The "one in a billion" John refers to sounds very dramatic and difficult. 

So it may be helpful to refer to IEC 61508 which is a recently-published 
'basic safety publication' covering "The functional safety of electrical / 
electronic / programmable safety-related systems"

IEC 61508 uses the concept of the Safety Integrity Level (or SIL) to help 
design safety-related systems which have quantified failure probabilities. 

The SILs for "average probability of failure to perform design function on 
demand" are:
SIL level 1: up to 10^-2
SIL level 2: 10^-2 to 10^-3
SIL level 3: 10^-3 to 10^-4
SIL level 4: 10^-4 to 10^-5 or even lower levels

The SILs for "average probability of dangerous failure per hour of 
operation" are:
SIL level 1: up to 10^-6
SIL level 2: 10^-6 to 10^-7
SIL level 3: 10^-7 to 10^-8
SIL level 4: 10^-8 to 10^-9 or even lower levels

The standard describes how to select the SIL level for a particular 
safety-related application, and we find that SIL4 is required where a failure 
of the safety system could result in the deaths or serious injuries of large 
numbers of people.

Most safety-related applications that most practising engineers will be 
involved in will be SIL1 or 2, maybe even SIL3, and hence require very much 
lower reliability than one in a billion.

I'm sure that when we are driving our cars, or living near a nuclear plant, we 
would like to think that the designers of the braking system or control rod 
control systems (respectively) had looked at 'ALL risk scenarios down to the 
billion-to-one against level of probability' - to use John's words.

Regards, Keith Armstrong

In a message dated 04/01/02 19:31:57 GMT Standard Time, j...@jmwa.demon.co.uk 
writes:

> Subj:Re: EMC-related safety issues
> Date:04/01/02 19:31:57 GMT Standard Time
> From:    j...@jmwa.demon.co.uk (John Woodgate)
> 
> I read in !emc-pstc that cherryclo...@aol.com wrote (in <167.698dddc.296
> 70...@aol.com>) about 'EMC-related safety issues', on Fri, 4 Jan 2002:
> >    As my paper at the IEEE's EMC Symposium in Montreal and my recent 
> article in 
> >    ITEM UPDATE 2001 show - at present EMC standards don't address safety 
> >    issues, and most safety standards don't address EMC-related functional 
> >    safety issues. 
> 
> As far as CENELEC is concerned, it was a conscious decision not to
> incorporate 'EMC and Safety' issues into EMC standards, but to treat it
> as a separate subject.
> 
> Some people may find a clarification helpful. We have EMC matters,
> concerned with compatibility between items of equipment, ensuring that
> they continue to work (Criterion A in the Generic Standards) or fail
> gracefully (Criteria B and C). These criteria do not address safety
> issues, as indicated in paragraph 1 above. However, the Generic
> Standards do have a limited 'blanket' requirement, that equipment must
> not become unsafe *during testing*.
> 
> We also have safety matters per se, which don't involve EMC.
> 
> We ALSO have the separate subject, called 'EMC and Safety' or reasonable
> variants thereof. This addresses the matter of equipment becoming unsafe
> *in service* due to excessive emission levels in the environment, or
> lack of sufficient immunity to acceptable emission levels. So far, this
> seems perfectly reasonable. 
> 
> BUT it stops seeming reasonable when the question 'What could go wrong?'
> is asked and statistical data is used to attempt to answer it. To take a
> very simple example (maybe over-simplified), we might say that the
> probability of an unsafe occurrence should be less than 10^-9. That
> immediately means that the designer of the equipment has to look at ALL
> risk scenarios down to the billion-to-one against level of probability.
> To say that that is difficult is surely a great understatement. 
> 
> But some experts in the field seem to ignore that great difficulty, and
> simply (or maybe not so simply) state that if the designer fails to take
> into account ANY scenario that subsequently results in an unsafe
> condition, the designer has failed in his professional responsibility,
> and may be held criminally responsible for negligence.
> 
> Well, let us be very circumspect designers and look at what immunity
> levels we might need to get down to that 10^-9 probability. For radiated
> emissions, the necessary test levels seem to be of the order of 100 V/m.
> Test levels for other disturbances seem to be equally distantly related
> to the levels normally experienced and to the test levels in pure EMC
> standards. 
> 
> We might conclude that assessment of EMC immunity per se is completely
> unnecessary, because testing for 'EMC and Safety' requires test levels
> of the order of 30 dB higher!
> 
> One could go, with the sort of reasoning advocated by some experts,
> further into the realms of fantasy. Suppose, for a particular piece of
> equipment, the designer, with great diligence, identifies a million
> threat scenarios, each of which has a probability of 10^-9. The
> cumulative probability of ANY ONE of them occurring is only 10^-3. Bit
> risky, that!
> 
> If the above reasoning seems flawed, consider a specific case, a lottery
> with 2000 tickets, numbered 0000 to 1999. One person can buy up to 5
> tickets, and all tickets are sold. Consider the probability of a
> 'remarkable occurrence'. This might be the drawing of the number '0000'
> or '1111' or '1234' or even '1010', depending on what you think is
> 'remarkable'. OK, we already have a cumulative probability down from 1
> in 2000 to 1 in 667 or 1 in 500. Now add in the probability that a
> participant in the lottery is chosen at random to draw the winning
> number, and draws (one of) his or her own numbers ...... 
> 
> You shouldn't be able to get very long odds on a 'remarkable
> occurrence'! 
> -- 
> Regards, John Woodgate, OOO - Own Opinions Only. 
> http://www.jmwa.demon.co.uk 
> After swimming across the Hellespont, I felt like a Hero. 
> 
> 
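The two probability arguments in the quoted message (a million scenarios of 10^-9 each, and the lottery with 2000 tickets) worked through in code, as an added example that is not part of either message. It assumes the scenarios are independent (the message does not say so; the union bound needs no such assumption), uses the low-demand PFD band edges of IEC 61508-1 (SIL 1 is 10^-2 up to 10^-1, SIL 4 is 10^-5 up to 10^-4) rather than the looser wording above, and, for the lottery, assumes 400 participants holding 5 consecutive tickets each, since the message only says "up to 5". The function and variable names are the example's own.

```python
"""Added example: accumulating many rare scenarios, and the 'remarkable
lottery draw'.  Not code from the original messages; see assumptions
in the comments below."""
import math
from fractions import Fraction


def p_any_independent(probs):
    """P(at least one event occurs) for INDEPENDENT events:
    1 - prod(1 - p_i), computed as -expm1(sum(log1p(-p_i))) so that
    p_i around 1e-9 is not lost to cancellation in 1 - (1 - p_i).
    Independence is an assumption, not something the message states."""
    return -math.expm1(math.fsum(math.log1p(-p) for p in probs))


def p_any_union_bound(probs):
    """Boole's inequality: P(any) <= sum(p_i).  Needs no independence
    assumption at all, which is why it is the safer figure to quote."""
    return min(1.0, math.fsum(probs))


# Assumption: IEC 61508-1 low-demand PFD bands (lower inclusive, upper
# exclusive).  The message's list gives the same bands in looser wording.
SIL_BANDS = [
    (1e-5, 1e-4, "SIL 4"),
    (1e-4, 1e-3, "SIL 3"),
    (1e-3, 1e-2, "SIL 2"),
    (1e-2, 1e-1, "SIL 1"),
]


def sil_for_pfd(pfd):
    """Map an average probability of failure on demand to its SIL band."""
    for lo, hi, label in SIL_BANDS:
        if lo <= pfd < hi:
            return label
    return "beyond SIL 4" if pfd < 1e-5 else "below SIL 1"


def million_scenarios_example(n=1_000_000, p=1e-9):
    """John's thought experiment: n scenarios, each of probability p."""
    probs = [p] * n
    exact = p_any_independent(probs)      # just under 1e-3
    return {
        "exact_if_independent": exact,
        "union_bound": p_any_union_bound(probs),   # exactly n*p = 1e-3
        "sil_if_independent": sil_for_pfd(exact),  # lands in the SIL 3 band
    }


def lottery_remarkable_probability(n_tickets=2000, tickets_per_holder=5,
                                   remarkable=(0, 1111, 1234, 1010)):
    """Exact probability that the draw is 'remarkable': the number drawn is
    in `remarkable`, OR the randomly chosen drawer holds the winning ticket.
    Enumerates every (drawn ticket, chosen drawer) pair, so the overlap of
    the two events is counted once rather than twice.
    Assumption: ticket t is held by participant t // tickets_per_holder."""
    if n_tickets % tickets_per_holder:
        raise ValueError("tickets must split evenly among holders")
    n_holders = n_tickets // tickets_per_holder
    remarkable = set(remarkable)
    hits = 0
    for t in range(n_tickets):
        holder = t // tickets_per_holder
        for d in range(n_holders):
            if t in remarkable or d == holder:
                hits += 1
    return Fraction(hits, n_tickets * n_holders)


if __name__ == "__main__":
    print(million_scenarios_example())
    print(lottery_remarkable_probability())   # 899/200000, about 1 in 222
```

With four "remarkable" numbers alone the odds are 4/2000 (1 in 500), as the message says; adding the drawer-draws-own-ticket case moves them to 899/200000, roughly 1 in 222, because the overlap of the two events (a remarkable number that the drawer also holds) is subtracted once. The union bound for the million scenarios is exactly n·p = 10^-3; the independent-events figure sits a hair below it, which is why `sil_for_pfd` reports the SIL 3 band for the latter while the bound itself lies on the SIL 2 edge.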
