Presentation on theme: "EMC & Functional Safety"— Presentation transcript:
1EMC & Functional Safety Workshop 23: EMV ‘01 (Augsburg)14 march 2001Prof. ir. J. Catrysse, KHBO
2EMC & Functional Safety 1 INTRODUCTIONAll electronic technologies can suffer from degraded functionality due to disturbances. Modern technologies are more susceptible than other ones. This discipline is known as EMC.
3EMC & Functional Safety 1 INTRODUCTIONElectronic technology is increasingly used in safety-related applications. Consequently, errors and misoperations of electronic devices due to inadequate EMC can result in hazardous situations with an increased risk of harm people’s health and safety.
4EMC & Functional Safety 1 INTRODUCTIONCompanies who are well versed in the safety of their traditional technologies may not be aware of the possibilities for increased risks associated with the use of electronic technologies. For example, a machinery manufacturer may use a programmable logic controller (PLC) to control a machine.
5EMC & Functional Safety 1 INTRODUCTIONWhen the PLC is interfered with, for example by EM disturbances from a nearby walkie-talkie, or by a voltage transient on its mains supply, it is possible that the machine could make an unintended movement-possible putting nearby workers at increased risk or injury or even death.
6EMC & Functional Safety 1 INTRODUCTIONThe EMC and safety divisions within an organisation tend to use different skills and disciplines and may operate largely independent of each other. Important issues of EMC-related functional safety may not be correctly addressed. Compliance with the EMC Directive (or its harmonised standards) may not ensure that EMC-related functional safety issues have been correctly addressed and relevant safety legislation met.
7EMC & Functional Safety 1 INTRODUCTIONTo correctly control EMC-related functional safety, hazard and risk assessments are needed. The following should be considered:1.1 What electromagnetic (EM) disturbances, however infrequent, might the apparatus be exposed to?1.2 What are the reasonably foreseeable effects of such disturbances on the apparatus?
8EMC & Functional Safety 1 INTRODUCTION1.3 How might the EM disturbances emitted by the apparatus affect other apparatus (existing or planned)?1.4 What could be the reasonably foreseeable safety implications of the above mentioned disturbances (what is the severity of the hazard, the scale of the risk, the safety integrity level required?
9EMC & Functional Safety 1 INTRODUCTION1.5 What level of confidence (verification? proof?) is required that the above have been fully considered and all necessary action taken to achieve the desired level of safety?
10EMC & Functional Safety 1 INTRODUCTIONSafety Related Systems (SRS) are systems (a part of) which affect safety in some way. Normally, the term is used to describe systems that perform a specific function to reduce risks to a level which is considered to be tolerable. SRS are more and more implemented in E/E/PE technologies.
11EMC & Functional Safety 2 EXAMPLES2.1 Failure of a safety-interlockControlled by µP ESD and mains-interference (EFT) switched on the machine, while the interlock-switch was in a “safe” position.
12EMC & Functional Safety 2 EXAMPLES2.2 Gas-detector disabled by handheld VHF radioGas-detector switched itself “off” by operation of a walkie-talkie in a nearby position (1m).
13EMC & Functional Safety 2 EXAMPLES2.3 Lift stops due to amateur-radio“Optical” control of doors was disturbed (cabling) due to an amateur-radio (antenna on top of the machine-roof, on the roof of a building).
14EMC & Functional Safety 2 EXAMPLES2.4 CNC machine affected by arc-weldingOperation of a CNC machine was affected by a nearby arc-welding machine. Attention must be paid to welders, heaters, sealers and especially those using RF energy.
15EMC & Functional Safety 2 EXAMPLES2.5 Milk-coolers affected by mainsMains-disturbances affects the good control of a milk-cooler, since a “new” batch of components was used. “Cooling” works at wrong temperature-detection. Affecting the end-quality of the milk (and health-risks for consumers). (E/EP)ROM changes have been observed.
16EMC & Functional Safety 2 EXAMPLES2.6 Wheelchair EM immunityWheelchairs seem to be susceptible to RF fields of 5 to 15 V/m. Brake release and self-start are repeated. 50 V/m should be requested.
