This article appeared in Planet Analog and has been published here with permission.
Galvanic isolation is common in industrial and automotive systems as a means of protecting against high voltages or to counteract ground potential differences. Designers traditionally used optocouplers for isolation, but in the last few years, digital isolators that use capacitive and magnetic isolation have become more popular. With any such isolators, understanding the importance of their safety-limiting values and how to utilize them is important to system design.
In systems using isolators it may be important to ensure that their insulation remains intact even under fault conditions. To achieve this goal, component standards governing optocouplers (such as IEC 60747-5-5) or capacitive and magnetic isolators (such as VDE 0884-11) specify safety-limiting values. These values specify the isolator’s operating condition boundaries within which the insulation is preserved, even if the functionality is not.
Isolator failure modes determine safety-limiting values
To understand what safety-limiting values specify, consider how isolators are designed. Figure 1 and Figure 2 illustrate the construction of an optocoupler and a capacitive digital isolator, respectively. In the case of the optocoupler, silicone material and insulating tape provide insulation between the two signal sides, while an LED and a photodetector provide the signal transfer. In the digital isolator, the series connection of two high-voltage capacitors on two separate silicon die provides insulation while electrical transmit and receive circuits coupled to the high-voltage capacitors provide the signal transfer.
Figure 1: A cross section shows how an optocoupler is constructed and the possible effect of fault conditions.
Figure 2: The digital isolator cross section shows how fault conditions can affect its insulating properties.
A high-voltage/high-current/high-power fault event on one side of the isolator can damage the circuits on that side. For example, events like short circuits, electrostatic discharge (ESD), and power transistor breakdown can force unintended high voltage and current into the isolator’s pins, damaging LEDs, photodetectors, transmit and receive circuits, and on-chip ESD protection. If there is enough power dissipated in the chip, there could also be significant structural damage to the circuits, such as fused silicone insulation, shorted high-voltage capacitor plates, or melted bond wires. Such structural damage can reduce the isolator’s insulation capability. The TI white paper, “Understanding failure modes in isolators,” discusses the effects of these fault events in more detail.
From the end-system perspective, isolation requirements may need to remain in force even after electrical and thermal stress events have impeded the isolator’s signal-transference operation. This is because damage to the isolation barrier can lead to secondary system failures, or the risk of an electrical hazard. For example, in Figure 3, a digital isolator protects the earthed control and communications module while the rest of the system floats. The effects of any faults in and around the digital isolator that may reduce the isolator’s insulation capability must be considered to avoid the effects of shorting DC- to earth.
Figure 3: Failure of the digital isolator providing protective isolation in an AC motor drive could compromise the entire system if the fault resulted in a short to earth.
The practice of safety limiting is designed to minimize potential damage to the isolation barrier should the isolator’s input or output circuitry fail. Isolator component standards define the safety-limiting values as the maximum input or output current (IS), the maximum input or output power (PS), and the maximum junction temperature (TS) the device can withstand in the event of a fault without compromising its isolation, even if the function of the coupling elements may be destroyed. Device manufacturers must specify these parameters, but it remains up to you to ensure that these values are not exceeded in the event of a fault or a failure so that there is no insulation breakdown.
As an example of manufacturer-supplied safety limits, Figure 4 shows the IS for different supply voltages and PS as a function of ambient temperature for TI’s ISO7741 digital isolator. These values are specified so that the device’s maximum safety junction temperature (TS = 150°C) is not exceeded. Based on these curves, for instance, at an ambient temperature of 100°C up to 600 mW of power may dissipate inside the device without any potential damage to the insulation.
Figure 4: The safety-limiting values for TI’s ISO7741 digital isolator show how much power dissipation a fault can impose without compromising the device’s isolation characteristics.
Circuits utilize safety-limiting parameters
The materials and circuit design parameters the manufacturer has adopted govern a device’s safety-limiting values. What the safety standards require is that optocoupler/digital isolator users provide adequate safety arrangements in their circuit design and ensure that the device’s application conditions not exceed the device’s safety-limiting values. Such safety arrangements might include current and voltage limiting that kicks in under fault conditions, or thermal management that prevents an operating temperature above a maximum value.
Let’s look at two example circuits for implementing safety limiting for a digital isolator. While these examples will not be exhaustive, identifying all possible faults and outcomes, they elucidate the principles of safety limiting and should provide a sense of how to approach safety limiting in your isolated-system designs.
For the first example, Figure 5 shows a digital isolator serving as the interface between an analog-to-digital converter (ADC) or analog front end (AFE) and a microcontroller (MCU). I’ll analyze this system for any one primary fault, including any secondary faults this single fault produces. (Additional circuits may be necessary to protect against multiple primary faults.) This analysis will focus on the MCU side for safety limiting, although you can apply the same principles for the ADC/AFE side as well.
In this example, a 24-V industrial power supply (variable up to 36 V) powers the MCU side (VIN24V). A DC/DC converter bucks this down to 5 V (VDC5V), followed by a low-dropout regulator (LDO) that creates a 3.3-V supply (VDC3P3V) for the MCU and the digital isolator. Current-limiting resistor RSUP is included in the supply path, and resistors ROUT and RIN are included in the input/output (I/O) path.
Figure 5: The digital isolator serves as an interface in this example, providing isolation between an ADC or AFE and an MCU.
Let’s examine some faults and their implications on safety limiting.
For the second example, an isolated digital input using the ISO1211 as shown in Figure 6.
Figure 6: In this example the isolated digital input circuit uses the TI ISO1211.
The isolated digital inputs receive signals from field sensors and interface them to a host programmable logic controller. The voltage input is nominally 24 V, but with variation can be as high as 36 V. The ISO1211 uses an external RSENSE resistor to provide a precise limit to the current drawn into the SENSE terminal. The external resistor RTHR can adjust the digital input’s voltage threshold. For an 11-V input threshold and a 2-mA current limit, the values of RSENSE and RTHR are 562 Ω and 1 kΩ, respectively (see the ISO1211 data sheet for details).
These two examples demonstrate how to analyze and mitigate different faults in the context of safety-limiting values. Based on the actual application and safety goals, though, you may need to take additional measures.
When using isolators it is important to understand their safety-limiting values, and to make provisions in your design to meet these values. Failure to design for safety limits could result in faults generating extensive system damage and possible fire and electrical hazards should the isolator’s barriers fail. The example circuits demonstrate ways to ensure the maintenance of safety-limiting values under fault conditions.
All content and materials on this site are provided "as is". TI and its respective suppliers and providers of content make no representations about the suitability of these materials for any purpose and disclaim all warranties and conditions with regard to these materials, including but not limited to all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement of any third party intellectual property right. No license, either express or implied, by estoppel or otherwise, is granted by TI. Use of the information on this site may require a license from a third party, or a license from TI.
TI is a global semiconductor design and manufacturing company. Innovate with 100,000+ analog ICs andembedded processors, along with software, tools and the industry’s largest sales/support staff.