
EMC & Functional Safety

Workshop 23: EMV ’01 (Augsburg), 14 March 2001

Prof. ir. J. Catrysse, KHBO

1 INTRODUCTION

All electronic technologies can suffer from degraded functionality due to electromagnetic disturbances, and modern technologies are more susceptible than older ones. The discipline that deals with this is known as EMC (electromagnetic compatibility).

Electronic technology is increasingly used in safety-related applications. Consequently, errors and misoperation of electronic devices due to inadequate EMC can result in hazardous situations, with an increased risk of harm to people’s health and safety.

Companies that are well versed in the safety of their traditional technologies may not be aware of the possibilities for increased risk associated with the use of electronic technologies. For example, a machinery manufacturer may use a programmable logic controller (PLC) to control a machine.

When the PLC is interfered with, for example by EM disturbances from a nearby walkie-talkie or by a voltage transient on its mains supply, it is possible that the machine could make an unintended movement, possibly putting nearby workers at increased risk of injury or even death.

The EMC and safety divisions within an organisation tend to use different skills and disciplines and may operate largely independently of each other. As a result, important issues of EMC-related functional safety may not be correctly addressed. Compliance with the EMC Directive (or its harmonised standards) does not ensure that EMC-related functional safety issues have been correctly addressed and that the relevant safety legislation has been met.

To correctly control EMC-related functional safety, hazard and risk assessments are needed. The following should be considered:

1.1 What electromagnetic (EM) disturbances, however infrequent, might the apparatus be exposed to?

1.2 What are the reasonably foreseeable effects of such disturbances on the apparatus?

1.3 How might the EM disturbances emitted by the apparatus affect other apparatus (existing or planned)?

1.4 What could be the reasonably foreseeable safety implications of the above-mentioned disturbances (what is the severity of the hazard, the scale of the risk, the safety integrity level required)?

1.5 What level of confidence (verification? proof?) is required that the above have been fully considered and all necessary action taken to achieve the desired level of safety?

Safety-related systems (SRS) are systems (or parts of systems) which affect safety in some way. Normally, the term is used to describe systems that perform a specific function to reduce risks to a level which is considered tolerable. SRS are increasingly implemented in electrical/electronic/programmable electronic (E/E/PE) technologies.

2 EXAMPLES

2.1 Failure of a safety-interlock

The interlock was controlled by a µP. ESD and mains interference (EFT) switched on the machine while the interlock switch was in a “safe” position.

2.2 Gas-detector disabled by handheld VHF radio

The gas detector switched itself “off” when a walkie-talkie was operated nearby (1 m).

2.3 Lift stops due to amateur-radio

“Optical” control of the doors was disturbed (via the cabling) by an amateur radio installation (antenna on top of the machine room, on the roof of a building).

2.4 CNC machine affected by arc-welding

Operation of a CNC machine was affected by a nearby arc-welding machine.

Attention must be paid to welders, heaters, sealers and especially those using RF energy.

2.5 Milk-coolers affected by mains

Mains disturbances affected the control of a milk cooler after a “new” batch of components was used. “Cooling” operated on wrong temperature detection, affecting the end quality of the milk (and creating health risks for consumers). (E/EP)ROM changes have been observed.

2.6 Wheelchair EM immunity

Wheelchairs seem to be susceptible to RF fields of 5 to 15 V/m; brake release and self-start have been observed repeatedly. An immunity level of 50 V/m should be requested.

2.7 Safe-load indication and hand-held radio

Permanent changes in the calibration ROM due to a walkie-talkie operated nearby have been observed. Safety-critical systems must always be designed for possible extreme interference.

2.8 Failure of a valve in a steam-generator

A µP-based valve controller with a temperature sensor. Two failures were observed: RF-induced signals on the temperature-sensor wiring, causing wrong (too low) readings, and mains interference affecting a badly designed watchdog in the µP circuitry.

2.9 Aeroplanes and laptops

Laptops (and electronic games) can easily interfere with the aircraft navigation systems (and their cabling).

EMI is part of the safety-instructions on an aeroplane!

2.10 Computer failure

One of a number of computers controlling a chemical plant failed, resulting in the inappropriate setting of a number of process valves. Operating staff were potentially put at risk. Investigation revealed that an integrated circuit had failed in the microprocessor which controlled the operation of an input/output interface.

The failure meant that the processor set all signals for the output devices to logic 1 (all valves open). Failure of a microprocessor had been anticipated in the original design of the computer system, but the failure detection mechanism contained a design flaw.

Fault detection was by a “watchdog” circuit configured to trip when a status “bit” flipped to zero, thereby indicating a physical failure of the processor. However, when the integrated circuit failed it set all bits, including the status bit, to logic 1, the opposite of the state needed to trip the watchdog, so the failure was not recognised.

The root cause of this incident was that computer control had been superimposed upon an existing plant previously controlled by traditional technology. No hazard and risk analysis had been carried out before this change, and no safety integrity requirements specification had been developed.

Remarks

Functional safety is NOT covered by the EMC Directive and the related harmonised standards. Immunity levels and the specified performance criteria are NOT intended to guarantee proper operation of SRS.

Examples of immunity problems for SRS are:

• ESD levels in reality: easily up to 15 kV and still requiring fail-safe operation (EN 61000-4-2: 8 kV and performance criterion B).

• RF systems: high-power and nearby-operated RF communication systems, giving 15 V/m and more (EN 61000-4-3: 10 V/m).

• EFT: some mains supplies are ‘polluted’ with higher levels of transients than would normally be expected, and these may be higher than are covered by the EMC standards harmonised under the EMC Directive and used for CE marking (EN 61000-4-4: 2 kV pulses in CM).

Conclusions

Users need to make sure that their supplies are not excessively polluted, and manufacturers need to make sure that mains-powered equipment used for safety-related functions will withstand atypical mains transients as far as is reasonable and, when damaged by a transient (or suffering any other failure), will fail to a safe state.

It is not always recognised that a control system is safety-related. Microprocessor watchdog circuits are difficult to design for safety-critical applications, and should be supported by hardware and software EMC design techniques and an appropriate risk analysis.

A careful analysis of the EM environment must be performed in order to know the possible “extreme” conditions. An appropriate risk analysis, and the consequent design, must be performed from component level up to system level.

3 EMC DIRECTIVE & FUNCTIONAL SAFETY

EMC Directive 89/336 and the related harmonised standards do not deal with safety at all:

3.1 “Safety” is NOT used in the text, and the EMC Directive only addresses “normal operation” in a “normal” EM environment.

3.2 The EMC Directive does not cover reasonably foreseeable faults, environmental extremes, operator errors, maintenance situations, or misuse, all of which are considerations essential for functional safety.

3.3 Almost all the EMC standards harmonised under the EMC Directive either explicitly or implicitly exclude safety considerations.

3.4 All the EMC standards harmonised under the EMC Directive (or used for radio-communication Type Examination) cover a restricted number of EM disturbances, and their limits allow a finite probability of incompatibilities.

3.5 EMC Technical Construction Files (TCFs) can include significantly lower EMC performance (or lower confidence of performance) than would have been achieved had the harmonised standards been applied in full.

3.6 Safety may, in real life, depend upon correct operation of electronic apparatus when it is subjected to low-probability EM disturbances which are not covered by harmonised standards, or to a combination of EM disturbances which is not foreseen in the harmonised standards.

3.7 The EM environment is continually changing with the use of new technologies, and so harmonised standards often lag behind real needs. For example, there is increasingly common use of cellphones, wireless LANs and other RF transmitters, and ever faster computers. These frequently emit significant levels of disturbances at frequencies above 1 GHz, higher than the frequencies covered by even the latest issues of the harmonised immunity standards.

4 SAFETY

Key to the understanding of safety-related systems is the concept that a safety-related system carries out safety functions, and that a safety function should be specified both in terms of functionality (what the function does) and safety integrity (the probability of a safety function being performed satisfactorily when it is required).

The specification for safety integrity is derived by undertaking a hazard & risk analysis and determining the extent of risk reduction which the particular safety function brings about. The general principle is that more rigour is required in the engineering of safety-related systems at higher levels of safety integrity in order to achieve the lower failure rates which are required to achieve tolerable risk.

4.1 EM environment

Qualify and quantify the exposure of the apparatus to the EM disturbances present in its intended operational environment(s), taking into account likely (or possible) changes to the environment(s) in the future. This should include all reasonably foreseeable exposure to EM disturbances of whatever kind.

EN 61000-2-5 can be a helpful guidance.

4.2 EM Specification

Determine the acceptable immunity and emissions performance criteria for each safety-related function of the apparatus, for each of the EM disturbances identified above, to achieve the desired “compatibility margins” for the appropriate safety integrity levels.

The results are often most conveniently expressed as a table (matrix) of function versus EM phenomenon, with the performance criteria in the cells. (This is a hazards and risks assessment, and may result in different functional performance criteria than are required for compliance with the EMC Directive.)

4.3 Test Procedure

The test procedure and performance criteria which will be used to validate the immunity levels should then be specified. Performance criteria for immunity testing should take into account the hazards and risks associated with the application. For example, even temporary degradation of performance or loss of function may not be acceptable in some applications.

4.4 Design, build, verify, maintain

Ensure that all necessary steps are taken throughout the apparatus’ entire life-cycle (including maintenance, upgrade, or refurbishment) to meet the EM functional performance criteria specified above, and that appropriate validation occurs before supply and after maintenance, modification, upgrade, and refurbishment (especially software).

Validation should ensure that the product’s required functional performance is actually achieved in its intended operational environment(s), and that its safety is as required.

4.5 User Instructions

Provide all the installation, use, and maintenance instructions necessary to define the EM environment that the apparatus is intended for, and achieve and maintain the required EM performance.

It is also recommended that a description of how EM interference may appear to the user, and the simple mitigation measures that the user can take, be included. IEC 61000-5-2 and IEC 61000-5-6 are recommended for guidance on good EMC build and installation practices.

4.6 Remarks

4.6.1 Testing is unlikely to reveal all the potential modes of functional degradation which may result from EM disturbances. In this respect, the achievement of EMC in the context of safety should be approached in a similar way to that necessary for safety-related software.

That is, it is important that a systematic approach is adopted at all stages of the safety-lifecycle in order to avoid, as far as possible, the introduction of systematic faults.

It is particularly important that EMC is considered at an early stage during the design of equipment as it is often then that the most effective measures can be taken (this is also likely to be the most cost-effective way to ensure EMC).

4.6.2 EM disturbances may be the cause of “common cause faults”. These are identical faults which occur at the same time in different parts of a system due to a common cause.

It is particularly important to consider these in safety-related systems which employ redundant architectures as a means of protecting against random failures of hardware components.

Estimates of hardware reliability should take into account the possibility of such common-cause faults because they can significantly increase the likelihood of failure from that which results from consideration of random failures only.

4.6.3 Even during servicing and maintenance procedures, safety is still required, so maintenance and modification procedures should consider EMC.

In particular, the use of mobile radiocommunications close to equipment which has had covers removed should be carefully controlled, particularly when equipment is being maintained “on-line”.

4.6.4 Where protective devices (e.g. varistor transient suppressors) are used to achieve a level of immunity, and where failure of such a device could cause a reduction in immunity level which could lead to danger, then the failure of such devices should either be detected automatically (for example by the action of diagnostic tests) or the devices should be tested on a regular basis to reveal any failures.

The periodicity of such tests would need to be determined on the basis of the acceptable probability of failure in a particular application.

4.6.5 The same applies to the design of watchdogs: the observation cycle and the bit patterns to be observed must be carefully chosen, to ensure a fail-safe “reset” of the µP system.
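To make this concrete, the following is a constructed simulation added here (it is not part of the workshop material): the single-status-bit watchdog from example 2.10 is run beside a pattern-checking watchdog of the kind 4.6.5 calls for, against a healthy processor and three failure modes. The register layout (bit 7 as an “alive” flag, an alternating heartbeat in the low nibble) and the fault models are my own assumptions, chosen for illustration.

```c
/* Constructed simulation: one processor status register, two watchdog
 * designs, four processor behaviours. Not code from the workshop. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed register layout (my own choice): bit 7 is a static "alive" flag that
 * a healthy processor always writes as 1; the low nibble carries a heartbeat
 * that a healthy processor alternates 0x5, 0xA, 0x5, 0xA ... every cycle. */
#define ALIVE_BIT 0x80
#define PATTERN_A 0x05
#define PATTERN_B 0x0A

typedef enum {
    FAIL_NONE,        /* healthy processor */
    FAIL_STUCK_HIGH,  /* IC failure drives every output to logic 1 (example 2.10) */
    FAIL_STUCK_LOW,   /* every output reads logic 0 */
    FAIL_FROZEN       /* processor hangs; the register holds its last value */
} fault_t;

/* Value a healthy processor writes in cycle n. */
static uint8_t healthy_status(unsigned n)
{
    return ALIVE_BIT | ((n % 2 == 0) ? PATTERN_A : PATTERN_B);
}

/* Value actually present on the register in cycle n, with the fault
 * injected from cycle fault_cycle onwards. */
uint8_t processor_status(unsigned n, fault_t fault, unsigned fault_cycle)
{
    if (n < fault_cycle) return healthy_status(n);
    switch (fault) {
    case FAIL_STUCK_HIGH: return 0xFF;
    case FAIL_STUCK_LOW:  return 0x00;
    case FAIL_FROZEN:     return healthy_status(fault_cycle); /* last write, held */
    default:              return healthy_status(n);
    }
}

/* Design from example 2.10: trip only when the status bit reads 0.
 * A failure that forces every line to logic 1 is invisible to it. */
bool simple_watchdog_trips(uint8_t status)
{
    return (status & ALIVE_BIT) == 0;
}

/* Design following 4.6.5: the pattern must be one of the two legal values
 * AND must differ from the previous sample. A stuck-high, stuck-low or
 * frozen register violates this whatever logic level the failure produces. */
typedef struct {
    bool    have_prev;
    uint8_t prev;
} pattern_wd_t;

void pattern_wd_init(pattern_wd_t *wd)
{
    wd->have_prev = false;
    wd->prev = 0;
}

bool pattern_wd_sample(pattern_wd_t *wd, uint8_t status)
{
    uint8_t pat = status & 0x0F;
    bool trip = (pat != PATTERN_A && pat != PATTERN_B); /* illegal pattern */
    if (wd->have_prev && pat == wd->prev)                 /* no alternation */
        trip = true;
    wd->prev = pat;
    wd->have_prev = true;
    return trip;
}

/* Cycle in which each watchdog first trips, or -1 if it never does. */
typedef struct {
    int simple_trip;
    int pattern_trip;
} result_t;

result_t run_scenario(fault_t fault, unsigned fault_cycle, unsigned cycles)
{
    result_t r = { -1, -1 };
    pattern_wd_t wd;
    pattern_wd_init(&wd);
    for (unsigned n = 0; n < cycles; n++) {
        uint8_t s = processor_status(n, fault, fault_cycle);
        if (r.simple_trip < 0 && simple_watchdog_trips(s))
            r.simple_trip = (int)n;
        bool p = pattern_wd_sample(&wd, s);  /* sampled every cycle to keep history */
        if (r.pattern_trip < 0 && p)
            r.pattern_trip = (int)n;
    }
    return r;
}

int main(void)
{
    static const char *names[] = { "none", "stuck-high", "stuck-low", "frozen" };
    for (int f = FAIL_NONE; f <= FAIL_FROZEN; f++) {
        result_t r = run_scenario((fault_t)f, 5, 20);
        printf("%-10s simple: %3d  pattern: %3d\n", names[f], r.simple_trip, r.pattern_trip);
    }
    return 0;
}
```

The stuck-high case reproduces the incident in 2.10 (the simple watchdog never trips, the pattern watchdog trips in the cycle the fault appears), while the frozen case shows that the detection latency is set by the observation cycle: the pattern watchdog needs one further sample before it can tell that the heartbeat has stopped alternating.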

4.6.6 The above has dealt with the immunity of a product, system, or installation to its EM environment, but it must not be overlooked that some equipment can emit EM disturbances which markedly worsen the local EM environment, possibly causing degraded functionality in other equipment.

Audio or radio communication systems can be very susceptible to EM disturbances, which can lead to safety risks if they are used to communicate safety information.

Some industrial, scientific, or medical equipment utilises radio frequency (RF) energy at high powers to perform its intended function (e.g. induction heating, plastic RF welding or sealing, RF-assisted metal welding), and emissions from these can cause errors in nearby instrumentation or control, with possible safety risks.

So, when planning new equipment, steps need to be taken to ensure that its EM disturbances do not reduce the compatibility levels (safety margins) for the existing equipment below what is necessary for its functional safety.

4.6.7 Warning of a safety hazard is considered no substitute for guarding against it, where guarding is possible. Guarding is considered no substitute for designing the hazard out in the first place, where it is possible to design the hazard out.

4.7 Safety management

• Set up a safety programme plan, dealing with the milestones of the design phase, production, …
• Reference to procedures and standards: include techniques such as FTA, FMEA, …
• EMC hazards to be identified and addressed

Two standards are involved:

EN 61000-1-2: Methodology for the achievement of functional safety of electrical and electronic equipment.

EN 61508: Functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems (SRS).

Conclusion:

EMC-related functional safety is NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed in order to ensure fail-safe operation over the complete life-cycle of a product.

5 EN 61000-1-2

The document addresses the following items:

• safety description of the equipment
• safety requirements
• risk analysis tools
• check-list of measures and techniques
• design considerations

General considerations

• define the structure, design and intended functions of the equipment
• describe the relevant electromagnetic environment
• specify the safety requirements
• analysis to identify the hazards which can cause safety risks
• EMC tests for safety
• produce operation and maintenance instructions to ensure safety in the course of time

The two most important items in the previous overview are:

• the dependability analysis, which confirms an appropriate design and/or the interpretation of test results
• the actual testing for safety, which confirms that the requirements are effectively fulfilled

[Figure: Lifecycle and functional safety for individual equipment. Stages shown: Concept, Functional requirements, Hazard and risk analysis, Safety specifications, Design & development, Validation, Manufacture, Use of equipment, Disposal. EMC inputs feed several of these stages; validation can return the design for modification; instructions for operation and maintenance accompany the use of the equipment.]

Electromagnetic environment

The following disturbance phenomena must be considered and defined:

• conducted low frequency phenomena
• radiated low frequency phenomena
• conducted high frequency phenomena
• radiated high frequency phenomena
• electrostatic discharge

Table 1-Overview of disturbance phenomena

Conducted low frequency phenomena
• Harmonics, interharmonics
• Signalling systems
• Voltage fluctuations
• Voltage dips and interruptions
• Voltage unbalance
• Power frequency variations
• Induced low frequency voltages
• d.c. in a.c. networks

Radiated low frequency field phenomena
• Magnetic fields*
• Electric fields*
(* continuous or transient)

Conducted high frequency phenomena
• Induced CW voltages or currents
• Unidirectional transients*
• Oscillatory transients*
(* single or repetitive (bursts))

Radiated high frequency field phenomena
• Magnetic fields
• Electric fields
• Electromagnetic fields
  > continuous waves
  > transients*
(* single or repetitive)

Electrostatic discharge phenomena (ESD)

High altitude electromagnetic pulse (HEMP)*
(* to be considered under special conditions)

Safety requirements & failure criteria

• Safety integrity of the equipment against the ambient EM environment: this requires that the level of immunity against EM disturbances, combined with other causes, results in an overall acceptable risk.

• Safety integrity of the equipment against internal EMC: typical examples are internal ESD (moving plastic parts) and/or internal EFT (switching on/off of motors, valves, actuators…).

Assessment methods

The dependability analysis can be based on two principles:

• Deductive methodology (top-down): this method is event oriented; starting from a defined top event, it tries to identify the responsible components. The typical method used is Fault Tree Analysis (FTA).

• Inductive methodology (bottom-up): this method identifies fault modes at component level and looks for the corresponding performance at system level.

EMC TESTING with regard to SAFETY

For EMC immunity testing, it was already proposed to specify two series of tests:

• for system parts not relevant for safety
• for system parts relevant for safety, with more severe immunity requirements if necessary

During testing, observable effects can be promoted by applying higher disturbance levels (higher repetition rates for transients, other modulation frequencies, signal shapes,…).

Safety related elements should be tested separately.

Risk analysis techniques

GENERAL CONSIDERATIONS

• tracing possibilities of multiple faults and common causes
• probability of the EM disturbance (variation with time)
• properties of the EM disturbance
• dependence on the state of the machine for identical causes
• the effect of disturbances can depend on the way of installation
• many disturbances can be present at the same time

EMC will best fit with a TOP-DOWN analysis.

ANALYSIS METHODS

• Fault Tree Analysis (FTA) as in IEC 61025
• Failure Mode and Effect Analysis (FMEA) as in IEC 60812
• Reliability of block diagrams and components as in IEC 61078
• Markov Analysis as in IEC 61165
• Other techniques:
  > Event tree analysis
  > Hazard and operability study (HAZOP)
  > WHAT-IF method
  > Method organised for a systemic analysis of risks (MOSAR)
  > DELPHI

Check list of measures & techniques

Specify the unwanted safety events

• no operation when operation is required
• operation when no operation is required
• wrong (and dangerous) operation

Specify the EM environments

• reference to standards to determine disturbance levels
• measurement of the EM environment to confirm assumptions

Design and development strategy

• structure reducing the probability of dangerous failures
• appropriate software development
• dependability analysis
• avoiding the use of susceptible components (if known)
• testing of components and subsystems, cabling…
• use of appropriate CAD tools to reduce EMC problems
• use of consultancy and competence
• design reviews

Implementation and integration

• procedures to ensure the procurement of correct components
• procedures to ensure correct assembly of equipment
• verification and quality assurance procedures

Installation

• specification of constraints on length and routing of cables
• specification of types of cables
• specification of method of terminating screens
• specification of type of connectors
• specification of physical positioning relative to other equipment
• specification of power supply requirements
• specification of any screening/shielding in addition to the unit itself
• specification of earthing and bonding requirements
• specification of installation procedure and use of special materials

Safety Validation

• dependability analysis
• verification of correct implementation of safety requirements
• survey of actual EM environment to confirm assumptions
• laboratory testing of safety behaviour and functions
• immunity testing using higher levels to determine margins
• use of special conditions to exercise states known to be sensitive to EMC
• in situ testing of safety behaviour and functions
• quantitative evaluation of failure rates based on statistics

Operation and maintenance

• specification and use of operating procedures to preserve EMC
• specification of restrictions on operation, also of other apparatus (e.g. use of GSM, ...)
• specify disassembly/reassembly techniques to preserve EMC
• periodic testing of EMC-critical components
• periodic replacement of EMC-critical components (e.g. gaskets)
• periodic testing of safety-related components and functions

Modifications

• assessment of the effect of any modification on EMC of both equipment under consideration and any other equipment which might be affected

6 EN 61508

Part 1: General requirements
Part 2: Requirements for E/E/PE safety related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of SILs
Part 6: Guidelines on the application of parts 2 and 3
Part 7: Overview of techniques and measures

Part 1 General requirements

1 Scope
2 Conformance to this standard
3 Documentation
4 Management of functional safety
5 Overall safety lifecycle requirements
  5.1 General
  5.2 Concept
  5.3 Overall scope definition
  5.4 Hazard and risk analysis
  5.5 Overall safety requirements
  5.6 Safety requirements allocation
  5.7 Overall operation and maintenance planning
  5.8 Overall safety validation planning
  5.9 Overall installation and commissioning planning
  5.10 Realisation: E/E/PE
  5.11 Overall installation and commissioning
  5.12 Overall safety validation
  5.13 Overall operation, maintenance and repair
  5.14 Overall modification and retrofit
  5.15 Decommissioning or disposal
  5.16 Verification
6 Functional safety assessment
  6.1 Objective
  6.2 Requirements

Part 2 Requirements for E/E/PE safety related systems

1 Scope
2 E/E/PES safety lifecycle requirements
  2.1 General
  2.2 E/E/PE system safety requirements specification
  2.3 E/E/PE system safety validation planning
  2.4 E/E/PE system design and development
  2.5 E/E/PE system integration
  2.6 E/E/PE system operation and maintenance procedures
  2.7 E/E/PE system safety validation
  2.8 E/E/PE system modification
  2.9 E/E/PE system verification

Part 3 Software requirements

1 Scope
2 Software quality management system
  2.1 Objectives
  2.2 Requirements
3 Software safety lifecycle requirements
  3.1 General
  3.2 Software safety requirements specification
  3.3 Software safety validation planning
  3.4 Software design and development
  3.5 Programmable electronics integration (hardware and software)
  3.6 Software operation and modification procedures
  3.7 Software safety validation
  3.8 Software modification
  3.9 Software verification
4 Functional safety assessment

Part 4 Definitions and abbreviations

Part 5 Examples of methods for the determination of SILs

1 Scope
2 Annex A: General concepts
  2.1 General
  2.2 Necessary risk reduction
  2.3 Role of the E/E/PE SRSs
  2.4 Safety integrity
  2.5 Risk and safety integrity
  2.6 Safety integrity levels and software SILs
  2.7 Allocation of safety requirements
3 Annex B: ALARP and tolerable risk concepts
  3.1 General
  3.2 ALARP model (as low as reasonably practicable)
4 Annex C: Determination of SILs: a qualitative method
  4.1 General
  4.2 General method
  4.3 Example calculation
5 Annex D: Determination of SILs: a qualitative method: risk graph
  5.1 General
  5.2 Risk graph synthesis
  5.3 Other possible risk parameters
  5.4 Risk graph implementation: general scheme
6 Annex E: Determination of SILs: a qualitative method: hazardous event severity matrix
  6.1 General
  6.2 Hazardous event severity matrix

Part 6 Guidelines on the application of parts 2 and 3
1 Scope
2 Annex A: Application of parts 2 and 3
2.1 General
2.2 Functional steps
3 Annex B: Example technique for evaluating probabilities of failure
4 Annex C: Calculation of the diagnostic coverage: worked example
5 Annex D: A methodology for quantifying the effect of hardware-related common cause failures in multi-channel PE systems
5.1 General
5.2 Brief overview
5.3 Scope of the methodology
5.4 Points taken into account in the methodology
5.5 Using β to calculate the probability of failure in an E/E/PE SRS due to common cause failures
5.6 Using the tables to estimate β
6 Annex E: Example of software safety integrity tables of part 3

Part 7 Overview of techniques and measures
1 Scope

7 RISK ANALYSIS METHODS

Different methods are available, but only a few are commonly used and/or standardised:
• Fault Tree Analysis (FTA): IEC 61025
• Failure Mode and Effects Analysis (FMEA): IEC 60812
• Reliability Block Diagrams (RBD): IEC 61078
• Markov analysis: IEC 61165

FTA and FMEA can "easily" be used for EMC events.

FTA: Fault Tree Analysis (IEC 61025), top down
• deductive method
• can handle common cause failures
• can handle time-varying failures
• events can also be a degradation of performance only
• can be based on qualitative reasoning

FMEA: Failure Mode and Effects Analysis (IEC 60812), bottom up
• inductive method
• hardware approach: consider the failure of components (not suitable for EMC analysis)
• functional approach: consider in what ways a function deviates from its specifications

For the analysis of EMC related to functional safety, FTA is the most suitable, because it starts from the failing state and works down to its causes. An example is included in IEC 61000-1-2. FMEA is most suitable for the analysis of component failures.

The other methods are used for reliability and availability analysis of systems.
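As an added illustration of the FTA points above (not part of the presentation), a small Python fault-tree evaluator for the PLC hazard from the introduction: it derives the minimal cut sets (the causes an FTA works down to) and shows why a common-cause basic event shared by several branches must not be combined gate-by-gate as if it were independent. All event names and probabilities are constructed assumptions.

```python
from itertools import product
from math import prod

# Constructed fault tree for the presentation's PLC hazard: top event =
# unintended machine movement. Gates are ("AND", ...) / ("OR", ...), leaves
# are basic-event names; names and probabilities are assumed for illustration.
UNINTENDED_MOVEMENT = (
    "OR",
    ("AND", "mains_transient", "io_latch_upset"),      # corrupted output state
    ("AND", "mains_transient", "watchdog_fails"),      # hung CPU is not reset
    ("AND", "walkie_talkie_rf", "poor_cable_shield"),  # RF induced on a sensor line
)
BASIC_EVENT_PROB = {"mains_transient": 0.05, "io_latch_upset": 0.02,  # per demand,
                    "watchdog_fails": 0.10, "walkie_talkie_rf": 0.01,  # constructed
                    "poor_cable_shield": 0.20}

def basic_events(tree):
    """All basic-event names under a gate or leaf."""
    return {tree} if isinstance(tree, str) else set().union(*map(basic_events, tree[1:]))

def evaluate(tree, state):
    """Truth value of the tree for one assignment of basic events."""
    if isinstance(tree, str):
        return state[tree]
    values = [evaluate(child, state) for child in tree[1:]]
    return all(values) if tree[0] == "AND" else any(values)

def naive_probability(tree, prob):
    """Gate-by-gate combination assuming independence; wrong when a common cause is shared."""
    if isinstance(tree, str):
        return prob[tree]
    ps = [naive_probability(child, prob) for child in tree[1:]]
    return prod(ps) if tree[0] == "AND" else 1.0 - prod(1.0 - p for p in ps)

def exact_probability(tree, prob):
    """Exact top-event probability: enumerate all states so a shared event counts once."""
    names = sorted(basic_events(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if evaluate(tree, state):
            total += prod(prob[n] if on else 1.0 - prob[n] for n, on in state.items())
    return total

def minimal_cut_sets(tree):
    """Smallest event combinations sufficient for the top event (the causes an FTA finds)."""
    names = sorted(basic_events(tree))
    cuts = [frozenset(n for n, on in zip(names, bits) if on)
            for bits in product((False, True), repeat=len(names))
            if evaluate(tree, dict(zip(names, bits)))]
    return sorted((c for c in cuts if not any(o < c for o in cuts)),
                  key=lambda c: (len(c), sorted(c)))
```

With these constructed values the gate-by-gate figure (about 0.00798) is higher than the exact one (about 0.00789), because the two branches that share mains_transient are positively correlated; the difference grows with the probability of the shared event.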

8 Example of Safety Analysis related to IEC 61508: SAFECHECK

The software package "SAFECHECK" is an electronic checklist based on the IEC 61508 standards; it produces two listings, of "DONE" and "TO DO" items. It was developed under a research grant from the Flemish Government (SAFESYS).

9 Example of risk analysis, related to FTA, FMEA, RBD and Markov: RELEX

The software package "RELEX" is a commercially available package that includes risk analysis following the FTA, FMEA, RBD and Markov methods.

It also includes a database of reliability data for electronic components, so that in an FMEA priority can be given to the components with the highest failure rate.

10 CONCLUSIONS

EMC and functional safety is NOT covered by the EMC Directive. Specific procedures and hazard analysis methods are needed in order to ensure fail-safe operation over the complete life-cycle of a product.

System level:
• Power quality of the mains is a very important, and unknown, issue
• Use of nearby intended RF sources (cellphones, power…)
• The software platform that is used must deliver "tractable" actions

Component level:
• Careful use of "new" components and second-source components over the life-cycle of a product
• Implementation of watch-dogs!
• Software must be checked as software AND for its hardware execution!

Management level:
• "Standards" are available as guidance for fail-safe design
• Risk analysis must be performed for SRS
• Mixed applications (normal control and SRS) need full compliance with functional safety