17EMC & Functional Safety 2 EXAMPLES2.7 Safe-load indication and hand-held radioPermanent change in the calibration ROM due to nearby operated walkie-talkie have been observed. Safety-critical systems must always be designed to possible extreme interference.
18EMC & Functional Safety 2 EXAMPLES2.8 Failure of a valve in a steam-generatorµP based valve controller, and a temperature sensor. Two failures were observed: RF induced signals on the temperature-sensor wiring, causing wrong values (too low). And mains interference affecting a badly designed watch-dog in the µP circuitry.
19EMC & Functional Safety 2 EXAMPLES2.9 Aeroplanes and laptopsLaptops (and other electronic games) easily interfere with the aircraft navigation systems (and their cabling).EMI is part of the safety-instructions on an aeroplane!
20EMC & Functional Safety 2 EXAMPLES2.10 Computer failureOne of a number computers controlling a chemical plant failed, resulting in the appropriate setting of a number of process valves. Operating staff were potentially put at risk.Investigation revealed than an integrated circuit had failed in the microprocessor which controlled the operation of an input/output interface
21EMC & Functional Safety 2 EXAMPLES2.10 Computer failure (Cont’d)The failure meant that the processor set all signals for the output devices to logic 1 (all valves open). Failure of a microprocessor had been anticipated in the original design of the computer system, but the failure detection mechanism contained a design flaw.
22EMC & Functional Safety 2 EXAMPLES2.10 Computer failure (Cont’d)Fault detection was by a “watchdog” circuit configured to trip when a status “bit” flipped to zero-thereby indicating a physical failure of the processor. However when the integrated circuit failed it set all bits, including the status bit, to logic 1-the opposite to the state needed to trip the watchdog, so the failure was not recognised.
23EMC & Functional Safety 2 EXAMPLES2.10 Computer failure (Cont’d)The root cause of this incident was that computer control had been superimposed upon an existing plant previously controlled by traditional technology. No hazard and risk analysis had been carried out before this change, and no safety integrity requirements specification had been developed.
24EMC & Functional Safety 2 EXAMPLESRemarksFunctional Safety is NOT covered by the EMC Directive and the related harmonised standards, Immunity levels and specified performance criteria are NOT intended to guarantee proper operation of SRS.
25EMC & Functional Safety 2 EXAMPLESRemarks (Cont’d)Examples of immunity problems for SRS are:ESD levels in reality: easily into 15 KV and still requiring fail safe operation. (EN : 8 KV and performance B)RF systems: high power and near-by operated RF communication systems, giving 15 V/m and more. (EN : 10 V/m)
26EMC & Functional Safety 2 EXAMPLESRemarks (Cont’d)EFT: some main supplies are ‘polluted’ with higher levels of transient than would normally be expected, and these may be higher than are covered by EMC standards harmonised under the EMC Directive and used when CE marking. (EN : 2 KV pulses in CM)
27EMC & Functional Safety 2 EXAMPLESConclusionsUsers need to make sure that their supplies are not excessively polluted and manufacturers need to make sure that mains-powered equipment used for safety-related functions will withstand atypical mains transient as much as is reasonable, and when damaged by a transient (or suffer any other failure) will fail to a safe state.
28EMC & Functional Safety 2 EXAMPLESConclusions (Cont’d)It is not always recognised that a control system is safety-related. Microprocessor watchdog circuits are difficult to design for safety-critical applications, and should be supported by hardware and software EMC design techniques, and an appropriated risk-analysis.
29EMC & Functional Safety 2 EXAMPLESConclusions (Cont’d)Careful analysis of the EM environment must be performed, in order to know the possible “extreme” conditions.And an appropriated risk-analysis - and consequent design - must be performed from component level into system level.
30EMC & Functional Safety 3 EMC DIRECTIVE & FUNCTIONAL SAFETYEMC Directive 89/336 and the related harmonised standards are not dealing with safety at all:3.1 “Safety” is NOT used in the text, and the EMC Directive is only addressing “normal operation” under “normal” EM environment.
