
1 EMC & Functional Safety
Workshop 23: EMV ‘01 (Augsburg), 14 March 2001. Prof. ir. J. Catrysse, KHBO

2 EMC & Functional Safety
1 INTRODUCTION All electronic technologies can suffer from degraded functionality due to disturbances. Modern technologies are more susceptible than older ones. This discipline is known as EMC.

3 EMC & Functional Safety
1 INTRODUCTION Electronic technology is increasingly used in safety-related applications. Consequently, errors and misoperation of electronic devices due to inadequate EMC can result in hazardous situations with an increased risk of harm to people’s health and safety.

4 EMC & Functional Safety
1 INTRODUCTION Companies that are well versed in the safety of their traditional technologies may not be aware of the possibilities for increased risk associated with the use of electronic technologies. For example, a machinery manufacturer may use a programmable logic controller (PLC) to control a machine.

5 EMC & Functional Safety
1 INTRODUCTION When the PLC is interfered with, for example by EM disturbances from a nearby walkie-talkie or by a voltage transient on its mains supply, it is possible that the machine could make an unintended movement, possibly putting nearby workers at increased risk of injury or even death.

6 EMC & Functional Safety
1 INTRODUCTION The EMC and safety divisions within an organisation tend to use different skills and disciplines and may operate largely independently of each other. Important issues of EMC-related functional safety may therefore not be correctly addressed. Compliance with the EMC Directive (or its harmonised standards) does not ensure that EMC-related functional safety issues have been correctly addressed and that relevant safety legislation has been met.

7 EMC & Functional Safety
1 INTRODUCTION To correctly control EMC-related functional safety, hazard and risk assessments are needed. The following should be considered:
1.1 What electromagnetic (EM) disturbances, however infrequent, might the apparatus be exposed to?
1.2 What are the reasonably foreseeable effects of such disturbances on the apparatus?

8 EMC & Functional Safety
1 INTRODUCTION
1.3 How might the EM disturbances emitted by the apparatus affect other apparatus (existing or planned)?
1.4 What could be the reasonably foreseeable safety implications of the above-mentioned disturbances (what is the severity of the hazard, the scale of the risk, the safety integrity level required)?

9 EMC & Functional Safety
1 INTRODUCTION
1.5 What level of confidence (verification? proof?) is required that the above have been fully considered and all necessary action taken to achieve the desired level of safety?

10 EMC & Functional Safety
1 INTRODUCTION Safety-related systems (SRS) are systems (or parts of systems) which affect safety in some way. Normally, the term is used to describe systems that perform a specific function to reduce risks to a level which is considered tolerable. SRS are more and more implemented in E/E/PE technologies.

11 EMC & Functional Safety
2 EXAMPLES 2.1 Failure of a safety interlock controlled by a µP: ESD and mains interference (EFT) switched on the machine while the interlock switch was in a “safe” position.

12 EMC & Functional Safety
2 EXAMPLES 2.2 Gas detector disabled by handheld VHF radio: the gas detector switched itself “off” when a walkie-talkie was operated in a nearby position (1 m).

13 EMC & Functional Safety
2 EXAMPLES 2.3 Lift stops due to amateur radio: the “optical” control of the doors was disturbed (via the cabling) by an amateur-radio installation (antenna on top of the lift machine room, on the roof of the building).

14 EMC & Functional Safety
2 EXAMPLES 2.4 CNC machine affected by arc welding: operation of a CNC machine was affected by a nearby arc-welding machine. Attention must be paid to welders, heaters and sealers, especially those using RF energy.

15 EMC & Functional Safety
2 EXAMPLES 2.5 Milk coolers affected by mains: mains disturbances affected the correct control of a milk cooler after a “new” batch of components was used. “Cooling” operated on wrong temperature detection, affecting the end quality of the milk (and creating health risks for consumers). (E/EP)ROM changes have been observed.

16 EMC & Functional Safety
2 EXAMPLES 2.6 Wheelchair EM immunity: wheelchairs appear to be susceptible to RF fields of 5 to 15 V/m. Brake release and self-start have occurred repeatedly. 50 V/m should be required.

17 EMC & Functional Safety
2 EXAMPLES 2.7 Safe-load indication and hand-held radio: permanent changes in the calibration ROM due to a walkie-talkie operated nearby have been observed. Safety-critical systems must always be designed for possible extreme interference.

18 EMC & Functional Safety
2 EXAMPLES 2.8 Failure of a valve in a steam generator: µP-based valve controller with a temperature sensor. Two failures were observed: RF-induced signals on the temperature-sensor wiring, causing wrong (too low) values; and mains interference affecting a badly designed watchdog in the µP circuitry.

19 EMC & Functional Safety
2 EXAMPLES 2.9 Aeroplanes and laptops: laptops (and electronic games) easily interfere with the aircraft navigation systems (and their cabling). EMI is part of the safety instructions on an aeroplane!

20 EMC & Functional Safety
2 EXAMPLES 2.10 Computer failure: one of a number of computers controlling a chemical plant failed, resulting in the inappropriate setting of a number of process valves. Operating staff were potentially put at risk. Investigation revealed that an integrated circuit had failed in the microprocessor which controlled the operation of an input/output interface.

21 EMC & Functional Safety
2 EXAMPLES 2.10 Computer failure (Cont’d) The failure meant that the processor set all signals for the output devices to logic 1 (all valves open). Failure of a microprocessor had been anticipated in the original design of the computer system, but the failure detection mechanism contained a design flaw.

22 EMC & Functional Safety
2 EXAMPLES 2.10 Computer failure (Cont’d) Fault detection was by a “watchdog” circuit configured to trip when a status “bit” flipped to zero, thereby indicating a physical failure of the processor. However, when the integrated circuit failed it set all bits, including the status bit, to logic 1, the opposite of the state needed to trip the watchdog, so the failure was not recognised.

23 EMC & Functional Safety
2 EXAMPLES 2.10 Computer failure (Cont’d) The root cause of this incident was that computer control had been superimposed upon an existing plant previously controlled by traditional technology. No hazard and risk analysis had been carried out before this change, and no safety integrity requirements specification had been developed.

24 EMC & Functional Safety
2 EXAMPLES Remarks: Functional safety is NOT covered by the EMC Directive and the related harmonised standards; immunity levels and specified performance criteria are NOT intended to guarantee proper operation of SRS.

25 EMC & Functional Safety
2 EXAMPLES Remarks (Cont’d) Examples of immunity problems for SRS are:
- ESD levels in reality: easily up to 15 kV, and still requiring fail-safe operation. (EN : 8 kV and performance criterion B)
- RF systems: high-power RF communication systems operated nearby, giving 15 V/m and more. (EN : 10 V/m)

26 EMC & Functional Safety
2 EXAMPLES Remarks (Cont’d)
- EFT: some mains supplies are ‘polluted’ with higher levels of transients than would normally be expected, and these may be higher than are covered by the EMC standards harmonised under the EMC Directive and used for CE marking. (EN : 2 kV pulses in CM)

27 EMC & Functional Safety
2 EXAMPLES Conclusions: Users need to make sure that their supplies are not excessively polluted, and manufacturers need to make sure that mains-powered equipment used for safety-related functions will withstand atypical mains transients as far as is reasonable, and, when damaged by a transient (or suffering any other failure), will fail to a safe state.

28 EMC & Functional Safety
2 EXAMPLES Conclusions (Cont’d) It is not always recognised that a control system is safety-related. Microprocessor watchdog circuits are difficult to design for safety-critical applications, and should be supported by hardware and software EMC design techniques and an appropriate risk analysis.

29 EMC & Functional Safety
2 EXAMPLES Conclusions (Cont’d) Careful analysis of the EM environment must be performed, in order to know the possible “extreme” conditions. An appropriate risk analysis, and the consequent design, must be performed from component level up to system level.

30 EMC & Functional Safety
3 EMC DIRECTIVE & FUNCTIONAL SAFETY EMC Directive 89/336 and the related harmonised standards do not deal with safety at all:
3.1 “Safety” is NOT used in the text, and the EMC Directive only addresses “normal operation” under a “normal” EM environment.

31 EMC & Functional Safety
3 EMC DIRECTIVE & FUNCTIONAL SAFETY
3.2 The EMC Directive does not cover reasonably foreseeable faults, environmental extremes, operator errors, maintenance situations, or misuse, all of which are essential considerations for functional safety.
3.3 Almost all the EMC standards harmonised under the EMC Directive either explicitly or implicitly exclude safety considerations.

32 EMC & Functional Safety
3 EMC DIRECTIVE & FUNCTIONAL SAFETY 3.4 All the EMC standards harmonised under the EMC Directive (or used for radio-communication Type Examination) cover a restricted number of EM disturbances, and their limits allow a finite probability of incompatibilities.

33 EMC & Functional Safety
3 EMC DIRECTIVE & FUNCTIONAL SAFETY 3.5 EMC Technical Construction Files (TCFs) can include significantly lower EMC performance (or lower confidence of performance) than would have been achieved had the harmonised standards been applied in full.

34 EMC & Functional Safety
3 EMC DIRECTIVE & FUNCTIONAL SAFETY 3.6 Safety may, in real life, depend upon correct operation of electronic apparatus when it is subjected to low-probability EM disturbances which are not covered by harmonised standards, or to a combination of EM disturbances which is not foreseen in the harmonised standards.

35 EMC & Functional Safety
3 EMC DIRECTIVE & FUNCTIONAL SAFETY 3.7 The EM environment is continually changing with the use of new technologies, and so harmonised standards often lag behind real needs. For example, there is increasingly common use of cellphones, wireless LANs and other RF transmitters, and ever-faster computers.

36 EMC & Functional Safety
3 EMC DIRECTIVE & FUNCTIONAL SAFETY 3.7 (Cont’d) These frequently emit significant levels of disturbances at frequencies above 1 GHz, higher than the frequencies covered by even the latest issues of the harmonised immunity standards.

37 EMC & Functional Safety
Key to the understanding of safety-related systems is the concept that a safety-related system carries out safety functions; and that a safety function should be specified both in terms of functionality (what the function does) and safety integrity (the probability of a safety function being performed satisfactorily when it is required).

38 EMC & Functional Safety
(Cont’d) The specification for safety integrity is derived by undertaking a hazard & risk analysis and determining the extent of risk reduction which the particular safety function brings about. The general principle is that more rigour is required in the engineering of safety-related systems at higher levels of safety integrity in order to achieve the lower failure rates which are required to achieve tolerable risk.

39 EMC & Functional Safety
4.1 EM environment Qualify and quantify the exposure of the apparatus to the EM disturbances present in its intended operational environment(s), taking into account likely (or possible) changes to the environment(s) in the future. This should include all reasonably foreseeable exposure to EM disturbances of whatever kind. EN can provide helpful guidance.

40 EMC & Functional Safety
4.2 EM Specification Determine the acceptable immunity and emissions performance criteria for each safety-related function of the apparatus, for each of the EM disturbances identified above, to achieve the desired “compatibility margins” for the appropriate safety integrity levels.

41 EMC & Functional Safety
4.2 EM Specification (Cont’d) The results are often most conveniently expressed as a table (matrix) of function versus EM phenomenon, with the performance criteria in the cells. (This is a hazards and risks assessment, and may result in different functional performance criteria than are required for compliance with the EMC Directive).

42 EMC & Functional Safety
4.3 Test Procedure The test procedure and performance criteria which will be used to validate the immunity levels should then be specified. Performance criteria for immunity testing should take into account the hazards and risks associated with the application. For example, even temporary degradation of performance or loss of function may not be acceptable in some applications.

43 EMC & Functional Safety
4.4 Design, build, verify, maintain Ensure that all necessary steps are taken throughout the apparatus’ entire life-cycle (including maintenance, upgrade, or refurbishment) to meet the EM functional performance criteria specified above, and that appropriate validation occurs before supply and after maintenance, modification, upgrade, and refurbishment (especially software).

44 EMC & Functional Safety
4.4 Design, build, verify, maintain (Cont’d) Validation should ensure that the product’s required functional performance is actually achieved in its intended operational environment(s), and that its safety is as required.

45 EMC & Functional Safety
4.5 User Instructions Provide all the installation, use, and maintenance instructions necessary to define the EM environment that the apparatus is intended for, and to achieve and maintain the required EM performance.

46 EMC & Functional Safety
4.5 User Instructions (Cont’d) It is also recommended that a description of how EM interference may appear to the user, and the simple mitigation measures that the user can take, be included. IEC and IEC are recommended for guidance on good EMC build and installation practices.

47 EMC & Functional Safety
4.6 Remarks 4.6.1 Testing is unlikely to reveal all the potential modes of functional degradation which may result from EM disturbances. In this respect, the achievement of EMC in the context of safety should be approached in a similar way to that necessary for safety-related software.

48 EMC & Functional Safety
4.6 Remarks 4.6.1 (Cont’d) That is, it is important that a systematic approach is adopted at all stages of the safety lifecycle in order to avoid, as far as possible, the introduction of systematic faults.

49 EMC & Functional Safety
4.6 Remarks 4.6.1 (Cont’d) It is particularly important that EMC is considered at an early stage during the design of equipment as it is often then that the most effective measures can be taken (this is also likely to be the most cost-effective way to ensure EMC).

50 EMC & Functional Safety
4.6 Remarks 4.6.2 EM disturbances may be the cause of “common-cause faults”. These are identical faults which occur at the same time in different parts of a system due to a common cause. It is particularly important to consider these in safety-related systems which employ redundant architectures as a means of protecting against random failures of hardware components.

51 EMC & Functional Safety
4.6 Remarks 4.6.2 (Cont’d) Estimates of hardware reliability should take into account the possibility of such common-cause faults because they can significantly increase the likelihood of failure from that which results from consideration of random failures only.
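As an added worked example (not part of the original presentation), the effect of a common-cause fault on a two-channel redundant architecture can be shown with a simplified β-factor model of the kind referred to in EN 61508 Part 6 Annex D; the channel failure probability $p$ and the fraction $\beta$ are constructed values for illustration.

With two identical channels (1oo2), each with probability $p$ of dangerous failure on demand, and a fraction $\beta$ of all failures attributed to a common cause (an EM disturbance hitting both channels at once):

$$\text{independent failures only:}\quad PFD_{1oo2} \approx p^2$$

$$\text{with common-cause failures:}\quad PFD_{1oo2} \approx (1-\beta)^2 p^2 + \beta p$$

For $p = 10^{-3}$ and $\beta = 0.1$: the independent estimate gives $10^{-6}$, whereas the common-cause estimate gives $0.81 \times 10^{-6} + 10^{-4} \approx 1.0 \times 10^{-4}$, two orders of magnitude worse. The $\beta p$ term dominates, which is why redundancy alone does not protect against an EM disturbance that reaches every channel.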

52 EMC & Functional Safety
4.6 Remarks 4.6.3 Even during servicing and maintenance procedures safety is still required, so maintenance and modification procedures should consider EMC. In particular, the use of mobile radiocommunications close to equipment which has had covers removed should be carefully controlled, particularly when equipment is being maintained “on-line”.

53 EMC & Functional Safety
4.6 Remarks 4.6.4 Where protective devices (e.g. varistor transient suppressors) are used to achieve a level of immunity, and where failure of such a device could cause a reduction in immunity level which could lead to danger, then the failure of such devices should either be detected automatically (for example by the action of diagnostic tests) or the devices should be tested on a regular basis to reveal any failures.

54 EMC & Functional Safety
4.6 Remarks 4.6.4 (Cont’d) The periodicity of such tests would need to be determined on the basis of the acceptable probability of failure in a particular application.

55 EMC & Functional Safety
4.6 Remarks 4.6.5 The same applies to the design of watchdogs: the observation cycle and the bit patterns to be observed must be carefully chosen, to ensure a fail-safe “reset” of the µP system.
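As an added illustration of the 2.10 incident and of remark 4.6.5 (example code, not part of the original presentation), the following C model compares a watchdog that only checks one status bit against one that expects a cycle of complementary bit patterns; the fault modes, the patterns and the cycle counts are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the processor that has to "kick" the watchdog. */
typedef enum { FAULT_NONE, FAULT_STUCK_AT_0, FAULT_STUCK_AT_1, FAULT_FROZEN } fault_t;
typedef enum { SCHEME_SINGLE_BIT, SCHEME_PATTERN } scheme_t;

/* Single-bit scheme (the 2.10 design): the healthy processor keeps one status bit at 1. */
#define STATUS_BIT 0x01u

/* Pattern scheme (remark 4.6.5): the healthy processor writes these words in turn,
 * one per observation cycle. Each word is the complement of its predecessor, so a
 * word stuck at all-0s, at all-1s, or frozen at its last value cannot follow the sequence. */
#define PATTERN_COUNT 4u
static const uint8_t kick_pattern[PATTERN_COUNT] = {0xA5, 0x5A, 0xC3, 0x3C};

/* Word seen at the watchdog input in observation cycle `cycle`; `fault` is present
 * from cycle `fault_at` onwards. */
static uint8_t processor_word(scheme_t scheme, fault_t fault, unsigned fault_at, unsigned cycle) {
    uint8_t healthy = (scheme == SCHEME_PATTERN) ? kick_pattern[cycle % PATTERN_COUNT] : STATUS_BIT;
    if (cycle < fault_at) return healthy;            /* fault not yet present */
    switch (fault) {
    case FAULT_STUCK_AT_0: return 0x00;
    case FAULT_STUCK_AT_1: return 0xFF;              /* every bit, status bit included, at logic 1 */
    case FAULT_FROZEN:                               /* output latched at the value of the failing cycle */
        return (scheme == SCHEME_PATTERN) ? kick_pattern[fault_at % PATTERN_COUNT] : STATUS_BIT;
    default: return healthy;
    }
}

typedef struct {
    unsigned expected;   /* index of the pattern expected in the next cycle */
    bool tripped;        /* latched: once tripped, reset stays asserted (fail-safe) */
} watchdog_t;

/* Flawed check: trips only when the status bit falls to 0, so an IC failure that
 * drives all bits to 1 is never recognised. */
static void single_bit_observe(watchdog_t *wd, uint8_t word) {
    if ((word & STATUS_BIT) == 0) wd->tripped = true;
}

/* Hardened check: the word must be exactly the pattern due this cycle. Any other
 * word, or the right word arriving out of sequence, latches the trip. */
static void pattern_observe(watchdog_t *wd, uint8_t word) {
    if (wd->tripped) return;
    if (word != kick_pattern[wd->expected]) { wd->tripped = true; return; }
    wd->expected = (wd->expected + 1) % PATTERN_COUNT;
}

/* Run `cycles` observation cycles with `fault` appearing from cycle `fault_at`.
 * Returns true if the watchdog asserted reset at some point. */
bool watchdog_detects(scheme_t scheme, fault_t fault, unsigned fault_at, unsigned cycles) {
    watchdog_t wd = {0, false};
    for (unsigned c = 0; c < cycles; c++) {
        uint8_t word = processor_word(scheme, fault, fault_at, c);
        if (scheme == SCHEME_PATTERN) pattern_observe(&wd, word);
        else single_bit_observe(&wd, word);
    }
    return wd.tripped;
}

int main(void) {
    static const char *fault_name[] = {"none", "stuck-at-0", "stuck-at-1", "frozen"};
    puts("fault        single-bit  pattern");
    for (int f = FAULT_NONE; f <= FAULT_FROZEN; f++) {
        printf("%-12s %-11s %s\n", fault_name[f],
               watchdog_detects(SCHEME_SINGLE_BIT, (fault_t)f, 3, 8) ? "trip" : "no trip",
               watchdog_detects(SCHEME_PATTERN, (fault_t)f, 3, 8) ? "trip" : "no trip");
    }
    return 0;
}
```

The single-bit design only reports the stuck-at-0 fault; the pattern design reports all three failure modes while staying silent for the healthy processor.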

56 EMC & Functional Safety
4.6 Remarks 4.6.6 The above has dealt with the immunity of a product, system, or installation to its EM environment, but it must not be overlooked that some equipment can emit EM disturbances which markedly worsen the local EM environment, possibly causing degraded functionality in other equipment.

57 EMC & Functional Safety
4.6 Remarks 4.6.6 (Cont’d) Audio or radio communication systems can be very susceptible to EM disturbances, which can lead to safety risks if they are used to communicate safety information.

58 EMC & Functional Safety
4.6 Remarks 4.6.6 (Cont’d) Some industrial, scientific, or medical equipment utilises radio frequency (RF) energy at high powers to perform its intended function (e.g. induction heating, plastic RF welding or sealing, RF-assisted metal welding), and emissions from these can cause errors in nearby instrumentation or control, with possible safety risks.

59 EMC & Functional Safety
4.6 Remarks 4.6.6 (Cont’d) So, when planning new equipment, steps need to be taken to ensure that its EM disturbances do not reduce the compatibility levels (safety margins) for the existing equipment below what is necessary for its functional safety.

60 EMC & Functional Safety
4.6 Remarks 4.6.7 Warning of a safety hazard is considered no substitute for guarding against it, where guarding is possible. Guarding is considered no substitute for designing the hazard out in the first place, where it is possible to design the hazard out.

61 EMC & Functional Safety
4.7 Safety management
- Set up a safety programme plan, dealing with the milestones of the design phase, production, …
- Reference to procedures and standards: include techniques such as FTA, FMEA, …
- EMC hazards to be identified and addressed

62 EMC & Functional Safety
4.7 Safety management (Cont’d) Two standards are involved:
- EN : Methodology for the achievement of functional safety of electrical and electronic equipment.

63 EMC & Functional Safety
4.7 Safety management (Cont’d)
- EN 61508: Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems (SRS)

64 EMC & Functional Safety
4.7 Safety management (Cont’d) Conclusion: EMC and functional safety are NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed in order to ensure fail-safe operation over the complete life-cycle of a product.

65 EMC & Functional Safety
5 EN The document addresses the following items:
- safety description of the equipment
- safety requirements
- risk analysis tools
- check-list of measures and techniques
- design considerations

66 EMC & Functional Safety
5 EN General considerations
- define structure, design and intended functions of the equipment
- describe the relevant electromagnetic environment
- specify the safety requirements
- analysis to identify the hazards which can cause safety risks

67 EMC & Functional Safety
5 EN General considerations (Cont’d)
- EMC tests for safety
- produce operation and maintenance instructions to ensure safety in the course of time

68 EMC & Functional Safety
5 EN General considerations (Cont’d) The two most important items in the previous overview are:
- dependability analysis, which confirms an appropriate design and/or the interpretation of test results
- the actual testing for safety, which confirms that the requirements are effectively fulfilled

69 EMC & Functional Safety
5 EN Concept. Fig. Lifecycle and functional safety for individual equipment (first part; the figure shows EMC inputs feeding each stage):
- Functional requirements (EMC inputs)
- Hazard and risk analysis (EMC inputs)
- Safety specifications

70 EMC & Functional Safety
5 EN Fig. Lifecycle and functional safety for individual equipment (second part):
- Design & development (EMC inputs)
- Validation (return for modification where needed)
- Manufacture (EMC inputs)
- Use of equipment (EMC inputs; instructions for operation and maintenance)
- Disposal

71 EMC & Functional Safety
5 EN Electromagnetic environment The following disturbance phenomena must be considered and defined:
- conducted low frequency phenomena
- radiated low frequency phenomena
- conducted high frequency phenomena
- radiated high frequency phenomena
- electrostatic discharge

72 EMC & Functional Safety
5 EN Table 1: Overview of disturbance phenomena
Conducted low frequency phenomena:
- Harmonics, interharmonics
- Signalling systems
- Voltage fluctuations
- Voltage dips and interruptions
- Voltage unbalance
- Power frequency variations
- Induced low frequency voltages
- d.c. in a.c. networks

73 EMC & Functional Safety
5 EN Table 1: Overview of disturbance phenomena (Cont’d)
Radiated low frequency field phenomena:
- Magnetic fields*
- Electrical fields*
(* continuous or transient)
Conducted high frequency phenomena:
- Induced CW voltages or currents
- Unidirectional transient*
- Oscillatory transient*
(* single or repetitive (bursts))

74 EMC & Functional Safety
5 EN Table 1: Overview of disturbance phenomena (Cont’d)
Radiated high frequency field phenomena:
- Magnetic fields
- Electrical fields
- Electromagnetic fields: continuous waves, or transient* (* single or repetitive)
Electrostatic discharge phenomena (ESD)
High altitude electromagnetic pulse (HEMP)* (* to be considered under special conditions)

75 EMC & Functional Safety
5 EN Safety requirements & failure criteria
- Safety integrity of the equipment against the EM ambient: this requires that the level of immunity against EMC, combined with other causes, results in an overall acceptable risk.
- Safety integrity of the equipment against internal EMC: typical examples are internal ESD (moving plastic parts) and/or internal EFT (switching on/off of motors, valves, actuators, …).

76 EMC & Functional Safety
5 EN Assessment methods The dependability analysis can be based on two principles:
- Deductive methodology, or top-down: this method is event oriented; starting from a defined top event it tries to identify the responsible components. The typical method used is Fault Tree Analysis (FTA).

77 EMC & Functional Safety
5 EN Assessment methods (Cont’d)
- Inductive methodology, or bottom-up: this method identifies fault modes at component level and looks for the corresponding performance at system level.

78 EMC & Functional Safety
5 EN EMC TESTING with regard to SAFETY For EMC immunity testing, it was already proposed to specify two series of tests:
- for system parts not relevant for safety
- for system parts relevant for safety, with more severe immunity requirements if necessary

79 EMC & Functional Safety
5 EN EMC TESTING with regard to SAFETY (Cont’d) During testing, observable effects can be provoked by applying higher disturbance levels (higher repetition rates for transients, other modulation frequencies, signal shapes, …). Safety-related elements should be tested separately.

80 EMC & Functional Safety
5 EN Risk analysis techniques GENERAL CONSIDERATIONS
- tracing possibilities of multiple faults and common causes
- probability of the EM disturbance (variation with time)
- properties of the EM disturbance
- dependence on the state of the machine for identical causes

81 EMC & Functional Safety
5 EN Risk analysis techniques GENERAL CONSIDERATIONS (Cont’d)
- the effect of disturbances can depend on the way of installation
- many disturbances can be present at the same time
- EMC will best fit with a TOP-DOWN analysis

82 EMC & Functional Safety
5 EN Risk analysis techniques ANALYSIS METHODS
- Fault Tree Analysis (FTA) as in IEC 61025
- Failure Mode and Effect Analysis (FMEA) as in IEC 60812
- Reliability block diagrams and components as in IEC 61078
- Markov Analysis as in IEC 61165

83 EMC & Functional Safety
5 EN Risk analysis techniques ANALYSIS METHODS (Cont’d) Other techniques:
> Event tree analysis
> Hazard and operability study (HAZOP)
> WHAT-IF method
> Method organised for a systemic analysis of risks (MOSAR)
> DELPHI

84 EMC & Functional Safety
5 EN Check list of measures & techniques  Specify the unwanted safety events no operation when operation required operation when no operation required wrong (and dangerous) operation

85 EMC & Functional Safety
5 EN Check list of measures & techniques  Specify to EM environments reference to standards to determine disturbance levels measurement of the EM environment to confirm assumptions

86 EMC & Functional Safety
5 EN Check list of measures & techniques  Design and development strategy structure reducing the probability of dangerous failures appropriate software development dependability analysis avoiding the use of susceptible components (if known)

87 EMC & Functional Safety
5 EN Check list of measures & techniques  Design and development strategy (Cont’d) testing of components and subsystems, cabling… use of appropriate CAD tools to reduce EMC use of consultancy and competence design reviews

88 EMC & Functional Safety
5 EN Check list of measures & techniques  Implementation and integration procedures to ensure the procurement of correct components procedures to ensure correct assembly of equipment verification and quality assurance procedures

89 EMC & Functional Safety
5 EN Check list of measures & techniques  Installation specification of constraints on length and routing of cables specification of types of cables specification of method of terminating screens specification of type of connectors

90 EMC & Functional Safety
5 EN Check list of measures & techniques  Installation (Cont’d) specification of physical positioning to other equipment specification of power supply requirements specification of any screening/shielding in addition to unit itself

91 EMC & Functional Safety
5 EN Check list of measures & techniques  Installation (Cont’d) specification of earthing and bonding requirements specification of installation procedure & use of special materials

92 EMC & Functional Safety
5 EN Check list of measures & techniques  Safety Validation dependability analysis verification of correct implementation of safety requirements survey of actual EM environment to confirm assumptions

93 EMC & Functional Safety
5 EN Check list of measures & techniques  Safety Validation (Cont’d) laboratory testing of safety behaviour and functions immunity testing using higher levels to determine margins use special conditions to exercise known sensitive states to EMC

94 EMC & Functional Safety
5 EN Check list of measures & techniques  Safety Validation (Cont’d) in situ testing of safety behaviour and functions quantitative evaluation of failure rates based on statistics

95 EMC & Functional Safety
5 EN Check list of measures & techniques  Operation and maintenance specification and use of operating procedures to preserve EMC specification of restrictions on operation, also other apparatus (ex. use of GSM, ...) specify disassembly/reassemble techniques to preserve EMC

96 EMC & Functional Safety
5 EN Check list of measures & techniques  Operation and maintenance (Cont’d) periodic testing of EMC critical components periodic replacement of EMC critical components (ex. gaskets) periodic testing of safety related components & functions

97 EMC & Functional Safety
5 EN Check list of measures & techniques  Modifications assessment of the effect of any modification on EMC of both equipment under consideration and any other equipment which might be affected

98 EMC & Functional Safety
6 EN 61508
Part 1 General requirements
Part 2 Requirements for E/E/PE safety-related systems
Part 3 Software requirements
Part 4 Definitions and abbreviations
Part 5 Examples of methods for the determination of SILs
Part 6 Guidelines on the application of parts 2 and 3
Part 7 Overview of techniques and measures

99 Part 1 General requirements
6 EN 61508 Part 1 General requirements
1 Scope
2 Conformance to this standard
3 Documentation
4 Management of functional safety

100 Part 1 General requirements
6 EN 61508 Part 1 General requirements
5 Overall safety lifecycle requirements
5.1 General
5.2 Concept
5.3 Overall scope definition
5.4 Hazard and risk analysis
5.5 Overall safety requirements
5.6 Safety requirements allocation
5.7 Overall operation and maintenance planning
5.8 Overall safety validation planning

101 Part 1 General requirements
6 EN 61508 Part 1 General requirements
5.9 Overall installation and commissioning planning
5.10 Realisation: E/E/PE
5.11 Overall installation and commissioning
5.12 Overall safety validation
5.13 Overall operation, maintenance and repair
5.14 Overall modification and retrofit
5.15 Decommissioning or disposal
5.16 Verification

102 Part 1 General requirements
6 EN 61508 Part 1 General requirements
6 Functional safety assessment
6.1 Objective
6.2 Requirements

103 Part 2 Requirements for E/E/PE safety related systems
6 EN 61508 Part 2 Requirements for E/E/PE safety-related systems
1 Scope
2 E/E/PES safety lifecycle requirements
2.1 General
2.2 E/E/PE system safety requirements specification
2.3 E/E/PE system safety validation planning
2.4 E/E/PE system design and development
2.5 E/E/PE system integration

104 Part 2 Requirements for E/E/PE safety related systems
6 EN 61508 Part 2 Requirements for E/E/PE safety-related systems
2.6 E/E/PE system operation and maintenance procedures
2.7 E/E/PE system safety validation
2.8 E/E/PE system modification
2.9 E/E/PE system verification

105 Part 3 Software requirements
6 EN 61508 Part 3 Software requirements
1 Scope
2 Software quality management system
2.1 Objectives
2.2 Requirements
3 Software safety lifecycle requirements
3.1 General
3.2 Software safety requirements specification
3.3 Software safety validation planning
3.4 Software design and development

106 Part 3 Software requirements
6 EN 61508 Part 3 Software requirements
3.5 Programmable electronics integration (hardware and software)
3.6 Software operation and modification procedures
3.7 Software safety validation
3.8 Software modification
3.9 Software verification
4 Functional safety assessment

107 Part 4 Definitions and abbreviations
6 EN 61508 Part 4 Definitions and abbreviations

108 Part 5 Examples of methods for the determination of SIL’s
6 EN 61508 Part 5 Examples of methods for the determination of SILs
1 Scope
2 Annex A: General concepts
2.1 General
2.2 Necessary risk reduction
2.3 Role of the E/E/PE SRSs
2.4 Safety integrity
2.5 Risk and safety integrity
2.6 Safety integrity levels and software SILs
2.7 Allocation of safety requirements

109 Part 5 Examples of methods for the determination of SIL’s
6 EN 61508 Part 5 Examples of methods for the determination of SILs
3 Annex B: ALARP and tolerable risk concepts
3.1 General
3.2 ALARP model (as low as reasonably practicable)

110 Part 5 Examples of methods for the determination of SIL’s
4 Annex C: determination of SILs: a quantitative method
4.1 General
4.2 General method
4.3 Example calculation

111 Part 5 Examples of methods for the determination of SIL’s
5 Annex D: determination of SILs: a qualitative method: risk graph
5.1 General
5.2 Risk graph synthesis
5.3 Other possible risk parameters
5.4 Risk graph implementation: general scheme

112 Part 5 Examples of methods for the determination of SIL’s
6 Annex E: determination of SILs: a qualitative method: hazardous event severity matrix
6.1 General
6.2 Hazardous event severity matrix

113 Part 6 Guidelines on the application of parts 2 and 3
6 EN 61508 Part 6 Guidelines on the application of parts 2 and 3
1 Scope
2 Annex A: Application of parts 2 and 3
2.1 General
2.2 Functional steps
3 Annex B: Example technique for evaluating probabilities of failure
4 Annex C: Calculation of the diagnostic coverage: worked example

114 Part 6 Guidelines on the application of parts 2 and 3
5 Annex D: A methodology for quantifying the effect of hardware-related common cause failures in multi-channel PE systems
5.1 General
5.2 Brief overview
5.3 Scope of the methodology

115 Part 6 Guidelines on the application of parts 2 and 3
5.4 Points taken into account in the methodology
5.5 Using β to calculate the probability of failure in an E/E/PE SRS due to common cause failures
5.6 Using the tables to estimate β
6 Annex E: Example of software safety integrity tables of part 3

116 Part 7 Overview of techniques and measures
6 EN 61508 Part 7 Overview of techniques and measures
1 Scope

117 EMC & Functional Safety
7 RISK ANALYSIS METHODS
Different methods are available, but only a few are commonly used and/or standardised:
Fault Tree Analysis (FTA): IEC 61025
Failure Mode and Effects Analysis (FMEA): IEC 60812
Reliability Block Diagrams (RBD): IEC 61078
Markov analysis: IEC 61165
FTA and FMEA can “easily” be used for EMC events.

118 EMC & Functional Safety
7 RISK ANALYSIS METHODS
FTA: Fault Tree Analysis (IEC 61025)
top-down (deductive) method: starts from the unwanted top event and traces it back to its causes
can handle common cause failures
can handle time-varying failures
events can also be a degradation of performance only, not just a hard failure
can be based on qualitative reasoning only (the minimal cut sets need no failure-rate data)

119 EMC & Functional Safety
7 RISK ANALYSIS METHODS
FMEA: Failure Mode and Effects Analysis (IEC 60812)
bottom-up (inductive) method
hardware approach: considers the failure of components; not suitable for EMC analysis, since an EM disturbance upsets a function without any component failing
functional approach: considers in what ways a function can deviate from its specification

120 EMC & Functional Safety
7 RISK ANALYSIS METHODS
For the analysis of EMC related to functional safety, FTA is the most suitable method, because it starts from the failed state and works down to the causes. An example is included in IEC
FMEA is most suitable where the analysis starts from failing components.
The other methods (RBD, Markov) are used for reliability and availability analysis of systems.
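The fault-tree approach recommended above, applied to the PLC-driven machine from the introduction, as an added example that is not part of the original presentation and not taken from any named tool: a small Python FTA that expands AND/OR gates into minimal cut sets (the qualitative step, which needs no failure-rate data), then computes the top-event probability both exactly, by inclusion-exclusion over the cut sets, and with the rare-event approximation. The common-cause failure of the redundant 1oo2 interlock is modelled with the β-factor split of IEC 61508-6 Annex D. The tree, the event names (RF, MAINS, WD, CHA, CHB, CCF) and all probabilities are constructed for illustration, not measured data.

```python
"""Fault Tree Analysis (IEC 61025 style) of an EMC-induced hazard.

Added example, not from the original presentation. Tree, event names and
probabilities are constructed for illustration only.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple, Union


class Event:
    """Basic event (leaf of the tree), e.g. an EM disturbance or a failure."""
    def __init__(self, name: str) -> None:
        self.name = name


class Gate:
    """AND / OR gate over child nodes."""
    def __init__(self, kind: str, *children: "Node") -> None:
        assert kind in ("AND", "OR")
        self.kind, self.children = kind, children


Node = Union[Event, Gate]
CutSet = FrozenSet[str]


def minimise(sets: Set[CutSet]) -> Set[CutSet]:
    """Absorption law: drop any cut set that contains another cut set."""
    return {s for s in sets if not any(o < s for o in sets)}


def minimal_cut_sets(node: Node) -> Set[CutSet]:
    """Top-down (deductive) expansion of the tree into minimal cut sets."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.kind == "OR":          # any child alone causes the event
        result = set().union(*child_sets)
    else:                          # AND: one cut set from every child
        result = {frozenset()}
        for cs in child_sets:
            result = {a | b for a in result for b in cs}
    return minimise(result)


def top_probability(mcs: Set[CutSet], p: Dict[str, float]) -> float:
    """Exact P(top) by inclusion-exclusion, assuming independent basic events."""
    mcs_list = list(mcs)
    total = 0.0
    for k in range(1, len(mcs_list) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(mcs_list, k):
            prob = 1.0
            for e in frozenset().union(*combo):
                prob *= p[e]
            total += sign * prob
    return total


def rare_event_approx(mcs: Set[CutSet], p: Dict[str, float]) -> float:
    """Upper bound used in practice when cut-set probabilities are small."""
    total = 0.0
    for cs in mcs:
        prob = 1.0
        for e in cs:
            prob *= p[e]
        total += prob
    return total


def beta_factor_split(p_channel: float, beta: float) -> Tuple[float, float]:
    """IEC 61508-6 Annex D beta-factor model: the dangerous failure of one
    channel is split into an independent part (1-β)·p and a common-cause
    part β·p that hits every channel at once (e.g. the same EM transient).
    The linear split is exact for failure rates; for the small per-year
    probabilities used here it is a close approximation."""
    return (1.0 - beta) * p_channel, beta * p_channel


# ---- Constructed scenario: PLC-driven machine from the introduction ----
# Top event: an unintended movement command reaches the actuator.
# It needs a corrupted PLC output AND the 1oo2 safety interlock failing.
RF, MAINS, WD = Event("RF"), Event("MAINS"), Event("WD")
CHA, CHB, CCF = Event("CHA"), Event("CHB"), Event("CCF")

TREE = Gate("AND",
    Gate("OR",
        RF,                        # walkie-talkie disturbance corrupts the I/O
        Gate("AND", MAINS, WD)),   # mains transient upsets CPU and watchdog fails
    Gate("OR",
        Gate("AND", CHA, CHB),     # both interlock channels fail independently
        CCF))                      # common cause takes both channels out

P_CHANNEL, BETA = 0.02, 0.1        # constructed per-year figures, not measured
P_IND, P_CCF = beta_factor_split(P_CHANNEL, BETA)
PROB = {"RF": 0.1, "MAINS": 0.05, "WD": 0.02,
        "CHA": P_IND, "CHB": P_IND, "CCF": P_CCF}


def ranked_cut_sets(node: Node = TREE) -> List[CutSet]:
    """Qualitative result: lowest-order cut sets are the weakest points."""
    return sorted(minimal_cut_sets(node), key=lambda s: (len(s), sorted(s)))


def analyse(node: Node = TREE, p: Dict[str, float] = PROB) -> Dict[str, float]:
    """Quantitative result: exact top-event probability and rare-event bound."""
    mcs = minimal_cut_sets(node)
    return {"exact": top_probability(mcs, p),
            "rare_event": rare_event_approx(mcs, p)}


if __name__ == "__main__":
    for cs in ranked_cut_sets():
        print(len(cs), sorted(cs))
    print(analyse())
```

The qualitative step already gives the EMC-relevant finding: the only order-2 cut set is {RF, CCF}, so a single radio disturbance plus a common-cause failure of the interlock is enough, and the redundant second channel buys little against a disturbance that is itself a common cause for both channels. That is the case FTA handles and a component-level FMEA does not.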

121 EMC & Functional Safety
8 Example of Safety Analysis related to IEC 61508: SAFECHECK
The software package “SAFECHECK” is an electronic checklist based on the IEC 61508 standards; it results in two listings, of “DONE” and “TO DO” items. It was developed under a research grant from the Flemish Government (SAFESYS).

122 EMC & Functional Safety
9 Example of risk analysis, related to FTA, FMEA, RBD and Markov: RELEX
The software package “RELEX” is a commercially available package that includes risk analysis following the FTA, FMEA, RBD and Markov methods. It also includes a database of reliability data for electronic components, so that in an FMEA priority can be given to the components with the highest failure rate.

123 EMC & Functional Safety
10 CONCLUSIONS
EMC-related functional safety is NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed in order to ensure fail-safe operation over the complete life-cycle of a product.

124 EMC & Functional Safety
10 CONCLUSIONS
System level:
Power quality of the mains supply is a very important, and largely unknown, issue
Use of nearby intentional RF sources (cellphones, power…)
The software platform that is used must deliver “tractable” actions

125 EMC & Functional Safety
10 CONCLUSIONS
Component level:
Careful use of “new” components and second-source components over the life-cycle of a product
Implementation of watchdogs!
Software must be verified both as software AND in its execution on the target hardware!

126 EMC & Functional Safety
10 CONCLUSIONS
Management level:
“Standards” are available as guidance for fail-safe design
A risk analysis must be performed for safety-related systems (SRS)
Mixed applications (normal control and SRS together) need full compliance with functional safety requirements

127 EMC & Functional Safety
Workshop 23: EMV ‘01 (Augsburg) 14 march 2001 Prof. ir. J. Catrysse, KHBO

