Single fault analysis and negligible probability of IC internal fault

BHakes

Hello all! We are performing single fault analysis to determine if there is a source of ignition in an oxygen-rich environment for our ME device. Our approach has been to determine if any components have the possibility of reaching 300 °C given the fault of any other single component. This has been through a sort of whitepaper analysis of the schematics.

I have a feeling we may be interpreting the IEC 60601 standards incorrectly somewhere as this method of analysis seems to be near impossible to pass without taking into account the probability of a fault occurring.

There is a particular repeating situation we have run into with ICs which leads me to question if we can argue negligible probability of the fault occurring. As an example, if we have an IC being powered with say 3.3V and an internal short to ground occurs in the IC, should this be considered as a single fault? While it is possible for an IC to fail in such a way, I believe it is extremely unlikely - but is it to the point of being a negligible risk?

Would love to hear anyone else's thoughts on this, any help is much appreciated!

Peter Selvey

I think this approach highlights one of the problems with the "single fault" approach, which implies a component-by-component analysis. Safety is rarely achieved this way because of the difficulties and uncertainties involved in this approach (can a faulty IC cause a fire? who knows ...). It is not just the number of components, but also the many failure modes as well as operating conditions, essentially impossible to analyse with any level of confidence.

Instead, safety is normally achieved by concentrating on the quality of any protective features. In this case, presumably the oxygen path is not directly over the electronics and there is some barrier that prevents the enriched oxygen (EO) from reaching that area. So, the focus should be on the quality of that barrier rather than trying to work out the probability of a faulty IC reaching 300°C or more.

That said, it is possible to have higher uncertainty when there are two independent events involved in the sequence. For example:

- oxygen barrier fails
- low voltage electronics starts a fire

Both of these are considered rare but would be very difficult to put a precise number on probability. Even so, we can be confident they are rare individually (assuming the barrier is good quality), and hence the probability of both events happening simultaneously is negligible. This is especially true when we consider other "hazard to harm" factors in the sequence. For example, the EO might not be 100% after mixing (assuming the barrier is just a leak into normal air), and the PCB, wiring, etc. have flame retardants which will still help even with >25% oxygen concentration, which overall means that even if a fire starts it may not propagate, or ultimately has say ≤10% chance of actually causing harm: another 0.1 factor to help in the probability. Normally we ignore these kinds of factors (because they are, after all, just another guesstimate), but when you already have two rare events, this kind of factor is OK to consider as icing on the cake.

Note this is not the only approach, it's just an example of switching the focus to protective features (quality of the barrier) rather than the faults. Another approach might involve limiting the electronics that must be in the OE environment and then limiting the power to those electronics. Again, this is still a protective approach: limit the electronics and power to the minimum necessary and to values that are obviously safe (e.g. mW); rather than a free for all and later try to prove it is "single fault" safe by individual component analysis.

MarekM

A good approach for SFC is to analyze block by block. When you point out the blocks that can create a hazard, you then dive deeper and, as Peter Selvey mentioned, analyze the chain (or tree) of events that needs to happen for the risk to occur.
From the HW design point of view: that's why fuses are so important. You should calculate how much power each power line needs and place a fuse. Then try to estimate what the risk of fire is with this fuse in place.
If there is still a component that could ignite, then maybe replace it with another, or place another fuse with a lower rating? Or use some potting that is resistant to an oxygen-rich environment and will prevent any fire from getting out (might need extra process validation)? I suggest not using lacquer coating, as these, even if inflammable, can make the PCB more flammable than it was, due to having a worse rating than solder mask.
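The "limit the power to obviously safe values" approach and the per-rail fuse sizing described above both come down to one number per rail: the power a dead short downstream of the fuse can dissipate without the fuse ever opening. The script below, an added example that is not code from this thread or from any of the posters, computes that number for a constructed set of rails. The fuse hold factor (1.5 × rating, the long-duration carry current of IEC 60127 miniature fuses), the 80 % derating, the standard rating list and the 1 W per-rail budget are all assumptions; the budget in particular is a placeholder that a real design would have to justify by thermal analysis or test against the 300 °C limit, not a value from any standard.

```python
"""Per-rail worst-case fault power check for the "limit the power" approach.

Added example, not code from the thread. A fuse only guarantees that a
fault cannot draw more than its hold current indefinitely, so the power a
shorted part downstream can dissipate without the fuse opening is
V_rail * I_hold (capped by the supply's own current limit, if lower).
That figure, not the nominal load, is what a thermal argument must cover.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: current a fuse may carry for a long time without opening,
# as a multiple of its rating (IEC 60127 miniature fuses must carry 1.5 x In
# for an hour, so 1.5 is used here; confirm against the fuse datasheet).
HOLD_FACTOR = 1.5
# Assumption: run a fuse at no more than 80 % of its rating in normal use.
DERATING = 0.8
# Constructed list of standard fuse ratings in amperes (typical catalogue values).
STANDARD_RATINGS = [0.05, 0.063, 0.1, 0.125, 0.16, 0.2, 0.25, 0.315,
                    0.4, 0.5, 0.63, 0.8, 1.0, 1.25, 1.6, 2.0, 2.5, 3.15]


@dataclass
class Rail:
    name: str
    voltage: float                         # rail voltage in V
    normal_current: float                  # max normal operating current in A
    supply_limit: Optional[float] = None   # regulator current limit in A, if any


def pick_fuse(rail: Rail) -> float:
    """Smallest standard rating that carries the normal load with derating."""
    needed = rail.normal_current / DERATING
    for rating in STANDARD_RATINGS:
        if rating + 1e-9 >= needed:        # tolerance avoids float round-off skips
            return rating
    raise ValueError(f"{rail.name}: no standard fuse rating >= {needed:.3f} A")


def worst_case_power(rail: Rail, rating: float) -> float:
    """Power a dead short downstream of the fuse can dissipate indefinitely."""
    hold_current = rating * HOLD_FACTOR
    if rail.supply_limit is not None:
        # A current-limited regulator caps the fault current below the fuse hold point.
        hold_current = min(hold_current, rail.supply_limit)
    return rail.voltage * hold_current


def assess(rails: List[Rail], budget_w: float) -> List[Tuple[str, float, float, bool]]:
    """Return (name, fuse rating A, worst-case W, within budget) for each rail."""
    report = []
    for rail in rails:
        rating = pick_fuse(rail)
        power = worst_case_power(rail, rating)
        report.append((rail.name, rating, power, power <= budget_w))
    return report


# Constructed sample rails, not taken from any real device.
SAMPLE_RAILS = [
    Rail("3V3_SENSOR", 3.3, 0.040),
    Rail("3V3_LDO", 3.3, 0.100, supply_limit=0.300),
    Rail("5V_PUMP", 5.0, 0.800),
]
# Assumption: per-rail fault-power budget the thermal argument can cover.
# A real value must come from analysis or test against the 300 C limit.
BUDGET_W = 1.0

if __name__ == "__main__":
    for name, rating, power, ok in assess(SAMPLE_RAILS, BUDGET_W):
        verdict = "ok" if ok else "EXCEEDS budget: lower fuse/limit or move out of the O2 area"
        print(f"{name:12s} fuse {rating:.3f} A  worst case {power:.2f} W  {verdict}")
```

Running it shows the point of the approach: the 40 mA sensor rail behind a 50 mA fuse can never deliver more than about 0.25 W into a short, which is a tractable thermal question, whereas the 5 V pump rail behind a 1 A fuse can sit at 7.5 W indefinitely, so either that load is moved out of the oxygen-enriched volume or its protection is redesigned. The `supply_limit` field captures the case where a current-limited regulator, not the fuse, sets the ceiling.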