EMC & Functional Safety Workshop 23: EMV ‘01 (Augsburg) 14 march 2001 Prof. ir. J. Catrysse, KHBO.

EMC & Functional Safety

Workshop 23: EMV ‘01 (Augsburg)

14 march 2001

Prof. ir. J. Catrysse, KHBO


1 INTRODUCTION

All electronic technologies can suffer from degraded functionality due to disturbances. Modern technologies are more susceptible than other ones. This discipline is known as EMC.


1 INTRODUCTION

Electronic technology is increasingly used in safety-related applications. Consequently, errors and misoperations of electronic devices due to inadequate EMC can result in hazardous situations with an increased risk of harm people’s health and safety.


1 INTRODUCTION

Companies who are well versed in the safety of their traditional technologies may not be aware of the possibilities for increased risks associated with the use of electronic technologies. For example, a machinery manufacturer may use a programmable logic controller (PLC) to control a machine.


1 INTRODUCTION

When the PLC is interfered with, for example by EM disturbances from a nearby walkie-talkie, or by a voltage transient on its mains supply, it is possible that the machine could make an unintended movement-possible putting nearby workers at increased risk or injury or even death.


1 INTRODUCTION

The EMC and safety divisions within an organisation tend to use different skills and disciplines and may operate largely independent of each other. Important issues of EMC-related functional safety may not be correctly addressed. Compliance with the EMC Directive (or its harmonised standards) may not ensure that EMC-related functional safety issues have been correctly addressed and relevant safety legislation met.


1 INTRODUCTION

To correctly control EMC-related functional safety, hazard and risk assessments are needed. The following should be considered:

1.1 What electromagnetic (EM) disturbances, however infrequent, might the apparatus be exposed to?

1.2 What are the reasonably foreseeable effects of such disturbances on the apparatus?


1 INTRODUCTION

1.3 How might the EM disturbances emitted by the apparatus affect other apparatus (existing or planned)?

1.4 What could be the reasonably foreseeable safety implications of the above mentioned disturbances (what is the severity of the hazard, the scale of the risk, the safety integrity level required?


1 INTRODUCTION

1.5 What level of confidence (verification? proof?) is required that the above have been fully considered and all necessary action taken to achieve the desired level of safety?


1 INTRODUCTION

Safety Related Systems (SRS) are systems (a part of) which affect safety in some way. Normally, the term is used to describe systems that perform a specific function to reduce risks to a level which is considered to be tolerable. SRS are more and more implemented in E/E/PE technologies.


2 EXAMPLES

Controlled by µP ESD and mains-interference (EFT) switched on the machine, while the interlock-switch was in a “safe” position.

2.1 Failure of a safety-interlock


2 EXAMPLES

Gas-detector switched itself “off” by operation of a walkie-talkie in a nearby position (1m).

2.2 Gas-detector disabled by handheld VHF radio


2 EXAMPLES

“Optical” control of doors was disturbed (cabling) due to an amateur-radio (antenna on top of the machine-roof, on the roof of a building).

2.3 Lift stops due to amateur-radio


2 EXAMPLES

Operation of a CNC machine was affected by a nearby arc-welding machine.Attention must be paid to welders, heaters, sealers

and especially those using RF energy.

2.4 CNC machine affected by arc-welding


2 EXAMPLES

Mains-disturbances affects the good control of a milk-cooler, since a “new” batch of components was used. “Cooling” works at wrong temperature-detection. Affecting the end-quality of the milk (and health-risks for consumers).

(E/EP)ROM changes have been observed.

2.5 Milk-coolers affected by mains


2 EXAMPLES

Wheelchairs seem to be susceptible to RF fields of 5 to 15 V/m. Brake release and self-start are repeated. 50 V/m should be requested.

2.6 Wheelchair EM immunity


2 EXAMPLES

Permanent change in the calibration ROM due to nearby operated walkie-talkie have been observed. Safety-critical systems must always be designed to possible extreme interference.

2.7 Safe-load indication and hand-held radio


2 EXAMPLES

µP based valve controller, and a temperature sensor. Two failures were observed: RF induced signals on the temperature-sensor wiring, causing wrong values (too low). And mains interference affecting a badly designed watch-dog in the µP circuitry.

