mode and effects analysis (FMEA) when designing a safety-related system. It also gets into how such pin FMEA information is available in ADI's safety application notes.

## What is a Pin FMEA?

A pin FMEA focuses on the analysis of potential failure modes of an IC package and their effects on the system function. This can be used along with the package failure rate calculated, for example, via IEC 62380, to determine the failure rate distribution of the IC. This can be seen in *Figure 1*.

The failure-rate allocation can then be classified into either safe, dangerous, no-effect, or no-part. Such failure-rate identification is essential to derive the safe failure fraction (SFF) and the probability of dangerous failure of the SRS.

This IC's pin FMEA is another piece of safety information already provided by ADI's safety application notes to help system integrators in their technical safety analysis. *Figure 2* shows the pin FMEA of the LTC2933, which can be found in its safety application note. With such an application note, one will know whether a pin fault will cause damage or just operational issues to the system.

# What Does IEC 61508 Say?

Table A.1 of the basic functional-safety (FS) standard<sup>2</sup> shows the failures to be assumed when quantifying the effect of random hardware failures or to be considered to derive the SFF. Notably, to assume the DC fault model, failure modes such as stuck-at faults, stuck-open, open or high-impedance outputs, short circuits between signal lines, and for ICs, short circuits between any two connections (pins), need to be considered.

A pin FMEA shows these assumed failures: stuck-at faults



1. Failure-rate distribution illustration. 1

(short-to-supply and short-to-ground), open or high impedance, and short circuit between any two adjacent connections (short-to-adjacent pin).

# What Do Other Standards Say?

Compliance with functional safety often requires compliance with more than one standard. Aside from IEC 61508, system integrators designing an SRS also comply with other standards applicable to them. This may be due to national law, national directive, or sector-specific, product-specific, or application-specific standard. Often, standards have their own set of normative (required) and informative (not required) sections.

An example of an informative requirement found in ISO 13849-2 Annex D regards the failures to be assumed for different components. Table 1 shows this, indicating the assumed failures for programmable and/or complex ICs, while nonprogrammable or noncomplex ICs don't consider the first and last assumed failures. System integrators can utilize this if they're the ones doing the analysis for the IC to derive the FMD. Otherwise, they can utilize what's provided by the component manufacturer, such as in ADI's safety ap-

Table 4-1 Application Circuit 1 Pin FMEA for the LTC2933 Pins Short-Circuited to Supply

| Pin no. Pin Name |       | Effect of Failure Mode                                                                       |  |  |  |
|------------------|-------|----------------------------------------------------------------------------------------------|--|--|--|
| 1                | V4    | OV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 2                | V3    | OV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 3                | V2    | OV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 4                | V1    | No effect. V1 is the chip supply.                                                            |  |  |  |
| 5                | VDD33 | Internal regulator shorted to supply. Part damaged.                                          |  |  |  |
| 6                | GND   | Part not functional.                                                                         |  |  |  |
| 7                | GPIO3 | GPIO3 always HIGH.                                                                           |  |  |  |
| 8                | ASEL  | Part will not respond to I2C but can still monitor voltages. No effect to supply monitoring. |  |  |  |
| 9                | GPIO2 | Only GPIO2 always HIGH.                                                                      |  |  |  |
| 10               | GPIO1 | Only GPIO1 always HIGH.                                                                      |  |  |  |
| 11               | SDA   | Cannot configure device but part can still monitor voltages. No effect to supply monitoring. |  |  |  |
| 12               | SCL   | Cannot configure device but part can still monitor voltages. No effect to supply monitoring. |  |  |  |
| 13               | GPI2  | Manual reset will not be detected. No effect in supply monitoring.                           |  |  |  |
| 14               | GPI1  | Manual reset will not be detected. No effect in supply monitoring.                           |  |  |  |
| 15               | V6    | OV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 16               | V5    | OV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |

