Functional Safety

Risk Assessment and FMEA Analysis Practice for Home Appliances

IEC 60730-1 requires systematic risk assessment. This article explains the FMEA methodology, implementation steps, and application cases for home appliances.

16 min read
Risk Assessment and FMEA Analysis Practice for Home Appliances

Introduction

In functional safety certification for home appliances, risk assessment is the foundation of the entire safety lifecycle. IEC 60730-1 Annex H explicitly requires systematic risk analysis for electronically controlled devices to identify potential hazards, assess risk levels, and determine appropriate safety measures. This article will provide an in-depth explanation of the core risk assessment method—FMEA (Failure Mode and Effects Analysis)—and demonstrate its application in home appliances through practical cases.

★ Insight ───────────────────────────────────── Three Key Values of Risk Assessment

  1. Systematic Identification: Avoid missing critical failure modes through structured methods
  2. Quantifiable Decision-Making: Objectively compare risk treatment priorities through RPN scoring
  3. Traceability: Establish a complete traceability chain from hazard identification to measure verification ─────────────────────────────────────────────────

1. Role of Risk Assessment in IEC 60730

1.1 Overview of Standard Requirements

IEC 60730-1 Annex H establishes risk assessment as a mandatory requirement for functional safety evaluation. Section H.5 “Fault Evaluation” of the standard explicitly states:

For control systems using software, systematic fault analysis must be conducted to identify all fault modes that could lead to unsafe conditions, and to evaluate the effectiveness of existing protective measures.

The results of risk assessment directly affect:

  • Safety classification of control functions (Class A/B/C)
  • Software structure selection (single-channel/dual-channel)
  • Determination of fault detection measures
  • Scope definition of testing and verification

1.2 Four Objectives of Risk Assessment

ObjectiveDescriptionOutput
Hazard IdentificationSystematically identify all potential hazard sourcesHazard list
Risk EvaluationAnalyze hazard occurrence probability and consequence severityRisk level
Measure DeterminationSelect appropriate safety measures based on risk levelsSafety function design
Integrity VerificationConfirm measures effectively reduce risksVerification report

1.3 Relationship with Other Functional Safety Activities

                    ┌──────────────┐
                    │  Product     │
                    │  Definition  │
                    └──────┬───────┘

                    ┌──────────────┐
                    │  Risk        │ ← Focus of this article
                    │  Assessment  │
                    │  (FMEA)      │
                    └──────┬───────┘

        ┌──────────────────┼──────────────────┐
        ↓                  ↓                  ↓
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Software      │ │ Safety        │ │ Test          │
│ Structure     │ │ Measure       │ │ Strategy      │
│ Selection     │ │ Design        │ │ Definition    │
└───────────────┘ └───────────────┘ └───────────────┘

2. Risk Identification Methods

2.1 Comparison of Common Risk Analysis Methods

MethodFull NameAnalysis DirectionApplicable ScenariosIEC 60730 Application
FMEAFailure Mode and Effects AnalysisBottom-upComponent-level fault analysis✅ Must use
FMECAFailure Mode, Effects, and Criticality AnalysisBottom-up + risk prioritizationFMEA with risk ranking✅ Recommended
FTAFault Tree AnalysisTop-downSpecific hazard event analysis⚠️ Supplementary
HAZOPHazard and Operability StudyGuideword system analysisProcess control systems⚠️ Specific scenarios

2.2 FMEA Analysis Process

┌─────────────────────────────────────────────────────────┐
│                   FMEA Analysis Process                  │
└─────────────────────────────────────────────────────────┘

  ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐
  │ System  │ → │ Function│ → │  Fault  │ → │ Effect  │
  │ Definition│  │ Identification│ Identification│ Analysis│
  └─────────┘   └─────────┘   └─────────┘   └─────────┘


  ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐
  │ Measure │ ← │  Risk   │ ← │   SOD   │ ← │ Detection│
  │ Improvement│  │ Prioritization│  Scoring │  Response│
  └─────────┘   └─────────┘   └─────────┘   └─────────┘

2.3 Fault Mode Identification

Hardware Fault Modes

Fault TypeTypical ManifestationDetection DifficultyExample
Open CircuitPin breakage, solder joint detachmentMediumSampling resistor open causing false measurement
Short CircuitPin short, component breakdownLowMOSFET short causing continuous conduction
Parameter DriftResistance change, capacitance degradationHighSampling resistor drift causing measurement error
Performance DegradationAging, fatigueHighCapacitance decrease causing filtering failure
Intermittent FaultPoor contact, timing issuesVery highLoose connector causing intermittent failure

