Interlock Architectures – Pt. 2: Category 1

This entry is part 2 of 8 in the series Circuit Architectures Explored

This article expands on the first in the series “Interlock Architectures – Pt. 1: What do those categories really mean?”. Learn about the basic circuit architectures that underlie all safety interlock systems under ISO 13849-1, CSA Z432 and ANSI RIA R15.06.

In Part 1 of this series we explored Category B, the Basic Category that underpins all the other Categories. This post builds on Part 1 by taking a look at Category 1. Let’s start by exploring the difference as defined in ISO 13849-1. When you are reading, remember that “SRP/CS” stands for “Safety Related Parts of Control Systems”.

SRP/CS of Category 1 shall be designed and constructed using well-tried components and well-tried safety principles (see ISO 13849-2).

Well-Tried Components

So what, exactly, is a “Well-Tried Component”? Let’s go back to the standard for that:

A “well-tried component” for a safety-related application is a component which has been either

a) widely used in the past with successful results in similar applications, or
b) made and verified using principles which demonstrate its suitability and reliability for safety-related applications.

Newly developed components and safety principles may be considered as equivalent to “well-tried” if they fulfil the conditions of b).

The decision to accept a particular component as being “well-tried” depends on the application.

NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well tried”.

[1, 6.2.4]

Let’s look at what this all means by referring to ISO 13849-2:

Table 1 — Well-Tried Components [2]

Screw
  Conditions for “well-tried”: All factors influencing the screw connection and the application are to be considered. See Table A.2 “List of well-tried safety principles”.
  Standard or specification: Mechanical jointing such as screws, nuts, washers, rivets, pins, bolts etc. are standardised.

Spring
  Conditions for “well-tried”: See Table A.2 “Use of a well-tried spring”.
  Standard or specification: Technical specifications for spring steels and other special applications are given in ISO 4960.

Cam
  Conditions for “well-tried”: All factors influencing the cam arrangement (e.g. part of an interlocking device) are to be considered. See Table A.2 “List of well-tried safety principles”.
  Standard or specification: See EN 1088 (ISO 14119) (Interlocking devices).

Break-pin
  Conditions for “well-tried”: All factors influencing the application are to be considered. See Table A.2 “List of well-tried safety principles”.

Now we have a few ideas about what might constitute a ‘well-tried component’. Unfortunately, you will notice that ‘contactor’ or ‘relay’ or ‘limit switch’ appear nowhere on the list. This is a challenge, but one that can be overcome. The key to dealing with this is to look at how the components that you are choosing to use are constructed. If they use these components and techniques, you are on your way to considering them to be well-tried.

Another approach is to let the component manufacturer worry about the details of the construction of the device, and simply ensure that components selected for use in the SRP/CS are ‘safety rated’ by the manufacturer. This can work in 80-90% of cases, with a small percentage of components, such as large motor starters, some servo and stepper drives and other similar components, unavailable with a safety rating. It’s worth noting that many drive manufacturers are starting to produce drives with built-in safety components that are intended to be integrated into your SRP/CS.

Exclusion of Complex Electronics

Note 1 from the first part of the definition is very important. So important that I’m going to repeat it here:

NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application-specific integrated circuit) cannot be considered as equivalent to “well tried”.

I added the bold text to emphasize the importance of this statement. While this is included in a Note and is therefore considered to be explanatory text and not part of the normative body of the standard, it illuminates a key concept. This little note is what prevents a standard PLC from being used in Category 1 systems. It’s also important to realize that this definition is only considering the hardware – no mention of software is made here, and software is not dealt with until later in the standard.

Well-Tried Safety Principles

Let’s have a look at what ‘Well-Tried Safety Principles’ might be.

Table 2 — Well-Tried Safety Principles [2, A.2]

Use of carefully selected materials and manufacturing
  Remarks: Selection of suitable material, adequate manufacturing methods and treatments related to the application.

Use of components with oriented failure mode
  Remarks: The predominant failure mode of a component is known in advance and always the same, see EN 292-2:1991, (ISO/TR 12100-2:1992), 3.7.4.

Over-dimensioning/safety factor
  Remarks: The safety factors are given in standards or by good experience in safety-related applications.

Safe position
  Remarks: The moving part of the component is held in one of the possible positions by mechanical means (friction only is not enough). Force is needed for changing the position.

Increased OFF force
  Remarks: A safe position/state is obtained by an increased OFF force in relation to ON force.

Careful selection, combination, arrangement, assembly and installation of components/system related to the application

Careful selection of fastening related to the application
  Remarks: Avoid relying only on friction.

Positive mechanical action
  Remarks: Dependent operation (e.g. parallel operation) between parts is obtained by positive mechanical link(s). Springs and similar “flexible” elements should not be part of the link(s) [see EN 292-2:1991 (ISO/TR 12100-2:1992), 3.5].

Multiple parts
  Remarks: Reducing the effect of faults by multiplying parts, e.g. where a fault of one spring (of many springs) does not lead to a dangerous condition.

Use of well-tried spring (see also Table A.3)
  Remarks: A well-tried spring requires:
    • use of carefully selected materials, manufacturing methods (e.g. presetting and cycling before use) and treatments (e.g. rolling and shot-peening),
    • sufficient guidance of the spring, and
    • sufficient safety factor for fatigue stress (i.e. with high probability a fracture will not occur).
  Well-tried pressure coil springs may also be designed by:
    • use of carefully selected materials, manufacturing methods (e.g. presetting and cycling before use) and treatments (e.g. rolling and shot-peening),
    • sufficient guidance of the spring, and
    • clearance between the turns less than the wire diameter when unloaded, and
    • sufficient force after a fracture(s) is maintained (i.e. a fracture(s) will not lead to a dangerous condition).

Limited range of force and similar parameters
  Remarks: Decide the necessary limitation in relation to the experience and application. Examples for limitations are break pin, break plate, torque limiting clutch.

Limited range of speed and similar parameters
  Remarks: Decide the necessary limitation in relation to the experience and application. Examples for limitations are centrifugal governor; safe monitoring of speed or limited displacement.

Limited range of environmental parameters
  Remarks: Decide the necessary limitations. Examples on parameters are temperature, humidity, pollution at the installation. See clause 8 and consider manufacturer’s application notes.

Limited range of reaction time, limited hysteresis
  Remarks: Decide the necessary limitations. Consider e.g. spring tiredness, friction, lubrication, temperature, inertia during acceleration and deceleration, combination of tolerances.

Use of Positive-Mode Operation

The use of these principles in the components, as well as in the overall design of the safeguards, is important. In developing a system that uses ‘positive mode operation’, the mechanical linkage that operates the electrical contacts or the fluid-power valve that controls the prime-mover(s) (i.e. motors, cylinders, etc.) must act to directly drive the control element (contacts or valve spool) to the safe state. Springs can be used to return the system to the run state or dangerous state, since a failure of the spring will result in the interlock device staying in the safe state (fail-safe or fail-to-safety).

CSA Z432 [3] provides us with a nice diagram that illustrates the idea of “positive-action” or “positive-mode” operation:

Figure 1 – Positive Mode Operation [3, B.10]

In Fig. 1, opening the guard door forces the roller to follow the cam attached to the door, driving the switch contacts apart and opening the interlock. Even if the contacts were to weld, they would still be driven apart, since the mechanical advantage provided by the width of the door and the cam is more than enough to force the contacts apart.

Here’s an example of a ‘negative mode’ operation:

Figure 2 – Negative Mode Operation [3, B.11]

In Fig. 2, the interlock switch relies on a spring to enter the safe state when the door is opened. If the spring in the interlock device fails, the system fails-to-danger. Also note that this design is very easy to defeat. A ‘zip-tie’ or some tape is all that would be required to keep the interlock in the ‘RUN’ condition.

You should have a better idea of what is meant when you read about positive and negative modes of operation now. We’ll talk about defeat resistance in another article.

Reliability

Combining what you’ve learned so far, you can see that correctly specified components, combined with over-dimensioning and implementation of design limits along with the use of well-tried safety principles, will go a long way to improving the reliability of the control system. The next part of the definition of Category 1 speaks to some additional requirements:

The MTTFd of each channel shall be high.

The maximum PL achievable with category 1 is PL = c.

NOTE 2 There is no diagnostic coverage (DCavg = none) within category 1 systems. In such structures (single-channel systems) the consideration of CCF is not relevant.

NOTE 3 When a fault occurs it can lead to the loss of the safety function. However, the MTTFd of each channel in category 1 is higher than in category B. Consequently, the loss of the safety function is less likely.

We now know that the integrity of a Category 1 system is greater than a Category B system, since the channel MTTFd of the system has gone from “Low-to-Medium” in systems exhibiting PLa or PLb performance to “High” in systems exhibiting PLb or PLc performance. [1, Table 5] shows this difference in terms of predicted years to failure. As you can see, MTTFd “High” corresponds to a predicted mean time to dangerous failure of between 30 and 100 years. This is a pretty good result for simply improving the components used in the system!

Table 3 – Mean time to dangerous failure [1, Table 5]

The other benefit is the increase in the overall PL. Where Category B architecture can provide PLb performance at best, Category 1 takes this up a notch to PLc. To get a handle on what PLc means, let’s look at our single and three shift examples again. If we take a Canadian operation with a single shift per day and a 50 week working year we get:

7.5 h/shift x 5 d/w x 50 w/a = 1875 h/a

where h = hours, d = days, w = weeks and a = years.

In this case, PLc is equivalent to one failure in 533.3 years of operation to 1600 years of operation.

Looking at three shifts per day in the same operation gives us:

7.5 h/shift x 3 shifts/d x 5 d/w x 50 w/a = 5625 h/a

In this case, PLc is equivalent to one failure in 177.8 years of operation to 533.3 years of operation.

When completing the analysis of a system, [1] limits the system MTTFd to 100 years regardless of what the individual channel MTTFd may be. Where the actual MTTFd is important relates to the need to replace components during the lifetime of the product. If a component or a sub-system has an MTTFd that is less than the mission time of the system, then the component or subsystem must be replaced by the time the product reaches its MTTFd. 20 years is the default mission time, but you can choose a shorter or longer time span if it makes sense.

Remember that these are probabilities, not guarantees. A failure could happen in the first hour of operation, the last hour of operation or never. These figures simply provide a way for you as the designer to gauge the relative reliability of the system.
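The shift-hour arithmetic, the PFHd-to-years conversion and the two MTTFd rules above (the 100-year cap and the mission-time replacement check), carried through in Python as an added worked example; this is not code from the original article. It takes the PL band as an input so the conversion can be checked for any duty cycle. The PL c limits of 1×10⁻⁶ to 3×10⁻⁶ dangerous failures per hour and the MTTFd bands of 3, 10, 30 and 100 years are assumptions taken from ISO 13849-1:2006 Tables 3 and 5, and the function names are my own.

```python
"""Reliability arithmetic for a Category 1 channel: operating hours per year,
PFHd converted into years between dangerous failures, and the MTTFd banding,
100-year cap and mission-time check. Added example, not the article's code."""

# Assumed PL c band from ISO 13849-1:2006 Table 3, in dangerous failures per hour.
PL_C_PFHD_LOW = 1e-6   # best case inside the PL c band
PL_C_PFHD_HIGH = 3e-6  # upper limit of the band (3e-6 itself is already PL b)

# MTTFd bands per channel in years, assumed from ISO 13849-1:2006 Table 5.
MTTFD_LOW_MIN = 3
MTTFD_MEDIUM_MIN = 10
MTTFD_HIGH_MIN = 30
MTTFD_CAP_YEARS = 100       # the analysis never credits more than 100 years
DEFAULT_MISSION_TIME = 20   # default mission time in years


def annual_hours(hours_per_shift, shifts_per_day, days_per_week, weeks_per_year):
    """Operating hours per year: h/shift x shifts/d x d/w x w/a."""
    return hours_per_shift * shifts_per_day * days_per_week * weeks_per_year


def years_between_dangerous_failures(pfhd, hours_per_year):
    """Mean years between dangerous failures for a duty cycle: 1 / (PFHd x h/a)."""
    if pfhd <= 0 or hours_per_year <= 0:
        raise ValueError("PFHd and hours per year must be positive")
    return 1.0 / (pfhd * hours_per_year)


def pl_years_range(pfhd_low, pfhd_high, hours_per_year):
    """(worst, best) years between dangerous failures spanned by a PL band,
    rounded to one decimal place."""
    worst = years_between_dangerous_failures(pfhd_high, hours_per_year)
    best = years_between_dangerous_failures(pfhd_low, hours_per_year)
    return (round(worst, 1), round(best, 1))


def capped_mttfd(mttfd_years):
    """Channel MTTFd as the analysis may credit it: capped at 100 years."""
    return min(mttfd_years, MTTFD_CAP_YEARS)


def mttfd_band(mttfd_years):
    """Table 5 band ('low', 'medium', 'high') for a channel MTTFd;
    None below the 3-year floor, where the value is not usable."""
    years = capped_mttfd(mttfd_years)
    if years >= MTTFD_HIGH_MIN:
        return "high"
    if years >= MTTFD_MEDIUM_MIN:
        return "medium"
    if years >= MTTFD_LOW_MIN:
        return "low"
    return None


def replacement_due(mttfd_years, mission_time=DEFAULT_MISSION_TIME):
    """True when a component's MTTFd is shorter than the mission time, so it
    must be scheduled for replacement before it reaches its MTTFd."""
    return mttfd_years < mission_time


if __name__ == "__main__":
    # Constructed duty cycles matching the article's single- and three-shift cases.
    for label, shifts in (("single shift", 1), ("three shifts", 3)):
        hours = annual_hours(7.5, shifts, 5, 50)
        worst, best = pl_years_range(PL_C_PFHD_LOW, PL_C_PFHD_HIGH, hours)
        print(f"{label}: {hours:g} h/a, PL c = one dangerous failure in "
              f"{worst} to {best} years")
    # Constructed component MTTFd values to exercise the banding and the rules.
    for mttfd in (8, 45, 150):
        print(f"MTTFd {mttfd} a -> band {mttfd_band(mttfd)}, "
              f"credited {capped_mttfd(mttfd)} a, "
              f"replace within 20 a mission: {replacement_due(mttfd)}")
```

The years-between-failures figure scales inversely with hours per year, which is why the same PL band looks better on paper for a single-shift plant than for a three-shift one; the band limits are the only other input, so any PL from Table 3 can be substituted for the PL c constants.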

Well-Tried Components versus Fault Exclusions

The standard goes on to outline some key distinctions between ‘well-tried component’ and ‘fault exclusion’. We’ll talk more about fault exclusions later in the series.

It is important that a clear distinction between “well-tried component” and “fault exclusion” (see Clause 7) be made. The qualification of a component as being well-tried depends on its application. For example, a position switch with positive opening contacts could be considered as being well-tried for a machine tool, while at the same time as being inappropriate for application in a food industry — in the milk industry, for instance, this switch would be destroyed by the milk acid after a few months. A fault exclusion can lead to a very high PL, but the appropriate measures to allow this fault exclusion should be applied during the whole lifetime of the device. In order to ensure this, additional measures outside the control system may be necessary. In the case of a position switch, some examples of these kinds of measures are

  • means to secure the fixing of the switch after its adjustment,
  • means to secure the fixing of the cam,
  • means to ensure the transverse stability of the cam,
  • means to avoid over travel of the position switch, e.g. adequate mounting strength of the shock absorber and any alignment devices, and
  • means to protect it against damage from outside.

[1, 6.2.4]

System Block Diagram

Finally, let’s look at the block diagram for Category 1. You will notice that it looks the same as the Category B block diagram, since only the components used in the system have changed, and not the architecture.

Figure 3 – Category 1 Block Diagram [1, Fig. 9]

References

[1] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design. ISO Standard 13849-1, Ed. 2. 2006.

[2] Safety of machinery — Safety-related parts of control systems — Part 2: Validation. ISO Standard 13849-2, Ed. 2. 2012.

[3] Safeguarding of Machinery. CSA Standard Z432. 2004.

Add to your Library

If you are working on implementing these design standards in your products, you need to buy copies of the standards for your library.

  • ISO 13849-1:2006 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
  • ISO 13849-2:2003 Safety of machinery — Safety-related parts of control systems — Part 2: Validation


If you are working in the EU, or are working on CE Marking your product, you should hold the harmonized version of this standard, available through the CEN resellers:

  • EN ISO 13849-1:2008 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design
  • EN ISO 13849-2:2012 Safety of machinery — Safety-related parts of control systems — Part 2: Validation

Next Installment

Watch for the next part of this series, “Interlock Architectures – Pt. 3: Category 2”, where we expand on the first two categories by adding some diagnostic coverage to improve reliability.

Have questions? Email me!

EU changes direction on EN ISO 13849-1

Update on EN ISO 13849-1 mandatory implementation date.

In a post on 15-Sep I reported that the European Union had decided to delay the mandatory implementation date of EN ISO 13849-1 for an additional three years. This report was based on information obtained from an internal source at the European Commission and has since been reversed by that same source.

Mr. Glyn Garside provided the following update to this important story:

It has been widely reported, but never confirmed, that the EU commission had accepted the CEN proposal to extend the date of cessation of presumption of conformity of EN 954-1:1996 until the end of 2012. THESE REPORTS HAVE NOW BEEN AUTHORITATIVELY DENIED.

(By the way, this discussion of dates of cessation of presumption of conformity only affects the European standards, EN 954-1 and EN ISO 13849-1. International standard ISO 13849-1 is obviously controlled by ISO and not by CEN or the EU. The current edition of ISO 13849-1 is 2006, essentially identical to EN ISO 13849-1:2008.)

At this point the possibility of an extension of the transition from EN 954-1 to EN ISO 13849-1 remains controversial, confused and IMHO uncertain. (There’s been approx 3 years transition period already.) If I were still a manufacturer, I would not want to wait until Dec 29th to find out if I could still ship my product using EN 954-1!

The reports of an extension were based on an email sent earlier this month (3rd Sept) by a CEN employee. However, the EU Commission never confirmed the report, and on September 24th the same CEN employee, Marie Poidevin, has written,
-----
> “We have been informed today by the European Commission […] that contrary to what was expressed in
> my previous message sent on the 3rd of September, EN 954-1 will not give presumption of conformity
> to the new MD 2006/42/EC until further notice.
> “Indeed, due to discussions following the announcement made below, the EC wishes to gather experts’
> views and, therefore, this issue will be discussed at the next Machinery Working group to be held on
> the 7-8th December.”
-----

A related email from Ian Fraser (“EC Policy Director for the Machinery Directive”), dated 2009-09-18 states,
-----
“Following the discussion at the meeting of the Machinery Working Group held on 7 and 8 July 2009, we have received a number of questions concerning the transition from standard EN 954-1 to standard EN ISO 13849-1 on safety-related parts of control systems.

At the meeting of the Machinery Working Group, there was general agreement on two aspects:

1. Manufacturers who apply standard EN ISO 13849-1 benefit from a presumption of conformity, even if the harmonised C-type standard relating to the machinery concerned still refers to the categories of EN 954-1;
2. Harmonised C-type standards that refer to the categories of EN 954-1 continue to confer a presumption of conformity until they are amended to refer to standard EN ISO 13849-1.

These conclusions will be recorded in the minutes of the meeting.

During the discussion, several participants indicated that more time was needed for the industry, and in particular for SMEs, to adapt to the new standard. As Chairman of the meeting, I asked whether it might not be preferable to postpone the date of cessation of presumption of conformity for EN 954-1.

In response to this suggestion, on 30 July 2009, Mr. Steiger wrote to the Commission, on behalf of the CEN Machinery Sector, to request that the date of cessation of presumption of conformity for EN 954-1 be exceptionally postponed until 31 December 2012 […].

The Commission will reply to this request from CEN. However, given the complexity of the issues involved, the Commission intends to consult experts and to seek the opinion of the Machinery Working Group to be held on 7 and 8 December 2009, before reaching a final decision.

Kind regards,
Ian FRASER
-----

Thanks again to Glyn Garside and the EMC-PSTC List Server!

Why Conventional EMC Testing is Insufficient for Functional Safety

At the recent PSES Symposium, I attended a couple of interesting workshops on EMC and Functional Safety. One was called “Workshop on EMC & Functional Safety” presented by Keith Armstrong, Bill Radasky and Jacques Delaballe. The other was a paper presentation called “Why Conventional EMC Testing is Insufficient for Functional Safety” presented by Keith Armstrong.

For readers who are new to the idea of Functional Safety, this field deals with the ability of a product or system to function in its intended use environment, or in any foreseeable use environments, while reliably providing the protection required by the users. Here’s the formal definition taken from IEC 61508-4:1998:


3.1.9
functional safety
part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities

3.2.3
equipment under control (EUC)
equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities

NOTE – The EUC control system is separate and distinct from the EUC.

E/E/PE = electrical / electronic / programmable electronic

Reliability requirements are found in two key standards, ISO 13849 and IEC 61508. These two standards overlap to some degree, and do not define reliability categories in the same way, which frequently leads to confusion. In addition there is a Machinery Sector Specific standard based on IEC 61508, called IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. These three standards make reference to EM effects on systems but do not provide guidance on how to assess these phenomena. This is where IEC TS 61000-1-2 comes into play.

All three experts are members of IEC TC 77 and are directly engaged in writing the second edition of IEC TS 61000-1-2 (more info on this at the bottom of this post). This IEC Technical Specification deals with electromagnetic (EM) effects on equipment that result in functional safety problems, like failures in guarding circuits, or failures in some of the new programmable safety systems. This is becoming an increasingly important issue as programmable controls migrate into the traditionally hardwired safety world. In fact, Keith pointed out that EM effects are present even in many of our “tried and true” circuits, but the failures have been incorrectly attributed to other phenomena because most electrical engineers have not been used to thinking about these phenomena, especially in 24Vdc relay-based control circuits.

In the workshop, the presenters discussed a typical product life cycle, then went on to explore the typical environments that a product may be exposed to, including the EM and physical environments. They went on to discuss the need for an EMC-related Risk Assessment and then finished up by looking at Electromagnetic Safety Planning. The whole workshop took the entire second day of the Symposium.

A key point in the workshop is that conventional EMC testing cannot practically prove that systems are safe. This is due to the structure of the EMC tests that are normally undertaken, including the use of fixed modulation frequencies during immunity testing, failure to assess intermodulation effects and many other issues. In addition, EMC testing does not and cannot test for aging effects on performance, wear & tear and other use-related conditions. The presenters discussed a number of ways that these problems could be addressed and ways that testing could be extended in selective ways to attack predicted vulnerabilities. EMC testing does not consider the reliability requirements of the tested product (i.e. IEC 61508-1 SIL-3 or SIL-4).

On the following morning, Keith Armstrong presented his paper. In this paper, Mr. Armstrong went into considerable detail on the shortcomings of conventional EMC testing when it comes to Functional Safety. He suggested some approaches that could be used by manufacturers to address these issues in safety critical applications.

The workshop presentations and Mr. Armstrong’s paper can be purchased through IEEE Xplore for those that did not attend the Symposium.

The IET has published a new book, available for free from their web site, entitled Electromagnetic Compatibility for Functional Safety. This guide will be reviewed in a future post, so keep reading!

Keith Armstrong, Bill Radasky and Jacques Delaballe are members of IEC Technical Committee 77, writing IEC TS 61000-1-2 Ed 2.0, ELECTROMAGNETIC COMPATIBILITY (EMC) – PART 1-2: GENERAL METHODOLOGY FOR THE ACHIEVEMENT OF THE FUNCTIONAL SAFETY OF ELECTRICAL AND ELECTRONIC EQUIPMENT WITH REGARD TO ELECTROMAGNETIC PHENOMENA. Edition 2 of this standard should be published by Mar-2009 according to the IEC.

Keith Armstrong is Principal Consultant at Cherry Clough Consultants in Brocton, UK.

Bill Radasky works with Metatech Corporation from his office in Goleta, California.

Jacques Delaballe works for Schneider Electric Industries SAS in Grenoble, France.