Keith Armstrong, “EMC for Functional Safety”

Introduction to “EMC for Functional Safety”
sometimes called “Risk Management of EMC”
Eur Ing Keith Armstrong CEng, FIET, Senior MIEEE, ACGI
phone & fax: +44 (0)1785 660 247
keith.armstrong@cherryclough.com
www.cherryclough.com
Contents
1. What is EMC for Functional Safety?
2. Why we can’t rely solely on EMC immunity testing
3. Current standardisation activities
in EMC for Functional Safety
4. The competency required
for EMC for Functional Safety
5. An overview of the steps in an
EMC for Functional Safety compliance process
2 of 83
What is EMC for Functional Safety?

Safety systems must maintain adequately low risks
over their entire lifetimes

Where electromagnetic interference (EMI) could
affect safety risks…
– compliance with safety regulations means demonstrating
that an adequate level of electromagnetic (EM)
performance will be achieved over the operational
lifetime of the safety system…
– this is the new discipline known as ‘Electromagnetic Compatibility for Functional Safety’,
or simply: ‘EMC for Functional Safety’
Required Safety Confidence (figure)
Increasing confidence is required, that the EM immunity is adequate, at all times, for the lifetime of the application, as we move up this list:
– Systems not intended for applications with any safety impact
– Systems used in applications with an impact on safety
– Safety-related systems performing SIL1 safety function(s)
– Safety-related systems performing SIL2 safety function(s)
– Safety-related systems performing SIL3 safety function(s)
– Safety-related systems performing SIL4 safety function(s)
SIL = Safety Integrity Level, as defined by IEC 61508 (see later)
What is EMC for Functional Safety?
continued…

The situation for EMC is similar to that for safety-related software…
– because neither can be thoroughly tested in any practical or affordable manner, for the design confidence required for safety

Just as for all other technical areas (including software,
see IEC 61508-3) – cost-effectively ensuring EMC for
Functional Safety requires the application of
appropriate design and validation techniques…
– that cover the reasonably foreseeable worst-case EM and
physical environments over the anticipated lifetime
Increasing risks caused by EMC-related functional safety (flow chart)
Contributing factors:
– Worsening electromagnetic environment
– Rapidly increasing use of electronics in safety-related applications
– More complex circuits, systems, systems-of-systems
– Increasing susceptibility of electronic devices
– Manufacturers under increasing pressure to reduce costs and timescales
– Manufacturers comply with the minimum set of safety standards required by law
But no safety or EMC standards yet exist that adequately control EMC-related functional safety
Result:
– Rapidly increasing safety risks for users and third parties
– Rapidly increasing financial risks for manufacturers
2. Why we can’t rely solely on EMC immunity testing
EMC testing ignores foreseeable faults

Functional safety risks must remain low enough despite all reasonably foreseeable faults…
– and reasonably foreseeable combinations of them (not “single fault safety”)…
– dry joints, open or short circuits (tin whiskers?), intermittent connections, etc…
– out-of-tolerance or incorrect components, etc…
– loose enclosure or cable shielding fixings, etc…
– failure of a filter capacitor or surge protection device, etc…

But EMC tests are only done on perfect samples
EMC testing ignores foreseeable use/misuse

People are known to behave in certain ways, e.g…
– not always according to the User Manual…
– and with varying degrees of competency and muscular strength…
– and sometimes they make mistakes

61508 requires taking use/misuse into account…
– but EMC testing ignores the whole issue…
– and assumes every operator behaves perfectly, every time
Conventional test chambers
are not realistic EM environments

Anechoic chambers are generally used for radiated
RF immunity tests…
– but they are unlike all real-life EM environments (other
than missiles in flight)…
– so such tests cannot prove that safety risks will be low
enough

Reverberation (mode-tuned) test chambers can
provide much more realistic (and thorough) tests…
– which is why they are used by many manufacturers of
flight-critical avionics
Conventional testing uses too few
angles of incidence and polarisations

Radiated RF tests use 4 angles of incidence, plus horizontal and vertical antenna polarisation…
– but other angles and/or polarisations can have much more susceptibility…
– which might not be discovered by normal testing, even at a higher test level

Similar criticisms can be made for the very few waveforms used in transient and ESD tests…
– real-life may be very different, with very different results
RF susceptibility of electronic systems
depends strongly on the modulation
type and frequency (or waveshape)…
– well-known to electronic warfare specialists

But for ease of testing and reproducibility most
EMC testing uses 1kHz sine-wave modulation…
– and testing at any higher level might not discover a
much higher susceptibility to a different modulation
frequency or waveform …
I have seen 85dB between 1kHz and 170kHz modulation…
– so cannot prove low-enough safety risks in real life
EMC testing ignores the effects of
physical and climatic environments

Mounting stresses (e.g. bending and twisting), shock,
vibration, temperature extremes, condensation,
liquids, salt spray, conductive dusts, mould growth,
etc., etc…
– can all cause degraded EMC performance,
e.g. by reducing attenuation of shielding and/or filtering

61508 requires real-world environments to be taken
into account…
– but EMC tests use a benign physical/climatic environment
EMC testing ignores ageing

Ageing can be caused by temperature (high, cycling), humidity, corrosion (oxidation, galvanic, fretting), wear and tear, cleaning, supply voltage, etc…
– e.g. some X2 capacitors drop 90% in value over 3 years…
– and ICs’ EMC characteristics are known to degrade unpredictably over several years of operation

Even when products are subjected to highly-accelerated lifecycle tests…
– the resulting ‘aged’ units are almost never retested for EMC to see if their immunity has degraded and increased their safety risks
EMC testing of perfect samples ignores
component and assembly tolerances

In volume manufacture, the EMC characteristics of
a product are affected by…
– component tolerances, semiconductor die-shrinks,
assembly variations, PCB layout changes, replacement
of obsolete components, software bug fixes, etc.

Without appropriate design and QA,
the fact that a sample once passed its EMC tests…
– does not prove that the product that has just rolled off
the production line would pass the same set of tests
EMC testing of perfect samples
ignores assembly errors

A product’s EMC characteristics can be badly
affected by assembly errors…
– e.g. dry solder joints, wrong or missing components,
gaskets misfitted, fixings missing or not tightened with
the correct torque…
– but the errors might not affect the normal functions of
the product when they are tested before shipment

Without appropriate design and/or production-line
EMC checks, the EMC characteristics of each
manufactured product are completely unknown
The maximum test level
is not necessarily the worst

Most EMC immunity tests only test at the highest
levels thought likely to occur in the environment
(or higher)…
– but all electronic devices are non-linear,
and their circuits/software and systems very complex…
– so even if they pass when tested at the highest test
levels…
– they might fail when tested with lower levels…
– which are generally more likely to occur in real life, and so could be more important for risk control
Simultaneous EM disturbances

In real life, systems are often exposed to two or
more simultaneous EM disturbances, e.g…
– two RF fields with different frequencies…
– an external RF field plus a transient on the electrical power supply…
– or plus ESD from the operator to the control surface

Simultaneous RF disturbances at different frequencies will demodulate and intermodulate…
– occurs in all non-linear devices (all semiconductors)
Demodulation and intermodulation create new frequencies inside circuits (figure)
Spectrum sketch, 0 to 1000 MHz, level in dB: the original voltage or current noises in a circuit from external RF fields at two different frequencies, f1 and f2, are rectified in the non-linear device, producing the demodulated envelopes and their harmonics (in the baseband), the difference product f2-f1, and some of the many “Intermodulation Products” (IPs) and harmonics at higher frequencies: f1+f2, 2f1-f2, 2f2-f1, 2f1, 2f2
Example of the noise spectrum created by a single diode supplied with two RF signals: 850 and 875MHz (figure; 10MHz to 35GHz, 20dB/division)
– 1st order IPs at –6dBc
– 2nd order IPs at –12dBc
– 3rd, 4th, 5th, etc., IPs, and 2nd, 3rd, 4th, etc., harmonics, at progressively lower levels
Example of why testing with a single
frequency isn’t thorough enough

Conventional (single frequency) testing 150kHz - 6GHz
discovers susceptibility over 20 - 400MHz…
– we add shielding and filtering that is effective over
20 - 400MHz and the product now passes the test

But we added no protection over 0.4 – 6GHz
(it was not required to pass the test)…
– allowing simultaneous frequencies in this range to enter
the product and intermodulate in its semiconductors...
– with no protection from the creation of internal noise in
the range 20 - 400MHz which interferes with the product
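As an added illustration of the mechanism just described (this is example code, not part of the presentation), the following Python enumerates the intermodulation products |m·f1 + n·f2| that two RF carriers can generate in a non-linear device and lists those that fall into a band where the product is already known to be susceptible. The 850/875 MHz carrier pair and the 20-400 MHz band are taken from the slides; the 2450/2600 MHz pair is a constructed example of two carriers in the unprotected 0.4-6 GHz range. The code does frequency bookkeeping only: the amplitude of each product depends on the device’s non-linearity, which the slides summarise as “progressively lower levels” with increasing order.

```python
"""Which intermodulation products of two RF carriers land in a band where a
product is already known to be susceptible?  Frequencies are in MHz."""

from itertools import product as cartesian


def intermod_products(f1, f2, max_order=5):
    """Map (m, n) -> |m*f1 + n*f2| for every integer pair with
    1 <= |m| + |n| <= max_order.  |m| + |n| is the order of the product:
    order 1 is a carrier, (k, 0) and (0, k) are harmonics, the rest are IPs."""
    products = {}
    coefficients = range(-max_order, max_order + 1)
    for m, n in cartesian(coefficients, coefficients):
        order = abs(m) + abs(n)
        if 1 <= order <= max_order:
            products[(m, n)] = abs(m * f1 + n * f2)
    return products


def label(m, n):
    """Readable name for m*f1 + n*f2, positive term first: (-1, 1) -> 'f2-f1'."""
    terms = []
    for coef, name in ((m, "f1"), (n, "f2")):
        if coef:
            mag = abs(coef)
            terms.append(("+" if coef > 0 else "-", ("" if mag == 1 else str(mag)) + name))
    terms.sort(key=lambda t: t[0] == "-")  # '+' terms sort first
    first_sign, first = terms[0]
    text = first if first_sign == "+" else "-" + first
    return text + "".join(sign + name for sign, name in terms[1:])


def products_in_band(f1, f2, lo, hi, max_order=5):
    """Non-carrier products whose frequency falls in [lo, hi], as a sorted
    list of (order, label, freq).  (m, n) and (-m, -n) have the same
    magnitude, so each frequency is reported once, with the lowest order
    that produces it (the combination a non-linearity generally produces
    most strongly)."""
    best = {}
    for (m, n), freq in intermod_products(f1, f2, max_order).items():
        order = abs(m) + abs(n)
        if order == 1 or not lo <= freq <= hi:
            continue
        if freq not in best or order < best[freq][0]:
            best[freq] = (order, label(m, n))
    return sorted((order, name, freq) for freq, (order, name) in best.items())


if __name__ == "__main__":
    # The diode example on the slide: 850 MHz and 875 MHz, protected band 20-400 MHz.
    for order, name, freq in products_in_band(850, 875, 20, 400):
        print(f"850/875 MHz  order {order}: {name} = {freq} MHz")
    # Constructed example: two carriers in the unprotected 0.4-6 GHz range.
    for order, name, freq in products_in_band(2450, 2600, 20, 400):
        print(f"2450/2600 MHz order {order}: {name} = {freq} MHz")
```

For the slide’s diode example the in-band products up to 5th order are f2-f1 at 25 MHz and 2f2-2f1 at 50 MHz; for the constructed 2450/2600 MHz pair they are 150 MHz and 300 MHz, both inside the band that the shielding and filtering were designed to protect, even though neither carrier is attenuated by it.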
Simultaneous EM disturbances

continued…
Tests have shown that products that pass
individual immunity tests can be very susceptible
to simultaneous EM disturbances…
– but conventional immunity tests only apply
one disturbance at a time…
– so they cannot prove that safety risks will be low enough
in real life

It’s rather obvious why passing tests with one EM
disturbance at a time, cannot deal with the same
disturbances occurring simultaneously…
Simultaneous EM disturbances

continued…
All electronic circuits have a “noise margin”
or “signal-to-noise ratio”…
– the difference between perfect operation,
and “just on the point of failing to meet specification”

Because products are tested with one EM
disturbance at a time (and to keep costs low)…
– they are designed to just about meet their operational
specifications for each disturbance alone…
 so
that they pass their EMC tests…
– and so fail when two or more disturbances are applied,
as they can (and do) often in real life
An example of simultaneous random transients
– 100ns transient once/minute (e.g. wipers, gearbox solenoids, fans, window winders, light switches, etc.)
– 50ns spark ignition transients at 3,000/minute (e.g. 6 cylinder engine at 2000rpm)
So a safety-related vehicle ESA (electronic sub-assembly) is exposed to simultaneous transients from both causes at 0.001% (10ppm) per minute
Assume vehicle driven 1hr/day, 5 days/week, 40 weeks/year…
– simultaneous transient rate = 12% per year, i.e. 1 simultaneous event for every 8 years of use, on average
Assume 1% of overlapping transient events causes a death…
– likelihood of death = 0.12% per year, comparable with the world’s most hazardous jobs!
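The arithmetic behind the vehicle example above, as an added worked example rather than the presenter’s own calculation: for two independent, sparse, randomly timed pulse streams, a pulse from one stream overlaps a pulse from the other whenever its start falls within the sum of the two pulse widths of the other pulse’s start, so the expected overlap rate is rate_a × rate_b × (width_a + width_b). With the slide’s figures this gives 7.5 ppm per minute and about 9% per year, so the slide’s 10 ppm and 12% are rounded upwards; the order of magnitude, and the conclusion, are unchanged. Treating the overlaps as a Poisson process for the final probability is an assumption made here.

```python
"""Coincidence rate of two independent, randomly timed transient sources,
applied to the vehicle scenario on the slide (rates in pulses per second,
widths in seconds)."""

import math


def coincidence_rate(rate_a, width_a, rate_b, width_b):
    """Expected overlapping pulse pairs per second for two sparse streams:
    a B pulse overlaps an A pulse when it starts within (width_a + width_b)
    of the A pulse's start, which happens rate_b * (width_a + width_b) of
    the time for each of the rate_a A pulses per second."""
    return rate_a * rate_b * (width_a + width_b)


def annual_coincidences(rate_a, width_a, rate_b, width_b, hours_per_year):
    """Expected overlaps per year for the stated hours of exposure."""
    return coincidence_rate(rate_a, width_a, rate_b, width_b) * hours_per_year * 3600


def annual_fatality_probability(expected_overlaps, p_fatal_given_overlap):
    """P(at least one fatal overlap in a year), treating fatal overlaps as a
    Poisson process (an assumption); for small values this is close to the
    plain product of the two numbers."""
    return 1.0 - math.exp(-expected_overlaps * p_fatal_given_overlap)


def vehicle_example():
    """The slide's scenario: one 100 ns transient per minute, 50 ns spark
    ignition transients at 3000 per minute, driven 1 h/day, 5 days/week,
    40 weeks/year, with 1 % of overlaps assumed fatal.
    Returns (overlaps per minute, overlaps per year, P(death) per year)."""
    rate_a, width_a = 1 / 60, 100e-9      # wipers, solenoids, switches...
    rate_b, width_b = 3000 / 60, 50e-9    # spark ignition
    hours_per_year = 1 * 5 * 40
    per_minute = coincidence_rate(rate_a, width_a, rate_b, width_b) * 60
    per_year = annual_coincidences(rate_a, width_a, rate_b, width_b, hours_per_year)
    return per_minute, per_year, annual_fatality_probability(per_year, 0.01)


if __name__ == "__main__":
    per_minute, per_year, p_death = vehicle_example()
    print(f"overlaps per minute : {per_minute:.2e}  ({per_minute * 1e6:.1f} ppm)")
    print(f"overlaps per year   : {per_year:.3f}  (one every {1 / per_year:.1f} years)")
    print(f"P(death) per year   : {p_death:.2%}")
```

The same functions apply to any pair of transient sources whose pulses are short compared with the interval between them; if a stream is not sparse (rate × width approaching 1) the simple product over-counts, and the Poisson form is the safer approximation for the final probability.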
Normal EMC test performance criteria
are unsuitable for safety applications

Obviously, Performance Criterion A
(full spec operation) is just fine for safety…
– but Performance Criterion B
(any amount of temporary performance degradation)…
– and Performance Criterion C
(any amount of performance degradation until operator
intervenes)…
– are almost always unsuitable where the specified
functional performance of an electronic unit
is needed to control safety risks
Normal EMC testing ignores
maintenance, repair, refurbishment,
upgrades, etc.

Over its life, a product will be cleaned and
maintained…
– and will probably also be repaired, refurbished, modified,
upgraded (even if only software), and dismantled…
– and all these can degrade EMC characteristics during
and/or afterwards

Although safety risks must be maintained at low
levels throughout product life, these reasonably
foreseeable activities are ignored by EMC testing
Future changes to the EM environment

Because a product must remain safe enough over
its whole lifetime…
– and because its EM environment can be expected to
change over that timescale…
– its design must take into account the reasonably
foreseeable changes in its EM environment

But EMC tests address the EM environment of five
or more years ago…
– the minimum length of time it takes for a change to a
standard to reach final publication
Clearly, to achieve functional safety, we
can’t afford to rely solely on EMC testing

Sufficient confidence that tolerable safety risks will
be maintained over a product’s lifetime…
– would require a huge EMC test programme to cover all the issues in the previous slides…
– and foreseeable real-life combinations of them…
– e.g. high external RF fields at two frequencies with different modulation frequencies, plus supply transients, plus high temperatures and vibrations, ageing, faults, misuse, component tolerances, etc., etc., etc…
– that no company (or Government) could possibly afford
Cost-effectively achieving tolerable
functional safety risks…
despite EM disturbances…
– requires the use of well-proven good EMC
engineering practices in design…
– and a variety of design verification and validation
techniques, not just (very expensive) EMC testing

Software cannot be proven to be safe enough
by any affordable test plan either…
– but the safety-critical software industry went through
this exact same learning curve in the 1990s,
and came to the same conclusions
Conclusions

I have shown 14 (mostly rather obvious) reasons why
EMC testing is insufficient, on its own…
– for demonstrating that EM disturbances will not cause
intolerable safety risks over a product’s lifetime

Good safety engineering methods, like those
already used for all other safety issues (including
software)…
– are required for EMC for Functional Safety, as well as
immunity testing…
– including a wide range of EM design, verification and
validation techniques
3. Current standardisation activities in EMC for Functional Safety
The IEC’s basic standard on Functional
Safety is IEC 61508
– title: “Functional Safety of Electrical/Electronic/
Programmable Electronic Safety-Related Systems”

IEC 61508 has always required that EMI not cause safety risks to rise above specification…
– but has never said how this was to be achieved…
– so IEC TS 61000-1-2 Ed.2:2008 was written to be 61508’s “missing EMC annex”…
– and it was made a Normative Requirement (i.e. a mandatory requirement) in IEC 61508 Ed.2:2010
IEC TS 61000-1-2 is
the IEC’s basic document
on EMC for Functional Safety
– title: “Methodology for the achievement of
functional safety of electrical and electronic
systems including equipment with regard to
electromagnetic phenomena”

IEC 61000-1-2 Ed.2:2008 has, just recently, been
proposed for adoption as a full International
Standard…
– which should happen in 2012
IEC Medical standards use
ISO 14971 instead of IEC 61508

All IEC standards are required to follow IEC basic
standards (e.g. IEC 61511, 62061 and others follow 61508)…
– but the IEC medical standards were given special permission to use ISO 14971 because it is very difficult to apply IEC 61508 to medical equipment…
– and anyway ISO 14971 uses the same basic functional safety principles as 61508

ISO 14971 does not use “Functional Safety”…
– instead, medical standards use the phrase: “Risk Management of EMC”…
– which means almost exactly the same thing
Ed. 2.0 of 61000-1-2 is the basis for
all of the material presented here
– and the presenter (Keith Armstrong) is the UK’s expert
for the team that created it

IEC basic standards can be applied on their own…
– but their main purpose is to provide ‘pilot functions’ for
generic and product standards

The first to be created under IEC 61000-1-2
is IEC 61000-6-7 (currently in draft)…
– the generic standard on EMC for Functional Safety for
equipment intended for use in industrial safety systems
Standardisation activity in
EMC for Functional Safety
continued…

The presenter is also the UK’s expert on the IEC
61000-6-7 committee…
– and also on the IEC 60601-1-2 (medical EMC) committee, which added “Risk Management of EMC” at Edition 3…
– now a mandatory requirement for compliance with any of the three Medical Devices Directives...
– now working on 60601-1-2 Edition 4, which will be published in 2012…
– and which will be much more helpful in achieving Risk Management of EMC…
– it uses the IET’s Guide (see later) as an Informative Annex
Standardisation activity in
EMC for Functional Safety
continued…

The UK’s new Defence Standard on EMC…
– DEF STAN 59-4911, January 2010…
– includes mandatory requirements for achieving
“EMC for Functional Safety”
Applying existing EMC immunity
testing standards is insufficient
for EMC for Functional Safety…
– including: commercial, industrial, marine, military, automotive, aerospace, etc., standards…
– for the reasons already discussed…
– but some immunity testing standards claim to cover EMC for functional safety…
– IEC 60335-1:2002 + A1:2004 “Safety of household appliances and portable tools”
– and the IEC 61326-3-x series…
– but they are all insufficient, if used on their own
Standardisation activity in
EMC for Functional Safety
continued…

There are two standards in the IEC 61326-3-x
series…
– “Electrical equipment for measurement, control and
laboratory use – EMC requirements – Immunity
requirements for safety-related systems and for
equipment intended to perform safety related
functions (functional safety)”…
– 61326-3-1 “– General industrial applications”…
– 61326-3-2 “– Industrial applications with specified EM
environment”
Standardisation activity in
EMC for Functional Safety
continued…

The titles of the 61326-3-x standards make them
sound as if they are full ‘EMC for Functional Safety
Standards’…
– but they only cover a fraction of the requirements in 61000-1-2…
– so they are insufficient if used on their own…
– and according to their convenor Bernd Jaekel they were only ever intended to be…
“Building blocks within an overall procedure that was governed by IEC TS 61000-1-2 and IEC 61508”
4. The competency required for EMC for Functional Safety
The amount of work, and competency,
required for EMC for Functional Safety

Because the EMC industry has always focussed on testing as being the sole way to prove a design…
– some industries have EMC design guides, but they are often treated as informative, not mandatory…
– most EMC experts do not (yet) understand how to do EMC for Functional Safety
– and most safety-related system designers and safety experts do not (yet) understand how to do EMC, for Functional Safety reasons, either

It will take a few years to train enough people in the required competencies
The amount of work, and competency,
required for EMC for Functional Safety

The depth and extent of the EMC safety planning…
– and hence the amount of work and degree of competency required…
– depends on the complexity of the Safety-related System…
– and on the SIL required by its “Safety Requirements Specification”…
– called the SRS by IEC 61508 (standards based on 61508, such as IEC 61511 or IEC 62061, have corresponding specification requirements)
‘Emergence’ and its implications

Many different electrical/electronic components
might have to work together to perform a safety
function…
– may also be combined with non-electrical measures
(e.g. physical barriers) to achieve acceptable risks…
– IEC 61508 calls the result a ‘safety-related system’

So a safety function is only performed by the
safety-related system as a whole…
– none of the components of a safety-related system
(modules, products, systems, etc….) can ever be
described as providing a safety function in themselves
‘Emergence’ and its implications
continued…

‘Emergence’ is an important property of systems…
– and means that the characteristics of a system can differ
from those of the components used to construct it,
sometimes in ways that are hard to predict in advance

So a safety-related system can never be created simply by combining together items (subassemblies, products, systems, etc…) that claim to provide functions in a safe or reliable manner…
– for example, due to emergence it is possible for two very reliable items to become very unreliable when interconnected to operate as a system
5. An overview of the steps in an EMC for Functional Safety compliance process
This section is based on the IET’s Guide to EMC for Functional Safety
– first published in August 2008
– a practical implementation of IEC TS 61000-1-2 Ed.2:2008
– available (free) from: www.theiet.org/factfiles/emc/emc-factfile.cfm
The IET’s 2008 Guide on
EMC for Functional Safety…
– was intentionally written using plain engineering
language…
– so that it would be easy to understand whether a
designer was using functional safety standards
based on either IEC 61508 or ISO 14971…
– or if he/she was using no functional safety standard
at all
Overview for a simple safety-related system (flow chart)
Design of the safety-related system:
0. Overall EM safety planning and project management
1. Determine intersystem EM and physical phenomena
2. Determine intrasystem EM and physical phenomena
3. Specify EM/physical phenomena vs functional performance
4. Study and design the safety-related system
5. Create EM and physical verification/validation plans
Realisation of the safety-related system:
6. Select the standard products to construct the system (from the standard products available on the market, using the volume-manufactured standard products’ EM/physical spec’s; design iteration may be required, e.g. additional mitigation, to be able to employ certain products)
7. Realise the design, and verify it whilst doing so
8. Validate the system
Operation of the safety-related system:
9. Maintain adequate EM/physical/performance characteristics over the lifecycle
Step 0: Overall EM safety planning
and project management

Determine:
– who is in overall charge
– the aims of the project
– the boundaries of the safety-related system
– budgets and timescales
– the personnel, and their responsibilities and authorities

Then set up the activities that manage all the
following steps…
– in the process of achieving EMC for Functional Safety
for the safety-related system
Step 1: Determine intersystem
EM and physical phenomena

In order to maintain the EM/safety performance of
the safety-related system over its anticipated
lifecycle…
– its EM and physical design and mitigation measures must take account of the lifecycle physical phenomena, e.g….
– Mechanical (static forces, shock, vibration, etc.)
– Climatic (temperature, humidity, liquids, dusts, sand, etc.)
– Biological (rodent gnawing, mould growth, etc.)
– Chemical (oxidation, corrosion, etc.)
– Wear (abrasion, fretting, compression set, etc.)
Step 1: Determine intersystem
EM and physical phenomena
continued…

So Step 1 determines the maximum EM and
physical external environment(s) …
– that the safety-related system could be reasonably
foreseeably exposed to…
– including emissions from other equipment or systems

Also determine the reasonably foreseeable effects
of the emissions of EM and physical disturbances
from the new safety-related system…
– on other safety-related systems
Step 2: Determine intrasystem EM
and physical phenomena

Determine the maximum EM and physical
environment(s) that parts of the safety-related
system could reasonably foreseeably be exposed
to over its lifecycle…
– due to other parts of the same safety system…
– as before, physical environments include:
mechanical, climatic, biological, chemical, etc.

This assessment usually requires iteration
as more detail emerges about the safety-related
system, during its design (Step 4)
Step 3: Specify EM/physical
phenomena vs functional performance

An initial hazard identification and risk assessment
that takes EMI into account, is required…
– which leads to the creation of a specification for the
performance of the safety-related system’s safety
functions…
– for each type of inter/intrasystem EM phenomenon…
– taking into account the relevant physical phenomena…
– and also taking into account any arrangements for
ensuring adequate EMC performance over the lifecycle
Step 3: Specify EM/physical phenomena
vs functional performance
continued…

Appropriate Risk Analysis techniques for dealing
with the safety risks caused by EMI…
– is the subject of the third topic in this workshop

Emissions specifications are also needed…
– to help ensure that the new system does not increase
the risks of existing safety-related systems
Step 3: Specify EM/physical phenomena
vs functional performance
continued…

The EM and physical specifications that result from
this process are important parts of IEC 61508’s
“Safety Requirement Specification” (SRS)….
– and they control the entire design, verification and validation of the safety-related system as far as EMC is concerned…
– i.e. all of the subsequent steps
Step 3: Specify EM/physical phenomena
vs functional performance
continued…

The EM and physical specifications in the SRS
should take into account the uncertainties in the
estimation and measurement techniques that were
used…
– during the assessments in Steps 1 & 2…
– and those that will be used during verification or validation of the safety-related system’s design…
– including the measurement uncertainty in EMC testing…
– by using ‘expanded uncertainty’ methods (see Amendment 3 to IEC 61000-4-6)
Step 4: Study and design
the safety-related system

Step 4 produces the actual design, and applies detailed risk analysis methods (e.g. FMEA, Fault Tree) at each stage of the design…
– to ensure that the EM and physical specifications in the
SRS will be met

The detailed hazard assessment and risk analysis
that finally results is an important part of the final
safety documentation…
– but it is the application of risk analysis techniques,
as the design proceeds, that is most important
Step 4: Study and design
the safety-related system
continued…

There are many well-proven EMC design
techniques available, that can be used to help meet
the EM and physical specifications in the SRS…
– many of these are described in Annex B
of IEC TS 61000-1-2 Edition 2.0
and in Chapter 4 of the IET’s 2008 Guide
Step 4: Study and design
the safety-related system
continued…

Mitigation techniques are generally applied at
‘Zone’ boundaries, and use…
– Techniques for improving Power Quality
– Galvanic isolation
– Earthing/grounding techniques to create RF References
that have a low impedance up to the highest frequency
that is to be controlled
– Filtering
– Shielding
– Surge and transient suppression

Physical mitigation may also be needed, e.g. shock
and vibration damping, waterproofing, cooling, etc.
The boundary of the Safety-related System (figure; see Figure D.1 of IEC TS 61000-1-2 Ed2.0)
– This example is composed of 6 items of Equipment
– Each item of Equipment can incorporate any number of Products in systems, subsystems, or assemblies of any scale
– A Product is something obtained from the market, and could be mass-produced or custom built, and of any size
– This example Equipment (Equipment 6) is assembled using three Products
A similar approach can be used to apply physical mitigation and create protected physical zones
EM Zones (figure):
– EM Zone 0 is the external EM environment
– Mitigation applied at the boundary of the Safety-related System creates EM Zone 1
– Mitigation can be applied to regions within the system to create new EM Zones (e.g. EM Zone 2 around Equipment 5 and 6 in the figure; 2A, 2B, etc.)
– Mitigation can be applied at the boundary of an Equipment to create a new EM Zone (e.g. EM Zone 3 within Equipment 6; 3A, 3B, etc.) for all of the Products (and other items) within it
– Mitigation can be applied to regions within an Equipment to create new EM Zones (e.g. EM Zone 4 around Product 3; 4A, 4B, etc.) to include some of the Products and other circuits and components used within it
Step 5: Create EM and physical
verification/validation plans for
the safety-related system

These are plans for verifying the EM and physical
characteristics of the design elements as the
design and realisation progress…
– and for validating the safety-related system at its highest
practical level of assembly

They also include plans for verifying/validating
any EM/physical mitigation measures that are not
incorporated into the safety-related system itself…
– e.g. lightning protection for the building, where it is
specified in the User Manual for the system
Step 5: Create EM and physical
verification plans for the safety-related
system
continued…

Steps 4 and 5 are shown as separate tasks…
– but in fact they should progress in parallel, so that each
can influence the other to save costs and time overall…
– e.g. if a costly testing regime appears necessary, it could be avoided by doing the design in a different way…
– e.g. EM enclosures can be purchased that provide very high levels of protection from the EM environment…
– when combined with appropriate mains filters and cable conduits it can be possible to rely solely on EM testing of the enclosure (instead of the equipment it protects)
Step 6: Select the standard
products to construct the system

Custom-engineered equipment that is intended to
be incorporated into a safety-related system…
– would be designed, realised, and validated to meet the
detailed specifications of the safety-related system’s
designer…
– which were derived from the EM and physical
specifications in the SRS for the whole system
(see Step 3, earlier)
Step 6: Select the standard products to
construct the system
continued…

But both systems and custom-engineered equipment will often incorporate standard volume-manufactured products…
– which of course were made to specifications chosen by
their manufacturers…
– which might not correspond to what the safety-related
system’s designers required

So EMC and/or physical mitigation techniques
might be required in the system design…
– to make it possible to use the standard products
Step 6: Select the standard products to
construct the system
continued…

The following management process shows how to
deal with standard products…
– when used in an item of equipment that is to be a part of
a safety-related system…
– based on the ‘EM Zoning’ approach…
 for example, as described in IEC TS 61000-5-6
68 of 83
Flow chart (boxes of the original figure, read in process order):

 The SRS for the safety-related system
 Design any electromagnetic mitigation that may be
required for the Safety-related System and/or within the
system, and for each item of Equipment create an ERS
that includes electromagnetic performance specifications
 Responsibility of the Equipment designer:
– Achieve the electromagnetic specifications in
an ERS by appropriate choice of Product
Specifications, plus the application of
electromagnetic mitigation if required
– Product Specifications are offered by suppliers,
and include electromagnetic performance data
– Take into account the EM emissions from other
parts of the same system
– Apply or modify electromagnetic mitigation
measures (if required) at any level (Safety-related
System, Equipment, or Product)
– Iterate until compliance with the ERS is achieved
– Selection of the Product(s) to be purchased
for use in creating the item of Equipment
 In parallel: achieve the ERSs of other items of Equipment
 See Figure D.2 of IEC TS 61000-1-2 Ed2.0
69 of 83
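The iteration in the flow chart above, as an added worked model (not from the slides or from IEC TS 61000-1-2): one EM zone, a set of supplier Product Specifications, and a list of mitigation options are searched until a product complies with the zone's ERS, with intra-system emissions included in the disturbance level. All dB values, the 6 dB design margin and the product and mitigation names are constructed assumptions; disturbances are combined by power summation, which assumes they are mutually incoherent.

```python
import math
from dataclasses import dataclass

# Constructed illustration of the Step 6 iteration; every value below is made up.

def db_power_sum(levels_db):
    """Combine incoherent disturbance levels (dB) by power summation."""
    return 10 * math.log10(sum(10 ** (lvl / 10) for lvl in levels_db))

@dataclass
class Zone:
    name: str
    external_env_db: float        # disturbance entering the zone from outside
    internal_emissions_db: list   # emissions from other parts of the same system

# Supplier Product Specifications: (name, specified immunity level) - constructed.
PRODUCTS = [("catalogue PLC", 80.0), ("industrial-grade PLC", 90.0)]
# Mitigation options, cheapest first: (name, attenuation of the external environment) - constructed.
MITIGATIONS = [("none", 0.0), ("mains filter + cable conduit", 20.0), ("shielded enclosure", 40.0)]

def required_immunity(zone, mitigation_db, margin_db):
    """ERS immunity a product in this zone must meet: the external environment after
    mitigation, power-summed with intra-system emissions, plus a design margin."""
    combined = db_power_sum([zone.external_env_db - mitigation_db] + zone.internal_emissions_db)
    return combined + margin_db

def select_product(zone, products, mitigations, margin_db):
    """Iterate over mitigation, then product choice, until the ERS is met.
    Returns (product, mitigation, required level) or None when no pair complies,
    which sends the designer back to system-level mitigation or the SRS."""
    for mit_name, mit_db in mitigations:
        need = required_immunity(zone, mit_db, margin_db)
        for prod_name, immunity_db in products:
            if immunity_db >= need:
                return prod_name, mit_name, round(need, 1)
    return None

if __name__ == "__main__":
    cabinet = Zone("control cabinet", 100.0, [70.0, 75.0])
    print(select_product(cabinet, PRODUCTS, MITIGATIONS, 6.0))
    # A noisy neighbour inside the same zone: attenuating the external environment
    # does nothing about it, so no product/mitigation pair complies here.
    noisy = Zone("cabinet with unfiltered drive", 100.0, [95.0])
    print(select_product(noisy, PRODUCTS, MITIGATIONS, 6.0))
```

The second zone shows why the flow chart insists on taking intra-system emissions into account: shielding against the outside world cannot bring an internally generated disturbance below the product's immunity.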
Step 7: Realise the design,
and verify it whilst doing so

The ‘realisation’ of the design of the safety-related
system includes…
– assembly; construction; manufacture; integration of subsystems; installation; commissioning, etc.

Quality Control techniques should ensure that…
– the system’s component parts, materials, and realisation
techniques and workmanship are suitable for the level of
safety risk (or risk reduction) required by the SRS…
– the intentions of the safety-related system designers
were correctly and accurately achieved
70 of 83
Step 7: Realise the design,
and verify it whilst doing so
continued…

The design verification plans resulting from Step 5
are applied during the realisation…
– to verify aspects of the design that will not be fully
assessed by the validation of the complete safety-related
system (Step 8)…
– and because it is most cost-effective to discover any
problems early in the process
71 of 83
Step 7: Realise the design,
and verify it whilst doing so
continued…

We cannot afford to use EMC testing alone to
demonstrate that a system really will be safe
enough over its lifecycle…
– but a wide range of other verification and validation
techniques are available, and are already widely used in
functional safety engineering other than EMC, e.g…
 Demonstrations
 Checklists
 Inspections
 Audits
 Reviews/assessments
 Independent reviews
 Non-standardised checks
 Validated computer modelling
 Individual and/or integrated hardware tests
 EMC testing
72 of 83
Step 7: Realise the design,
and verify it whilst doing so
continued…

During the realisation of the Safety-related System,
and/or during its verification…
– it may be discovered that the design needs modifying…
– and/or that the intrasystem EM disturbances are different
from what was anticipated during Step 2…
 before the design was done

So there is a strong likelihood that modifications
will be required at this stage…
– iterating the EM and physical specifications in the SRS,
and/or the design
73 of 83
Step 8: Validating the
safety-related system

Validate the EM and physical performance of the
system using the validation plan from Step 5…
– also validate the performance of any EM/physical
mitigation measures not incorporated in the system
(and therefore not tested as part of it)…
 any remedial work should be carried out and the necessary
verification/validation carried out again…
 using a range of validation techniques (see previous slide)
to prove that the system really will be safe enough over its
lifecycle with confidence appropriate to its SIL
74 of 83
Step 9: Maintain the safety-related
system’s EM and physical
characteristics over its lifecycle

Certain activities may be required during…
– operation, maintenance, repair, refurbishment, upgrade,
modification, decommissioning and disposal

The owner or operator of the system is responsible
for these activities…
– which should have been specified in the User Manual
that was created during Steps 4 and 5…
 but appropriate activities should be undertaken
at the appropriate times, nevertheless
75 of 83
Introduction to
“EMC for Functional Safety”
sometimes called “Risk Management of EMC”
the end
Eur Ing Keith Armstrong CEng, FIET, Senior MIEEE, ACGI
phone & fax: +44 (0)1785 660 247
keith.armstrong@cherryclough.com
www.cherryclough.com
Some useful references

IEC TS 61000-1-2 Ed.2:2008
“Electromagnetic Compatibility (EMC) – Part 1-2: General –
Methodology for the achievement of the functional safety of
electrical and electronic equipment with regard to
electromagnetic phenomena.”

IEC 61508 Ed.2:2010:
“Functional Safety of Electrical/Electronic/ Programmable
Electronic Safety-Related Systems”
Part 1: General requirements
Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
Part 3: Software requirements
Part 4: Definitions and abbreviations
Part 5: Examples of methods for the determination of safety integrity levels
Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
Part 7: Overview of techniques and measures
77 of 83
Some useful references
continued…

“Guidance on EMC for Functional Safety”, The IET (London, UK)
August 2008: www.theiet.org/factfiles/emc/emc-factfile.cfm
– or purchase a printed copy from www.emcacademy.org/books.asp

Keith Armstrong, “Why EMC Immunity Testing is Inadequate for
Functional Safety”, 2004 IEEE Int’l EMC Symposium, Santa
Clara, Aug. 9-13 2004, ISBN 0-7803-8443-1, pp 145-149.
Also published by Conformity, March 2005,
http://www.conformity.com/artman/publish/printer_227.shtml

“Why Conventional EMC Testing is Insufficient for Functional
Safety (and what to do about it)”, Keith Armstrong, IEEE PSES
Symposium October 2008, Austin, Texas
78 of 83
Some useful references

Keith Armstrong, “Functional Safety Requires Much More Than
EMC Testing”, EMC-Europe 2004 (6th International Symp. on
EMC), Eindhoven, The Netherlands, Sept. 6-10 2004, ISBN: 90-6144-990-1, pp 348-353.

Keith Armstrong: “EMC in Safety Cases – Why EMC Testing is
Never Enough”, EMC-UK 2007 Conference, Newbury, UK,
Defence & Avionics session, October 17, 2007

Keith Armstrong, “EMC for the Functional Safety of Automobiles
– Why EMC Testing is Insufficient, and What is Necessary,”
2008 IEEE International EMC Symposium, Detroit, MI (August 18-22, 2008), ISBN 978-1-4244-1699-8 (CD-ROM)
79 of 83
Some useful references

Keith Armstrong, “Why Increasing Immunity Test Levels is Not
Sufficient for High-Reliability and Critical Equipment,” 2009 IEEE
International EMC Symposium Austin, TX (August 17-21, 2009),
ISBN (CD-ROM): 978-1-4244-4285-0

Keith Armstrong, “Including EMC in Risk Assessments,”
2010 IEEE International EMC Symposium Fort Lauderdale, FL
(July 25-31, 2010), ISBN: 978-1-4244-6307-7 (CD-ROM)

Keith Armstrong, “Opportunities in Risk Management of EMC”
2011 IEEE International EMC Symposium, Long Beach,
California, August 2011
80 of 83
Some useful references
continued…

Keith Armstrong, “EMC for Functional Safety”, (half-day tutorial),
2004 IEEE Int. Symp., Product Safety Engineering Society, Santa
Clara, Aug 13-15

Keith Armstrong, “Specifying Lifetime Electromagnetic and
Physical Environments – to Help Design and Test for EMC for
Functional Safety”, 2005 IEEE International Symposium on EMC,
Chicago, August 8-12, ISBN: 0-7803-9380-5, pp. 495-499

D A Townsend et al, “Breaking All the Rules: Challenging the
Engineering and Regulatory Precepts of Electromagnetic
Compatibility”, 1995 IEEE International Symposium on EMC,
Atlanta, ISBN: 0-7803-2573-7, pp 194-199

Michel Mardiguian, “Combined Effects of Several, Simultaneous,
EMI Couplings”, 2000 IEEE International Symposium on EMC,
Washington D.C., August 21-25 2000, ISBN 0-7803-5680-2,
pp. 181-184
81 of 83
Some useful references
continued…

Wendsche S. and Habiger E., “Using Reinforcement Learning
Methods for Effective EMC Immunity Testing of Computerised
Equipment”, Proc. Int. Symp. EMC (ROMA’96), Rome, Italy, Sept
1996, pp.221-226

Vick R. and Habiger E., “The Dependence of the Immunity of
Digital Equipment on the Hardware and Software structure”,
Proc. Int. Symp. Electromagnetic Compatibility, Beijing, China,
May 1997, pp 383-386

W H Parker, W Tustin and T Masone, “The Case for Combining
EMC and Environmental Testing”, ITEM 2002, pp 54-60.

F Beck and J Sroka, “EMC Performance of Drive Application
Under Real Load Condition”, Schaffner Application Note, 11th
March 1999.
82 of 83
Some useful references
continued…

Lena Sjögren and Mats Bäckström, “Ageing of Shielding Joints,
Shielding Performance and Corrosion”, IEEE EMC Society
Newsletter, Summer 2005,
www.ieee.org/organizations/pubs/newsletters/emcs/summer05/
practical.pdf

“Assessing an EM Environment”, Technical Guidance Note 47,
EMC Test Labs Association,
www.emctla.co.uk/Pages/TechGuideMain_new.html

Keith Armstrong, “Design and Mitigation Techniques for EMC for
Functional Safety”, 2006 IEEE International EMC Symposium,
Portland, August 14-18 2006, ISBN: 1-4244-0294-8

Keith Armstrong, “Validation, Verification and Immunity Testing
Techniques for EMC for Functional Safety”, 2007 IEEE
International EMC Symp., July 9-13 2007, Honolulu, Hawaii,
ISBN: 1-4244-1350-8
83 of 83