31EMC & Functional Safety 3 EMC DIRECTIVE & FUNCTIONAL SAFETY3.2 The EMC Directive does not cover reasonable foreseeable faults, environmental extremes, operator errors, maintenance situations, or misuse-all considerations which are essential for functional safety.3.3 Almost all the EMC standards harmonised under the EMC Directive either explicitly or implicitly exclude safety considerations
32EMC & Functional Safety 3 EMC DIRECTIVE & FUNCTIONAL SAFETY3.4 All the EMC standards harmonised under the EMC Directive (or used for radio-communication Type Examination) cover a restricted number of EM disturbances, and their limits allow a finite probability of incompatibilities.
33EMC & Functional Safety 3 EMC DIRECTIVE & FUNCTIONAL SAFETY3.5 EMC Technical Construction Files (TCFs) can include significantly lower EMC performance (or lower confidence of performance) than would have been achieved had the harmonised standards been applied in full.
34EMC & Functional Safety 3 EMC DIRECTIVE & FUNCTIONAL SAFETY3.6 Safety may, in real life, depend upon correct operation of electronic apparatus when it is subjected to low-probability EM disturbances which are not covered by harmonised standards. Or a combination of EM disturbances (which is not foreseen in the harmonised standards).
35EMC & Functional Safety 3 EMC DIRECTIVE & FUNCTIONAL SAFETY3.7 The EM environment is continually changing the use of new technologies, and so harmonised standards often lag behind real needs. For example, there is increasingly common use of cellphones, wireless LANs and other RF transmitters, and ever-faster computers.
36EMC & Functional Safety 3 EMC DIRECTIVE & FUNCTIONAL SAFETY3.7 (Cont’d) These frequently emit significant levels of disturbances at frequencies above 1 GHz, higher than the frequencies covered by even the latest issues of the harmonised immunity standards.
37EMC & Functional Safety Key to the understanding of safety-related systems is the concept that a safety-related system carries out safety functions; and that a safety function should be specified both in terms of functionality (what the function does) and safety integrity (the probability of a safety function being performed satisfactorily when it is required).
38EMC & Functional Safety (Cont’d) The specification for safety integrity is derived by undertaking a hazard & risk analysis and determining the extent of risk reduction which the particular safety function brings about. The general principle is that more rigour is required in the engineering of safety-related systems at higher levels of safety integrity in order to achieve the lower failure rates which are required to achieve tolerable risk.
39EMC & Functional Safety 4.1 EM environmentQualify and quantify the exposure of the apparatus to the EM disturbances present in its intended operational environment(s), taking into account likely (or possible) changes to the environment(s) in the future. This should include all reasonably foreseeable exposure to EM disturbances of whatever kind. EN can be a helpful guidance
40EMC & Functional Safety 4.2 EM SpecificationDetermine the acceptable immunity and emissions performance criteria for each safety-related function of the apparatus, for each of the EM disturbances identified above, to achieve the desired “compatibility margins” for the appropriate safety integrity levels.
41EMC & Functional Safety 4.2 EM Specification (Cont’d)The results are often most conveniently expressed as a table (matrix) of function versus EM phenomenon, with the performance criteria in the cells. (This is a hazards and risks assessment, and may result in different functional performance criteria than are required for compliance with the EMC Directive).
42EMC & Functional Safety 4.3 Test ProcedureThe test procedure and performance criteria which will be used to validate the immunity levels should then be specified.Performance criteria for immunity testing should take into account the hazards and risks associated with the application. For example, even temporary degradation of performance or loss of function may not be acceptable in some applications.
43EMC & Functional Safety 4.4 Design, build, verify, maintainEnsure that all necessary steps are taken throughout the apparatus’ entire life-cycle (including maintenance, upgrade, or refurbishment) to meet the EM functional performance criteria specified above, and that appropriate validation occurs before supply and after maintenance, modification, upgrade, and refurbishment (especially software).
44EMC & Functional Safety 4.4 Design, build, verify, maintain (Cont’d)Validation should ensure that the product’s required functional performance is actually achieved in its intended operational environment(s), and that its safety is as required.