Software Fault Modes

Fault TypeTypical ManifestationDetection DifficultyExample
Data CorruptionRAM bit flip, variable overflowHighSample value overflow causing false judgment
Program Flow ErrorInfinite loop, unexpected jumpMediumWatchdog failure causing hang
Timing ErrorTask timeout, response delayMediumProtection response delay
Logic ErrorCondition judgment errorHighCharging state judgment error
Communication ErrorPacket loss, checksum failureLowCAN communication interruption

★ Insight ───────────────────────────────────── Hierarchical Analysis of Fault Modes Hardware faults can usually be detected through physical measurement (voltage, current, temperature); while software faults are more hidden, requiring multiple layers of protection to ensure reliability:

  1. Program flow monitoring (watchdog, state machine)
  2. Data integrity checking (CRC, checksum)
  3. Reasonableness checking (boundary checking, range validation) ─────────────────────────────────────────────────

3. Detailed FMEA Analysis Steps

3.1 Core Scoring Parameters

FMEA analysis quantifies risk through three dimensions:

Severity (S)

ScoreDegreeDescriptionHome Appliance Example
10Extremely HazardousNo warning, could cause deathBattery fire/explosion
9Very SeriousCould cause permanent injuryHigh-voltage electric shock
8SeriousRequires medical emergencyBurn injury
7HighPermanent minor injuryEquipment damage
6ModerateRequires medical treatmentMinor burn
5LowTemporary injuryFunction failure
4-1Minor or LessMinor discomfort or no impactPerformance degradation

Occurrence (O)

ScoreProbabilityTypical Failure FrequencyHome Appliance Reference
10Extremely High>1/10Frequent mechanical switch operation
9Very High1/20Relay mechanical wear
8High1/100Capacitor aging
7Moderate High1/500Sensor drift
6Moderate1/1,000Solder joint fatigue
5Low1/10,000MCU occasional fault
4-1Very Low or Less<1/100,000Component early failure

Detection (D)

ScoreLikelihoodDetection CapabilityHome Appliance Example
10Absolutely ImpossibleNo detection measuresPure hardware mechanical fault
9Very RemoteOnly discovered after failureMCU without self-test
8RemoteRandom testing possiblePeriodic functional test
7Very LowPeriodic inspection possibleAnnual maintenance inspection
6LowPeriodic testing possibleCyclical self-test
5ModerateSelf-test non-real-timePower-on self-test
4Moderately HighPeriodic real-time self-testPer-minute detection
3HighReal-time monitoringPer-second detection
2Very HighAlmost certain detectionRedundant detection
1Almost CertainMultiple redundancy + real-time2-out-of-3 logic

3.2 RPN Calculation and Evaluation

RPN (Risk Priority Number) = Severity (S) × Occurrence (O) × Detection (D)

Risk Acceptance Criteria:

RPN RangeRisk LevelMeasure RequirementsTimeline
1-50Low RiskAcceptable, continuous monitoringNext version improvement
51-100Medium RiskImprovement measures neededImprove within 3 months
101-200High RiskMust take measuresImprove within 1 month
201-1000Very High RiskImmediate corrective measuresImmediate rectification

3.3 Three Levels of FMEA Analysis

Local Effect

Consequences of the fault on directly affected components or subsystems.

Example: Current sampling resistor open

  • Local effect: Current detection circuit outputs 0V

System Effect

Impact of the fault on the entire control system functionality.

Example: Current sampling resistor open

  • System effect: BMS cannot accurately detect charging current

End Effect

Final consequences of the fault on users, equipment, or environment.

Example: Current sampling resistor open

  • End effect: Possible overcurrent without protection, leading to battery thermal runaway

4. Risk Acceptance Criteria

4.1 IEC 60730 Risk Acceptance Principles

Although the standard does not provide an explicit risk acceptance matrix, it implies requirements through:

  1. Fault Tolerance Time: For Class B functions, fault detection and response must be completed within the fault tolerance time
  2. Fault Detection Coverage: Software architecture must be capable of detecting all fault modes listed in Table H.2
  3. Safe State Definition: Any detected fault must be able to bring the system into a safe state

4.2 Home Appliance Risk Acceptance Matrix

              Severity (S)
            High │    Medium    │    Low
               │         │
    ┌───────────┼───────────┼───────────┐
 High │ Unacceptable│ Undesired │ Acceptable│
    │ (Immediate  │ (Must     │ (Continuous│
    │  Improve)   │  Improve) │  Monitor) │
    ├───────────┼───────────┼───────────┤
 Low  │ Undesired │ Acceptable│ Acceptable│
    │ (Must     │ (Continuous│ (Continuous│
    │  Improve) │  Improve) │  Monitor) │
    └───────────┴───────────┴───────────┘
              Occurrence (O)

