Introduction to “EMC for Functional Safety”, sometimes called “Risk Management of EMC”

Eur Ing Keith Armstrong CEng, FIET, Senior MIEEE, ACGI
phone & fax: +44 (0)1785 660 247
keith.armstrong@cherryclough.com
www.cherryclough.com

[2 of 83] Contents
1. What is EMC for Functional Safety?
2. Why we can’t rely solely on EMC immunity testing
3. Current standardisation activities in EMC for Functional Safety
4. The competency required for EMC for Functional Safety
5. An overview of the steps in an EMC for Functional Safety compliance process

[4 of 83] What is EMC for Functional Safety?
Safety systems must maintain adequately low risks over their entire lifetimes.
Where electromagnetic interference (EMI) could affect safety risks…
– compliance with safety regulations means demonstrating that an adequate level of electromagnetic (EM) performance will be achieved over the operational lifetime of the safety system…
– this is the new discipline known as ‘Electromagnetic Compatibility for Functional Safety’, or simply ‘EMC for Functional Safety’.

[5 of 83] Required Safety Confidence
(Figure: a ladder of system types, with the confidence required that the EM immunity is adequate, at all times, for the lifetime of the application increasing from bottom to top.)
– Systems not intended for applications with any safety impact
– Systems used in applications with an impact on safety
– Safety-related systems: SIL1, SIL2, SIL3 and SIL4 safety function(s)
SIL = Safety Integrity Level, as defined by IEC 61508 (see later).

[6 of 83] What is EMC for Functional Safety?
continued…
The situation for EMC is similar to that for safety-related software…
– because neither can be thoroughly tested in any practical or affordable manner, to the design confidence required for safety.
Just as for all other technical areas (including software, see IEC 61508-3)…
– cost-effectively ensuring EMC for Functional Safety requires the application of appropriate design and validation techniques…
– that cover the reasonably foreseeable worst-case EM and physical environments over the anticipated lifetime.

[7 of 83] Increasing risks caused by EMC-related functional safety
– Worsening electromagnetic environment
– Rapidly increasing use of electronics in safety-related applications
– More complex circuits, systems, systems-of-systems
– Increasing susceptibility of electronic devices
– Manufacturers under increasing pressure to reduce costs and timescales
– Manufacturers comply with the minimum set of safety standards required by law
– But no safety or EMC standards yet exist that adequately control EMC-related functional safety
Result: rapidly increasing safety risks for users and third parties, and rapidly increasing financial risks for manufacturers.

[9 of 83] EMC testing ignores foreseeable faults
Functional safety risks must remain low enough despite all reasonably foreseeable faults…
– and reasonably foreseeable combinations of them (not “single fault safety”)…
– e.g. dry joints, open or short circuits (tin whiskers?), intermittent connections, etc.; loose enclosure or cable shielding fixings, etc.; out-of-tolerance or incorrect components, etc.; failure of a filter capacitor or surge protection device, etc.
But EMC tests are only done on perfect samples.

[10 of 83] EMC testing ignores foreseeable use/misuse
People are known to behave in certain ways, e.g.…
– not always according to the User Manual…
– with varying degrees of competency and muscular strength…
– and sometimes they make mistakes.
IEC 61508 requires taking use/misuse into account…
– but EMC testing ignores the whole issue…
– and assumes every operator behaves perfectly, every time.

[11 of 83] Conventional test chambers are not realistic EM environments
Anechoic chambers are generally used for radiated RF immunity tests…
– but they are unlike all real-life EM environments (other than missiles in flight)…
– so such tests cannot prove that safety risks will be low enough.
Reverberation (mode-tuned) test chambers can provide much more realistic (and thorough) tests…
– which is why they are used by many manufacturers of flight-critical avionics.

[12 of 83] Conventional testing uses too few angles of incidence and polarisations
Radiated RF tests use 4 angles of incidence, plus horizontal and vertical antenna polarisation…
– but other angles and/or polarisations can have much more susceptibility…
– which might not be discovered by normal testing, even with a higher test level.
Similar criticisms can be made of the very few waveforms used in transient and ESD tests…
– real life may be very different, with very different results.

[13 of 83] RF susceptibility of electronic systems depends strongly on the
modulation type and frequency (or waveshape)…
– well-known to electronic warfare specialists.
But for ease of testing and reproducibility most EMC testing uses 1kHz sine-wave modulation…
– and testing at any higher level might not discover a much higher susceptibility to a different modulation frequency or waveform… I have seen 85dB between 1kHz and 170kHz modulation…
– so it cannot prove low-enough safety risks in real life.

[14 of 83] EMC testing ignores the effects of physical and climatic environments
Mounting stresses (e.g. bending and twisting), shock, vibration, temperature extremes, condensation, liquids, salt spray, conductive dusts, mould growth, etc., etc.…
– can all cause degraded EMC performance, e.g. by reducing the attenuation of shielding and/or filtering.
IEC 61508 requires real-world environments to be taken into account…
– but EMC tests use a benign physical/climatic environment.

[15 of 83] EMC testing ignores ageing
Ageing can be caused by temperature (high, cycling), humidity, corrosion (oxidation, galvanic, fretting), wear and tear, cleaning, supply voltage, etc.…
– e.g. some X2 capacitors drop 90% in value over 3 years…
– and ICs’ EMC characteristics are known to degrade unpredictably over several years of operation.
Even when products are subjected to highly-accelerated lifecycle tests…
– the resulting ‘aged’ units are almost never retested for EMC to see if their immunity has degraded and increased their safety risks.

[16 of 83] EMC testing of perfect samples ignores component and assembly tolerances
In volume manufacture, the EMC characteristics of a product are affected by…
– component tolerances, semiconductor die-shrinks, assembly variations, PCB layout changes, replacement of obsolete components, software bug fixes, etc.
Without appropriate design and QA, the fact that a sample once passed its EMC tests…
– does not prove that the product that has just rolled off the production line would pass the same set of tests.

[17 of 83] EMC testing of perfect samples ignores assembly errors
A product’s EMC characteristics can be badly affected by assembly errors…
– e.g. dry solder joints, wrong or missing components, gaskets misfitted, fixings missing or not tightened to the correct torque…
– but the errors might not affect the normal functions of the product when they are tested before shipment.
Without appropriate design and/or production-line EMC checks, the EMC characteristics of each manufactured product are completely unknown.

[18 of 83] The maximum test level is not necessarily the worst
Most EMC immunity tests only test at the highest levels thought likely to occur in the environment (or higher)…
– but all electronic devices are non-linear, and their circuits/software and systems very complex…
– so even if they pass when tested at the highest test levels…
– they might fail when tested with lower levels… which are generally more likely to occur in real life, and so could be more important for risk control.

[19 of 83] Simultaneous EM disturbances
In real life, systems are often exposed to two or more simultaneous EM disturbances, e.g.…
– two RF fields with different frequencies…
– an external RF field plus a transient on the electrical power supply… or plus ESD from the operator to the control surface.
Simultaneous RF disturbances at different frequencies will demodulate and intermodulate…
– this occurs in all non-linear devices (all semiconductors).

[20 of 83] Demodulation and intermodulation create new frequencies inside circuits
(Figure: spectrum in dB versus frequency, 0 to 1000 MHz. The original voltage or current noises in a circuit, from external RF fields at two different frequencies f1 and f2, produce by rectification: demodulated envelopes and harmonics in the baseband; the difference f2−f1; the harmonics 2f1 and 2f2; and some of the many “Intermodulation Products” (IPs), e.g. f1+f2, 2f1−f2 and 2f2−f1.)

[21 of 83] Example of the noise spectrum created by a single diode supplied with two RF signals: 850 and 875MHz
(Figure: measured spectrum from 10MHz to 35GHz, 20dB/division, annotated with 1st order IPs at –6dBc, 2nd order IPs at –12dBc, 3rd, 4th, 5th, etc., IPs on either side, and 2nd, 3rd, 4th, etc., harmonics at progressively lower levels.)

[22 of 83] Example of why testing with a single frequency isn’t thorough enough
Conventional (single frequency) testing over 150kHz – 6GHz discovers susceptibility over 20 – 400MHz…
– we add shielding and filtering that is effective over 20 – 400MHz, and the product now passes the test.
But we added no protection over 0.4 – 6GHz (it was not required to pass the test)…
– allowing simultaneous frequencies in this range to enter the product and intermodulate in its semiconductors…
– with no protection from the creation of internal noise in the range 20 – 400MHz, which interferes with the product.

[23 of 83] Simultaneous EM disturbances continued…
Tests have shown that products that pass individual immunity tests can be very susceptible to simultaneous EM disturbances…
– but conventional immunity tests only apply one disturbance at a time…
– so they cannot prove that safety risks will be low enough in real life.
It’s rather obvious why passing tests with one EM disturbance at a time cannot deal with the same disturbances occurring simultaneously…

[24 of 83] Simultaneous EM disturbances continued…
All electronic circuits have a “noise margin” or “signal-to-noise ratio”…
– the difference between perfect operation and “just on the point of failing to meet specification”.
Because products are tested with one EM disturbance at a time (and to keep costs low)…
– they are designed to just about meet their operational specifications for each disturbance alone, so that they pass their EMC tests…
– and so fail when two or more disturbances are applied, as they can (and do) often in real life.

[25 of 83] An example of simultaneous random transients
100ns transient once/minute (e.g.
wipers, gearbox solenoids, fans, window winders, light switches, etc.)
50ns spark ignition transients at 3,000/minute (e.g. 6 cylinder engine at 2000rpm)
So a safety-related vehicle ESA is exposed to simultaneous transients from both causes at 0.001% (10ppm) per minute.
Assume the vehicle is driven 1hr/day, 5 days/week, 40 weeks/year…
– simultaneous transient rate = 12% per year, i.e. 1 simultaneous event for every 8 years of use, on average.
Assume 1% of overlapping transient events causes a death…
– likelihood of death: 0.12% per year… comparable with the world’s most hazardous jobs!

[26 of 83] Normal EMC test performance criteria are unsuitable for safety applications
Obviously, Performance Criterion A (full spec operation) is just fine for safety…
– but Performance Criterion B (any amount of temporary performance degradation)…
– and Performance Criterion C (any amount of performance degradation until the operator intervenes)…
– are almost always unsuitable where the specified functional performance of an electronic unit is needed to control safety risks.

[27 of 83] Normal EMC testing ignores maintenance, repair, refurbishment, upgrades, etc.
Over its life, a product will be cleaned and maintained…
– and will probably also be repaired, refurbished, modified, upgraded (even if only software), and dismantled…
– and all of these can degrade EMC characteristics during and/or afterwards.
Although safety risks must be maintained at low levels throughout product life, these reasonably foreseeable activities are ignored by EMC testing.

[28 of 83] Future changes to the EM environment
Because a product must remain safe enough over its whole lifetime…
– and because its EM environment can be expected to change over that timescale…
– its design must take into account the reasonably foreseeable changes in its EM environment.
But EMC tests address the EM environment of five or more years ago…
– the minimum length of time it takes for a change to a standard to reach final publication.

[29 of 83] Clearly, to achieve functional safety, we can’t afford to rely solely on EMC testing
Sufficient confidence that tolerable safety risks will be maintained over a product’s lifetime…
– would require a huge EMC test programme to cover all the issues in the previous slides…
– and foreseeable real-life combinations of them… e.g.
high external RF fields at two frequencies with different modulation frequencies, plus supply transients, plus high temperatures and vibrations, ageing, faults, misuse, component tolerances, etc., etc., etc.…
– that no company (or Government) could possibly afford.

[30 of 83] Cost-effectively achieving tolerable functional safety risks… despite EM disturbances…
– requires the use of well-proven good EMC engineering practices in design…
– and a variety of design verification and validation techniques, not just (very expensive) EMC testing.
Software cannot be proven to be safe enough by any affordable test plan either…
– but the safety-critical software industry went through this exact same learning curve in the 1990s, and came to the same conclusions.

[31 of 83] Conclusions
I have shown 14 (mostly rather obvious) reasons why EMC testing is insufficient, on its own…
– for demonstrating that EM disturbances will not cause intolerable safety risks over a product’s lifetime.
Good safety engineering methods, like those already used for all other safety issues (including software)…
– are required for EMC for Functional Safety, as well as immunity testing…
– including a wide range of EM design, verification and validation techniques.

[33 of 83] The IEC’s basic standard on Functional Safety is IEC 61508
– title: “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems”
IEC 61508 has always required that EMI not cause safety risks to rise above specification… but has never said how this was to be achieved…
– so IEC TS 61000-1-2 Ed.2:2008 was written to be 61508’s “missing EMC annex”…
– and it was made a Normative Requirement (i.e.
a mandatory requirement) in IEC 61508 Ed.2:2010.

[34 of 83] IEC TS 61000-1-2 is the IEC’s basic document on EMC for Functional Safety
– title: “Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena”
IEC 61000-1-2 Ed.2:2008 has, just recently, been proposed for adoption as a full International Standard…
– which should happen in 2012.

[35 of 83] IEC Medical standards use ISO 14971 instead of IEC 61508
All IEC standards are required to follow IEC basic standards (e.g. IEC 61511, 62061 and others follow 61508)…
– but the IEC medical standards were given special permission to use ISO 14971, because it is very difficult to apply IEC 61508 to medical equipment… and anyway ISO 14971 uses the same basic functional safety principles as 61508.
ISO 14971 does not use the term “Functional Safety”…
– instead, medical standards use the phrase “Risk Management of EMC”… which means almost exactly the same thing.

[36 of 83] Ed. 2.0 of 61000-1-2 is the basis for all of the material presented here
– and the presenter (Keith Armstrong) is the UK’s expert on the team that created it.
IEC basic standards can be applied on their own…
– but their main purpose is to provide ‘pilot functions’ for generic and product standards.
The first to be created under IEC 61000-1-2 is IEC 61000-6-7 (currently in draft)…
– the generic standard on EMC for Functional Safety for equipment intended for use in industrial safety systems.

[37 of 83] Standardisation activity in EMC for Functional Safety continued…
The presenter is also the UK’s expert on the IEC 61000-6-7 committee…
– and also on the IEC 60601-1-2 (medical EMC) committee, which added “Risk Management of EMC” at Edition 3… now a mandatory requirement for compliance with any of the three Medical Devices Directives…
– now working on 60601-1-2 Edition 4, which will be published in 2012… and which will be much more helpful in achieving Risk Management of EMC… it uses the IET’s Guide (see later) as an Informative Annex.

[38 of 83] Standardisation activity in EMC for Functional Safety continued…
The UK’s new Defence Standard on EMC…
– DEF STAN 59-411, January 2010…
– includes mandatory requirements for achieving “EMC for Functional Safety”.

[39 of 83] Applying existing EMC immunity testing standards is insufficient for EMC for Functional Safety…
– including commercial, industrial, marine, military, automotive, aerospace, etc., standards… for the reasons already discussed…
– but some immunity testing standards claim to cover EMC for functional safety… IEC 60335-1:2002 + A1:2004 “Safety of household appliances and portable tools”, and the IEC 61326-3-x series…
– but they are all insufficient if used on their own.

[40 of 83] Standardisation activity in EMC for Functional Safety continued…
There are two standards in the IEC 61326-3-x series…
– “Electrical equipment for measurement, control and laboratory use – EMC requirements – Immunity requirements for safety-related systems and for equipment intended to perform safety related functions (functional safety)”…
– 61326-3-1 “– General industrial applications”…
– 61326-3-2 “– Industrial applications with specified EM environment”.

[41 of 83] Standardisation activity in EMC for Functional Safety continued…
The titles of the 61326-3-x standards make them sound as if they are full ‘EMC for Functional Safety Standards’…
– but they only cover a fraction of the requirements in 61000-1-2… so they are insufficient if used on their own…
– and according to their convenor Bernd Jaekel they were only ever intended to be… “Building blocks within an overall procedure that was governed by IEC TS 61000-1-2 and IEC 61508”.

[43 of 83] The amount of work, and competency, required for EMC for Functional Safety
Because the EMC industry has always focussed on testing as being the sole way to prove a design…
(some industries have EMC design guides, but they are often treated as informative, not mandatory)…
– most EMC experts do not (yet) understand how to do EMC for Functional Safety…
– and most safety-related system designers and safety experts do not (yet) understand how to do EMC for Functional Safety reasons, either.
It will take a few years to train enough people in the required competencies.

[44 of 83] The amount of work, and competency, required for EMC for Functional Safety
The depth and extent of the EMC safety planning…
– and hence the amount of work and degree of competency required…
– depends on the complexity of the safety-related system…
– and on the SIL required by its “Safety Requirements Specification”… called the SRS by IEC 61508 (standards based on 61508, such as IEC 61511 or IEC 62061, have corresponding specification requirements).

[45 of 83] ‘Emergence’ and its implications
Many different electrical/electronic components might have to work together to perform a safety function…
– they may also be combined with non-electrical measures (e.g. physical barriers) to achieve acceptable risks…
– IEC 61508 calls the result a ‘safety-related system’.
So a safety function is only performed by the safety-related system as a whole…
– none of the components of a safety-related system (modules, products, systems, etc.…)
can ever be described as providing a safety function in themselves.

[46 of 83] ‘Emergence’ and its implications continued…
‘Emergence’ is an important property of systems…
– and means that the characteristics of a system can differ from those of the components used to construct it, sometimes in ways that are hard to predict in advance.
So a safety-related system can never be created simply by combining together items (subassemblies, products, systems, etc.…) that claim to provide functions in a safe or reliable manner…
– for example, due to emergence it is possible for two very reliable items to become very unreliable when interconnected to operate as a system.

[48 of 83] This section is based on the IET’s Guide to EMC for Functional Safety
– First published in August 2008
– A practical implementation of IEC TS 61000-1-2 Ed.2:2008
– Available (free) from: www.theiet.org/factfiles/emc/emc-factfile.cfm

[49 of 83] The IET’s 2008 Guide on EMC for Functional Safety…
– was intentionally written using plain engineering language…
– so that it would be easy to understand whether a designer was using functional safety standards based on either IEC 61508 or ISO 14971…
– or if he/she was using no functional safety standard at all.

[50 of 83] Overview for a simple safety-related system
(Figure: flow diagram of the steps, grouped into three phases.)
Design of the safety-related system:
– Step 0: Overall EM safety planning and project management
– Step 1: Determine intersystem EM and physical phenomena
– Step 2: Determine intrasystem EM and physical phenomena
– Step 3: Specify EM/physical phenomena vs functional performance
– Step 4: Study and design the safety-related system
– Step 5: Create EM and physical verification/validation plans
– Step 6: Select the standard products to construct the system (using the EM/physical specifications of volume-manufactured standard products available on the market)
Realisation of the safety-related system:
– Step 7: Realise the design, and verify it whilst doing so
– Step 8: Validate the system
– Design iteration may be required (e.g. additional mitigation) to be able to employ certain products
Operation of the safety-related system:
– Step 9: Maintain adequate EM/physical/performance characteristics over the lifecycle

[51 of 83] Step 0: Overall EM safety planning and project management
Determine:
– who is in overall charge
– the aims of the project
– the boundaries of the safety-related system
– budgets and timescales
– the personnel, and their responsibilities and authorities
Then set up the activities that manage all the following steps…
– in the process of achieving EMC for Functional Safety for the safety-related system.

[52 of 83] Step 1: Determine intersystem EM and physical phenomena
In order to maintain the EM/safety performance of the safety-related system over its anticipated lifecycle…
– its EM and physical design and mitigation measures must take account of the lifecycle physical phenomena, e.g.…
– Mechanical (static forces, shock, vibration, etc.)
– Climatic (temperature, humidity, liquids, dusts, sand, etc.)
– Biological (rodent gnawing, mould growth, etc.)
– Chemical (oxidation, corrosion, etc.)
– Wear (abrasion, fretting, compression set, etc.)
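Steps 1 and 2 ask for the maximum EM environment the system and its parts could foreseeably see, and the simultaneous-disturbance argument of slides 19 to 25 shows two ways that environment is worse than single-disturbance testing suggests; the following added example (not part of the presentation, the IET Guide or IEC TS 61000-1-2) enumerates the intermodulation products two external carriers create inside a non-linear circuit and computes the coincidence rate of two independent random transient sources. The carrier frequencies (850 and 875MHz), the 20 – 400MHz susceptible band and the vehicle transient figures come from the slides; the function names, the intermodulation order limit and the 200ns coincidence window (chosen because it reproduces the slide’s 10ppm per minute) are this example’s own assumptions.

```python
"""Added example (not from the presentation): quantifying two of the
'simultaneous EM disturbance' effects described on slides 19 to 25 so that
they can be carried into the Step 1 / Step 2 environment assessments."""


def intermod_products(f1_mhz, f2_mhz, max_order=5):
    """Frequencies |m*f1 + n*f2| (MHz) created when two carriers meet a
    non-linearity, for 1 <= |m|+|n| <= max_order.  Covers the harmonics
    (n == 0 or m == 0), the demodulated difference f2-f1, the sum f1+f2 and
    the higher-order products.  Returns {frequency: (m, n)}, keeping the
    lowest-order (m, n) when several pairs land on the same frequency."""
    products = {}
    for m in range(-max_order, max_order + 1):
        for n in range(-max_order, max_order + 1):
            order = abs(m) + abs(n)
            if order == 0 or order > max_order:
                continue
            f = abs(m * f1_mhz + n * f2_mhz)
            if f == 0:
                continue  # pure DC term (only when f1 == f2), not of interest here
            prev = products.get(f)
            if prev is None or order < abs(prev[0]) + abs(prev[1]):
                products[f] = (m, n)
    return products


def products_in_band(f1_mhz, f2_mhz, lo_mhz, hi_mhz, max_order=5):
    """Sorted (frequency_MHz, order, (m, n)) for every product that falls in
    [lo, hi]: the band the product is known to be susceptible in, even though
    both carriers lie outside it and so pass the boundary protection."""
    hits = []
    for f, (m, n) in intermod_products(f1_mhz, f2_mhz, max_order).items():
        if lo_mhz <= f <= hi_mhz:
            hits.append((f, abs(m) + abs(n), (m, n)))
    return sorted(hits)


def coincidence_rate_per_minute(rate_a_per_min, rate_b_per_min, window_s):
    """Expected overlaps per minute of two independent, sparse, random
    transient trains.  Each B transient opens a 'window_s' interval in which
    an A transient counts as overlapping, so the vulnerable fraction of each
    minute is rate_b * window_s / 60 s, and the A train samples it rate_a
    times per minute."""
    return rate_a_per_min * rate_b_per_min * window_s / 60.0


def yearly_hazard(rate_a_per_min, rate_b_per_min, window_s,
                  duty_min_per_year, p_harm_per_overlap):
    """(overlaps per year, mean years between overlaps, harm rate per year)."""
    per_year = coincidence_rate_per_minute(rate_a_per_min, rate_b_per_min,
                                           window_s) * duty_min_per_year
    return per_year, 1.0 / per_year, per_year * p_harm_per_overlap


# Slide 25's vehicle case: 1 h/day, 5 days/week, 40 weeks/year of driving.
VEHICLE_DUTY_MIN_PER_YEAR = 60 * 1 * 5 * 40          # 12,000 minutes
# Assumed coincidence window: the slide's 10 ppm/minute is reproduced by a
# 200 ns window per 50 ns spark transient; the strict sum of the two pulse
# widths (100 ns + 50 ns) would give 7.5 ppm instead.
ASSUMED_WINDOW_S = 200e-9


if __name__ == "__main__":
    # Slides 21/22: carriers at 850 and 875 MHz, product only protected 20-400 MHz.
    for f, order, (m, n) in products_in_band(850, 875, 20, 400):
        print(f"{f:7.1f} MHz  order {order}  ({m}*f1 + {n}*f2) "
              "falls in the susceptible 20-400 MHz band, bypassing the protection")
    per_year, years_between, deaths_per_year = yearly_hazard(
        1, 3000, ASSUMED_WINDOW_S, VEHICLE_DUTY_MIN_PER_YEAR, 0.01)
    print(f"overlaps/year {per_year:.2f}, one every {years_between:.1f} years, "
          f"death rate {deaths_per_year * 100:.2f} %/year")
```

Run stand-alone it lists the 25MHz (f2−f1) and 50MHz (2f2−2f1) products that land in the protected band, and reproduces the slide’s 12% per year and 0.12% per year figures.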
[53 of 83] Step 1: Determine intersystem EM and physical phenomena continued…
So Step 1 determines the maximum EM and physical external environment(s)…
– that the safety-related system could be reasonably foreseeably exposed to…
– including emissions from other equipment or systems.
Also determine the reasonably foreseeable effects of the emissions of EM and physical disturbances from the new safety-related system…
– on other safety-related systems.

[54 of 83] Step 2: Determine intrasystem EM and physical phenomena
Determine the maximum EM and physical environment(s) that parts of the safety-related system could reasonably foreseeably be exposed to over its lifecycle…
– due to other parts of the same safety system…
– as before, physical environments include: mechanical, climatic, biological, chemical, etc.
This assessment usually requires iteration as more detail emerges about the safety-related system during its design (Step 4).

[55 of 83] Step 3: Specify EM/physical phenomena vs functional performance
An initial hazard identification and risk assessment that takes EMI into account is required…
– which leads to the creation of a specification for the performance of the safety-related system’s safety functions…
– for each type of inter/intrasystem EM phenomenon…
– taking into account the relevant physical phenomena…
– and also taking into account any arrangements for ensuring adequate EMC performance over the lifecycle.

[56 of 83] Step 3: Specify EM/physical phenomena vs functional performance continued…
Appropriate Risk Analysis techniques for dealing with the safety risks caused by EMI…
– are the subject of the third topic in this workshop.
Emissions specifications are also needed…
– to help ensure that the new system does not increase the risks of existing safety-related systems.

[57 of 83] Step 3: Specify EM/physical phenomena vs functional performance continued…
The EM and physical specifications that result from this process are important parts of IEC 61508’s “Safety
Requirement Specification” (SRS)…
– and they control the entire design, verification and validation of the safety-related system as far as EMC is concerned…
– i.e. all of the subsequent steps.

[58 of 83] Step 3: Specify EM/physical phenomena vs functional performance continued…
The EM and physical specifications in the SRS should take into account the uncertainties in the estimation and measurement techniques that were used…
– during the assessments in Steps 1 & 2…
– and those that will be used during verification or validation of the safety-related system’s design… including the measurement uncertainty in EMC testing…
– by using ‘expanded uncertainty’ methods (see Amendment 3 to IEC 61000-4-6).

[59 of 83] Step 4: Study and design the safety-related system
Step 4 produces the actual design, and applies detailed risk analysis methods (e.g. FMEA, Fault Tree) at each stage of the design…
– to ensure that the EM and physical specifications in the SRS will be met.
The detailed hazard assessment and risk analysis that finally results is an important part of the final safety documentation…
– but it is the application of risk analysis techniques, as the design proceeds, that is most important.

[60 of 83] Step 4: Study and design the safety-related system continued…
There are many well-proven EMC design techniques available that can be used to help meet the EM and physical specifications in the SRS…
– many of these are described in Annex B of IEC TS 61000-1-2 Edition 2.0 and in Chapter 4 of the IET’s 2008 Guide.

[61 of 83] Step 4: Study and design the safety-related system continued…
Mitigation techniques are generally applied at ‘Zone’ boundaries, and use…
– techniques for improving Power Quality
– galvanic isolation
– earthing/grounding techniques, to create RF References that have a low impedance up to the highest frequency that is to be controlled
– filtering
– shielding
– surge and transient suppression
Physical mitigation may also be needed, e.g.
shock and vibration damping, waterproofing, cooling, etc.

[62 of 83] The boundary of the Safety-related System
(Figure: see Figure D.1 of IEC TS 61000-1-2 Ed2.0. The boundary of the Safety-related System encloses Equipment 1 to 6; one item of Equipment is shown assembled from Product 1, Product 2 and Product 3.)
– This example is composed of 6 items of Equipment.
– Each item of Equipment can incorporate any number of Products in systems, subsystems, or assemblies of any scale.
– A Product is something obtained from the market, and could be mass-produced or custom built, and of any size.
– This example Equipment is assembled using three Products.

[63 of 83] A similar approach can be used to apply physical mitigation and create protected physical zones
(Figure: the same system drawn as nested EM Zones. EM Zone 0 is the external EM environment; EM Zone 1 is the inside of the Safety-related System boundary, containing the items of Equipment; EM Zone 2 is a region within the system; EM Zone 3 is inside the boundary of an item of Equipment, containing Product 1 and Product 2; EM Zone 4 is a region within that Equipment, containing Product 3.)
– Mitigation applied at the boundary of the Safety-related System creates EM Zone 1.
– Mitigation can be applied to regions within the system to create new EM Zones (e.g. 2A, 2B, etc.).
– Mitigation can be applied at the boundary of an Equipment to create a new EM Zone (e.g. 3A, 3B, etc.) for all of the Products (and other items) within it.
– Mitigation can be applied to regions within an Equipment to create new EM Zones (e.g. 4A, 4B, etc.) to include some of the Products and other circuits and components used within it.

[64 of 83] Step 5: Create EM and physical verification/validation plans for the safety-related system
These are plans for verifying the EM and physical characteristics of the design elements as the design and realisation progress…
– and for validating the safety-related system at its highest practical level of assembly.
They also include plans for verifying/validating any EM/physical mitigation measures that are not incorporated into the safety-related system itself…
– e.g.
lightning protection for the building, where it is specified in the User Manual for the system.

[65 of 83] Step 5: Create EM and physical verification plans for the safety-related system continued…
Steps 4 and 5 are shown as separate tasks…
– but in fact they should progress in parallel, so that each can influence the other to save costs and time overall…
– e.g. if a costly testing regime appears necessary, it could be avoided by doing the design in a different way… e.g. EM enclosures can be purchased that provide very high levels of protection from the EM environment… when combined with appropriate mains filters and cable conduits it can be possible to rely solely on EM testing of the enclosure (instead of the equipment it protects).

[66 of 83] Step 6: Select the standard products to construct the system
Custom-engineered equipment that is intended to be incorporated into a safety-related system…
– would be designed, realised and validated to meet the detailed specifications of the safety-related system’s designer…
– which were derived from the EM and physical specifications in the SRS for the whole system (see Step 3, earlier).

[67 of 83] Step 6: Select the standard products to construct the system continued…
But both systems and custom-engineered equipment will often incorporate standard volume-manufactured products…
– which of course were made to specifications chosen by their manufacturers…
– which might not correspond to what the safety-related system’s designers required.
So EMC and/or physical mitigation techniques might be required in the system design…
– to make it possible to use the standard products.

[68 of 83] Step 6: Select the standard products to construct the system continued…
The following management process shows how to deal with standard products…
– when used in an item of equipment that is to be a part of a safety-related system…
– based on the ‘EM Zoning’ approach… for example, as described in IEC TS 61000-5-6.

[69 of 83] (Figure: the management process for standard products; see Figure D.2 of IEC TS 61000-1-2 Ed2.0. A flow diagram, read top to bottom:)
– The SRS for the safety-related system.
– Design any electromagnetic mitigation that may be required for the Safety-related System and/or within the system, and for each item of Equipment create an ERS that includes electromagnetic performance specifications (taking into account the EM emissions from other parts of the same system).
– Achieve the ERSs of the other items of Equipment.
– Responsibility of the Equipment designer: achieve the electromagnetic specifications in an ERS by appropriate choice of Product Specifications, plus the application of electromagnetic mitigation if required. Product Specifications are offered by suppliers, and include electromagnetic performance data.
– Iterate until compliance with the ERS is achieved: apply or modify electromagnetic mitigation measures (if required) at any level (Safety-related System, Equipment, or Product).
– Selection of the Product(s) to be purchased for use in creating the item of Equipment.

[70 of 83] Step 7: Realise the design, and verify it whilst doing so
The ‘realisation’ of the design of the safety-related system includes…
– assembly; construction; manufacture; integration of subsystems; installation; commissioning, etc.
Quality Control techniques should ensure that…
– the system’s component parts, materials, and realisation techniques and workmanship are suitable for the level of safety risk (or risk reduction) required by the SRS…
– the intentions of the safety-related system designers were correctly and accurately achieved

Step 7: Realise the design, and verify it whilst doing so (continued…)
The design verification plans resulting from Step 5 are applied during the realisation…
– to verify aspects of the design that will not be fully assessed by the validation of the complete safety-related system (Step 8)…
– and because it is most cost-effective to discover any problems early in the process

Step 7: Realise the design, and verify it whilst doing so (continued…)
We cannot afford to use EMC testing alone to demonstrate that a system really will be safe enough over its lifecycle…
– but a wide range of other verification and validation techniques are available, and are already widely used in functional safety engineering other than EMC, e.g.…
– Demonstrations
– Checklists
– Inspections
– Audits
– Reviews/assessments
– Independent reviews
– Non-standardised checks
– Validated computer modelling
– Individual and/or integrated hardware tests
– EMC testing

Step 7: Realise the design, and verify it whilst doing so (continued…)
During the realisation of the safety-related system, and/or during its verification…
– it may be discovered that the design needs modifying…
– and/or that the intrasystem EM disturbances are different from what was anticipated during Step 2… before the design was done
So there is a strong likelihood that modifications will be required at this stage…
– iterating the EM and physical specifications in the SRS, and/or the design

Step 8: Validating the safety-related system
Validate the EM and physical performance of the system using the validation plan from Step 5…
– also validate the performance of any EM/physical mitigation measures not incorporated in the system (and therefore not tested as part of it)…
– any remedial work should be carried out and the necessary verification/validation carried out again…
– using a range of validation techniques (see previous slide) to prove that the system really will be safe enough over its lifecycle, with confidence appropriate to its SIL

Step 9: Maintain the safety-related system’s EM and physical characteristics over its lifecycle
Certain activities may be required during…
– operation, maintenance, repair, refurbishment, upgrade, modification, decommissioning and disposal
The owner or operator of the system is responsible for these activities…
– which should have been specified in the User Manual that was created during Steps 4 and 5… but appropriate activities should be undertaken at the appropriate times, nevertheless

Introduction to “EMC for Functional Safety”, sometimes called “Risk Management of EMC”: the end

Some useful references
IEC TS 61000-1-2 Ed.2:2008, “Electromagnetic Compatibility (EMC) – Part 1-2: General – Methodology for the achievement of the functional safety of electrical and electronic equipment with regard to electromagnetic phenomena”
IEC 61508 Ed.2:2010, “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems”:
– Part 1: General requirements
– Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
– Part 3: Software requirements
– Part 4: Definitions and abbreviations
– Part 5: Examples of methods for the determination of safety integrity levels
– Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
– Part 7: Overview of techniques and measures

Some useful references (continued…)
“Guidance on EMC for Functional Safety”, The IET (London, UK), August 2008: www.theiet.org/factfiles/emc/emc-factfile.cfm
– or purchase a printed copy from www.emcacademy.org/books.asp
Keith Armstrong, “Why EMC Immunity Testing is Inadequate for Functional Safety”, 2004 IEEE International EMC Symposium, Santa Clara, August 9-13, 2004, ISBN 0-7803-8443-1, pp. 145-149. Also published by Conformity, March 2005, http://www.conformity.com/artman/publish/printer_227.shtml
Keith Armstrong, “Why Conventional EMC Testing is Insufficient for Functional Safety (and what to do about it)”, IEEE PSES Symposium, October 2008, Austin, Texas

Some useful references (continued…)
Keith Armstrong, “Functional Safety Requires Much More Than EMC Testing”, EMC-Europe 2004 (6th International Symposium on EMC), Eindhoven, The Netherlands, September 6-10, 2004, ISBN 906144-990-1, pp. 348-353
Keith Armstrong, “EMC in Safety Cases – Why EMC Testing is Never Enough”, EMC-UK 2007 Conference, Newbury, UK, Defence & Avionics session, October 17, 2007
Keith Armstrong, “EMC for the Functional Safety of Automobiles – Why EMC Testing is Insufficient, and What is Necessary”, 2008 IEEE International EMC Symposium, Detroit, MI, August 18-22, 2008, ISBN 978-1-4244-1699-8 (CD-ROM)

Some useful references (continued…)
Keith Armstrong, “Why Increasing Immunity Test Levels is Not Sufficient for High-Reliability and Critical Equipment”, 2009 IEEE International EMC Symposium, Austin, TX, August 17-21, 2009, ISBN (CD-ROM) 978-1-4244-4285-0
Keith Armstrong, “Including EMC in Risk Assessments”, 2010 IEEE International EMC Symposium, Fort Lauderdale, FL, July 25-31, 2010, ISBN 978-1-4244-6307-7 (CD-ROM)
Keith Armstrong, “Opportunities in Risk Management of EMC”, 2011 IEEE International EMC Symposium, Long Beach, California, August 2011

Some useful references (continued…)
Keith Armstrong, “EMC for Functional Safety” (half-day tutorial), 2004 IEEE International Symposium, Product Safety Engineering Society, Santa Clara, August 13-15
Keith Armstrong, “Specifying Lifetime Electromagnetic and Physical Environments – to Help Design and Test for EMC for Functional Safety”, 2005 IEEE International Symposium on EMC, Chicago, August 8-12, ISBN 0-7803-9380-5, pp. 495-499
D A Townsend et al, “Breaking All the Rules: Challenging the Engineering and Regulatory Precepts of Electromagnetic Compatibility”, 1995 IEEE International Symposium on EMC, Atlanta, ISBN 0-7803-2573-7, pp. 194-199
Michel Mardiguian, “Combined Effects of Several, Simultaneous, EMI Couplings”, 2000 IEEE International Symposium on EMC, Washington D.C., August 21-25, 2000, ISBN 0-7803-5680-2, pp. 181-184

Some useful references (continued…)
S. Wendsche and E. Habiger, “Using Reinforcement Learning Methods for Effective EMC Immunity Testing of Computerised Equipment”, Proc. Int. Symp. EMC (ROMA’96), Rome, Italy, September 1996, pp. 221-226
R. Vick and E. Habiger, “The Dependence of the Immunity of Digital Equipment on the Hardware and Software Structure”, Proc. Int. Symp. Electromagnetic Compatibility, Beijing, China, May 1997, pp. 383-386
W H Parker, W Tustin and T Masone, “The Case for Combining EMC and Environmental Testing”, ITEM 2002, pp. 54-60
F Beck and J Sroka, “EMC Performance of Drive Application Under Real Load Condition”, Schaffner Application Note, 11th March 1999

Some useful references (continued…)
Lena Sjögren and Mats Bäckström, “Ageing of Shielding Joints, Shielding Performance and Corrosion”, IEEE EMC Society Newsletter, Summer 2005, www.ieee.org/organizations/pubs/newsletters/emcs/summer05/practical.pdf
“Assessing an EM Environment”, Technical Guidance Note 47, EMC Test Labs Association, www.emctla.co.uk/Pages/TechGuideMain_new.html
Keith Armstrong, “Design and Mitigation Techniques for EMC for Functional Safety”, 2006 IEEE International EMC Symposium, Portland, August 14-18, 2006, ISBN 1-4244-0294-8
Keith Armstrong, “Validation, Verification and Immunity Testing Techniques for EMC for Functional Safety”, 2007 IEEE International EMC Symposium, July 9-13, 2007, Honolulu, Hawaii, ISBN 1-4244-1350-8