45EMC & Functional Safety 4.4 User InstructionsProvide all the installation, use, and maintenance instructions necessary to define the EM environment that the apparatus is intended for, and achieve and maintain the required EM performance.
46EMC & Functional Safety 4.5 User Instructions (Cont’d)It is also recommended that a description of how EM interference may appear to the user, and the simple mitigation measures that the user can take, be included.IEC and IEC are recommended for guidance on good EMC build and installation practices.
47EMC & Functional Safety 4.6 Remarks4.6.1 Testing is unlikely to reveal all the potential modes of functional degradation which may result from EM disturbances. In this respect, the achievement of EMC in the context of safety should be approached in a similar way to that necessary for safety-related software.
48EMC & Functional Safety 4.6 Remarks4.6.1 (Cont’d)That is, it is important that a systematic approach is adopted at all stages of the safety-lifecycle in order to avoid, as far as possible, the introduction of systematic faults.
49EMC & Functional Safety 4.6 Remarks4.6.1 (Cont’d) It is particularly important that EMC is considered at an early stage during the design of equipment as it is often then that the most effective measures can be taken (this is also likely to be the most cost-effective way to ensure EMC).
50EMC & Functional Safety 4.6 Remarks4.6.2 EM disturbances may be the cause of “common-cause faults”. These are identical faults which occur at the same time in different parts of a system due to a common cause.It is particularly important to consider these in safety-related system which employ redundant architectures as a means of protecting against random failures of hardware components.
51EMC & Functional Safety 4.6 Remarks4.6.2 (Cont’d) Estimates of hardware reliability should take into account the possibility of such common-cause faults because they can significantly increase the likelihood of failure from that which results from consideration of random failures only.
52EMC & Functional Safety 4.6 Remarks4.6.3 (Cont’d) Even during servicing and maintenance procedures, safety is still required, so maintenance and modification procedures should consider EMC.In particular, the use of mobile radiocommunications close to equipment which has had covers removed should be carefully controlled, particularly when equipment is being maintained “on-line”.
53EMC & Functional Safety 4.6 Remarks4.6.4 Where protective devices (e.g. varistor transient suppressers) are used to achieve a level of immunity and where failure of such a device could cause a reduction in immunity level which could lead to danger, then the failure of such devices should either be detected automatically (for example by the action of diagnostic tests) or the devices should be tested on a regular basis to reveal any failures.
54EMC & Functional Safety 4.6 Remarks4.6.4 (Cont’d) The periodicity of such tests would need to be determined on the basis of the acceptable probability of failure in a particularly application.
55EMC & Functional Safety 4.6 Remarks4.6.5 (Cont’d) The same acts for the design of watch-dogs:the observation-cycle and the bit-patterns to be observed must be carefully chosen, to ensure a fail-safe “reset” of the µP systems.
56EMC & Functional Safety 4.6 Remarks4.6.6 (Cont’d) The above has dealt with the immunity of a product, system, or installation to its EM environment, but it must not be overlooked that some equipment can emit EM disturbances which can markedly worsen their local EM environment, possible causing degraded functionality in other equipment.
57EMC & Functional Safety 4.6 Remarks4.6.6 (Cont’d) Audio or radio communication systems can be very susceptible to EM disturbances, which can lead to safety risks if they are used to communicate safety information.
58EMC & Functional Safety 4.6 Remarks4.6.6 (Cont’d) Some industrial, scientific, or medical equipment utilises radio frequency (RF) energy at high powers to perform its intended function (e.g. induction heating, plastic RF welding or sealing, RF-assisted metal welding), and emissions from these can cause errors in nearby instrumentation or control, with possible safety risks.
59EMC & Functional Safety 4.6 Remarks4.6.6 (Cont’d) So, when planning new equipment, steps need to be taken to ensure that its EM disturbances do not reduce the compatibility levels (safety margins) for the existing equipment below what is necessary for its functional safety.
60EMC & Functional Safety 4.6 Remarks4.6.7 Warning of a safety hazard is considered no substitute for guarding against it-where guarding is possible.Guarding is considered no substitute for designing the hazard out in the first place-where it is possible to design the hazard out.