2.8 Failure of a valve in a steam-generator


2 EXAMPLES

Laptops (and other electronic games) easily interfere with the aircraft navigation systems (and their cabling).

EMI is part of the safety-instructions on an aeroplane!

2.9 Aeroplanes and laptops


2 EXAMPLES

One of a number computers controlling a chemical plant failed, resulting in the appropriate setting of a number of process valves. Operating staff were potentially put at risk. Investigation revealed than an integrated circuit had failed in the microprocessor which controlled the

operation of an input/output interface

2.10 Computer failure


2 EXAMPLES

The failure meant that the processor set all signals for the output devices to logic 1 (all valves open). Failure of a microprocessor had been anticipated in the original design of the computer system, but the failure detection mechanism contained a design flaw.

2.10 Computer failure (Cont’d)


2 EXAMPLES

Fault detection was by a “watchdog” circuit configured to trip when a status “bit” flipped to zero-thereby indicating a physical failure of the processor. However when the integrated circuit failed it set all bits, including the status bit, to logic 1-the opposite to the state needed to trip the watchdog, so the

failure was not recognised.



2 EXAMPLES

The root cause of this incident was that computer control had been superimposed upon an existing plant previously controlled by traditional technology. No hazard and risk analysis had been carried out before this change, and no safety integrity requirements specification had been developed.



2 EXAMPLES

Functional Safety is NOT covered by the EMC Directive and the related harmonised standards, Immunity levels and specified performance criteria are NOT intended to guarantee proper operation of SRS.

Remarks


2 EXAMPLES

Examples of immunity problems for SRS are:

• ESD levels in reality: easily into 15 KV and still requiring fail safe operation. (EN 61000-4-2: 8 KV and performance B)

• RF systems: high power and near-by operated RF communication systems, giving 15 V/m and more. (EN 61000-4-3: 10 V/m)

Remarks (Cont’d)


2 EXAMPLES

• EFT: some main supplies are ‘polluted’ with higher levels of transient than would normally be expected, and these may be higher than are covered by EMC standards harmonised under the EMC Directive and used when CE marking. (EN 61000-4-4: 2 KV pulses in CM)

Remarks (Cont’d)


2 EXAMPLES

Users need to make sure that their supplies are not excessively polluted and manufacturers need to make sure that mains-powered equipment used for safety-related functions will withstand atypical mains transient as much as is reasonable, and when damaged by a transient (or suffer any other failure) will fail to a safe state.

Conclusions


2 EXAMPLES

It is not always recognised that a control system is safety-related. Microprocessor watchdog circuits are difficult to design for safety-critical applications, and should be supported by hardware and software EMC design techniques, and an appropriated risk-analysis.

Conclusions (Cont’d)


2 EXAMPLES

Careful analysis of the EM environment must be performed, in order to know the possible “extreme” conditions.

And an appropriated risk-analysis - and consequent design - must be performed from component level into system level.

Conclusions (Cont’d)


3 EMC DIRECTIVE & FUNCTIONAL SAFETY

EMC Directive 89/336 and the related harmonised standards are not dealing with safety at all:

3.1 “Safety” is NOT used in the text, and the EMC Directive is only addressing “normal operation” under “normal” EM environment.



3.2 The EMC Directive does not cover reasonable foreseeable faults, environmental extremes, operator errors, maintenance situations, or misuse-all considerations which are essential for functional safety.

3.3 Almost all the EMC standards harmonised under the EMC Directive either explicitly or implicitly exclude safety considerations



3.4 All the EMC standards harmonised under the EMC Directive (or used for radio-communication Type Examination) cover a restricted number of EM disturbances, and their limits allow a finite probability

of incompatibilities.



3.5 EMC Technical Construction Files (TCFs) can include significantly lower EMC performance (or lower confidence of performance) than would have been achieved had the harmonised standards been applied in full.



3.6 Safety may, in real life, depend upon correct operation of electronic apparatus when it is subjected to low-probability EM disturbances which are not covered by harmonised standards. Or a combination of EM disturbances (which is not foreseen in the harmonised standards).



3.7 The EM environment is continually changing the use of new technologies, and so harmonised standards often lag behind real needs. For example, there is increasingly common use of cellphones, wireless LANs and other RF transmitters, and ever-

faster computers.



3.7 (Cont’d) These frequently emit significant levels of disturbances at frequencies above 1 GHz, higher than the frequencies covered by even the latest

issues of the harmonised immunity standards.