4.3 ALARP Principle Application

In risk assessment, the ALARP (As Low As Reasonably Practicable) principle is widely adopted:

        Risk Level
          High

           │    Unacceptable Region
           │    (Must reduce risk)

    ───────┼────────────
           │    ALARP Region
           │    (Cost-benefit analysis)

    ───────┼────────────
           │    Acceptable Region
           │    (Continuous monitoring)

          Low

5. Practical Case Demonstration

5.1 Case Background: Water Heater Over-Temperature Protection

Product Description:

  • Product Type: Storage electric water heater
  • Control Method: MCU-controlled heating element
  • Safety Function: Prevent water temperature from causing scalding or container rupture

Function Definition:

FunctionSafety ClassFault Tolerance TimeDefined State
Over-temperature protectionClass B5 secondsDisconnect heating circuit

5.2 FMEA Analysis Table

ComponentFault ModeFault CauseLocal EffectSystem EffectEnd EffectSODRPNDetection MeasureResponse Measure
NTC Temperature SensorOpenWire breakReads minimum temperatureFalse low temperatureContinuous heating943108Open detectionDisconnect heating
NTC Temperature SensorShortSensor damageReads maximum temperatureFalse high temperatureStop heating53230Short detectionNormal response
ADC SamplingAccuracy DriftReference voltage driftReading errorThreshold judgment offsetPossible over-temperature855200Dual ADC comparisonDisconnect heating
MCU ProgramFreezeWatchdog failureProgram unresponsiveProtection failureContinuous heating92472Hardware watchdogSystem reset
RelayWeldedContact weldCannot openProtection failureContinuous heating944144Status feedbackAlarm + backup protection
Heating ElementBreakdown ShortInsulation agingContinuous heatingProtection may failContainer overpressure82348Current monitoringDisconnect main power

5.3 High-Risk Item Analysis and Improvement

Item 1: NTC Sensor Open (RPN=108)

Problem Analysis:

  • When sensor is open, ADC reading is at minimum value
  • Software misjudges as low temperature, may continue heating
  • Leads to serious scalding risk

Improvement Measures:

Measure TypeSpecific SolutionDetection ImprovementNew RPN
Hardware ImprovementAdd pull-up resistor, outputs high level when openD: 3→272
Software ImprovementOpen detection logic + range checkD: 3→272
System ImprovementAdd mechanical thermostat as backup protectionD: 3→136

Post-Implementation Effect:

Original: RPN = 9 × 4 × 3 = 108 (High Risk)
Improved: RPN = 9 × 4 × 1 = 36 (Low Risk, Acceptable)

Item 2: ADC Accuracy Drift (RPN=200)

Problem Analysis:

  • Reference voltage drift causes temperature reading error
  • May lead to incorrect overcharge or undercharge judgment
  • Extremely high risk level

Improvement Measures:

// Dual ADC sampling comparison implementation
typedef struct {
    uint16_t adc1_value;
    uint16_t adc2_value;
    uint16_t final_value;
} TempSample_t;

uint16_t read_temperature_safe(void) {
    TempSample_t sample;

    // 1. Dual ADC sampling
    sample.adc1_value = ADC1_Read(TEMP_CHANNEL);
    sample.adc2_value = ADC2_Read(TEMP_CHANNEL);

    // 2. Comparison check
    uint16_t delta = abs(sample.adc1_value - sample.adc2_value);

    if (delta > ADC_THRESHOLD) {
        // ADC mismatch, possible fault
        error_handler(ERR_ADC_MISMATCH);
        return SAFE_DEFAULT_TEMP;
    }

    // 3. Average value
    sample.final_value = (sample.adc1_value + sample.adc2_value) / 2;

    // 4. Range check
    if (sample.final_value < TEMP_MIN || sample.final_value > TEMP_MAX) {
        error_handler(ERR_TEMP_OUT_OF_RANGE);
        return SAFE_DEFAULT_TEMP;
    }

    return sample.final_value;
}

Post-Implementation Effect:

  • Detection improved from 5 to 2 (almost certain detection)
  • New RPN = 8 × 5 × 2 = 80 (Medium risk, requires continuous improvement)

5.4 Case Summary

Through systematic FMEA analysis, this case achieved:

Improvement ItemBefore ImprovementAfter ImprovementEffect
Sensor Open DetectionNoneHardware + Software dual detectionRPN reduced by 67%
ADC Accuracy MonitoringSingle pathDual path comparisonRPN reduced by 60%
Relay Status FeedbackNoneStatus readback verificationNew protection
Backup ProtectionPure softwareHardware mechanical thermostatIndependent protection

★ Insight ───────────────────────────────────── FMEA-Driven Safety Design Iteration This case demonstrates how FMEA drives continuous improvement in safety design:

  1. Identify high-risk items (RPN > 100)
  2. Analyze root causes and improvement paths
  3. Implement multi-level protection measures
  4. Verify improvement effectiveness (recalculate RPN)
  5. Form closed-loop documentation This iterative method ensures the effectiveness and traceability of safety measures. ─────────────────────────────────────────────────

6. Common Pitfalls and Best Practices

6.1 Common Pitfalls

Pitfall 1: FMEA Only Needs to Be Done Once

Misconception: FMEA is a one-time activity, can be archived once completed.