61EMC & Functional Safety 4.7 Safety managementSet-up of safety programme plan, dealing with the mile-stones on design phase, production, …Reference to procedures and standards: include techniques as FTA, FMEA, …EMC hazards to be identified and to be applied
62EMC & Functional Safety 4.7 Safety management (Cont’d)Two standards are involved:EN : Methodology for the achievement of functional safety of electrical and electronic equipment.
63EMC & Functional Safety 4.7 Safety management (Cont’d)EN 61508: Functional safety of electrical/electronic/ programmable electronic (E/E/PE) safety related systems (SRS)
64EMC & Functional Safety 4.7 Safety management (Cont’d)Conclusion:EMC and Functional Safety is NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed, in order to ensure fail safe operation over the complete life-cycle of a product.
65EMC & Functional Safety 5 ENThe document is addressing the following items:safety description of the equipmentsafety requirementsrisk analysis toolscheck-list of measures and techniquesdesign considerations
66EMC & Functional Safety 5 ENGeneral considerationsdefine structure, design and intended functions of the equipmentdescribe the relevant electromagnetic environmentspecify the safety requirementsanalysis to identify the hazards which can cause safety risks
67EMC & Functional Safety 5 ENGeneral considerations (Cont’d)EMC tests for safetyproduce operation and maintenance instructions to ensure safety in the course of time
68EMC & Functional Safety 5 ENGeneral considerations (Cont’d)The two most important items in the previous overview are:dependability analysis which confirms an appropriate design and/or the interpretation of test resultsthe actual testing for safety which confirms that the requirements are effectively fulfilled
69Functional requirements EMC inputs EMC & Functional Safety5 ENConceptFunctional requirementsEMC inputsHazard and risk anaysisEMC inputsSafety specificationsFig. Lifecycle and functional safety for individual equipment
70Return for modification EMC & Functional Safety5 ENDesign & developmentEMC inputsReturn for modificationEMC inputsValidationManufactureEMC inputsEMC inputsUse of equipmentInstructions for operation and maintenanceDisposalFig. Lifecycle and functional safety for individual equipment
71EMC & Functional Safety 5 ENElectromagnetic environmentThe following disturbance phenomena must be considered and defined:conducted low frequency phenomenaradiated low frequency phenomenaconducted high frequency phenomenaradiated high frequency phenomenaelectrostatic discharge
72EMC & Functional Safety 5 ENTable 1-Overview of disturbance phenomenaConducted low frequency phenomenaHarmonics, interharmonicsSignalling systemsVoltage fluctuationsVoltage dips and interruptionsVoltage unbalancePower frequency variationsInduced low frequency voltagesd.c. in a.c. networks
73EMC & Functional Safety 5 ENTable 1-Overview of disturbance phenomenaRadiated low frequency field phenomenaMagnetic fields*Electrical fields * continuous or transientConducted high frequency phenomenaInduced CW voltages or currents Unidirectional transient*Oscillatory transient* * Single or repetitive (bursts)
74EMC & Functional Safety 5 ENTable 1-Overview of disturbance phenomenaRadiated high frequency field phenomenaMagnetic fieldsElectrical fieldsElectromagnetic fields > continuous waves > transient* *Single or repetitiveElectrostatic discharge phenomena (ESD)High altitude electromagnetic pulse (HEMP)* * to be considered under special conditions
75EMC & Functional Safety 5 ENSafety requirements & failure criteriaSafety integrity of the equipment against Emambient: this inquires that the level of immunity against EMC, combined with other causes, result in an overall acceptable riskSafety integrity of the equipment against internal EMC: typical examples are internal ESD (moving plastic parts) and/or internal EFT (switching on/off of motors, valves, actuators…)
76EMC & Functional Safety 5 ENAssessment methods The dependability analysis can be based on two principles:Deductive methodology or top-down This method is event oriented: starting from a defined top event it will try to identify the responsible components Typical method used is Fault Tree Analysis (FTA)
77EMC & Functional Safety 5 ENAssessment methods (Cont’d)Inductive methodology or bottom-up This method will identify fault modes at component level, and will look for the corresponding performance at system level.