4 SAFETY

Key to the understanding of safety-related systems is the concept that a safety-related system carries out safety functions; and that a safety function should be specified both in terms of functionality (what the function does) and safety integrity (the probability of a safety function being performed satisfactorily when it is required).


4 SAFETY

(Cont’d) The specification for safety integrity is derived by undertaking a hazard & risk analysis and determining the extent of risk reduction which the particular safety function brings about. The general principle is that more rigour is required in the engineering of safety-related systems at higher levels of safety integrity in order to achieve the lower failure rates which are required to achieve tolerable

risk.


4 SAFETY

Qualify and quantify the exposure of the apparatus to the EM disturbances present in its intended operational environment(s), taking into account likely (or possible) changes to the environment(s) in the future. This should include all reasonably foreseeable exposure to EM disturbances of whatever kind. EN 61000-2-5 can be a helpful guidance

4.1 EM environment


4 SAFETY

Determine the acceptable immunity and emissions performance criteria for each safety-related function of the apparatus, for each of the EM disturbances identified above, to achieve the desired “compatibility margins” for the appropriate safety

integrity levels.

4.2 EM Specification


4 SAFETY

The results are often most conveniently expressed as a table (matrix) of function versus EM phenomenon, with the performance criteria in the cells. (This is a hazards and risks assessment, and may result in different functional performance criteria than are

required for compliance with the EMC Directive).

4.2 EM Specification (Cont’d)


4 SAFETY

The test procedure and performance criteria which will be used to validate the immunity levels should then be specified.

Performance criteria for immunity testing should take into account the hazards and risks associated with the application. For example, even temporary degradation of performance or loss of function may

not be acceptable in some applications.

4.3 Test Procedure


4 SAFETY

Ensure that all necessary steps are taken throughout the apparatus’ entire life-cycle (including maintenance, upgrade, or refurbishment) to meet the EM functional performance criteria specified above, and that appropriate validation occurs before supply and after maintenance, modification, upgrade, and refurbishment (especially software).

4.4 Design, build, verify, maintain


4 SAFETY

Validation should ensure that the product’s required functional performance is actually achieved in its intended operational environment(s), and that its

safety is as required.

4.4 Design, build, verify, maintain (Cont’d)


4 SAFETY

Provide all the installation, use, and maintenance instructions necessary to define the EM environment that the apparatus is intended for, and achieve and maintain the required EM performance.

4.4 User Instructions


4 SAFETY

It is also recommended that a description of how EM interference may appear to the user, and the simple mitigation measures that the user can take, be included.

IEC 61000-5-2 and IEC 61000-5-6 are recommended for guidance on good EMC build and installation practices.

4.5 User Instructions (Cont’d)


4 SAFETY

4.6.1 Testing is unlikely to reveal all the potential modes of functional degradation which may result from EM disturbances. In this respect, the achievement of EMC in the context of safety should be approached in a similar way to that necessary for safety-related software.

4.6 Remarks


4 SAFETY

4.6.1 (Cont’d)That is, it is important that a systematic approach is adopted at all stages of the safety-lifecycle in order to avoid, as far as possible, the introduction of systematic faults.

4.6 Remarks


4 SAFETY

4.6.1 (Cont’d) It is particularly important that EMC is considered at an early stage during the design of equipment as it is often then that the most effective measures can be taken (this is also likely to be the most cost-effective way to ensure EMC).

4.6 Remarks


4 SAFETY

4.6.2 EM disturbances may be the cause of “common-cause faults”. These are identical faults which occur at the same time in different parts of a system due to a common cause.

It is particularly important to consider these in safety-related system which employ redundant architectures as a means of protecting against random failures of hardware components.

4.6 Remarks


4 SAFETY

4.6.2 (Cont’d) Estimates of hardware reliability should take into account the possibility of such common-cause faults because they can significantly increase the likelihood of failure from that which results from consideration of random failures only.

4.6 Remarks


4 SAFETY

4.6.3 (Cont’d) Even during servicing and maintenance procedures, safety is still required, so maintenance and modification procedures should consider EMC.

In particular, the use of mobile radiocommunications close to equipment which has had covers removed should be carefully controlled, particularly when equipment is being maintained “on-line”.