Table 4-5 Application Circuit 1 Pin FMEA for the LTC2933 Pins Open-Circuited

| Pin no. Pin Name |       | Effect of Failure Mode                                                                       |  |  |  |
|------------------|-------|----------------------------------------------------------------------------------------------|--|--|--|
| 1                | V4    | Internal UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                |  |  |  |
| 2                | V3    | Internal UV. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 3                | V2    | Internal UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                |  |  |  |
| 4                | V1    | IC supply. No power for internal circuit. Part not functional.                               |  |  |  |
| 5                | VDD33 | Damage to internal circuit. Part not functional.                                             |  |  |  |
| 6                | GND   | Part not functional.                                                                         |  |  |  |
| 7                | GPIO3 | GPIO3 pin unconnected to external pull-down. Can't pull HIGH. Always LOW.                    |  |  |  |
| 8                | ASEL  | Part will not respond to I2C but can still monitor voltages. No effect to supply monitoring. |  |  |  |
| 9                | GPIO2 | GPIO2 pin unconnected to external pull-up. Can't pull LOW. Always HIGH.                      |  |  |  |
| 10               | GPIO1 | GPIO1 pin unconnected to external pull-up. Can't pull LOW. Always HIGH.                      |  |  |  |
| 11               | SDA   | Cannot configure device but part can still monitor voltages. No effect to supply monitoring. |  |  |  |
| 12               | SCL   | Cannot configure device but part can still monitor voltages. No effect to supp monitoring.   |  |  |  |
| 13               | GPI2  | Manual reset will not be detected. No effect in supply monitoring.                           |  |  |  |
| 14               | GPI1  | Manual reset will not be detected. No effect in supply monitoring.                           |  |  |  |
| 15               | V6    | Internal UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 alway HIGH.                 |  |  |  |
| 16               | V5    | Internal UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                |  |  |  |

**Table 1: Faults for Programmable** and/or Complex ICs3

| Item | Fault Considered                                                                        |  |
|------|-----------------------------------------------------------------------------------------|--|
| 1    | Faults in all or part of the function, including software faults                        |  |
| 2    | Open circuit of each individual connection                                              |  |
| 3    | Short circuit between any two connections                                               |  |
| 4    | Stuck-at-fault                                                                          |  |
| 5    | Parasitic oscillation of outputs                                                        |  |
| 6    | Changing value                                                                          |  |
| 7    | Undetected faults in the hardware that go unnoticed because of the complexity of the IC |  |

plication notes, as discussed in Parts 1 and 2 of this series.

Printed circuit boards (PCBs) are also included in the technical safety analysis. ISO 13849-2:2012 has recommended fault (failure modes) and fault exclusions for PCBs wherein recommended assumed failure modes are allowed

Table 4-3 Application Circuit 1 Pin FMEA for the LTC2933 Pins Short-Circuited to GND

| Pin no. | Pin Name | Effect of Failure Mode                                                                       |  |  |  |
|---------|----------|----------------------------------------------------------------------------------------------|--|--|--|
| 1 V4    |          | UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 2       | V3       | UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 3       | V2       | UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 4       | V1       | No power for internal circuit. Part not functional.                                          |  |  |  |
| 5       | VDD33    | Internal regulator shorted to ground. Part not functional.                                   |  |  |  |
| 6       | GND      | No effect. Pin is GND.                                                                       |  |  |  |
| 7       | GPIO3    | GPIO3 always LOW.                                                                            |  |  |  |
| 8       | ASEL     | No effect. Pin is connected to GND.                                                          |  |  |  |
| 9       | GPI02    | Only GPIO2 always LOW.                                                                       |  |  |  |
| 10      | GPIO1    | Only GPIO1 always LOW.                                                                       |  |  |  |
| 11      | SDA      | Cannot configure device but part can still monitor voltages. No effect to supply monitoring. |  |  |  |
| 12      | SCL      | Cannot configure device but part can still monitor voltages. No effect to supply monitoring. |  |  |  |
| 13      | GPI2     | Forced reset. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                        |  |  |  |
| 14      | GPI1     | Forced reset. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                        |  |  |  |
| 15      | V6       | UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |
| 16      | V5       | UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.                         |  |  |  |

Table 4-7 Application Circuit 1 Pin FMEA for the LTC2933 Pins Short-Circuited to Adjacent Pins