78EMC & Functional Safety 5 ENEMC TESTING with regard to SAFETYFor EMC testing against immunity, it was already proposed to specify two series of tests:for system parts not relevant for safetyfor system parts relevant for safety, with more severe immunity requirements if necessary
79EMC & Functional Safety 5 ENEMC TESTING with regard to SAFETY (Cont’d)During testing, observable effects can be promoted by applying higher disturbance levels (higher repetition rates for transients, other modulation frequencies, signal shapes,…). Safety related elements should be tested separately.
80EMC & Functional Safety 5 ENRisk analysis techniques GENERAL CONSIDERATIONStracing possibilities of multiple faults and common causesprobability of the EM disturbance (variation with time)properties of the EM disturbancedependence of the state of the machine for identical causes
81EMC & Functional Safety 5 ENRisk analysis techniques GENERAL CONSIDERATIONS (Cont’d)effect of disturbances can depend on the way of installationmany disturbances can be present at the same timeEMC will best fit with a TOP-DOWN analysis
82EMC & Functional Safety 5 ENRisk analysis techniques ANALYSIS METHODSFault Tree Analysis (FTA) as in IEC 61025Failure Mode and Effect Analysis (FMEA) as in IEC 60812Reliability of block diagrams and components as in IEC 61078Markov Analysis as in IEC 61165
83EMC & Functional Safety 5 ENRisk analysis techniques ANALYSIS METHODS (Cont’d)Other techniques: > Event tree analysis > Hazard and operability study (HAZOP) > WHAT-IF method > Method organised for a systemic analysis of risks (MOSAR) > DELPHI
84EMC & Functional Safety 5 ENCheck list of measures & techniques Specify the unwanted safety eventsno operation when operation requiredoperation when no operation requiredwrong (and dangerous) operation
85EMC & Functional Safety 5 ENCheck list of measures & techniques Specify to EM environmentsreference to standards to determine disturbance levelsmeasurement of the EM environment to confirm assumptions
86EMC & Functional Safety 5 ENCheck list of measures & techniques Design and development strategystructure reducing the probability of dangerous failuresappropriate software developmentdependability analysisavoiding the use of susceptible components (if known)
87EMC & Functional Safety 5 ENCheck list of measures & techniques Design and development strategy (Cont’d)testing of components and subsystems, cabling…use of appropriate CAD tools to reduce EMCuse of consultancy and competencedesign reviews
88EMC & Functional Safety 5 ENCheck list of measures & techniques Implementation and integrationprocedures to ensure the procurement of correct componentsprocedures to ensure correct assembly of equipmentverification and quality assurance procedures
89EMC & Functional Safety 5 ENCheck list of measures & techniques Installationspecification of constraints on length and routing of cablesspecification of types of cablesspecification of method of terminating screensspecification of type of connectors
90EMC & Functional Safety 5 ENCheck list of measures & techniques Installation (Cont’d)specification of physical positioning to other equipmentspecification of power supply requirementsspecification of any screening/shielding in addition to unit itself
91EMC & Functional Safety 5 ENCheck list of measures & techniques Installation (Cont’d)specification of earthing and bonding requirementsspecification of installation procedure & use of special materials
92EMC & Functional Safety 5 ENCheck list of measures & techniques Safety Validationdependability analysisverification of correct implementation of safety requirementssurvey of actual EM environment to confirm assumptions
93EMC & Functional Safety 5 ENCheck list of measures & techniques Safety Validation (Cont’d)laboratory testing of safety behaviour and functionsimmunity testing using higher levels to determine marginsuse special conditions to exercise known sensitive states to EMC
94EMC & Functional Safety 5 ENCheck list of measures & techniques Safety Validation (Cont’d)in situ testing of safety behaviour and functionsquantitative evaluation of failure rates based on statistics