4.6 Remarks


4 SAFETY

4.6.4 Where protective devices (e.g. varistor transient suppressers) are used to achieve a level of immunity and where failure of such a device could cause a reduction in immunity level which could lead to danger, then the failure of such devices should either be detected automatically (for example by the action of diagnostic tests) or the devices should be tested on a regular basis to reveal any failures.

4.6 Remarks


4 SAFETY

4.6.4 (Cont’d) The periodicity of such tests would need to be determined on the basis of the acceptable probability of failure in a particularly application.

4.6 Remarks


4 SAFETY

4.6.5 (Cont’d) The same acts for the design of watch-dogs:

the observation-cycle and the bit-patterns to be observed must be carefully chosen, to ensure a fail-safe “reset” of the µP systems.

4.6 Remarks


4 SAFETY

4.6.6 (Cont’d) The above has dealt with the immunity of a product, system, or installation to its EM environment, but it must not be overlooked that some equipment can emit EM disturbances which can markedly worsen their local EM environment, possible causing degraded functionality in other equipment.

4.6 Remarks


4 SAFETY

4.6.6 (Cont’d) Audio or radio communication systems can be very susceptible to EM disturbances, which can lead to safety risks if they are used to communicate safety information.

4.6 Remarks


4 SAFETY

4.6.6 (Cont’d) Some industrial, scientific, or medical equipment utilises radio frequency (RF) energy at high powers to perform its intended function (e.g. induction heating, plastic RF welding or sealing, RF-assisted metal welding), and emissions from these can cause errors in nearby instrumentation or control, with possible safety risks.

4.6 Remarks


4 SAFETY

4.6.6 (Cont’d) So, when planning new equipment, steps need to be taken to ensure that its EM disturbances do not reduce the compatibility levels (safety margins) for the existing equipment below what is necessary for its functional safety.

4.6 Remarks


4 SAFETY

4.6.7 Warning of a safety hazard is considered no substitute for guarding against it-where guarding is possible.

Guarding is considered no substitute for designing the hazard out in the first place-where it is possible to design the hazard out.

4.6 Remarks


4 SAFETY

• Set-up of safety programme plan, dealing with the mile-stones on design phase, production, …

• Reference to procedures and standards: include techniques as FTA, FMEA, …

• EMC hazards to be identified and to be applied

4.7 Safety management


4 SAFETY

Two standards are involved:

EN 61000-1-2:Methodology for the achievement of functional safety of electrical and electronic equipment.

4.7 Safety management (Cont’d)


4 SAFETY

EN 61508:Functional safety of electrical/electronic/ programmable electronic (E/E/PE) safety related systems (SRS)



4 SAFETY

Conclusion:

EMC and Functional Safety is NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed, in order to ensure fail safe operation

over the complete life-cycle of a product.



5 EN 61000-1-2

The document is addressing the following items:

• safety description of the equipment

• safety requirements

• risk analysis tools

• check-list of measures and techniques

• design considerations


5 EN 61000-1-2

• define structure, design and intended functions of the equipment

• describe the relevant electromagnetic environment

• specify the safety requirements

• analysis to identify the hazards which can cause safety risks

General considerations


5 EN 61000-1-2

• EMC tests for safety

• produce operation and maintenance instructions to ensure safety in the course of time

General considerations (Cont’d)


5 EN 61000-1-2

The two most important items in the previous overview are:

• dependability analysis which confirms an appropriate design and/or the interpretation of test results

• the actual testing for safety which confirms that the requirements are effectively fulfilled

General considerations (Cont’d)


5 EN 61000-1-2

EMC inputs

EMC inputs

Functionalrequirements

Concept

Hazard and risk anaysis

Safety specifications

Fig. Lifecycle and functional safety for individual equipment


5 EN 61000-1-2EMC inputs

EMC inputs Validation

Design &development

Manufacture

Disposal

Fig. Lifecycle and functional safety for individual equipment

Use of equipment

Instructionsfor operationand maintenance

Return for modification

EMC inputsEMC inputs


5 EN 61000-1-2

The following disturbance phenomena must be considered and defined:

