Roland Hill – Fellow of SAIEE, Chairman AFSEC TC13 and Chairman BSI PEL/13/-/13
+ Hardware Systems Architect, Safety & Dependability Expert @ Landis+Gyr, UK
+ GB member on IEC TC13 WG11/14/15, IEC SC23K WG1, IEC TC47 WG5, IEC SC47E WG8, IEC TC56 WG2/WG4/PT 4.8, IEC SEG8, IEC SEG9
CENELEC TC13 WG01, AFSEC SMC and AFSEC TC13 PT1
+ BEAMA member on BSI PEL/13, DS/1, PEL/23, PEL/57, PEL/205, EPL/47, GEL/50, SMG TC
Safety Standards & Ongoing Safety Testing (OST)
Roland Hill | 3rd African Smart Grid Forum | Sept 2018
The Recent Rapid Evolution of Safety Thinking
IEC guide 104 – Basic, Group & Product Safety Stds
IEC Standards Management Board (SMB) -> Mandatory adherence by all IEC TCs
IEC Advisory Committee on Safety (ACOS) -> Oversight of all TC safety publications
Relevant Basic Safety Publications
- IEC 60068 series (48): Environmental testing (TC104)
- IEC 60529: Degrees of protection - IP code (TC70)
- IEC 60664 series (5): Insulation coordination for LV eqpt (TC109)
- IEC 60695 series (36): Fire hazard testing (TC89)
- IEC 61508 series (26): Functional safety of systems (SC65A)
Relevant Group Safety Publications
- IEC 60364 series: Electrical installations – protection (TC64)
- IEC 61010 series: Test and measurement equipment (TC66)
- IEC 60999-2: Connecting devices (SC121A)
Relevant Product Safety Standards
- IEC 62052-31: Electricity meter – Product safety req’s (TC13)
- IEC 60950-1 & -22: Safety of IT equipment (TC108)
- IEC 62368 series (3): Safety of electronic equipment (TC108)
- Many others (see table on next slide)
AMI meter lifetime safety: 2018 to 2033+
Eras of safety: 1 - Black Box, 2 - Type Test, 3 - Risk Assess, 4 - PEI systems, 5 - Funct. safe
~ 40 Standards, ~ 3,148 pages
Decades of international meter safety standards
Beyond Type Testing – Era of OST, ISST and AI/ML
Type Test on one sample
ERA 2
Lifetime Assurance: Ongoing Safety Tests (OST)
ERA 3
ERA 4
In-Service Safety Testing (ISST)
ERA 5
AI & ML: System safety, Remote diagnostics, Field stress profile analysis, Forensic audit trails
Manufacturers: Ongoing Safety Testing (OST)
[Figure: Dielectric Tests, Heat Rise, ORT/ODT]
Every Manufacturer’s legal “Duty of Care” requires
1. Manufacturers have an obligation under their “Duty of Care”, to do what is reasonably practicable to prevent danger;
2. The level of safety of a product, as well as the system, must be judged according to the general knowledge & standards of the times;
3. When there is developing knowledge, Manufacturers must keep reasonably abreast of it, and not be too slow to apply it;
4. When the Manufacturer has greater than average knowledge of the risks, he is obliged to take more than the standard precautions;
5. Compliance with a relevant code of practice or regulatory instrument, may afford a defence to a claim of negligence, but there are significant circumstances where it does not do so. For instance:
a. It may be shown that the code of practice or regulatory instrument is compromised because the standards that it requires have been lowered as a result of heavy lobbying by affected parties; (e.g. the EU LVD provides an exemption for electricity meters)
b. Because it covers a field in which apathy and fatalism has prevailed; (e.g. where the metering industry has failed to engage the safety of the installed meter, when subjected to a variety of fusing, mounting, environmental and operational misuse conditions)
c. Because the regulatory instrument has failed to keep abreast of the latest technology and scientific understanding. (The LVD in Europe is 40 years old and desperately in need of revision. A year-long consultation to revise the LVD is underway)
6. Therefore an appropriate risk analysis must be carried out from time to time (annually)…to provide evidence that the Manufacturer has exercised reasonable care and skill, and as to the reasonable foreseeability of the relevant risk(s);
7. Because standards, regulations and best practice continuously evolve, responsible Manufacturers must periodically (re)assess the risk of continued use of their legacy products, and act accordingly under their “Duty of Care” when appropriate.
The legal principles listed above were extracted from the UK Crown judgement – Smith vs UKPN, dated 17 Sep 2012
https://www.crownofficechambers.com/2012/09/20/smith-v-ukpn-michael-kent-qc-jack-macaulay-represent-victims-fire-damage-tcc/
Dame Judith Hackitt – Statements on Grenfell fire
This is most definitely not just a question of the specification (of cladding systems or refrigerator backing panel flammability), but of an industry that has not reflected and learned for itself, nor looked to other sectors. The key issues underpinning the system failure include:
1. Ignorance – regulations and guidance are not always read by those who need to, and when they do the guidance is misunderstood and misinterpreted.
2. Indifference – the primary motivation is to do things as quickly and cheaply as possible rather than to deliver quality homes which are safe for people to live in. When concerns are raised, by others involved in building work or by residents, they are often ignored. Some of those undertaking building work fail to prioritise safety, using the ambiguity of regulations and guidance to game the system.
3. Inadequate regulatory oversight and enforcement tools – the size or complexity of a project does not seem to inform the way in which it is overseen by the regulator. Where enforcement is necessary, it is often not pursued. Where it is pursued, the penalties are so small as to be an ineffective deterrent.
4. Lack of clarity on roles and responsibilities – there is ambiguity over where responsibility lies, exacerbated by a level of fragmentation within the industry, and precluding robust ownership of accountability.
AFSEC TC13 members – Harmonising AMI Stds

| MEMBER’S NAME | ALTERNATE’S NAME | REGION | COUNTRY | LANGUAGE |
|---|---|---|---|---|
| Roland HILL (chairman) | <Don Taylor> | n/a | n/a | English |
| Khaled ZAKY (secretary) | Randa REZK | North | Egypt | Arabic |
| Habiballa ELBAGIR | Amany IBRAHIM | | Sudan | Arabic |
| Abdoulaye SANOGO | Omar BAKAYOKO | West | Cote d’Ivoire | French |
| John BATURE | Tasiu WUDIL | | Nigeria | English |
| Bukari DANLADI | Azeriwie AGALISI | | Ghana | English |
| Souleymane NDIAYE | <vacant> | | Senegal | French |
| Alain Konzi MPIANA | Clovis MAFUTA | Central | Dem Rep Congo | French |
| Charles NDUNGU | <vacant> | East | Kenya | English |
| Casimir NYIRINKINDI | Theoneste ISHIMWE | | Rwanda | English |
| Phillip CHINDARA | <vacant> | | Zimbabwe | English |
| Ackim ZULU | Dr Joseph MALAMA | South | Zambia | English |
| Gerhard WILSNACH | Shawn PAPI | | South Africa | English |
| Jona HAMBATA | Rudolf OUSEB | | Namibia | English |
Forecasted improvements to IEC 62052-31 (Ed.2)
| Decade (Era) | 1990’s (1) | 2000’s (2) | 2010’s (3) | 2020’s (4) | 2030’s (5) |
|---|---|---|---|---|---|
| Method | Black Box | Type Test | HBRA & RR | PEI systems | Functional |
| Primary IEC standards | 61010-1 & 61010-2-30 | 62052-31 Ed.1, effective 2019! | Guide 116 & 62368-1 & 2 | ACOS 116 Ed.3, 62052-31 Ed.2 | JTC1 SC7/25, 62368-3 DC |
| Supply voltage | < 600 Vac | < 1000 Vac | & < 1500 Vdc | Islanding | LVDC select |
| Heat rise | 25K or 35K | Cls 10, ‘52-31 | BS 7856 Ann.C | Hazard assess | Dependability |
| Enclosure | Foil & Flash | Creep & Clear | Lifetime, OST | V-0 and IP54 | Mng’d temp. |
| Disturbances | 6kV, OVC IV | 4kV, ok in EU! | 4kV + MOV’s? | OVC IV, global | Funct ranges |
| Arc-flash test | Required | No test req’d! | Enedis test | Add to 52-31 Ed.2 | Site PSCC’s |
| Control switch | No switches | 62055-31; UK=UC1, ZA=UC2 | 62052-31; BS 7856:2017, UC3 | 62054-31?; UC4 to UC6, Iovl=1.45 | Control f/w |
| OCPD co-ord | Not req’d | None! (Imax=Imax) | Iovl = 1.45*Imax | Coordinated | Selected |
| EU LV safety | None | Exempt > DtC | Exempt > DtC | Safety guide | LVD: 2020 |
| IEC TC/WG | IEC TC66 | TC13 WG11 | IEC TC108 | IEC TC64, TC8 | SyC SE/LVDC |
Thank you for your attention
Roland Hill
Hardware Systems [email protected]
… so your Homework Assignment is:
- Review the additional twelve slides
- Read the detailed manuscript
- Engage your AFSEC TC13 experts
- Apply your learnings at your work
- Support your National Safety efforts
Arc Fault with low PSCC - Load side fusing hazard
Example of thermal runaway on mV test results
Failure of a SCS having a single pair of contacts is shown opposite.
The test was aborted when the mV value reached 0.4 mV (40 W)
L+G have evidence of SCS contacts reaching 0.6 mV on a 100A Imax meter.
Thermal issues – Safety under single fault condition
[Figure: two single-fault diagrams. Panel 1 labels: Meter 10W, 1mOhm; ALCS 24W, 6mOhm; 63A, 37A; Max 100A; 63A fuse; 100A fuse; 34W. Panel 2 labels: Meter 10W, 1mOhm; ADPS 60W, 6mOhm; 100A, 0A; Max 100A; 100A fuse; 70W.]
An ALCS is not designed to withstand this condition
Internal fire ignition
Thermal damage to EV tail
Periodic heat rise test method and analysis process
Contact resistance degradation is the major thermal safety hazard
The thermal integrity and spread of fire safety of an electricity meter must be measured and analysed based on:
1. The requirements of clause 10 of IEC 62052-31. This defines the basic test method and requirements;
2. The supplementary requirements of BS 7856:2017. This corrects the errors and omissions in 62052-31;
3. L+G’s best safety practice based on acquired knowledge of SCS failure hazards.
The thermal integrity and lifetime of a meter is critically dependent on the quality of the SCS contact tips, as shown opposite.
Controlling the Operational mV drop characteristics
The operational mV drop of three meters shall be determined as the average value of a 100-point moving average of the mV values measured during the BS 7856 endurance test (Normative Annex D.2). Results similar to those shown opposite, from three different meters tested for 10 000 cycles, are recorded as part of the meter safety assessment records.
a. Heat rise testing of SCS contacts must be periodically performed to ensure safety conformity, as OEM manufacturers may cost-reduce the composition of the contact tips, or the contact tip material composition/processing may change without their knowledge.
b. Irreversible contact damage can also occur due to tamper attacks that repeatedly switch the SCS onto intentional short circuit conditions, excessive use beyond the rated endurance and/or poor material/component/design in the switch mechanism.
[Figure: Lifetime contact ageing - mV measurements from BS 7856:2017 Annex D.2 endurance testing]
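The operational mV drop calculation described on this slide, as an added Python example (not from the original presentation or from BS 7856). The per-cycle readings, meter names and the `summarise` report layout are constructed assumptions; only the 100-point window and the "average of the moving average" come from the slide.

```python
from statistics import fmean

WINDOW = 100  # the slide's "100 point moving average"


def moving_average(values, window=WINDOW):
    """Trailing moving average: len(values) - window + 1 points."""
    if len(values) < window:
        raise ValueError(f"need at least {window} readings, got {len(values)}")
    running = sum(values[:window])
    out = [running / window]
    for i in range(window, len(values)):
        running += values[i] - values[i - window]  # slide the window by one
        out.append(running / window)
    return out


def operational_mv_drop(values, window=WINDOW):
    """Average value of the moving average, as the slide words it."""
    return fmean(moving_average(values, window))


def summarise(meters, window=WINDOW):
    """Per-meter operational mV drop plus first/last smoothed value (ageing trend)."""
    report = {}
    for name, values in meters.items():
        smooth = moving_average(values, window)
        report[name] = {
            "operational_mv": round(fmean(smooth), 3),
            "start_mv": round(smooth[0], 3),
            "end_mv": round(smooth[-1], 3),
        }
    return report


# Constructed readings (mV across the SCS contacts, one per switching cycle).
# The slide's runs cover 10 000 cycles; 1 000 keeps the sample short.
CYCLES = 1000
SAMPLE = {
    "meter_A": [20.0 + (1.5 if c % 2 else -1.5) for c in range(CYCLES)],  # stable
    "meter_B": [20.0 + 0.01 * c for c in range(CYCLES)],  # slow, steady ageing
    "meter_C": [20.0 + max(0, c - 800) * 0.1 for c in range(CYCLES)],  # late rise
}

if __name__ == "__main__":
    for name, row in summarise(SAMPLE).items():
        print(name, row)
```

For the constructed meter_C the operational value (21.295 mV) is lower than the plain mean of its readings (21.99 mV), because the last 99 readings fall in fewer windows than the rest. The end-of-test smoothed value (34.95 mV) is reported alongside so that a late rise in contact resistance is still visible in the record.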
Long term heat rise test – BS 7856:2017 (for each SCS)
Long-term heat rise test on E470 100mm to BS 7856:2017 Annex C- with “typical new” SCS contacts, at ambient temperature of 23C
The long-term heat rise test as specified in Normative Annex C of BS 7856:2017 shall be performed under the defined conditions.
The heat rise test is run for two hours at Imax, followed by two hours at Iovl (1.45*Imax), followed by two hours with no current flow. Typical results are shown opposite.
Care must be taken to ensure consistent placement and naming of thermocouple measurement points, so that results can be compared between similar meter types (e.g. comparison of 100mm with 120mm, or comparison of 100mm with or without ALCS fitted, or with SCS from 2nd source).
Preferred names of the measurement points in the E470 meters are shown in the heat rise analysis template.
Thermal safety assessment and test record (TCF)
Having measured the heat rise at ambient temperatures (Step 3), the results are placed into an assessment template to evaluate the thermal margins over the product lifetime, and with different ambient temperatures, up to the maximum specified operational temperature of the meter.
This heat rise assessment does not cover the SCS thermal failure safety condition as that will be tested and reported separately, when the PEL/13 committee has agreed the test method, conditions and pass/fail criteria.
In cases where the heat rise safety/reliability assessment indicates an unsafe and/or undesirable temperature rise, the severity of the risk is analysed and declared in the Hazard Based Risk Assessment document. The HBRA is a defined part of the Technical Construction File (TCF) and follows the IEC Guide 116 and CENELEC Guide 32 (Annex D) hazard-based risk assessment procedure.
An incomplete example of a thermal safety assessment is shown on the next slide.
ROUTINE end-of-line production safety test
Era 1 – Foil and “flash” test (erroneous use of design validation stress test method)
Era 2 – IEC 60950-1 Hi-Pot test (adjust to avoid “flash” damage with two or more layers of dielectric in series. Review creepage and clearance distances);
Era 3 – Ignore Annex I of IEC 62052-31, instead use Annex F of IEC 61010-1
- method based on IEC 62368-1 hazard based risk assessment (HBRA);
- test method and limits based on ageing characteristics of each isolation;
- clarification of process to identify voltage zones to be added;
- clarification of process to decide on zone interconnection rules;
- zoning to identify and reduce all system safety hazards with all possible combinations of modules and build versions;
- need to list all “critical to safety” components and establish supplier lifetime quality assurance specification for all CTS components;
- introduce IEC TC13 standardised method for OST evaluation of plastic enclosure dielectric ageing properties.
Risk Assessment Techniques – IEC Guide 116 Ed.2
IEC Guide 116 Ed.2 Safety risk assessment and risk reduction of Low Voltage equipment
Periodic Hazard Based Risk Assessment (HBRA)
The CENELEC Guide 32 Annex D is used for the L+G HBRA in Europe as it complements ISO/IEC Guide 51 and it provides useful guidelines for achieving safety in low voltage (LV) equipment. These guidelines include risk assessment, in which the knowledge and experience of the design, use, incidents, accidents and harm related to low voltage equipment are brought together to assess the risks during the relevant phases of the life of the equipment, and to form a platform for further risk reduction measures.
The CENELEC guide does not cover basic or CTS components whose risk assessment depends to a very large extent on how they are used and incorporated into a machine, electrical system or installation.
❖ The scope of the exclusion of basic components should not be misunderstood and extended to items like lamps, starters, fuses, switches for household use, elements of electrical installations, etc., which, even if they are often used in conjunction with other electrical equipment and have to be properly installed in order to deliver their useful function, are themselves to be considered electrical equipment in the sense of the Guide.
❖ When the risk assessment identifies aspects not directly related to health and safety, such as environment protection, energy consumption, climate change, etc., the risk reduction for health and safety related risks, in particular with respect to persons, overrules the priority of those other aspects. However, regulations related to the other aspects shall be taken into account.
Risk assessment - CENELEC Guide 32 Annex D
Safety recalls – L+G CAPA, BS PAS 7100, EU prosafe
L+G quality crisis management and resolution procedure: D000054362
EU prosafe (EMARS II) corrective action guide