95EMC & Functional Safety 5 ENCheck list of measures & techniques Operation and maintenancespecification and use of operating procedures to preserve EMCspecification of restrictions on operation, also other apparatus (ex. use of GSM, ...)specify disassembly/reassemble techniques to preserve EMC
96EMC & Functional Safety 5 ENCheck list of measures & techniques Operation and maintenance (Cont’d)periodic testing of EMC critical componentsperiodic replacement of EMC critical components (ex. gaskets)periodic testing of safety related components & functions
97EMC & Functional Safety 5 ENCheck list of measures & techniques Modificationsassessment of the effect of any modification on EMC of both equipment under consideration and any other equipment which might be affected
98EMC & Functional Safety 6 EN 61508Part 1 General requirementsPart 2 Requirements for E/E/PE safety related systemsPart 3 Software requirementsPart 4 Definitions and abbreviationsPart 5 Examples of methods for the determination of SIL’sPart 6 Guidelines on the application of parts 2 and 3Part 7 Overview of techniques and measures
99Part 1 General requirements EMC & Functional Safety6 EN 61508Part 1 General requirements1 Scope2 Conformance to this standards3 Documentation4 Management of functional safety
100Part 1 General requirements EMC & Functional Safety6 EN 61508Part 1 General requirements5 Overall safety lifecycle requirements5.1 General5.2 Concept5.3 Overall scope definition5.4 Hazard and risk analysis5.5 Overall safety requirements5.6 Safety requirements allocation5.7 Overall operation and maintenance planning5.8 Overall safety validation planning
101Part 1 General requirements EMC & Functional Safety6 EN 61508Part 1 General requirements5.9 Overall installation and commissioning planning5.10 Realisation: E/E/PE5.11 Overall installation and commissioning5.12 Overall safety validation5.13 Overall operation, maintenance and repair5.14 Overall modification and retrofit5.15 Decommissioning or disposal5.16 Verification
102Part 1 General requirements EMC & Functional Safety6 EN 61508Part 1 General requirements6 Functional safety assessment6.1 Objective6.2 Requirements
103Part 2 Requirements for E/E/PE safety related systems EMC & Functional Safety6 EN 61508Part 2 Requirements for E/E/PE safety related systems1 Scope2 E/E/PES safety lifecycle requirements2.1 General2.2 E/E/PE system safety requirements specification2.3 E/E/PE system safety validation planning2.4 E/E/PE system design and development2.5 E/E/PE system integration
104Part 2 Requirements for E/E/PE safety related systems EMC & Functional Safety6 EN 61508Part 2 Requirements for E/E/PE safety related systems2.6 E/E/PE system operation and maintenance procedures2.7 E/E/PE system safety validation2.8 E/E/PE system modification2.9 E/E/PE system verification
107Part 4 Definitions and abbreviations EMC & Functional Safety6 EN 61508Part 4 Definitions and abbreviations
108Part 5 Examples of methods for the determination of SIL’s EMC & Functional Safety6 EN 61508Part 5 Examples of methods for the determination of SIL’s1 Scope2 Annex A: General concepts2.1 General2.2 Necessary risk reduction2.3 Role of the E/E/PE SRS’s2.4 Safety integrity2.5 Risk and safety integrity2.6 Safety integrity levels and software SIL’s2.7 Allocation of safety requirements
109Part 5 Examples of methods for the determination of SIL’s EMC & Functional Safety6 EN 61508Part 5 Examples of methods for the determination of SIL’s3 Annex B: ALARP and tolerable risk concepts3.1 General3.2 ALARP model (as low as reasonably practicable)
110Part 5 Examples of methods for the determination of SIL’s EMC & Functional Safety6 EN 61508Part 5 Examples of methods for the determination of SIL’s4 Annex C: determination of SIL’s: a qualitative method4.1 General4.2 General method4.3 Example calculation
111Part 5 Examples of methods for the determination of SIL’s EMC & Functional Safety6 EN 61508Part 5 Examples of methods for the determination of SIL’s5 Annex D: determination of SIL’s: a qualitative method: risk graph5.1 General5.2 Risk graph synthesis5.3 Other possible risk parameters5.4 Risk graph implementation: general scheme
112Part 5 Examples of methods for the determination of SIL’s EMC & Functional Safety6 EN 61508Part 5 Examples of methods for the determination of SIL’s6 Annex E: determination of SIL’s: a qualitative method: hazardous event severity matrix6.1 General6.2 Hazardous event severity matrix