• conducted low frequency phenomena

• radiated low frequency phenomena

• conducted high frequency phenomena

• radiated high frequency phenomena

• electrostatic discharge

Electromagnetic environment


5 EN 61000-1-2

Conducted low frequency phenomena

• Harmonics, interharmonics

• Signalling systems

• Voltage fluctuations

• Voltage dips and interruptions

• Voltage unbalance

• Power frequency variations

• Induced low frequency voltages

• d.c. in a.c. networks

Table 1-Overview of disturbance phenomena


5 EN 61000-1-2

Radiated low frequency field phenomena

• Magnetic fields*

• Electrical fields* continuous or transient


Conducted high frequency phenomena

• Induced CW voltages or currents Unidirectional transient*

• Oscillatory transient** Single or repetitive (bursts)


5 EN 61000-1-2

Radiated high frequency field phenomena

• Magnetic fields

• Electrical fields

• Electromagnetic fields > continuous waves > transient**Single or repetitive


Electrostatic discharge phenomena (ESD)

High altitude electromagnetic pulse (HEMP)** to be considered under special conditions


5 EN 61000-1-2

• Safety integrity of the equipment against Emambient: this inquires that the level of immunity against EMC, combined with other causes, result in an overall acceptable risk

• Safety integrity of the equipment against internal EMC: typical examples are internal ESD (moving plastic parts) and/or internal EFT (switching on/off of motors, valves, actuators…)

Safety requirements & failure criteria


5 EN 61000-1-2

Assessment methodsThe dependability analysis can be based on two principles:

• Deductive methodology or top-down This method is event oriented: starting from a defined top event it will try to identify the responsible components Typical method used is Fault Tree Analysis (FTA)


5 EN 61000-1-2

Assessment methods (Cont’d)

• Inductive methodology or bottom-up This method will identify fault modes at component level, and will look for the corresponding performance at system level.


5 EN 61000-1-2

EMC TESTING with regard to SAFETY

For EMC testing against immunity, it was already proposed to specify two series of tests:

• for system parts not relevant for safety

• for system parts relevant for safety, with more severe immunity requirements if necessary


5 EN 61000-1-2

EMC TESTING with regard to SAFETY (Cont’d)

During testing, observable effects can be promoted by applying higher disturbance levels (higher repetition rates for transients, other modulation frequencies, signal shapes,…).Safety related elements should be tested separately.


5 EN 61000-1-2

Risk analysis techniquesGENERAL CONSIDERATIONS

• tracing possibilities of multiple faults and common causes

• probability of the EM disturbance (variation with time)

• properties of the EM disturbance

• dependence of the state of the machine for identical causes


5 EN 61000-1-2

Risk analysis techniquesGENERAL CONSIDERATIONS (Cont’d)

• effect of disturbances can depend on the way of installation

• many disturbances can be present at the same time

EMC will best fit with a TOP-DOWN analysis


5 EN 61000-1-2

Risk analysis techniquesANALYSIS METHODS

• Fault Tree Analysis (FTA) as in IEC 61025

• Failure Mode and Effect Analysis (FMEA) as in IEC 60812

• Reliability of block diagrams and components as in IEC 61078

• Markov Analysis as in IEC 61165


5 EN 61000-1-2

Risk analysis techniquesANALYSIS METHODS (Cont’d)

• Other techniques: > Event tree analysis > Hazard and operability study (HAZOP) > WHAT-IF method > Method organised for a systemic analysis of risks (MOSAR) > DELPHI


5 EN 61000-1-2

Check list of measures & techniques Specify the unwanted safety events

• no operation when operation required

• operation when no operation required

• wrong (and dangerous) operation


5 EN 61000-1-2

Check list of measures & techniques Specify to EM environments

• reference to standards to determine disturbance levels

• measurement of the EM environment to confirm assumptions


5 EN 61000-1-2

Check list of measures & techniques Design and development strategy

• structure reducing the probability of dangerous failures

• appropriate software development

• dependability analysis

• avoiding the use of susceptible components (if known)


5 EN 61000-1-2

Check list of measures & techniques Design and development strategy (Cont’d)

• testing of components and subsystems, cabling…

• use of appropriate CAD tools to reduce EMC

• use of consultancy and competence

• design reviews


5 EN 61000-1-2

Check list of measures & techniques Implementation and integration

• procedures to ensure the procurement of correct components

• procedures to ensure correct assembly of equipment

• verification and quality assurance procedures


5 EN 61000-1-2

Check list of measures & techniques Installation

• specification of constraints on length and routing of cables

• specification of types of cables

• specification of method of terminating screens

• specification of type of connectors


5 EN 61000-1-2

Check list of measures & techniques Installation (Cont’d)

