Improving Industrial Functional Safety Compliance with High Performance Supervisory Circuits—Part 5: Sequencers Eliminate Systematic Failures

Bryan Borres, Senior Product Applications Engineer, and Noel Tenorio, Product Applications Manager


Abstract

The core challenge in achieving high safety integrity levels (SILs) shifts from quantifying random hardware failures to eliminating systematic failures, which are deterministic design errors manifesting in safety systems such as during power-up and power-down sequences. Improper sequencing can cause catastrophic faults like CMOS latch-up or unpredictable system states, necessitating a fault-avoidance strategy. Analog Devices’ power sequencer products offer a robust solution by autonomously and deterministically managing the precise timing and order of multirail power supplies, thereby acting as a hardware-enforced barrier against these systematic sequencing faults. This architectural choice achieves physical independence, inherently satisfying the noninterference requirement of IEC 61508 by isolating the critical power control from the main microcontroller unit’s (MCU) complex, fault-prone software domain. Consequently, using an external ADI sequencer substantially reduces the scope and complexity of the safety-critical software that requires exhaustive validation and verification (V&V), streamlining functional safety compliance.

Introduction

This fifth installment in the series shifts focus from managing the quantitative metrics of functional safety, such as the safe failure fraction (SFF) and the average frequency of dangerous failure per hour (PFH), which primarily relate to random hardware failures, toward mastering the qualitative yet equally critical challenge: the elimination of systematic failures. Systematic failures are fundamentally deterministic faults that originate from shortcomings in the design process, procedural execution, or documentation throughout the safety lifecycle, from conception to commissioning. Unlike random failures, which can be quantified with metrics like failure in time (FIT), systematic flaws defy simple statistical prediction. Controlling these failures mandates a rigorous qualitative approach focused on fault avoidance through meticulous development, stringent verification, and comprehensive validation [1].

The power-up and power-down sequences represent the most critical transient phases in any electrical/electronic/programmable electronic (E/E/PE) system, particularly those designed for safety-related functions. During these phases, the timing, order, and synchronization of voltage rails and dependent logic must be executed flawlessly to prevent the system from entering an unknown or dangerous state [2]. Failure to establish proper hardware initialization routines based on manufacturer specifications and component dependencies constitutes a systematic design error. A dedicated hardware sequencer IC is precisely engineered to manage these volatile transient states, providing a robust, hardware-enforced barrier against the systematic faults that often manifest during power transitions. This strategic architectural choice transforms the compliance methodology from one focused merely on fault detection or diagnostics to one centered on fault avoidance, a critical requirement for achieving high safety integrity levels (SILs).

Identifying Sequencing Failure Modes as Systematic Faults

Systematic failures arising from improper sequencing often result in catastrophic hardware damage or the corruption of critical system states, making their avoidance mandatory for functional safety. Modern high performance industrial controllers—which include microprocessors, field-programmable gate arrays (FPGA), and ASICs—rely on complex multirail power architectures, featuring separate supply voltages for core logic (VCORE) and input/output interfaces (VIO), as stated in the respective data sheets.

Figure 1. CMOS (a) structure and (b) its SCR translation.

A common systematic fault arises when the power-up sequence is incorrect, such as VIO rising before VCORE. This condition causes the parasitic internal diodes connecting the I/O pins to the internal rails to become forward biased. This unintentional biasing triggers a parasitic silicon-controlled rectifier (SCR) structure, which is inherent in the CMOS structure, as shown in Figure 1 [3]. This phenomenon is known as CMOS latch-up, resulting in a low impedance path that creates a short circuit between the power supply rails. Latch-up is a deterministic failure caused by a design oversight (a systematic fault) and, if not immediately mitigated, can draw excessive current, leading to component destruction, such as an overheated and damaged processor chip. The condition typically necessitates a full power cycle to be resolved. Sequencer circuits eliminate this systematic failure by strictly monitoring and enforcing the precise, manufacturer-mandated temporal order of voltage rails during both startup and shutdown, thereby preventing the conditions required for reverse biasing and latch-up [4].

Beyond physical damage, sequencing errors introduce systematic functional failures within the control logic. Microcontroller units (MCUs) and FPGAs must initialize their internal peripherals, clocks, and memory cells in a precise order, contingent on the stability of their respective power supplies. Uncontrolled power transitions can result in systematic data corruption in storage cells such as registers and SRAM. If power instability during initialization violates the setup and hold-time requirements specified in component data sheets, sequential circuits can enter an unpredictable, nondeterministic metastable state. A system in a metastable state cannot guarantee a known logical output, compromising the ability of the safety function to achieve a safe state. As shown in Figure 2 [5], sequencers mitigate these risks by incorporating precise dependency management. They continuously monitor voltages and manage delays, ensuring that power-good flags are achieved and stable before external ENABLE signals are asserted to release downstream safety-critical logic components, ensuring known and predictable initialization routines. The sequencer acts as a reliable supervisor, guaranteeing that safety-critical logic (like actuators) remains disabled until a valid, stable power state is achieved, thus preventing uncontrolled or dangerous output actuation during startup.

Enhancing Systematic Capability (SC) for IEC 61508 Compliance

The use of a dedicated, high performance hardware sequencer directly aids compliance with IEC 61508. Specifically, IEC 61508-2 Annex B, a normative annex (meaning compliance with it is required), details the techniques and measures necessary for avoiding systematic failures in the hardware design and development phases. For complex hardware (such as MCUs or FPGAs), rigorous standards apply (as detailed in Clause 7.4.2).

If power sequence and supervision are handled by software routines running on the main safety MCU as shown in Figure 3 [6], the V&V effort must rigorously prove noninterference [2, 7]. The sequencing routines (initialization, timing loops, fault detection) must be isolated from all other code running on the chip, including nonsafety application logic. The difficulty lies in eliminating systematic interference pathways, which can occur via shared resources such as CPU time, interrupts, memory bandwidth, or peripherals. Proving timing independence and effective resource partitioning in software, especially within modern, complex multicore architectures, demands advanced V&V techniques and extensive documentation, substantially increasing the burden on the system developer to satisfy the noninterference requirement.

Figure 2. Example sequencer solutions (using the MAX16165/MAX16166 and MAX16193) to comply with Xilinx FPGA requirements [5].
Figure 3. Integrating the sequencing features with the microcontroller (using the ADP7156) [6].

The external sequencer IC, as shown in Figure 4 [6], provides the ultimate assurance of independence by achieving physical diversity. The sequencer operates autonomously from the programmable logic core, utilizing its own dedicated monitoring circuits, timing logic, and control outputs. This architectural separation inherently satisfies noninterference because the critical power control function is physically removed from the systematic fault domain of the MCU. The sequencer handles precise power rail timing and initialization logic independently, only signaling discrete, simple statuses (for example, FAULTB, RSTB) back to the MCU. This segregation guarantees that systematic faults originating in the complex programmable domain, such as coding errors, memory pointer corruption, or operating system scheduling conflicts, cannot interfere with the deterministic, timing-critical management of the power transitions.

Figure 4. Using the LTC2937 high performance supervisor for sequencing requirements [6].

Reducing Software Requirements by Using an External Sequencer

Functional safety standards, particularly IEC 61508-3 (software requirements), impose the most extensive V&V, testing, and documentation requirements on safety-critical software. If the sequencing function is embedded within the MCU’s code, all related software components must be rigorously validated to the highest required SC. This compliance burden applies not only to the sequencing algorithm itself but potentially to the processor-interrupt software and scheduling mechanisms necessary to ensure the sequence executes reliably and deterministically in real time.

By utilizing an external hardware sequencer, the system architect offloads the complex logic governing rail dependencies, precise temporal delays (for example, 10 ms intervals), and inherent power fault handling entirely from the MCU’s safety-critical software core. The consequence is a substantial reduction in the safety-critical software scope. The MCU’s role shrinks to simpler, easily verifiable tasks, such as reading the global fault status pin or initiating a master reset (MR) command. This strategic architectural choice significantly decreases the volume and complexity of code that requires exhaustive V&V.
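The dependency management described earlier (a rail is released only after the previous one is power-good, ENABLE is asserted only once every rail is stable, a missed power-good drives FAULTB low and shuts the rails down, and shutdown runs in reverse order) and the reduced MCU role described here can be exercised in a small deterministic model. The following Python is an added example, not code from the article or from any ADI product: the Rail and Sequencer classes, the 10 ms hold delay, the 50 ms power-good timeout, the 90 %/10 % power-good and off thresholds, and the 300 mV parasitic-diode figure used by latchup_exposure are all constructed assumptions chosen for illustration.

```python
"""Deterministic model of a hardware power sequencer (added example; constructed
rails and timings, not a model of any specific ADI part). Rails come up in a fixed
order, the next rail is released only after the previous one is power-good (PG)
plus a hold delay, downstream ENABLE is asserted only once every rail is PG, and a
rail that misses PG within the timeout drives FAULTB low and shuts everything down."""
from dataclasses import dataclass

@dataclass
class Rail:
    """Supply rail with a linear ramp; integer millivolts avoid float drift."""
    name: str
    nominal_mv: int
    slew_mv_per_ms: int
    voltage_mv: int = 0
    enabled: bool = False
    healthy: bool = True        # False models a regulator that never comes up

    def tick(self, dt_ms):
        target = self.nominal_mv if (self.enabled and self.healthy) else 0
        step = self.slew_mv_per_ms * dt_ms
        if self.voltage_mv < target:
            self.voltage_mv = min(target, self.voltage_mv + step)
        else:
            self.voltage_mv = max(target, self.voltage_mv - step)

    def power_good(self):
        return self.voltage_mv * 10 >= self.nominal_mv * 9   # >= 90 % of nominal

    def is_off(self):
        return self.voltage_mv * 10 <= self.nominal_mv       # <= 10 % of nominal

class Sequencer:
    def __init__(self, rails, delay_ms=10, pg_timeout_ms=50, dt_ms=1):
        self.rails = rails          # power-up order; power-down is the reverse
        self.delay_ms, self.pg_timeout_ms, self.dt_ms = delay_ms, pg_timeout_ms, dt_ms
        self.t_ms = 0
        self.enable = False         # downstream ENABLE / reset release
        self.faultb = True          # active-low: True means "no fault"
        self.trace = []             # (t, {rail: (mV, PG)}) for offline checks

    def _tick(self):
        for r in self.rails:
            r.tick(self.dt_ms)
        self.t_ms += self.dt_ms
        self.trace.append((self.t_ms, {r.name: (r.voltage_mv, r.power_good()) for r in self.rails}))

    def _wait_until(self, cond, timeout_ms):
        start = self.t_ms
        while not cond():
            if self.t_ms - start >= timeout_ms:
                return False
            self._tick()
        return True

    def _fault(self):               # hardware fault response: FAULTB low, ENABLE off, rails off
        self.faultb, self.enable = False, False
        for r in self.rails:
            r.enabled = False
        for _ in range(1000):       # bounded discharge until every rail is at 0 V
            if all(r.voltage_mv == 0 for r in self.rails):
                break
            self._tick()
        return False

    def power_up(self):
        for rail in self.rails:
            rail.enabled = True
            if not self._wait_until(rail.power_good, self.pg_timeout_ms):
                return self._fault()
            for _ in range(self.delay_ms // self.dt_ms):   # settle before the next rail
                self._tick()
        if not all(r.power_good() for r in self.rails):
            return self._fault()
        self.enable = True          # release downstream safety-critical logic
        return True

    def power_down(self):
        self.enable = False         # gate outputs before any rail is dropped
        for rail in reversed(self.rails):
            rail.enabled = False
            if not self._wait_until(rail.is_off, self.pg_timeout_ms):
                return self._fault()
            for _ in range(self.delay_ms // self.dt_ms):
                self._tick()
        return True

def latchup_exposure(trace, core="VCORE", io="VIO", diode_mv=300):
    """Ticks where VIO sits above an (assumed) 300 mV parasitic-diode drop while
    VCORE is not yet PG: the VIO-before-VCORE condition that invites latch-up."""
    return sum(1 for _, v in trace if v[io][0] > diode_mv and not v[core][1])

def mcu_supervise(seq):             # all the MCU still does: read FAULTB and ENABLE
    return "SAFE_STATE" if not seq.faultb else ("RUN" if seq.enable else "WAIT")

def master_reset(seq):              # MR command: clear the latched fault, re-sequence in hardware
    seq.faultb, seq.enable = True, False
    return seq.power_up()
```

Running the model with the rails in the data-sheet order (VCORE, then VAUX, then VIO) gives a clean power-up at 58 ms and zero latch-up exposure across both the startup and the reverse-order shutdown; configuring the same sequencer with VIO ahead of VCORE still completes, but latchup_exposure over the recorded trace flags every tick in which the I/O rail was up while the core rail was not. That is the point of the exercise: the enforced order is the systematic design decision, so checking the configured order against the latch-up rule is a design-time verification that belongs in the V&V record, while the MCU's contribution collapses to mcu_supervise and master_reset.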

ADI delivers a comprehensive portfolio of sequencing circuits and power systems managers engineered to address FPGA and other complex digital controllers’ power management challenges. These solutions—ranging from simple, cascadable sequencers for basic rail sequencing to sophisticated, multichannel programmable devices—precisely orchestrate the power-up and power-down of voltage rails. By ensuring each rail achieves its target voltage in the correct order and timeframe, these circuits safeguard the integrity of your FPGA design.

Conclusion

The systematic failures inherent in complex power-up and power-down sequences, such as the potential for CMOS latch-up or the initiation of unpredictable metastable states, represent a critical qualitative challenge to functional safety that cannot be managed by focusing solely on random failure metrics. By architecturally relocating the timing-critical, multirail power management function from the main safety MCU’s complex software domain to a dedicated external hardware IC, system architects adopt a robust fault-avoidance strategy. This isolation ensures deterministic, hardware-enforced sequencing, effectively eliminating a primary source of systematic design errors before they can manifest in the safety-related system. This architectural choice is central to enhancing the overall SC of the design, transforming a complex software problem requiring exhaustive timing analysis into a simpler hardware solution.

Crucially, the physical separation provided by an external sequencer inherently satisfies the stringent noninterference requirements of functional safety standards such as the IEC 61508, a condition that is difficult and costly to prove within complex, multitasking software environments. By offloading complex timing, rail dependency logic, and inherent fault handling, the required scope of the safety-critical software is substantially reduced, streamlining the extensive validation and verification process and lowering the overall compliance burden. ADI’s power sequencing solutions provide the necessary reliability, precision, and functional independence to implement this architecture, offering a critical hardware enforcement mechanism that significantly simplifies and accelerates functional safety compliance.

References

[1] IEC 61508 All Parts, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems. International Electrotechnical Commission, 2010.

[2] Philipp Kilian, Armin Köhler, Patrick Van Bergen, Carsten Gebauer, Bernd Pfeufer, and Oliver Koller. “Principle Guidelines for Safe Power Supply Systems Development.” IEEE Access, Vol. 9, July 2021.

[3] Catherine Redmond. “Winning the Battle Against Latchup in CMOS Analog Switches.” Analog Dialogue, Vol. 35, October 2001.

[4] “Avoid Catastrophic Power Failures with Proper Voltage Sequencing and Monitoring.” Maxim Integrated, April 2018.

[5] “Supervisory and Sequencing Devices for AMD and Intel FPGAs.” Analog Devices, Inc., 2024.

[6] “Design Considerations for Microcontroller-Based Fault Detection in Functional Safety Systems.” exida, June 2025.

[7] “Top Misunderstandings About Functional Safety.” TÜV SÜD.

About the Authors

Bryan Angelo Borres is a TÜV-certified functional safety engineer who focuses on industrial functional safety. As a senior power applications engineer, he helps component designers and system integrators design functionally safe power products that comply with industrial functional safety standards such as IEC 61508. Bryan is a member of the IEC National Committee of the Philippines to IEC TC65/SC65A and the IEEE Functional Safety Standards Committee. He also has a postgraduate diploma in power electronics and more than seven years of extensive experience in designing efficient and robust power electronics systems.

Noel Tenorio is a product applications manager in the Industrial, Power, and Precision Group handling high performance supervisory products at Analog Devices Philippines. He joined ADI in August 2016. Prior to ADI, he worked as a design engineer in a switch-mode power supply research and development company for six years. He has a bachelor’s degree in electronics and communications engineering from Batangas State University, as well as a postgraduate degree in electrical engineering majoring in power electronics and a Master of Science degree in electronics engineering from Mapua University. He also had a significant role in applications support for thermoelectric cooler controller products prior to handling supervisory products.