113Part 6 Guidelines on the application of parts 2 and 3 EMC & Functional Safety6 EN 61508Part 6 Guidelines on the application of parts 2 and 31 Scope2 Annex A: Application of parts 2 and 32.1 General2.2 Functional steps3 Annex B: Example technique for evaluating probabilities of failure4 Annex C: Calculation of the diagnostic coverage: worked example
114Part 6 Guidelines on the application of parts 2 and 3 EMC & Functional Safety6 EN 61508Part 6 Guidelines on the application of parts 2 and 35 Annex D: A methodology for quantifying the effect of hardware-related common cause failures in multi-channel PE systems5.1 General5.2 Brief overview5.3 Scope of the methodology
115Part 6 Guidelines on the application of parts 2 and 3 EMC & Functional Safety6 EN 61508Part 6 Guidelines on the application of parts 2 and 35.4 Points taken into account in the methodology5.5 Using ß to calculate the prob of failure in a E/E/PE SRS due to common cause failures5.6 Using the tables to estimate ß6 Annex E: Example of software safety integrity tables of part 3
116Part 7 Overview of techniques and measures EMC & Functional Safety6 EN 61508Part 7 Overview of techniques and measures1 Scope
117EMC & Functional Safety 7 RISK ANALYSIS METHODSDifferent methods are available, but only a few are commonly used and/or standardised:Fault Tree Analysis (FTA): IEC 61025Failure Mode Effects Analysis (FMEA): IEC 60812Reliability of block diagrams (RBD): IEC 61078Markov analysis: IEC 61165FTA and FMEA can “easily” be used for EMC events.
118EMC & Functional Safety 7 RISK ANALYSIS METHODSFTA: Fault Tree Analysis (IEC 61025) (top down)deductive methodcan handle common causes failurescan handle time varying failuresevents can also be degradation of performance onlycan be based on qualitative reasoning
119EMC & Functional Safety 7 RISK ANALYSIS METHODSFMEA: Failure Mode and Effects Analysis (IEC 60812) (bottom up)inductive methodhardware approach: consider failure of components not suitable for EMC analysisfunctional approach: consider in what ways a function deviate from specifications
120EMC & Functional Safety 7 RISK ANALYSIS METHODSFor the analysis of EMC related to functional safety, FTA analysis is the most suitable. Because it starts from the failing state, and goes down to the causes. An example is included in IEC FMEA is most suitable for the analysis, where components fail.The other methods are used for reliability and availability analysis of systems.
121EMC & Functional Safety 8 Example of Safety Analysis related to IEC 61508: SAFECHECKThe software package “SAFECHECK” is an electronic checklist related to the standards IEC 61508, and results in 2 listings of “DONE” and “TO DO” items.It has been developed due to a research grant by the Flemish Government: SAFESYS
122EMC & Functional Safety 9 Example of risk analysis, related to FTA, FMEA, RBD and Markov: RELEXThe software package “RELEX” is a commercially available package, including risk analysis following the FTA, FMEA, RBD and Markov methods.It also includes a database of reliability data of electronic components , so that for FMEA, priority can be given to these components with the highest failure rate.
123EMC & Functional Safety 10 CONCLUSIONSEMC and Functional Safety is NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed, in order to ensure fail safe operation over the complete life-cycle of a product.
124EMC & Functional Safety 10 CONCLUSIONSSystem level:Power quality of the mains is a very important, and unknown issueUse of nearby intended RF (cellphones, power…)Software-platform that is used must deliver “tractable” actions
125EMC & Functional Safety 10 CONCLUSIONSComponent level:Careful use of “new” components and second source components over the life-cycle of a productImplementation of watch-dogs!Software must be checked for software AND for its hardware execution!
126EMC & Functional Safety 10 CONCLUSIONSManagement level:“Standards” are available as a guidance for fail-safe designRisk-analysis must be performed for SRSMixed applications (normal control and SRS) need full compliance with functional safety
127EMC & Functional Safety Workshop 23: EMV ‘01 (Augsburg)14 march 2001Prof. ir. J. Catrysse, KHBO