• specification of physical positioning to other equipment

• specification of power supply requirements

• specification of any screening/shielding in addition to unit itself


5 EN 61000-1-2

Check list of measures & techniques Installation (Cont’d)

• specification of earthing and bonding requirements

• specification of installation procedure & use of special materials


5 EN 61000-1-2

Check list of measures & techniques Safety Validation

• dependability analysis

• verification of correct implementation of safety requirements

• survey of actual EM environment to confirm assumptions


5 EN 61000-1-2

Check list of measures & techniques Safety Validation (Cont’d)

• laboratory testing of safety behaviour and functions

• immunity testing using higher levels to determine margins

• use special conditions to exercise known sensitive states to EMC


5 EN 61000-1-2

Check list of measures & techniques Safety Validation (Cont’d)

• in situ testing of safety behaviour and functions

• quantitative evaluation of failure rates based on statistics


5 EN 61000-1-2

Check list of measures & techniques Operation and maintenance

• specification and use of operating procedures to preserve EMC

• specification of restrictions on operation, also other apparatus (ex. use of GSM, ...)

• specify disassembly/reassemble techniques to

preserve EMC


5 EN 61000-1-2

Check list of measures & techniques Operation and maintenance (Cont’d)

• periodic testing of EMC critical components

• periodic replacement of EMC critical components (ex. gaskets)

• periodic testing of safety related components & functions


5 EN 61000-1-2

Check list of measures & techniques Modifications

• assessment of the effect of any modification on EMC of both equipment under consideration and any other equipment which might be affected


6 EN 61508

Part 1 General requirementsPart 2 Requirements for E/E/PE safety related

systemsPart 3 Software requirementsPart 4 Definitions and abbreviationsPart 5 Examples of methods for the determination

of SIL’sPart 6 Guidelines on the application of parts 2

and 3Part 7 Overview of techniques and measures


6 EN 61508

1 Scope2 Conformance to this standards3 Documentation4 Management of functional safety

Part 1 General requirements


6 EN 61508

5 Overall safety lifecycle requirements5.1 General5.2 Concept5.3 Overall scope definition5.4 Hazard and risk analysis5.5 Overall safety requirements5.6 Safety requirements allocation5.7 Overall operation and maintenance planning5.8 Overall safety validation planning



6 EN 61508

5.9 Overall installation and commissioning planning5.10 Realisation: E/E/PE5.11 Overall installation and commissioning5.12 Overall safety validation5.13 Overall operation, maintenance and repair5.14 Overall modification and retrofit5.15 Decommissioning or disposal5.16 Verification



6 EN 61508

6 Functional safety assessment6.1 Objective6.2 Requirements



6 EN 61508

1 Scope2 E/E/PES safety lifecycle requirements2.1 General2.2 E/E/PE system safety requirements

specification2.3 E/E/PE system safety validation planning2.4 E/E/PE system design and development2.5 E/E/PE system integration

Part 2 Requirements for E/E/PE safety related systems


6 EN 61508

2.6 E/E/PE system operation and maintenance procedures2.7 E/E/PE system safety validation2.8 E/E/PE system modification2.9 E/E/PE system verification

Part 2 Requirements for E/E/PE safety related systems


6 EN 61508

1 Scope2 Software quality management system2.1 Objectives2.2 Requirements3 Software safety lifecycle requirements3.1 General3.2 Software safety requirements specification3.3 Software safety validation planning3.4 Software design and development

Part 3 Software requirements


6 EN 61508

3.5 Programmable electronics integration (hard- and software)3.6 Software operation and modification procedures3.7 Software safety validation3.8 Software modification3.9 Software verification4 Functional safety assessment

Part 3 Software requirements


6 EN 61508

Part 4 Definitions and abbreviations


6 EN 61508

Part 5 Examples of methods for the determination of SIL’s

1 Scope2 Annex A: General concepts2.1 General2.2 Necessary risk reduction2.3 Role of the E/E/PE SRS’s2.4 Safety integrity2.5 Risk and safety integrity2.6 Safety integrity levels and software SIL’s2.7 Allocation of safety requirements


