Dear John

Sorry to have taken so long to reply. We were talking about safety-related systems.

The general approach is to add additional back-ups to the safety-related system to provide it with the necessary reliability as far as safety is concerned, as I had hoped the examples in the full version of my original reply would help to make clear. Such reliability improvement exercises might have nothing to do with improving the EMC of a product or with making its functionality more reliable. Safety engineers are not usually concerned about whether a product is reliable, merely that if it fails to function correctly (e.g. due to interference) then it should not become unsafe.

Another example that does not involve a dual (or triple) electronic system with voting is a gas boiler control. These days, large commercial and industrial gas boilers are controlled by microprocessors taking inputs from a lot of sensors. We don't want to add to the cost by duplicating the electronic control systems and transducers using diverse technologies - as you so rightly pointed out should be done to avoid what are known as 'common-cause failures'. So what we can do is use some good old-fashioned engineering to ensure that if the controller goes haywire, the boiler shuts down safely.

For instance, we can use a simple and well-understood type of gas valve that cuts the gas supply off if the flame goes out. No electronics, nothing to interfere with, but it stops the microprocessor from erroneously pumping out gas when the flame isn't lit because (for instance) someone is standing too nearby, talking on their cellphone. If the microprocessor turns the flame up too high for too long and the boiler could overheat, our old friends the pressure relief valve and thermal trip come to the rescue. By using these additional components (and considering a few more failure scenarios) we can use an unreliable and cheap microprocessor with terrible EMC immunity performance and yet have great safety performance.
The reliability of the system might be poor, and customers might be always complaining about their boilers cutting out, but as I said, safety engineers (and safety test labs) don't care if you have a poor product that nobody will be pleased with, as long as it is safe. The mistake that many people make is to confuse functional reliability (sometimes called availability or uptime, the reciprocal of downtime) with functional safety. A very unreliable and low-cost system can be a perfectly safe one, with appropriate design techniques.

Regards, Keith Armstrong

PS: It will be another week before I can reply again to postings in this thread.

In a message dated 06/01/02 19:34:49 GMT Standard Time, [email protected] writes:

> Subj: Re: EMC-related safety issues
> Date: 06/01/02 19:34:49 GMT Standard Time
> From: [email protected] (John Woodgate)
> Sender: [email protected]
> Reply-to: [email protected] (John Woodgate)
> To: [email protected]
>
> I read in !emc-pstc that [email protected] wrote (in <162.6b92ca5.296 [email protected]>)
> about 'EMC-related safety issues', on Sun, 6 Jan 2002:
>
> > Yes, John, you are quite right in both your comments as far as you go:
> >
> > 1) You are not the only person who can dramatise an issue so as to
> > encourage people to debate it;
>
> I don't know what you are referring to. I have 146 articles already read
> in the thread: I don't see that the debate needs any encouragement.
>
> > 2) If you sold a single electronic safety-related circuit with a failure
> > probability of 10^-9 to 100,000 customers the cumulative failure
> > probability is indeed 10^-4. As you correctly said, Olbers' Paradox does
> > not apply in this area.
> >
> > But nevertheless this does not mean we need to make electronic circuits
> > with failure rates equal to or better than 10^-9. As you have said (and I
> > agree) this would be a very difficult task indeed and likely to be very
> > expensive, especially for any product using software.
> >
> > So how do we square this particular circle?
> >
> > Those members who are familiar with safety engineering techniques will be
> > familiar with the idea of building very reliable systems up using a number
> > of independent systems or devices each with lower reliability. These have
> > various names, such as 'redundant channels' or 'duplicate channels' or
> > 'safety back-ups' or 'fail-safe circuits' and many others.
>
> I don't see how this applies to the reduction of emissions or,
> practicably, to the improvement of immunity. Do you envisage three
> separate systems in every product, with majority voting? I suspect that
> in terms of improving immunity, it would be ineffective, because a
> disturbance that compromised one system would be very likely to
> compromise at least one other. Consider your incubator, for example.
> --
> Regards, John Woodgate, OOO - Own Opinions Only.
> http://www.jmwa.demon.co.uk
> After swimming across the Hellespont, I felt like a Hero.
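The design point made in this exchange (an unreliable, cheap controller made safe by independent non-electronic interlocks, with the fleet failure arithmetic and the common-cause objection from the quoted message) as an added worked example; this is not code from either poster. The plant physics, the thresholds, the assumption that an upset controller latches its gas demand fully on, and the scripted fault sequence are all constructed for illustration. The fleet figure is 1 - (1 - p)^n; the redundancy figure uses the beta-factor common-cause model, in which a fraction beta of channel failures hits every channel at once.

```python
"""Functional safety vs reliability: an unreliable microprocessor boiler
controller wrapped by independent non-electronic interlocks.

Constructed teaching example; all limits, physics and fault scripts are
illustrative assumptions, not data from any real boiler."""
import math
from dataclasses import dataclass

# Assumed limits (illustrative).
SETPOINT_C = 70.0       # controller target temperature
TRIP_TEMP_C = 95.0      # thermal trip cuts gas at or above this
RELIEF_BAR = 3.0        # pressure relief valve lifts at this pressure
DAMAGE_TEMP_C = 105.0   # hazard: boiler overheats
RUPTURE_BAR = 4.0       # hazard: pressure vessel overstressed


def fleet_failure_probability(p_unit: float, n_units: int) -> float:
    """P(at least one of n independent units fails) = 1 - (1 - p)^n,
    via log1p/expm1 so a tiny p does not lose precision."""
    return -math.expm1(n_units * math.log1p(-p_unit))


def redundant_failure_probability(p_channel: float, channels: int, beta: float) -> float:
    """Beta-factor common-cause model: fraction beta of channel failures
    fail every channel together; the remainder fail independently."""
    independent = ((1.0 - beta) * p_channel) ** channels
    return beta * p_channel + independent


@dataclass
class Plant:
    temp_c: float = 60.0
    pressure_bar: float = 2.2     # consistent with 60 C under the model below
    flame_lit: bool = True


def controller_demand(plant: Plant, upset: bool) -> float:
    """Microprocessor gas demand in [0, 1]. Under interference the firmware
    is assumed to hang with the valve drive latched fully on."""
    if upset:
        return 1.0
    return max(0.0, min(1.0, (SETPOINT_C - plant.temp_c) / 20.0 + 0.3))


def interlocks(plant: Plant, demand: float) -> float:
    """Independent mechanical layer between controller and burner."""
    if not plant.flame_lit:          # flame-failure valve: no flame, no gas
        return 0.0
    if plant.temp_c >= TRIP_TEMP_C:  # thermal trip
        return 0.0
    return demand


def step(plant: Plant, gas: float, safety_layer: bool) -> set:
    """Advance crude plant physics one step; return hazards observed."""
    hazards = set()
    if gas > 0.0 and not plant.flame_lit:
        hazards.add("unburnt gas")
    heat = 5.0 * gas if plant.flame_lit else 0.0
    plant.temp_c = max(20.0, plant.temp_c + heat - 1.0)   # 1 C/step loss
    plant.pressure_bar = 1.0 + 0.03 * (plant.temp_c - 20.0)
    if safety_layer and plant.pressure_bar > RELIEF_BAR:
        plant.pressure_bar = RELIEF_BAR                    # relief valve vents
    if plant.temp_c > DAMAGE_TEMP_C:
        hazards.add("overheat")
    if plant.pressure_bar > RUPTURE_BAR:
        hazards.add("overpressure")
    return hazards


# Scripted fault sequence (constructed): (controller upset?, flame lit?)
# 20 steps normal, 10 steps upset with the flame blown out, 30 steps upset
# with the flame relit and the controller still demanding full gas.
SCENARIO = [(False, True)] * 20 + [(True, False)] * 10 + [(True, True)] * 30


def run(safety_layer: bool) -> dict:
    """Run the scenario with or without the interlocks; report hazards
    seen and the worst plant state reached."""
    plant = Plant()
    seen, max_t, max_p = set(), plant.temp_c, plant.pressure_bar
    for upset, flame in SCENARIO:
        plant.flame_lit = flame
        demand = controller_demand(plant, upset)
        gas = interlocks(plant, demand) if safety_layer else demand
        seen |= step(plant, gas, safety_layer)
        max_t, max_p = max(max_t, plant.temp_c), max(max_p, plant.pressure_bar)
    return {"hazards": seen, "max_temp_c": max_t, "max_pressure_bar": max_p}


if __name__ == "__main__":
    print("fleet of 100000 units @ 1e-9:", fleet_failure_probability(1e-9, 100_000))
    print("2 channels, p=1e-3, beta=0.1:", redundant_failure_probability(1e-3, 2, 0.1))
    for layer in (False, True):
        print("with interlocks:" if layer else "controller only:", run(layer))
```

Run as a script, the controller-only case reports all three hazards while the identical controller behind the interlocks reports none, with temperature held just under the trip point and pressure capped at the relief setting; the controller's reliability is unchanged, only its ability to do harm is removed. The beta-factor figure shows why duplicating identical electronics does little against interference: with beta at 0.1 the common-cause term dominates the product of the independent channel failures.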