Correct Practice: FMEA is a living document, should be updated when:

  • Design changes occur
  • New fault modes are discovered
  • Field failures occur
  • Regular reviews (e.g., annually)

Pitfall 2: The Lower the RPN, The Better

Misconception: Pursue lowering RPN for all items to the minimum.

Correct Practice: Based on ALARP principle, balance safety and cost:

  • Prioritize high-risk items
  • Reasonably improve medium-risk items
  • Continuously monitor low-risk items

Pitfall 3: Rely on Software to Solve All Problems

Misconception: Any fault can be detected and protected through software.

Correct Practice: Follow failure-oriented design principles:

  • Hardware first: independent protection devices
  • Software assistance: detection and response
  • Redundant design: multi-level protection

Pitfall 4: Detection Measures Only Need to Be Listed

Misconception: In FMEA, just listing detection measures is sufficient, no need for verification.

Correct Practice: All detection measures must be verified:

  • Fault injection testing
  • Boundary condition testing
  • Long-term reliability testing

6.2 Best Practices

Practice 1: Establish FMEA Checklist

FMEA Completeness Checklist:
□ All safety functions analyzed
□ Table H.2 fault modes covered
□ Hardware and software faults considered
□ Three-level effects (local/system/end) analyzed
□ SOD scoring has clear basis
□ RPN > 100 items have improvement plans
□ All detection measures have verification methods
□ Document version clearly traceable

Practice 2: Use Structured Templates

ColumnContentFilling Requirements
Function/ComponentClear analysis objectDown to component level
Fault ModeStandardized fault descriptionReference Table H.2
Fault CauseRoot cause analysisNot limited to surface causes
Effect AnalysisThree-level effect descriptionClear and specific
Detection MeasureSpecific detection methodVerifiable implementation
SOD ScoringStandard-based scoringNote scoring basis
Improvement PlanHigh-risk item measuresClear timeline

Practice 3: Team Review Mechanism

FMEA Review Process:
┌─────────────┐
│ Initial     │ → Scoring and measures complete
│ Draft       │
└──────┬──────┘

┌─────────────┐
│ Peer        │ → Other engineers review
│ Review      │
└──────┬──────┘

┌─────────────┐
│ Expert      │ → Functional safety expert confirmation
│ Review      │
└──────┬──────┘

┌─────────────┐
│ Approval    │ → As baseline document
│ Release     │
└─────────────┘

Practice 4: Closed Loop with Testing and Verification

FMEA → Test Cases → Test Execution → Result Feedback → FMEA Update
   ↑                                            │
   └────────────────────────────────────────────┘

6.3 Relationship Between FMEA and Other Safety Activities

ActivityRelationship with FMEAOutput/Input
Hazard AnalysisPrerequisite to FMEAHazard list → FMEA
Functional Safety AssessmentFMEA is core inputFMEA → Assessment report
Fault Injection TestingFMEA defines test scopeTest results → FMEA verification
Safety Requirement DefinitionFMEA drives safety requirementsSafety requirements → FMEA measures
Design VerificationFMEA defines verification scopeVerification results → FMEA update

Conclusion

Risk assessment and FMEA analysis are foundational work for IEC 60730 functional safety certification. Through systematic FMEA analysis, you can:

  1. Comprehensively Identify Risks: Avoid missing critical fault modes
  2. Quantify Risk Levels: Objectively compare risk priorities through RPN
  3. Drive Safety Design: Select appropriate measures based on risk levels
  4. Establish Traceability Chain: Complete records from hazard identification to verification

Effective FMEA is not a one-time document, but a dynamic management process throughout the product lifecycle. Through continuous review, update, and verification, FMEA becomes an important guarantee for product functional safety.


Reference Standards

  1. IEC 60730-1:2022 Annex H - Household and similar electrical automatic controls - Functional safety requirements
  2. IEC 60812:2018 - Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)
  3. IEC 61508:2010 - Functional safety - Basic standard

The author is a functional safety certification assessment engineer. The content is organized based on IEC 60730-1 Annex H requirements and actual certification experience.

Tags

#IEC-60730 #risk-assessment #FMEA #FMEDA #hazard-analysis