6 EN 61508


3 Annex B: ALARP and tolerable risk concepts3.1 General3.2 ALARP model (as low as reasonably

practicable)


6 EN 61508


4 Annex C: determination of SIL’s: a qualitativemethod

4.1 General4.2 General method4.3 Example calculation


6 EN 61508


5 Annex D: determination of SIL’s: a qualitativemethod: risk graph

5.1 General5.2 Risk graph synthesis5.3 Other possible risk parameters5.4 Risk graph implementation: general scheme


6 EN 61508


6 Annex E: determination of SIL’s: a qualitative method: hazardous event severity matrix

6.1 General6.2 Hazardous event severity matrix


6 EN 61508

Part 6 Guidelines on the application of parts 2 and 3

1 Scope2 Annex A: Application of parts 2 and 32.1 General2.2 Functional steps3 Annex B: Example technique for evaluating probabilities of failure4 Annex C: Calculation of the diagnostic coverage: worked example


6 EN 61508


5 Annex D: A methodology for quantifying the effect of hardware-related common cause failures in multi-channel PE systems

5.1 General5.2 Brief overview5.3 Scope of the methodology


6 EN 61508


5.4 Points taken into account in the methodology5.5 Using ß to calculate the prob of failure in a E/E/PE SRS due to common cause failures5.6 Using the tables to estimate ß6 Annex E: Example of software safety integrity

tables of part 3


6 EN 61508

Part 7 Overview of techniques and measures

1 Scope


7 RISK ANALYSIS METHODS

Different methods are available, but only a few are commonly used and/or standardised:

• Fault Tree Analysis (FTA): IEC 61025

• Failure Mode Effects Analysis (FMEA): IEC 60812

• Reliability of block diagrams (RBD): IEC 61078

• Markov analysis: IEC 61165

FTA and FMEA can “easily” be used for EMC events.



FTA: Fault Tree Analysis (IEC 61025) (top down)

• deductive method

• can handle common causes failures

• can handle time varying failures

• events can also be degradation of performance only

• can be based on qualitative reasoning



FMEA: Failure Mode and Effects Analysis (IEC 60812) (bottom up)

• inductive method

• hardware approach: consider failure of components not suitable for EMC analysis

• functional approach: consider in what ways a function deviate from specifications



For the analysis of EMC related to functional safety, FTA analysis is the most suitable. Because it starts from the failing state, and goes down to the causes. An example is included in IEC 61000-1-2. FMEA is most suitable for the analysis, where components fail.

The other methods are used for reliability and availability analysis of systems.


8 Example of Safety Analysis related to IEC 61508: SAFECHECK

The software package “SAFECHECK” is an electronic checklist related to the standards IEC 61508, and results in 2 listings of “DONE” and “TO DO” items.

It has been developed due to a research grant by the Flemish Government: SAFESYS


9 Example of risk analysis, related to FTA, FMEA, RBD and Markov: RELEX

The software package “RELEX” is a commercially available package, including risk analysis following the FTA, FMEA, RBD and Markov methods.

It also includes a database of reliability data of electronic components , so that for FMEA, priority can be given to these components with the highest failure

rate.


10 CONCLUSIONS

EMC and Functional Safety is NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed, in order to ensure fail safe operation over the complete life-cycle of a product.


10 CONCLUSIONS

System level:

• Power quality of the mains is a very important, and unknown issue

• Use of nearby intended RF (cellphones, power…)

• Software-platform that is used must deliver “tractable” actions


10 CONCLUSIONS

Component level:

• Careful use of “new” components and second source components over the life-cycle of a product

• Implementation of watch-dogs!

• Software must be checked for software AND for its hardware execution!


10 CONCLUSIONS

Management level:

• “Standards” are available as a guidance for fail-safe design

• Risk-analysis must be performed for SRS

• Mixed applications (normal control and SRS) need

full compliance with functional safety


Workshop 23: EMV ‘01 (Augsburg)

14 march 2001

Prof. ir. J. Catrysse, KHBO

EMC & Functional Safety Workshop 23: EMV ‘01 (Augsburg) 14 march 2001 Prof. ir. J. Catrysse, KHBO.

Documents

emc functional safety

safety divisions

safetyinterlock slide

safety related applications

desired level of safety

safety integrity level

inadequate emc

emc directive