How to Systematically Identify (& Resolve) Single Points of Failure in Power Selection Circuits in Under 30 Minutes

Industry: Automotive, Aerospace, Industrial Automation

tl;dr: Power selection circuits present a unique analysis challenge: redundant input rails suggest inherent safety, yet component interdependencies create hidden failure propagation paths that can be easily missed. In this 24-component subsystem, what appeared to be monitoring-only current sense amplifiers created a critical SPOF through shared ground connections – a failure path that systematic analysis with Paitron revealed in under 30 minutes. This case study demonstrates both the initial discovery (setup and analysis in under 30 minutes) and rapid validation of the design fix (re-analysis in minutes, not hours).

Power selection circuits in safety-critical systems present inherent analysis challenges due to complex component interdependencies and hidden failure propagation paths. While engineers excel at identifying obvious single points of failure, the sheer complexity of modern circuits with hundreds of failure modes makes comprehensive manual analysis impractical within typical project timelines. These time and resource pressures often force difficult trade-offs between analysis thoroughness and delivery schedules, creating a need for systematic approaches that reliably identify all potential failure modes without exception.

Use Case – Identifying Single Point of Failure (SPOF) in Safety-Critical Systems

Consider the following power selection subsystem (Figure 1), typical for safety-critical applications in industries such as aerospace, automotive, and industrial automation. Serving as just one part of a larger design, it comprises 24 components, among them three integrated circuits (ICs), namely U1 (LTC4364-2), U2 and U3 (LT6100).

<Figure 1: Schematic of the power selector subsystem>

System Details:

  • The power selection manages a power rail supplied by two independent power inputs: main battery (V_BAT) and secondary power (V_SEC)
  • U1 serves as a surge stopper offering overvoltage, undervoltage, and reverse current protection. In conjunction with MOSFETs Q2 and Q3, U1 handles power transmission from V_BAT.
  • The current sense amplifiers U2 and U3 (powered by a 5V power supply, 5V_CS) monitor the currents on each input rail, outputting signals that indicate which rail is feeding P28V_Combined. These signals are read by a separate logic controller in the periphery.

Safety Requirement:

  • The primary requirement is that the output P28V_Combined must always remain powered.

The Analysis Challenge

PROJECT SCALE CONSTRAINTS: To perform a complete FMEDA, all potentially relevant failure modes must be evaluated for these 24 components, which amounts to a total of about 200 failure modes for this example. With a manual assessment time of 10 to 15 minutes on average, the cumulative effort spans approximately 50 hours for this single subsystem alone. When issues are discovered, validating design fixes requires re-running the entire analysis – a manual analysis of similar effort – to confirm that the design modifications address the failure modes without introducing new risks.

When scaled across typical safety-critical systems containing 300+ subsystems, comprehensive manual analysis becomes impractical within project timelines and budget constraints. This forces engineering teams to make difficult trade-offs between analysis thoroughness and project delivery schedules.

LOCALIZATION OF FAILURES & INTERCONNECTED COMPLEXITY: Even with extensive time investment, complex failure propagation paths can remain unidentified. Especially under time pressure, an analyst may consider only localized failure effects, i.e. assume that a failure mode of the current sensor affects only its immediate function. However, failure effects can propagate through overlooked pathways, such as when monitoring circuits share electrical connections with the systems they observe.

Analysis Results: Critical Discovery

The power selection example contains 24 components for which 200 failure modes are identified and analyzed in less than half an hour. This systematic evaluation revealed critical findings that highlight the value of comprehensive and reliable analysis coverage.

The FMEDA, according to the IEC 61508 standard, was performed in Paitron after the project was set up. The built-in failure databases were used for the analysis – SN 29500 for failure rates and IEC 61709 as the failure modes source.


The Results:

<Figure 2 – FMEDA result overview with emphasis on the components that contribute to the dangerous undetected (DU) failure rate>

Figure 2 displays Paitron’s FMEDA results. Paitron provides an overview of the most common safety KPIs according to IEC 61508, such as Safe Failure Fraction (SFF), safety function failure rate, safety function and device MTBF, and Diagnostic Coverage (DC).

The comprehensive safety KPI overview demonstrates the depth of analysis possible with systematic automated approaches. The 0.12 FIT dangerous undetected failure rate (λDU) is immediately visible in the results, as are the primary drivers of this risk, U2 and U3. Paitron also provides a detailed analysis for each component, enabling the understanding required for its resolution.

Single Point of Failure Identified:

<Figure 3 – Exemplary failure modes of the components U2 and U3 leading to the effect “Loss of combined power”, specifically shorting the IN- pins to GND.>

The systematic analysis revealed that current sense amplifiers U2 and U3 represent single points of failure for the entire power selection system through an unexpected failure propagation path. Shorting the “IN-” pins of U2 or U3 to ground effectively pulls the power output to ground, causing complete power loss despite redundant input rails.

The power selection subsystem is one block of a much larger system (300 blocks, more than 2,000 components). Due to the size and complexity of the underlying system, even methodical manual analysis faces practical limitations in covering all possible interaction paths within project timelines.

Design Resolution and Re-Analysis

<Figure 4: Updated power selector schematic with two additional diodes D2 and D3>

With the critical failure mode identified, the design was updated to prevent the dangerous undetected effect. One straightforward solution was to add two diodes: D2 and D3, one on each power rail. These ensure that a pin short to ground at U2 or U3 no longer pulls the output to ground.

After adjusting the system design, the analysis can be re-run to directly evaluate the impact of the design update. Whereas in the manual process, this would require effort on the same scale as the original analysis, with Paitron, re-analysis is a matter of just a few clicks and minutes rather than hours of manual analysis. In this case, the updated design was validated in under 10 minutes.

<Figure 5: Comparison of the FMEDA result overview before and after the design update>

The updated analysis (Figure 5) confirmed that the dangerous undetected failure rate λDU was reduced to 0 FIT, validating that the “Loss of combined power” effect has been prevented.
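To make the propagation argument concrete, the following is an added toy model (not Paitron's engine and not the page's data) for both the single-point-of-failure discovery and the D2/D3 fix: it encodes the selector's power path as a net graph, propagates a short to ground through wires and diodes, classifies each failure mode as safe, dangerous detected or dangerous undetected, and recomputes λDU, SFF and DC for the design with and without the diodes. The net names, the failure-mode table and the FIT values are constructed assumptions chosen so that the original design reproduces the 0.12 FIT headline figure.

```python
from collections import deque

# Constructed netlist of the selector's power path (hypothetical net names). Wires
# conduct both ways; a diode (anode, cathode) passes power anode->cathode and, when
# its cathode is grounded, drags the anode low, so ground propagates cathode->anode only.
WIRES = [("V_BAT", "SENSE_BAT"), ("V_SEC", "SENSE_SEC")]
JOINS = [("SENSE_BAT", "P28V_Combined"), ("SENSE_SEC", "P28V_Combined")]
# Constructed failure-mode table, FIT values illustrative (not SN 29500 data):
# (component, mode, FIT, kind, affected net, covered by a diagnostic)
FAILURE_MODES = [
    ("U2", "IN- short to GND", 0.06, "short_gnd", "SENSE_BAT", False),
    ("U3", "IN- short to GND", 0.06, "short_gnd", "SENSE_SEC", False),
    ("Q2", "drain-source open", 0.50, "open", "V_BAT", True),
    ("U3", "output stuck high", 0.10, "none", "SENSE_SEC", False),
]

def build_graphs(with_diodes):
    """(power, gnd) adjacency maps for the original design or the D2/D3 variant."""
    power, gnd = {}, {}
    def edge(g, a, b): g.setdefault(a, set()).add(b); g.setdefault(b, set())
    for a, b in WIRES + ([] if with_diodes else JOINS):  # plain wires: both ways
        edge(power, a, b); edge(power, b, a); edge(gnd, a, b); edge(gnd, b, a)
    for anode, cathode in (JOINS if with_diodes else []):  # D2/D3 joins are one-way
        edge(power, anode, cathode); edge(gnd, cathode, anode)
    return power, gnd

def reach(g, start, blocked=frozenset()):
    """Breadth-first set of nets reachable from start, never entering blocked nets."""
    seen, q = {start}, deque([start])
    while q:
        for n in g.get(q.popleft(), set()) - seen - blocked:
            seen.add(n); q.append(n)
    return seen

def output_powered(power, gnd, kind, net):
    """Single-fault check of the requirement 'P28V_Combined stays powered'."""
    grounded = reach(gnd, net) if kind == "short_gnd" else set()
    if "P28V_Combined" in grounded:
        return False  # the short propagated all the way to the combined output
    live = [r for r in ("V_BAT", "V_SEC") if r not in grounded and (kind, net) != ("open", r)]
    return any("P28V_Combined" in reach(power, r, grounded) for r in live)

def fmeda(with_diodes):
    """Classify each mode as S/DD/DU and derive lambda values, SFF and DC (IEC 61508)."""
    power, gnd = build_graphs(with_diodes)
    lam = {"S": 0.0, "DD": 0.0, "DU": 0.0}
    for _comp, _mode, fit, kind, net, covered in FAILURE_MODES:
        ok = output_powered(power, gnd, kind, net)
        lam["S" if ok else ("DD" if covered else "DU")] += fit
    dangerous = lam["DD"] + lam["DU"]
    sff = (lam["S"] + lam["DD"]) / sum(lam.values())
    dc = lam["DD"] / dangerous if dangerous else 1.0
    return lam, sff, dc
```

Calling `fmeda(False)` puts the two IN- shorts into λDU because the grounded sense net is wired straight to the combined output, while `fmeda(True)` confines each short to its own rail and λDU drops to 0.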

<Figure 6: Comparison of the excerpt from the FMEDA report for U3 before and after the design update>

The detailed FMEDA report excerpt for U3 (Figure 6) further confirms that every failure mode that previously led to “Loss of combined power”, such as shorting pins to ground, is now confined to the affected rail only. This provides a high degree of confidence in the safety of the designed system before a prototype is built.

Technical Implications

This systematic analysis capability reveals several key insights for power selection circuit design:

  • Hidden Dependencies: Components that appear to be monitoring-only can create critical single points of failure through unexpected electrical pathways.
  • Analysis Coverage: Comprehensive evaluation of all 200 failure modes ensures no interaction paths are missed due to time or cognitive constraints.
  • Design Iteration: Rapid re-analysis enables design optimization cycles that integrate seamlessly into the development process. Design iterations that would take weeks manually can now be validated in minutes.

While demonstrated here on a power selection circuit, this systematic propagation analysis approach applies to any topology where component interdependencies create hidden failure paths, including sensor interfaces, communication buses, and control logic circuits.

Experience This Methodology

The systematic approach demonstrated here – finding critical single points of failure in complex circuits within 30 minutes rather than weeks, then validating design fixes in minutes rather than hours – represents a fundamental shift in how safety analysis can integrate into the design process.
