Fault Modes for FMEA

The fault-detection capability of a device must be validated, and to do so a list of fault modes must be assigned to electronic components such as resistors, transistors, and integrated circuits. A very useful catalog of single faults to be employed in the failure mode effects analysis (FMEA) may be found in IEC 61496-1, Annex B; no comparable list exists in any other standard relating to the safety of machinery. Tests to evaluate the effects of single faults are to be carried out on all relevant components of the ESPE. For Type 4, fault-accumulation testing must be performed wherever a single fault is not detected: further faults are added to the undetected one and the combined effect is evaluated. Testing of more than three accumulated faults is unnecessary, provided that the probability of a greater number of faults is low. For many machine control systems, the behavior at fault will need to be analyzed in the same way. The annex of fault modes may also be used in validating other safety-related parts of machinery; an FMEA to validate a category according to EN 954-1 may use the IEC 61496-1 fault modes for electronic equipment.
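To make the single-fault and fault-accumulation procedure concrete, here is an added example (mine, not from the article or the standard) that models a two-channel AOPD output stage in Python and drives it through a fault-injection harness. The component model, the fault names in FAULT_CATALOGUE and the stimulus sequence are constructed for this example and are not the IEC 61496-1 Annex B fault list. The harness injects each single fault, records whether the design detects it (lockout) and whether it is dangerous (machine enabled while the beam is interrupted), and, only for fault sets that stay undetected, accumulates further faults up to three deep, as the standard requires for Type 4.

```python
"""Fault-injection harness for a two-channel AOPD output-stage model.
Constructed example: the component model, fault names and stimulus are
assumptions of this example, not the IEC 61496-1 Annex B fault list."""

CLEAR, BLOCKED = False, True        # beam state: True = beam interrupted

# Constructed fault catalogue (hypothetical names). Each entry is a single
# component fault; "rb" = OSSD readback, "crosslink" = inter-channel compare.
FAULT_CATALOGUE = [
    "rxA_stuck_clear", "rxA_stuck_blocked",
    "rxB_stuck_clear", "rxB_stuck_blocked",
    "ossdA_stuck_on", "ossdA_stuck_off",
    "ossdB_stuck_on", "ossdB_stuck_off",
    "rbA_follows_cmd", "rbB_follows_cmd",   # readback wired before the OSSD
    "crosslink_open",                        # channels can no longer compare
]

# Constructed stimulus: the test piece is inserted into the beam twice.
STIMULUS = [CLEAR, BLOCKED, CLEAR, BLOCKED]


def channel(ch, beam, faults, locked):
    """One channel: receiver -> logic -> OSSD -> readback, with faults applied.
    Returns (commanded state, actual OSSD output, readback value)."""
    read = beam
    if f"rx{ch}_stuck_clear" in faults:
        read = CLEAR
    if f"rx{ch}_stuck_blocked" in faults:
        read = BLOCKED
    cmd = (read == CLEAR) and not locked   # OSSD ON only when clear and not locked out
    out = cmd
    if f"ossd{ch}_stuck_on" in faults:
        out = True
    if f"ossd{ch}_stuck_off" in faults:
        out = False
    readback = cmd if f"rb{ch}_follows_cmd" in faults else out
    return cmd, out, readback


def run(faults):
    """Drive the model through STIMULUS with the given faults injected.
    Returns (detected, dangerous): detected = lockout was raised at some
    point; dangerous = machine enable was ON while the beam was blocked."""
    faults = set(faults)
    locked = detected = dangerous = False
    for beam in STIMULUS:
        cmd_a, out_a, rb_a = channel("A", beam, faults, locked)
        cmd_b, out_b, rb_b = channel("B", beam, faults, locked)
        enable = out_a and out_b               # OSSDs in series enable the machine
        if beam == BLOCKED and enable:
            dangerous = True
        # Self-monitoring: each OSSD readback must match its command.
        if rb_a != cmd_a or rb_b != cmd_b:
            locked = detected = True
        # Cross-monitoring: the two channels must agree on the command.
        if "crosslink_open" not in faults and cmd_a != cmd_b:
            locked = detected = True
    return detected, dangerous


def fault_accumulation(max_faults=3):
    """Single-fault test over the whole catalogue; where a fault set is
    neither detected nor dangerous, keep adding faults to it, up to
    max_faults deep. Returns {sorted fault tuple: (detected, dangerous)}."""
    results = {}
    frontier = [()]
    for _ in range(max_faults):
        next_frontier = []
        for base in frontier:
            for fault in FAULT_CATALOGUE:
                if fault in base:
                    continue
                combo = tuple(sorted(base + (fault,)))
                if combo in results:
                    continue
                results[combo] = run(combo)
                if results[combo] == (False, False):
                    next_frontier.append(combo)
        frontier = next_frontier
    return results


def undetected_dangerous(results):
    """The FMEA findings that matter most: fault sets that defeat the safety
    function without any lockout being raised."""
    return [c for c, (det, dang) in results.items() if dang and not det]


if __name__ == "__main__":
    results = fault_accumulation()
    for combo, (det, dang) in sorted(results.items(), key=lambda kv: (len(kv[0]), kv[0])):
        print(f"{' + '.join(combo):55s} detected={det!s:5s} dangerous={dang}")
    print("undetected dangerous:", undetected_dangerous(results))
```

Two things the run shows that the paragraph alone does not: a fault that is harmless and invisible on its own (the lost cross-channel comparison, or a readback that mirrors the command instead of the real output) is exactly what accumulation is for, because it silently removes the detection that later faults rely on; and some combinations come out dangerous even though they are detected (an OSSD stuck on cannot be switched off by a lockout), so detection alone does not close the analysis. Note also that pairs of faults that are each detected alone are never combined by the harness, since the first would already have forced a lockout; faults that occur simultaneously from a common cause are outside this procedure and need separate treatment.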
Complex Electronics and Software

A quality system compliant with the requirements of ISO 9001 is mandated for those designing with software or complex integrated circuits. The IEC standard does not require the manufacturer to hold a certificate, but a quality system must be in place. Notably, this requirement covers not only the functionality and features of the product but also its development: most of the standard's requirements concerning software and complex electronics address documentation and the development process, with strong emphasis on measures for fault avoidance during development. Over time the market has come to accept the use of electronics such as microcontrollers, software, and application-specific integrated circuits (ASICs) in ESPE; few now question whether a design of adequate safety can be created using complex electronics. IEC 61496 stipulates that two independent channels must be employed when programmable or complex integrated circuits are used in Type 4 ESPE, reflecting how difficult it is to prove whether a single-channel design can ever be fault-tolerant.
Environmental Stress

IEC 61496 specifies which kinds of environmental disturbances must be tested. Certain requirements are common to all types of ESPE, but in some cases a higher severity level is needed for Type 4 products (see Table II). Several aspects of electromagnetic compatibility (EMC) are covered, but these concern immunity to disturbances; emission requirements are not included.
Optional Functions

ESPE may perform other functions in addition to the detection of objects and persons. Annex A of IEC 61496-1 defines the following options:

The definitions and corresponding functional requirements provided in this annex can be a useful tool for manufacturers in need of a well-established terminology.
Optical Requirements

The accuracy of the sensing function of an ESPE depends to a large extent on the optical design of the particular device, which is required to detect objects of a specified size anywhere in the detection zone. This parameter is tested by placing a test piece, often a rod of a specific diameter, in the detection zone. Objects with reflective surfaces positioned close to the detection zone may reflect the light beam around an obstruction, so that the receiver still sees light even though a target is present (see Figure 1). This possibility is covered by the requirement for a maximum effective aperture angle (EAA) of the ESPE. Note that misalignment may also be a source of hazards.

The AOPD will also need to be tested for resistance to interfering light: neither fluorescent light, strong daylight, welding flashes, nor even other emitting AOPDs may be allowed to cause a dangerous failure. If interfering light can be interpreted by the receiving part of the AOPD as having been sent by its corresponding emitting part, there is a risk that the equipment will go to the "on" state even though a target object is present in the detection zone.
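As an added illustration of the effective-aperture-angle requirement (my example, not from the article; the geometric model, the installation values and the sample surface positions are constructed assumptions, not the IEC 61496-2 test method or its limit values), the following Python treats the emitter and receiver as cones whose half-angle equals the EAA and asks whether a specular surface beside the beam could carry light around an interrupting object.

```python
import math


def reflection_can_bridge(distance_m, eaa_deg, x_m, y_m):
    """Simplified model (an assumption of this example): emitter at (0, 0)
    aimed along +x, receiver at (distance_m, 0) aimed back along -x, each
    emitting/accepting within a cone of half-angle eaa_deg about its axis.
    A specular surface at (x_m, y_m) can carry light around an object in
    the beam only if it lies inside BOTH cones."""
    if not 0.0 < x_m < distance_m:
        return False
    emitter_angle = math.degrees(math.atan2(abs(y_m), x_m))
    receiver_angle = math.degrees(math.atan2(abs(y_m), distance_m - x_m))
    return emitter_angle <= eaa_deg and receiver_angle <= eaa_deg


def min_lateral_clearance(distance_m, eaa_deg):
    """Smallest |y| that no point along the beam can bridge. The midpoint is
    the worst case: moving the surface toward either end widens its angle
    as seen from that end, so it leaves one of the two cones sooner."""
    return (distance_m / 2.0) * math.tan(math.radians(eaa_deg))


def audit_surfaces(distance_m, eaa_deg, surfaces):
    """Return the (x, y) surfaces that would defeat the protective field."""
    return [p for p in surfaces if reflection_can_bridge(distance_m, eaa_deg, *p)]


if __name__ == "__main__":
    # Constructed installation: 6 m emitter-receiver separation and an EAA of
    # 2.5 degrees (illustrative values chosen for this example, not taken
    # from the standard).
    D, EAA = 6.0, 2.5
    shiny = [(3.0, 0.10), (3.0, 0.20), (1.0, 0.10), (5.0, -0.12)]  # constructed
    print(f"minimum clearance from beam axis: {min_lateral_clearance(D, EAA):.3f} m")
    print("offending surfaces:", audit_surfaces(D, EAA, shiny))
```

The model deliberately ignores surface orientation, the real radiation pattern of the emitter and the standard's own test arrangement; what it makes visible is why the EAA is specified as a maximum and why the required clearance from reflective surfaces grows with emitter-receiver distance. It is a sanity check for an installation review, not a substitute for the test in IEC 61496-2.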
Future Development

Although Part 2 (IEC 61496-2) is already an international standard, it has not yet been approved as a European standard (EN 61496-2), and certain points will have to be clarified before that can happen. Even as this work is under way, however, the working group within CENELEC/IEC is proceeding with the next parts of the standard. Future documents will cover AOPDs that respond to diffuse reflection, passive infrared sensors, capacitive sensors, and ultrasonic sensors. A draft of Part 3 (IEC 61496-3) was circulated for comment in 1998 and will be developed further.
Bibliography

Council Directive 89/392/EEC of 14 June 1989 on the Approximation of the Laws of the Member States Relating to Machinery.

IEC 61496-1 (1997). Safety of Machinery: Electrosensitive Protective Equipment. Part 1: General Requirements and Tests.

IEC 61496-2 (1997). Safety of Machinery: Electrosensitive Protective Equipment. Part 2: Particular Requirements for Equipment Using Active Optoelectronic Protective Devices (AOPDs).

EN 954-1. Safety of Machinery: Safety-Related Parts of Control Systems. Part 1: General Principles for Design.
Jan Jacobson is head of the Software
& Safety section of SP Swedish National Testing and Research
Institute (Borås, Sweden). He has an MSc in electrical engineering
from Chalmers University of Technology in Sweden. His research
activities are focused on safety of machinery and programmable
electronic systems. He can be contacted by e-mail at
jan.jacobson@sp.se. More information about the SP Institute can be
found on the Internet at http://www.sp.se/.