Yes, John, you are quite right in both your comments as far as you go: 1) You are not the only person who can dramatise an issue so as to encourage people to debate it;
2) If you sold a single electronic safety-related circuit with a failure probability of 10^-9 to 100,000 customers, the cumulative failure probability is indeed 10^-4. As you correctly said, Olbers' Paradox does not apply in this area. But nevertheless this does not mean we need to make electronic circuits with failure rates equal to or better than 10^-9. As you have said (and I agree) this would be a very difficult task indeed and likely to be very expensive, especially for any product using software. So how do we square this particular circle?

Those members who are familiar with safety engineering techniques will be familiar with the idea of building up very reliable systems using a number of independent systems or devices, each with lower reliability. These have various names, such as 'redundant channels', 'duplicate channels', 'safety back-ups', 'fail-safe circuits' and many others.

Some examples... I understand that car braking systems have (by law in Europe and North America at least) an independent hydraulic back-up system in case the primary system fails, because it is practically impossible to make the primary system reliable enough at a cost anyone would want to pay. The electronic flight-control systems in modern aircraft have two or three independent hardware 'channels'. Where software is involved they sometimes use three sets of independently-coded software, each using an architecturally different operating system and each running on an architecturally different hardware processor (voting 2 out of 3 on every decision/output). I understand that the Space Shuttle launch control system uses 5 independent computers voting on each decision/output. The pressure relief valve on most pressure systems does not have a very high reliability, but when combined with the statistical probability of the system pressure going out of control the whole system is considered to be reliable enough.
(Of course, pressure system designers must remember to site the pressure relief valve so that if it operates it doesn't cause a hazard of its own.) Three cheap and cheerful independent circuits, each achieving merely 10^-3 reliability, can easily be combined together to create a system with 10^-9 reliability, achieving very high levels of safety at low cost without any heartache in design or heart attacks from management. This is the way that high reliability is normally achieved at reasonable cost in practice (and has been achieved for many, many years). IEC 61508 describes (or refers to) the necessary techniques.

(PS: My statistical maths is rusty, so don't rely on the above simple calculation for any designs. Refer to IEC 61508 for more detail.)

Regards,
Keith Armstrong

In a message dated 05/01/02 21:01:18 GMT Standard Time, [email protected] writes:

> Subj: Re: EMC-related safety issues
> Date: 05/01/02 21:01:18 GMT Standard Time
> From: [email protected] (John Woodgate)
> Sender: [email protected]
> Reply-to: [email protected] (John Woodgate)
> To: [email protected]
>
> I read in !emc-pstc that [email protected] wrote (in
> <[email protected]>) about 'EMC-related safety issues', on
> Sat, 5 Jan 2002:
>
> > The "one in a billion" John refers to sounds very dramatic and
> > difficult.
>
> More dramatic than your 'infant daughter' and '40 mph past a school'?
>
> I explained in VERY GREAT DETAIL the effect of cumulative probability in
> requiring very low probability events to be taken into account. In
> principle, as the probability goes down, the number of risk scenarios
> increases *combinatorially*. There is no Olbers' Paradox in this area,
> the 'night sky is infinitely brighter than the Sun'!
>
> > So it may be helpful to refer to IEC 61508 which is a recently-published
> > 'basic safety publication' covering "The functional safety of electrical /
> > electronic / programmable safety-related systems"
> >
> > IEC 61508 uses the concept of the Safety Integrity Level (or SIL) to help
> > design safety-related systems which have quantified failure probabilities.
> >
> > The SILs for average probability of failure to perform design function on
> > demand are:
> > SIL level 1: up to 10^-2
> > SIL level 2: 10^-2 to 10^-3
> > SIL level 3: 10^-3 to 10^-4
> > SIL level 4: 10^-4 to 10^-5 or even lower levels
> >
> > The SILs for average probability of dangerous failure per hour of operation
> > are:
> > SIL level 1: up to 10^-6
> > SIL level 2: 10^-6 to 10^-7
> > SIL level 3: 10^-7 to 10^-8
> > SIL level 4: 10^-8 to 10^-9 or even lower levels
> >
> > The standard describes how to select the SIL level for a particular
> > safety-related application, and we find that SIL4 is required where a
> > failure of the safety system could result in the deaths or serious injuries
> > of large numbers of people.
>
> Yes, my 10^-9 figure was in the context of your 'relatives sobbing all
> over the courtroom'.
>
> > Most safety-related applications that most practising engineers will be
> > involved in will be SIL1 or 2, maybe even SIL3, and hence require very much
> > lower reliability than one in a billion.
>
> You are neglecting cumulative probability, in spite of quoting my whole
> text on it! SIL2, if it is applied to individual risk scenarios, is a
> recipe for disaster if you are putting many thousands of units, such as
> PCs or TVs, into the field. If it is applied, as it should be, to the
> cumulative probability of ALL risk scenarios, then *each one* needs to
> be constrained to that 10^-9 probability, preferably well below it. 100
> scenarios at 10^-9 each gives a cumulative of 10^-7, after all.
>
> --
> Regards, John Woodgate, OOO - Own Opinions Only.
> http://www.jmwa.demon.co.uk
> After swimming across the Hellespont, I felt like a Hero.
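The arithmetic both posts lean on, worked through in Python: combining independent low-reliability channels into one high-reliability function, and cumulating one small per-unit (or per-scenario) probability over many units or scenarios. This is an added illustration and not code from either post; the function names are my own, and the sample figures (10^-3 per channel, a 10^-9 target, 100,000 units, 100 scenarios) are the ones quoted in the thread. It also goes one step beyond the posts by computing the general k-out-of-n case, so the 1-out-of-3 back-up arrangement and the 2-out-of-3 voter described for flight-control software can be compared on the same footing.

```python
"""Reliability arithmetic for the redundancy and cumulative-probability points
in the thread above.  Added illustration; not from the original posts."""
from math import comb, expm1, log1p


def k_out_of_n_failure(p_fail: float, n: int, k: int) -> float:
    """Probability that a k-out-of-n arrangement of n independent channels,
    each failing with probability p_fail, fails as a whole.

    The function is delivered while at least k channels work, so the system
    fails when n - k + 1 or more channels fail.  Exact binomial sum.
    k = 1 is "any one channel surviving is enough" (a pure back-up);
    k = 2, n = 3 is a 2-out-of-3 voter.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0.0 <= p_fail <= 1.0:
        raise ValueError("p_fail must be a probability")
    min_failed = n - k + 1
    return sum(
        comb(n, j) * p_fail**j * (1.0 - p_fail) ** (n - j)
        for j in range(min_failed, n + 1)
    )


def cumulative_failure(p_each: float, count: int) -> float:
    """Probability that at least one of `count` independent events, each of
    probability p_each, occurs: a fleet of units in the field, or a set of
    risk scenarios on one unit.

    1 - (1 - p)^count, evaluated through log1p/expm1 so that a p of 1e-9 is
    not swallowed by floating-point rounding in (1 - p).
    """
    if count < 0 or not 0.0 <= p_each <= 1.0:
        raise ValueError("count must be >= 0 and p_each a probability")
    return -expm1(count * log1p(-p_each))


def channels_for_target(p_channel: float, target: float) -> int:
    """Smallest n such that n independent 1-out-of-n channels (any one
    surviving keeps the safety function) reach a system failure probability
    no worse than `target`.  A tiny relative tolerance absorbs rounding in
    p**n when the target is hit exactly, as with 1e-3 and 1e-9."""
    if not 0.0 < p_channel < 1.0:
        raise ValueError("channel failure probability must be in (0, 1)")
    if not 0.0 < target < 1.0:
        raise ValueError("target must be in (0, 1)")
    n = 1
    while p_channel**n > target * (1.0 + 1e-12):
        n += 1
    return n


if __name__ == "__main__":
    p = 1e-3  # per-channel failure probability quoted in the post
    print("1oo3 back-up, p=1e-3 each :", k_out_of_n_failure(p, 3, 1))
    print("2oo3 voter,   p=1e-3 each :", k_out_of_n_failure(p, 3, 2))
    print("channels for 1e-9 (1ooN)  :", channels_for_target(p, 1e-9))
    print("1e-9 unit x 100,000 units :", cumulative_failure(1e-9, 100_000))
    print("1e-9 scenario x 100       :", cumulative_failure(1e-9, 100))
```

The two redundancy numbers are the point: three channels at 10^-3 reach 10^-9 only in the 1-out-of-3 arrangement (the function survives while any one channel survives); a 2-out-of-3 voter fails whenever any two channels fail, which lands near 3 x 10^-6 for the same channels, so the voting rule matters as much as the channel count, which is the caution behind the PS in the post. The cumulative figures reproduce the 10^-4 and 10^-7 quoted in the exchange, slightly under them because the events are not mutually exclusive.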

