EMC & Functional Safety Workshop 23: EMV ‘01 (Augsburg) 14 march 2001 Prof. ir. J. Catrysse, KHBO
1 INTRODUCTION

All electronic technologies can suffer from degraded functionality due to disturbances, and modern technologies are more susceptible than traditional ones. The discipline dealing with this is known as EMC (electromagnetic compatibility).

Electronic technology is increasingly used in safety-related applications. Consequently, errors and misoperations of electronic devices due to inadequate EMC can result in hazardous situations with an increased risk of harm to people's health and safety.

Companies who are well versed in the safety of their traditional technologies may not be aware of the possibilities for increased risks associated with the use of electronic technologies. For example, a machinery manufacturer may use a programmable logic controller (PLC) to control a machine. When the PLC is interfered with, for example by EM disturbances from a nearby walkie-talkie, or by a voltage transient on its mains supply, it is possible that the machine could make an unintended movement, possibly putting nearby workers at increased risk of injury or even death.

The EMC and safety divisions within an organisation tend to use different skills and disciplines and may operate largely independently of each other. Important issues of EMC-related functional safety may then not be correctly addressed. Compliance with the EMC Directive (or its harmonised standards) may not ensure that EMC-related functional safety issues have been correctly addressed and relevant safety legislation met.

To correctly control EMC-related functional safety, hazard and risk assessments are needed. The following should be considered:
1.1 What electromagnetic (EM) disturbances, however infrequent, might the apparatus be exposed to?
1.2 What are the reasonably foreseeable effects of such disturbances on the apparatus?
1.3 How might the EM disturbances emitted by the apparatus affect other apparatus (existing or planned)?
1.4 What could be the reasonably foreseeable safety implications of the above-mentioned disturbances (what is the severity of the hazard, the scale of the risk, the safety integrity level required)?
1.5 What level of confidence (verification? proof?) is required that the above have been fully considered and all necessary action taken to achieve the desired level of safety?

Safety Related Systems (SRS) are systems (or parts of systems) which affect safety in some way. Normally, the term is used to describe systems that perform a specific function to reduce risks to a level which is considered to be tolerable. SRS are more and more implemented in E/E/PE (electrical/electronic/programmable electronic) technologies.
2 EXAMPLES

2.1 Failure of a safety interlock
Machine controlled by a µP. ESD and mains interference (EFT) switched the machine on while the interlock switch was in a "safe" position.

2.2 Gas detector disabled by handheld VHF radio
A gas detector switched itself "off" when a walkie-talkie was operated nearby (1 m).

2.3 Lift stops due to amateur radio
The "optical" control of the doors was disturbed (via the cabling) by an amateur-radio antenna mounted on top of the machine roof, on the roof of the building.

2.4 CNC machine affected by arc welding
Operation of a CNC machine was affected by a nearby arc-welding machine. Attention must be paid to welders, heaters and sealers, especially those using RF energy.

2.5 Milk coolers affected by mains
Mains disturbances affected the correct control of a milk cooler once a "new" batch of components was used. "Cooling" then works on a wrong temperature detection, affecting the end quality of the milk (and creating health risks for consumers). (E/EP)ROM changes have been observed.

2.6 Wheelchair EM immunity
Wheelchairs seem to be susceptible to RF fields of 5 to 15 V/m; brake release and self-start have been observed repeatedly. 50 V/m should be requested.

2.7 Safe-load indication and hand-held radio
Permanent changes in the calibration ROM due to a walkie-talkie operated nearby have been observed. Safety-critical systems must always be designed for possible extreme interference.

2.8 Failure of a valve in a steam generator
µP-based valve controller with a temperature sensor. Two failures were observed: RF-induced signals on the temperature-sensor wiring, causing wrong (too low) values; and mains interference affecting a badly designed watchdog in the µP circuitry.

2.9 Aeroplanes and laptops
Laptops (and other electronic devices such as games) easily interfere with aircraft navigation systems (and their cabling). EMI is part of the safety instructions on an aeroplane!

2.10 Computer failure
One of a number of computers controlling a chemical plant failed, resulting in the inappropriate setting of a number of process valves. Operating staff were potentially put at risk. Investigation revealed that an integrated circuit had failed in the microprocessor which controlled the operation of an input/output interface.

The failure meant that the processor set all signals for the output devices to logic 1 (all valves open). Failure of a microprocessor had been anticipated in the original design of the computer system, but the failure detection mechanism contained a design flaw.

Fault detection was by a "watchdog" circuit configured to trip when a status "bit" flipped to zero, thereby indicating a physical failure of the processor. However, when the integrated circuit failed it set all bits, including the status bit, to logic 1, the opposite of the state needed to trip the watchdog, so the failure was not recognised.

The root cause of this incident was that computer control had been superimposed upon an existing plant previously controlled by traditional technology. No hazard and risk analysis had been carried out before this change, and no safety integrity requirements specification had been developed.

Remarks
Functional safety is NOT covered by the EMC Directive and the related harmonised standards. Immunity levels and specified performance criteria are NOT intended to guarantee proper operation of SRS.

Examples of immunity problems for SRS are:
- ESD levels in reality: easily up to 15 kV, and still requiring fail-safe operation (EN: 8 kV and performance criterion B).
- RF systems: high-power and nearby operated RF communication systems, giving 15 V/m and more (EN: 10 V/m).
- EFT: some mains supplies are "polluted" with higher levels of transients than would normally be expected, and these may be higher than are covered by the EMC standards harmonised under the EMC Directive and used when CE marking (EN: 2 kV pulses in CM).

Conclusions
Users need to make sure that their supplies are not excessively polluted, and manufacturers need to make sure that mains-powered equipment used for safety-related functions will withstand atypical mains transients as far as is reasonable, and, when damaged by a transient (or suffering any other failure), will fail to a safe state.

It is not always recognised that a control system is safety-related. Microprocessor watchdog circuits are difficult to design for safety-critical applications, and should be supported by hardware and software EMC design techniques and an appropriate risk analysis.

Careful analysis of the EM environment must be performed, in order to know the possible "extreme" conditions. An appropriate risk analysis, and the consequent design, must be performed from component level up to system level.
3 EMC DIRECTIVE & FUNCTIONAL SAFETY

EMC Directive 89/336 and the related harmonised standards do not deal with safety at all:
3.1 "Safety" is NOT used in the text, and the EMC Directive only addresses "normal operation" in a "normal" EM environment.
3.2 The EMC Directive does not cover reasonably foreseeable faults, environmental extremes, operator errors, maintenance situations, or misuse, all considerations which are essential for functional safety.
3.3 Almost all the EMC standards harmonised under the EMC Directive either explicitly or implicitly exclude safety considerations.
3.4 All the EMC standards harmonised under the EMC Directive (or used for radio-communication Type Examination) cover a restricted number of EM disturbances, and their limits allow a finite probability of incompatibilities.
3.5 EMC Technical Construction Files (TCFs) can include significantly lower EMC performance (or lower confidence of performance) than would have been achieved had the harmonised standards been applied in full.
3.6 Safety may, in real life, depend upon correct operation of electronic apparatus when it is subjected to low-probability EM disturbances which are not covered by harmonised standards, or to a combination of EM disturbances (which is not foreseen in the harmonised standards).
3.7 The EM environment is continually changing with the use of new technologies, and so harmonised standards often lag behind real needs. For example, there is increasingly common use of cellphones, wireless LANs and other RF transmitters, and ever-faster computers. These frequently emit significant levels of disturbances at frequencies above 1 GHz, higher than the frequencies covered by even the latest issues of the harmonised immunity standards.
4 SAFETY

Key to the understanding of safety-related systems is the concept that a safety-related system carries out safety functions, and that a safety function should be specified both in terms of functionality (what the function does) and safety integrity (the probability of a safety function being performed satisfactorily when it is required).

The specification for safety integrity is derived by undertaking a hazard and risk analysis and determining the extent of risk reduction which the particular safety function brings about. The general principle is that more rigour is required in the engineering of safety-related systems at higher levels of safety integrity, in order to achieve the lower failure rates which are required to achieve tolerable risk.

4.1 EM environment
Qualify and quantify the exposure of the apparatus to the EM disturbances present in its intended operational environment(s), taking into account likely (or possible) changes to the environment(s) in the future. This should include all reasonably foreseeable exposure to EM disturbances of whatever kind. EN can be helpful guidance.

4.2 EM specification
Determine the acceptable immunity and emissions performance criteria for each safety-related function of the apparatus, for each of the EM disturbances identified above, to achieve the desired "compatibility margins" for the appropriate safety integrity levels.

The results are often most conveniently expressed as a table (matrix) of function versus EM phenomenon, with the performance criteria in the cells. (This is a hazards and risks assessment, and may result in different functional performance criteria than are required for compliance with the EMC Directive.)
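As an added illustration (not part of the presentation), the following Python script builds such a function-versus-phenomenon matrix and checks, cell by cell, whether the harmonised test levels quoted in the Remarks of section 2 (ESD 8 kV against 15 kV seen in practice, 10 V/m against 15 V/m, 2 kV EFT) would prove the compatibility margin a safety function needs. The two functions, the SIL-to-margin factors and the performance-criterion wording are constructed assumptions; the slides do not give the standard numbers and none are named here.

```python
"""Function-versus-phenomenon EM specification matrix with a compatibility-margin check.

Added example, not from the original presentation. Phenomena and levels come from the
slides; the functions, margin factors and criterion wording are constructed assumptions.
"""
from dataclasses import dataclass

# Harmonised-standard immunity test levels quoted on the slides (units: kV, V/m, kV).
HARMONISED_LEVEL = {"ESD": 8.0, "RF field": 10.0, "EFT": 2.0}
UNIT = {"ESD": "kV", "RF field": "V/m", "EFT": "kV"}

# Worst-case environment levels the slides report as realistic. The slides say polluted
# supplies can exceed 2 kV EFT without giving a figure, so 2 kV is an assumption here.
ENVIRONMENT_LEVEL = {"ESD": 15.0, "RF field": 15.0, "EFT": 2.0}

# Constructed assumption: the compatibility margin (a factor applied to the environment
# level) grows with the safety integrity level of the function. SIL 0 = not safety-related.
SIL_MARGIN = {0: 1.0, 1: 1.2, 2: 1.5, 3: 2.0}


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    sil: int
    criterion: str  # performance required during the disturbance (assumed wording)


def required_level(func: SafetyFunction, phenomenon: str) -> float:
    """Immunity level the function must withstand: environment level times SIL margin."""
    return ENVIRONMENT_LEVEL[phenomenon] * SIL_MARGIN[func.sil]


def build_matrix(functions, phenomena):
    """Return {(function name, phenomenon): cell}. Each cell records the criterion, the
    required level, the harmonised test level and whether that test alone covers it."""
    matrix = {}
    for f in functions:
        for ph in phenomena:
            req = required_level(f, ph)
            matrix[(f.name, ph)] = {
                "criterion": f.criterion,
                "required": req,
                "harmonised": HARMONISED_LEVEL[ph],
                "covered_by_harmonised_test": HARMONISED_LEVEL[ph] >= req,
            }
    return matrix


def uncovered_cells(matrix):
    """Cells where passing the harmonised test would not demonstrate the needed margin,
    i.e. where the safety case needs its own, more severe, immunity test."""
    return sorted(k for k, v in matrix.items() if not v["covered_by_harmonised_test"])


# Constructed sample functions: one safety interlock and one non-safety indication.
FUNCTIONS = [
    SafetyFunction("safety interlock (stop on guard open)", sil=2,
                   criterion="no loss of function, fail-safe"),
    SafetyFunction("status display", sil=0,
                   criterion="temporary degradation acceptable"),
]
PHENOMENA = ["ESD", "RF field", "EFT"]

if __name__ == "__main__":
    m = build_matrix(FUNCTIONS, PHENOMENA)
    for (fn, ph), cell in m.items():
        flag = "" if cell["covered_by_harmonised_test"] else "  <-- test beyond harmonised level"
        print(f"{fn:40s} {ph:9s} required {cell['required']:5.1f} {UNIT[ph]:3s} "
              f"harmonised {cell['harmonised']:4.1f} {UNIT[ph]:3s} [{cell['criterion']}]{flag}")
    print(f"{len(uncovered_cells(m))} of {len(m)} cells need testing above the harmonised level")
```

With the constructed values only the non-safety display under EFT is covered by the harmonised level; every cell of the SIL 2 interlock needs an immunity test above it, which is the slide's point that EMC Directive compliance and a functional-safety EM specification are different exercises.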
4.3 Test procedure
The test procedure and performance criteria which will be used to validate the immunity levels should then be specified. Performance criteria for immunity testing should take into account the hazards and risks associated with the application. For example, even temporary degradation of performance or loss of function may not be acceptable in some applications.

4.4 Design, build, verify, maintain
Ensure that all necessary steps are taken throughout the apparatus' entire life-cycle (including maintenance, upgrade, or refurbishment) to meet the EM functional performance criteria specified above, and that appropriate validation occurs before supply and after maintenance, modification, upgrade, and refurbishment (especially of software). Validation should ensure that the product's required functional performance is actually achieved in its intended operational environment(s), and that its safety is as required.

4.5 User instructions
Provide all the installation, use, and maintenance instructions necessary to define the EM environment that the apparatus is intended for, and to achieve and maintain the required EM performance. It is also recommended that a description of how EM interference may appear to the user, and the simple mitigation measures that the user can take, be included. IEC and IEC are recommended for guidance on good EMC build and installation practices.

4.6 Remarks
Testing is unlikely to reveal all the potential modes of functional degradation which may result from EM disturbances. In this respect, the achievement of EMC in the context of safety should be approached in a similar way to that necessary for safety-related software. That is, it is important that a systematic approach is adopted at all stages of the safety lifecycle in order to avoid, as far as possible, the introduction of systematic faults. It is particularly important that EMC is considered at an early stage during the design of equipment, as it is often then that the most effective measures can be taken (this is also likely to be the most cost-effective way to ensure EMC).

EM disturbances may be the cause of "common-cause faults". These are identical faults which occur at the same time in different parts of a system due to a common cause. It is particularly important to consider these in safety-related systems which employ redundant architectures as a means of protecting against random failures of hardware components. Estimates of hardware reliability should take into account the possibility of such common-cause faults, because they can significantly increase the likelihood of failure above that which results from consideration of random failures only.

Even during servicing and maintenance procedures, safety is still required, so maintenance and modification procedures should consider EMC. In particular, the use of mobile radiocommunications close to equipment which has had covers removed should be carefully controlled, particularly when equipment is being maintained "on-line".

Where protective devices (e.g. varistor transient suppressors) are used to achieve a level of immunity, and where failure of such a device could cause a reduction in immunity level which could lead to danger, then the failure of such devices should either be detected automatically (for example by the action of diagnostic tests) or the devices should be tested on a regular basis to reveal any failures. The periodicity of such tests would need to be determined on the basis of the acceptable probability of failure in a particular application.

The same applies to the design of watchdogs: the observation cycle and the bit patterns to be observed must be carefully chosen, to ensure a fail-safe "reset" of the µP system.
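The chemical-plant failure in example 2.10 (a watchdog that only trips when a status bit reads 0, defeated by an IC failure that drove every bit to 1) and the remark above about choosing the observation cycle and bit patterns can be modelled side by side. The following Python script is an added example, not code from the presentation: it simulates both watchdog designs against a healthy processor and three constructed failure modes (stuck-at-1, stuck-at-0, processor frozen after its last kick). The register widths, the 0x55/0xAA kick pattern and the window lengths are constructed assumptions.

```python
"""Watchdog supervision models: the single-status-bit design from the chemical-plant
example beside a pattern-based design with an observation window.

Added example, not from the presentation; all register values are constructed.
"""
from itertools import cycle

STATUS_BIT = 0x01  # bit the flawed watchdog monitors; trip expected only when it reads 0


def status_bit_watchdog_trips(status_sample: int) -> bool:
    """Flawed design: trip when the status bit flips to 0. A device that fails
    stuck-at-1 (all bits 1, including the status bit) is therefore never detected."""
    return (status_sample & STATUS_BIT) == 0


# Pattern-based design: the processor must write the next value of a predefined
# sequence into the kick register within each observation window. Alternating
# 0x55/0xAA means a stuck-at-0, stuck-at-1 or frozen register is never accepted.
KICK_PATTERN = (0x55, 0xAA)


def pattern_watchdog_trips(kick_samples, window: int = 1) -> bool:
    """Return True if any observation window passes without the expected next value.

    kick_samples: values read from the kick register, one per watchdog tick.
    window: ticks allowed per pattern step (the observation cycle); a larger window
            tolerates a late kick but lengthens the time to detect a hung processor.
    """
    expected = cycle(KICK_PATTERN)
    want = next(expected)
    ticks_without_kick = 0
    for sample in kick_samples:
        if sample == want:
            want = next(expected)
            ticks_without_kick = 0
        else:
            ticks_without_kick += 1
            if ticks_without_kick >= window:
                return True
    return False


def simulate(failure: str, ticks: int = 6):
    """Constructed (status register, kick register) samples, one pair per tick."""
    if failure == "none":
        return [0x01] * ticks, [KICK_PATTERN[i % 2] for i in range(ticks)]
    if failure == "stuck_at_1":  # the IC failure from example 2.10: every bit reads 1
        return [0xFF] * ticks, [0xFF] * ticks
    if failure == "stuck_at_0":
        return [0x00] * ticks, [0x00] * ticks
    if failure == "frozen":      # processor hangs after a kick; registers keep last value
        return [0x01] * ticks, [0x55] * ticks
    raise ValueError(f"unknown failure mode {failure!r}")


def compare(failure: str) -> dict:
    """Whether each design raises a reset for the given failure mode."""
    status, kicks = simulate(failure)
    return {
        "status_bit_design": any(status_bit_watchdog_trips(s) for s in status),
        "pattern_design": pattern_watchdog_trips(kicks, window=2),
    }


if __name__ == "__main__":
    for mode in ("none", "stuck_at_1", "stuck_at_0", "frozen"):
        print(f"{mode:11s} -> {compare(mode)}")
```

The stuck-at-1 row reproduces the incident: the status-bit design stays silent while the pattern design resets. The `window` parameter shows the trade-off the remark refers to: a window of 1 tick rejects a processor that is merely one tick late, a window of 2 tolerates it, and any longer window delays detection of a genuinely hung processor by the same amount.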
The above has dealt with the immunity of a product, system, or installation to its EM environment, but it must not be overlooked that some equipment can emit EM disturbances which can markedly worsen the local EM environment, possibly causing degraded functionality in other equipment. Audio or radio communication systems can be very susceptible to EM disturbances, which can lead to safety risks if they are used to communicate safety information. Some industrial, scientific, or medical equipment utilises radio-frequency (RF) energy at high power to perform its intended function (e.g. induction heating, plastic RF welding or sealing, RF-assisted metal welding), and emissions from these can cause errors in nearby instrumentation or control, with possible safety risks. So, when planning new equipment, steps need to be taken to ensure that its EM disturbances do not reduce the compatibility levels (safety margins) of the existing equipment below what is necessary for its functional safety.

Warning of a safety hazard is considered no substitute for guarding against it, where guarding is possible. Guarding is considered no substitute for designing the hazard out in the first place, where it is possible to design the hazard out.

4.7 Safety management
- Set-up of a safety programme plan, dealing with the milestones of the design phase, production, …
- Reference to procedures and standards: include techniques such as FTA, FMEA, …
- EMC hazards to be identified and addressed.

Two standards are involved:
- EN : Methodology for the achievement of functional safety of electrical and electronic equipment.
- EN 61508: Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems (SRS).

Conclusion: EMC and functional safety are NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed in order to ensure fail-safe operation over the complete life-cycle of a product.
5 EN

The document addresses the following items:
- safety description of the equipment
- safety requirements
- risk analysis tools
- check-list of measures and techniques
- design considerations

General considerations
- define structure, design and intended functions of the equipment
- describe the relevant electromagnetic environment
- specify the safety requirements
- analysis to identify the hazards which can cause safety risks
- EMC tests for safety
- produce operation and maintenance instructions to ensure safety in the course of time

The two most important items in the previous overview are:
- the dependability analysis, which confirms an appropriate design and/or the interpretation of test results
- the actual testing for safety, which confirms that the requirements are effectively fulfilled

Fig. Lifecycle and functional safety for individual equipment (stages shown: concept, hazard and risk analysis, safety specifications with the functional requirements, design & development, manufacture, validation, instructions for operation and maintenance, use of equipment, return for modification, disposal; EMC inputs feed the lifecycle at several stages)

Electromagnetic environment
The following disturbance phenomena must be considered and defined:
- conducted low-frequency phenomena
- radiated low-frequency phenomena
- conducted high-frequency phenomena
- radiated high-frequency phenomena
- electrostatic discharge

Table 1 - Overview of disturbance phenomena
- Conducted low-frequency phenomena: harmonics, interharmonics; signalling systems; voltage fluctuations; voltage dips and interruptions; voltage unbalance; power-frequency variations; induced low-frequency voltages; d.c. in a.c. networks
- Radiated low-frequency field phenomena: magnetic fields (continuous or transient); electric fields (continuous or transient)
- Conducted high-frequency phenomena: induced CW voltages or currents; unidirectional transients (single or repetitive (bursts)); oscillatory transients (single or repetitive (bursts))
- Radiated high-frequency field phenomena: magnetic fields; electric fields; electromagnetic fields (continuous waves; transients, single or repetitive)
- Electrostatic discharge phenomena (ESD)
- High-altitude electromagnetic pulse (HEMP), to be considered under special conditions

Safety requirements & failure criteria
- Safety integrity of the equipment against the EM ambient: this requires that the level of immunity against EM disturbances, combined with other causes, results in an overall acceptable risk.
- Safety integrity of the equipment against internal EMC: typical examples are internal ESD (moving plastic parts) and/or internal EFT (switching on/off of motors, valves, actuators, …).

Assessment methods
The dependability analysis can be based on two principles:
- Deductive methodology, or top-down. This method is event oriented: starting from a defined top event, it tries to identify the responsible components. The typical method used is Fault Tree Analysis (FTA).
- Inductive methodology, or bottom-up. This method identifies fault modes at component level and looks for the corresponding performance at system level.

EMC TESTING with regard to SAFETY
For immunity testing it was already proposed to specify two series of tests:
- for system parts not relevant for safety
- for system parts relevant for safety, with more severe immunity requirements if necessary
During testing, observable effects can be promoted by applying higher disturbance levels (higher repetition rates for transients, other modulation frequencies, signal shapes, …). Safety-related elements should be tested separately.

Risk analysis techniques
GENERAL CONSIDERATIONS
- tracing possibilities of multiple faults and common causes
- probability of the EM disturbance (variation with time)
- properties of the EM disturbance
- dependence on the state of the machine for identical causes
- the effect of disturbances can depend on the way of installation
- many disturbances can be present at the same time
- EMC will best fit with a TOP-DOWN analysis

ANALYSIS METHODS
- Fault Tree Analysis (FTA) as in IEC
- Failure Mode and Effect Analysis (FMEA) as in IEC
- Reliability of block diagrams and components as in IEC
- Markov Analysis as in IEC 61165
Other techniques:
- Event tree analysis
- Hazard and operability study (HAZOP)
- WHAT-IF method
- Method organised for a systemic analysis of risks (MOSAR)
- DELPHI

Check list of measures & techniques
Specify the unwanted safety events:
- no operation when operation required
- operation when no operation required
- wrong (and dangerous) operation
Specify the EM environments:
- reference to standards to determine disturbance levels
- measurement of the EM environment to confirm assumptions
Design and development strategy:
- structure reducing the probability of dangerous failures
- appropriate software development
- dependability analysis
- avoiding the use of susceptible components (if known)
- testing of components and subsystems, cabling, …
- use of appropriate CAD tools to reduce EMC problems
- use of consultancy and competence
- design reviews
Implementation and integration:
- procedures to ensure the procurement of correct components
- procedures to ensure correct assembly of equipment
- verification and quality assurance procedures
Installation:
- specification of constraints on length and routing of cables
- specification of types of cables
- specification of method of terminating screens
- specification of type of connectors
- specification of physical positioning relative to other equipment
- specification of power supply requirements
- specification of any screening/shielding in addition to the unit itself
- specification of earthing and bonding requirements
- specification of installation procedure and use of special materials
Safety validation:
- dependability analysis
- verification of correct implementation of safety requirements
- survey of actual EM environment to confirm assumptions
- laboratory testing of safety behaviour and functions
- immunity testing using higher levels to determine margins
- use of special conditions to exercise states known to be sensitive to EMC
- in situ testing of safety behaviour and functions
- quantitative evaluation of failure rates based on statistics
Operation and maintenance:
- specification and use of operating procedures to preserve EMC
- specification of restrictions on operation, also of other apparatus (e.g. use of GSM, …)
- specify disassembly/reassembly techniques to preserve EMC
- periodic testing of EMC-critical components
- periodic replacement of EMC-critical components (e.g. gaskets)
- periodic testing of safety-related components and functions
Modifications:
- assessment of the effect of any modification on the EMC of both the equipment under consideration and any other equipment which might be affected
6 EN

- Part 1 General requirements
- Part 2 Requirements for E/E/PE safety-related systems
- Part 3 Software requirements
- Part 4 Definitions and abbreviations
- Part 5 Examples of methods for the determination of SILs
- Part 6 Guidelines on the application of parts 2 and 3
- Part 7 Overview of techniques and measures

Part 1 General requirements
1 Scope
2 Conformance to this standard
3 Documentation
4 Management of functional safety
5 Overall safety lifecycle requirements
5.1 General
5.2 Concept
5.3 Overall scope definition
5.4 Hazard and risk analysis
5.5 Overall safety requirements
5.6 Safety requirements allocation
5.7 Overall operation and maintenance planning
5.8 Overall safety validation planning
5.9 Overall installation and commissioning planning
5.10 Realisation: E/E/PE
5.11 Overall installation and commissioning
5.12 Overall safety validation
5.13 Overall operation, maintenance and repair
5.14 Overall modification and retrofit
5.15 Decommissioning or disposal
5.16 Verification
6 Functional safety assessment
6.1 Objective
6.2 Requirements

Part 2 Requirements for E/E/PE safety-related systems
1 Scope
2 E/E/PES safety lifecycle requirements
2.1 General
2.2 E/E/PE system safety requirements specification
2.3 E/E/PE system safety validation planning
2.4 E/E/PE system design and development
2.5 E/E/PE system integration
2.6 E/E/PE system operation and maintenance procedures
2.7 E/E/PE system safety validation
2.8 E/E/PE system modification
2.9 E/E/PE system verification

Part 3 Software requirements
1 Scope
2 Software quality management system
2.1 Objectives
2.2 Requirements
3 Software safety lifecycle requirements
3.1 General
3.2 Software safety requirements specification
3.3 Software safety validation planning
3.4 Software design and development
3.5 Programmable electronics integration (hardware and software)
3.6 Software operation and modification procedures
3.7 Software safety validation
3.8 Software modification
3.9 Software verification
4 Functional safety assessment

Part 4 Definitions and abbreviations

Part 5 Examples of methods for the determination of SILs
1 Scope
2 Annex A: General concepts
2.1 General
2.2 Necessary risk reduction
2.3 Role of the E/E/PE SRSs
2.4 Safety integrity
2.5 Risk and safety integrity
2.6 Safety integrity levels and software SILs
2.7 Allocation of safety requirements
3 Annex B: ALARP and tolerable risk concepts
3.1 General
3.2 ALARP model (as low as reasonably practicable)
4 Annex C: Determination of SILs: a qualitative method
4.1 General
4.2 General method
4.3 Example calculation
5 Annex D: Determination of SILs: a qualitative method: risk graph
5.1 General
5.2 Risk graph synthesis
5.3 Other possible risk parameters
5.4 Risk graph implementation: general scheme
6 Annex E: Determination of SILs: a qualitative method: hazardous event severity matrix
6.1 General
6.2 Hazardous event severity matrix

Part 6 Guidelines on the application of parts 2 and 3
1 Scope
2 Annex A: Application of parts 2 and 3
2.1 General
2.2 Functional steps
3 Annex B: Example technique for evaluating probabilities of failure
4 Annex C: Calculation of the diagnostic coverage: worked example
5 Annex D: A methodology for quantifying the effect of hardware-related common cause failures in multi-channel PE systems
5.1 General
5.2 Brief overview
5.3 Scope of the methodology
5.4 Points taken into account in the methodology
5.5 Using β to calculate the probability of failure in an E/E/PE SRS due to common cause failures
5.6 Using the tables to estimate β
6 Annex E: Example of software safety integrity tables of part 3

Part 7 Overview of techniques and measures
1 Scope
7 RISK ANALYSIS METHODS

Different methods are available, but only a few are commonly used and/or standardised:
- Fault Tree Analysis (FTA): IEC
- Failure Mode and Effects Analysis (FMEA): IEC
- Reliability block diagrams (RBD): IEC
- Markov analysis: IEC
FTA and FMEA can "easily" be used for EMC events.

FTA: Fault Tree Analysis (IEC 61025)
- (top-down) deductive method
- can handle common-cause failures
- can handle time-varying failures
- events can also be degradation of performance only
- can be based on qualitative reasoning

FMEA: Failure Mode and Effects Analysis (IEC 60812)
- (bottom-up) inductive method
- hardware approach: consider failure of components; not suitable for EMC analysis
- functional approach: consider in what ways a function deviates from its specifications

For the analysis of EMC related to functional safety, FTA is the most suitable, because it starts from the failing state and goes down to the causes. An example is included in IEC. FMEA is most suitable for the analysis of component failures. The other methods are used for reliability and availability analysis of systems.
8 Example of safety analysis related to IEC 61508: SAFECHECK

The software package "SAFECHECK" is an electronic checklist related to the IEC 61508 standards, and results in two listings of "DONE" and "TO DO" items. It was developed under a research grant from the Flemish Government (SAFESYS).

9 Example of risk analysis related to FTA, FMEA, RBD and Markov: RELEX

The software package "RELEX" is a commercially available package, including risk analysis following the FTA, FMEA, RBD and Markov methods. It also includes a database of reliability data for electronic components, so that for FMEA, priority can be given to the components with the highest failure rate.

10 CONCLUSIONS

EMC and functional safety are NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed in order to ensure fail-safe operation over the complete life-cycle of a product.

System level:
- Power quality of the mains is a very important, and unknown, issue
- Use of nearby intended RF sources (cellphones, power, …)
- The software platform that is used must deliver "tractable" actions

Component level:
- Careful use of "new" components and second-source components over the life-cycle of a product
- Implementation of watchdogs!
- Software must be checked as software AND for its hardware execution!

Management level:
- "Standards" are available as guidance for fail-safe design
- Risk analysis must be performed for SRS
- Mixed applications (normal control and SRS) need full compliance with functional safety