| Pin no. | Pin Name | Shorted to | Effect of Failure Mode                                                                           |  |
|---------|----------|------------|--------------------------------------------------------------------------------------------------|--|
| 1       | V4       | V3         | Inputs shorted together. OV/UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH. |  |
| 2       | V3       | V2         | Inputs shorted together. OV/UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH. |  |
| 3       | V2       | V1         | Inputs shorted together. OV/UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH. |  |
| 4       | V1       | VDD33      | Internal regulator shorted to supply. Part damaged.                                              |  |
| 5       | VDD33    | GND        | Internal regulator shorted to ground. Part not functional.                                       |  |
| 6       | GND      | GPIO3      | Only GPIO3 always LOW.                                                                           |  |
| 7       | GPIO3    | ASEL       | GPIO3 always LOW.                                                                                |  |
| 8       | ASEL     | GPIO2      | Only GPIO2 always LOW.                                                                           |  |
| 9       | GPIO2    | GPIO1      | Outputs shorted together. GPIO1 and GPIO2 OR-ed together. No effect to supply monitoring.        |  |
| 10      | GPIO1    | SDA        | GPIO1 may trigger I2C communication. No effect to supply monitoring.                             |  |
| 11      | SDA      | SCL        | Cannot configure device but part can still monitor voltages. No effect to supply monitoring.     |  |
| 12      | SCL      | GPI2       | GPIO2 is triggered when SCL pulls LOW. No effect to supply monitoring,                           |  |
| 13      | GPI2     | GPI1       | Reset inputs shorted. Reset LOW in GPI2 will also trigger GPI1. No effect to supply monitoring.  |  |
| 14      | GPI1     | V6         | Shorted to input. OV detected at V6. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH.     |  |
| 15      | V6       | V5         | Inputs shorted together. OV/UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH. |  |
| 16      | V5       | V4         | Inputs shorted together. OV/UV detected. Both GPIO1 and GPIO2 are always LOW. GPIO3 always HIGH. |  |

to be excluded if certain design considerations were made — for instance, those found in the Remarks column in Table 2.

With these assumed failures for PCBs, especially with the components mounted to them, system integrators will need information on the effect of such PCB failures on the IC operation, which may affect the safety function.

Note that short circuits between two adjacent tracks/pads can manifest as a form of short circuit between a pin and the supply, a pin and ground, and neighboring pins. Meanwhile, open tracks can translate to an open circuit for an IC. All of this is considered in the pin FMEA found in ADI's safety application notes, which is readily accessible for system integrators in an FS-enabled part's webpage.

#### Conclusion

This series has primarily provided guidance regarding the use of information embedded in ADI's safety application notes. The first two parts discussed failure rates and failure-mode distributions. This final part discussed pin FMEA in the context of the IEC 61508 and ISO 13849.

Furthermore, this series raises awareness on such application notes' existence with ADI components, especially those tagged as FS-enabled parts - standard ICs that, despite not being developed to a functional-safety standard, can still be used in safety-critical applications.

Bryan Angelo Borres a TÜV-certified functionalsafety engineer who focuses on industrial functional safety. As a senior power applications engineer, he helps component designers and system integrators design functionally safe power products that comply to industrial functional safety standards such as the IEC 61508. Bryan is a member of the IEC National Committee of the Philippines to IEC TC65/SC65A and IEEE Functional Safety Standards Committee. He also has a postgraduate diploma in power electronics and more than seven years of extensive experience in designing efficient and robust power electronics systems.

Table 2: Faults for PCBs3

| Fault<br>Considered                            | Fault<br>Exclusion                                                     | Remarks                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|------------------------------------------------|------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Short circuit between two adjacent tracks/pads | Short circuits between adjacent conductions in accordance with remarks | As base material, epoxy resin (EP) glass cloth reinforcement (GC) according to IEC 60893-1 is used as a minimum.  The clearances and creepage distances are dimensioned to at least IEC 60664-5 (IEC 60664-1 for distances greater than 2 mm) with pollution degree 2/overvoltage category III; if both tracks are powered by a safety extra low voltage/protective extra low voltage (SELV/PELV) power supply, pollution degree 2/overvoltage category II applies, with a minimum clearance of 0.1 mm.  The assembled board is mounted in an enclosure giving protection against conductive contamination, for example, an enclosure with a protection of at least IP54, and the printed side(s) is coated with an aging-resistant varnish or protective layer covering all conductor paths.  Note 1: Experience has shown that solder masks are satisfactory as a protective layer.  Note 2: A further protective layer covering according to IEC 60664-3 can reduce the creepage distances and clearance dimensions. |
| Open circuit of any track                      | None                                                                   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |

### References

- 1. "ISO 26262. Road Vehicles-Functional Safety, Part 11: Guidelines on Application of ISO 26262 to Semiconductors." International Organization for Standardization, 2018. 2. "IEC 61508. All Parts. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems." International Electrotechnical Commission, 2010.
- 3. "ISO 13849. Safety of Machinery-Safety-Related Parts of Control Systems, Part 2: Validation." International Organization for Standardization, 2012.