Where functional safety risks need to be controlled, relying solely on EMC testing is inadequate, no matter how high the test levels are cranked up. Further, many engineers and project managers are unaware of the functional safety and financial risks they incur by relying solely on EMC testing.
On its own, no amount of EMC testing can ever provide sufficient confidence in immunity to EMI for the control of functional safety risks. This is because EMC tests:
• Ignore foreseeable faults, misoperation, and misuse.
• Ignore simultaneous EM disturbances that can occur in real life.
• Fail to take into account the effects of the physical and climatic environments, wear, and aging on EMC.
• Disregard emergent behavior, resulting in a system having poor EMC performance even when every unit in the system passes EMC tests individually.
• Use test chambers that do not represent all real-life EM environments.
• Use over-simplified test methods that only cover a fraction of the possible EM threats.
• Do not check whether the EMC design allows for the tolerances and variability that can occur in production, even though a sample once passed its EMC tests.
• Ignore assembly errors.
• Mostly assume that the maximum test level is the worst-case.
Some industries, such as avionics, automotive, and military, apply test methods that at least partially address a few of these issues, such as using reverberation chambers instead of anechoic and testing with pulse and square wave modulations. But a comprehensive test program that covers them all would be expensive and take years to complete.
To control functional safety risks, we must apply risk management techniques to EMC, which is the subject of EMC for Functional Safety, a new practical guide for managers and engineers from the Institute of Engineering and Technology (IET) [1]. The guide describes practical and cost-effective procedures for management and engineering. When properly applied, these procedures can help save lives and reduce injuries wherever electronic technologies are used in a product, equipment, system, or installation in which a malfunction or failure of electrotechnology could increase functional safety (EFS) risks.
Figure 1 shows the nine basic steps recommended by the guide for a simple EFS risk. The guide also outlines how to apply its process to complex EFS risks of any size or scale having any number of subcontractors.
Helpful annexes and a comprehensive set of checklists also are provided in the guide. These are useful aids for project management, design, and compliance assessment.
Why EMC Testing Alone Is Insufficient
Many EMC and safety engineers still think that the way to control EMI for safety reasons is to pass the normal EMC immunity tests. Some engineers go further by increasing the test levels, believing that doing so provides a safety margin. Reference 2 explains why this approach doesn’t work.
But relying only on EMC testing is too simplistic an approach for modern electronic control systems. EMC testing alone ignores most of the issues that arise over the product’s life cycle that can affect how EMI increases safety risks.
For example, let’s look at the case of simultaneous EM disturbances. Traditional EMC testing applies a limited number of types of EM disturbance one at a time. But in real-life operation, equipment typically is exposed to multiple and simultaneous EM disturbances; for example, a radiated field plus a conducted transient on the AC lines or ESD from an operator. Experiments have shown that equipment that passes such tests individually can be extremely susceptible to low levels of those same disturbances when they are applied simultaneously.
Another example is two or more RF fields at different frequencies, which can cause EMI through intermodulation (IM). IM, like demodulation, occurs naturally in nonlinear devices such as semiconductors. Figure 2 shows a simple example of two frequencies that can cause EMI by:
• Direct interference from each frequency independently.
• Demodulation of the amplitude envelopes of either frequency or both mixed together.
• IM in which new frequencies are created.
Imagine that conventional single-frequency testing over the 150-kHz to 6-GHz frequency range discovers that the equipment is susceptible to frequencies in the range of 10 MHz to 200 MHz. The usual approach is to add shielding and filtering over the susceptible frequency range until the equipment passes the test. No protection is added for the rest of the frequency range because it is not needed and it adds unnecessary costs.
But in real life, simultaneous noises in the 200-MHz to 6-GHz frequency range can and do occur. Noises will enter the equipment where they will intermodulate, likely creating internal noises in the 10-MHz to 200-MHz range and causing EMI problems that the original test would never have discovered. In fact, in some operational environments, having two or more EM fields present at different frequencies and significant levels at the same time is the norm rather than the exception.
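The scenario above can be checked on paper before any retest. The following added example (not from the article or the IET guide) enumerates the intermodulation products |m·f1 ± n·f2| of pairs of ambient emitters and reports those that land in the 10-MHz to 200-MHz band the single-frequency test found susceptible. The emitter frequencies are constructed sample values, the function names are illustrative, and only frequencies are modeled, not amplitudes or the nonlinearity that generates the products.

```python
from itertools import combinations

# Band found susceptible by single-frequency testing in the article's scenario (MHz).
SUSCEPTIBLE_BAND_MHZ = (10, 200)

def im_products(f1, f2, max_order=3):
    """List (order, expression, frequency) for |m*f1 +/- n*f2|, m + n = order."""
    products = []
    for order in range(2, max_order + 1):
        for m in range(1, order):
            n = order - m
            for sign, symbol in ((1, "+"), (-1, "-")):
                freq = abs(m * f1 + sign * n * f2)
                if freq > 0:
                    products.append((order, f"{m}*f1 {symbol} {n}*f2", freq))
    return products

def in_band_products(emitters_mhz, band=SUSCEPTIBLE_BAND_MHZ, max_order=3):
    """Return IM products of every emitter pair that land inside `band`."""
    lo, hi = band
    hits = []
    for f1, f2 in combinations(sorted(emitters_mhz), 2):
        for order, expr, freq in im_products(f1, f2, max_order):
            if lo <= freq <= hi:
                hits.append((f1, f2, order, expr, freq))
    # Lowest-order products first: they are usually the strongest.
    return sorted(hits, key=lambda h: (h[2], h[4]))

if __name__ == "__main__":
    # Constructed ambient emitters, all outside the protected 10-200 MHz band.
    emitters = [900, 1000, 1850]
    for f1, f2, order, expr, freq in in_band_products(emitters):
        print(f"f1={f1} MHz, f2={f2} MHz: order {order}, {expr} = {freq} MHz")
```

Every emitter in the sample lies in the unprotected part of the tested range, yet each pair produces a second- or third-order product inside the susceptible band.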
The Importance of Risk Management
To demonstrate that the design of a product, system, or installation will be safe despite reasonably foreseeable EMI during its life cycle, we must now apply risk-management methods as described in Edition 2 of IEC/TS 61000-1-2 [3]. It uses the terminology and life-cycle concept of IEC 61508, the IEC’s basic standard on functional safety, so that it can be applied as that standard’s missing EMC Annex.
There are other standards on functional safety, such as ISO 14971 (medical) and draft ISO 26262 (automotive), that describe the same basic functional safety principles. But these standards use different terminologies, making it difficult to apply IEC/TS 61000-1-2 directly to them. For this reason, the IET guide has been written in a way that is universally applicable, regardless of which functional safety standard is being used.
Interestingly, manufacturers who follow this new guide could benefit from lower financial risks because improved immunity to EMI should significantly reduce the number of warranty returns and repairs as well as product liability lawsuits.
And because the guide’s procedures require the use of EMC expertise from the start of a project, following them also will help manufacturers get their new products to market more quickly and with lower overall manufacturing costs.
The Steps to Achieving Functional Safety
Here is a brief overview of the steps in the guide’s EMC for functional safety process:
Step 0. Overall EM Safety Planning
This step identifies the person(s) with overall responsibility for the project, the aims of the project, the physical boundaries of the EFS risk to be managed, budgets, time scales, and the personnel with their responsibilities and authorities. With these parameters in place, the designated parties then manage Steps 1-9.
Step 1. Determine the Intersystem EM and Physical Phenomena
Before the EFS risk can be designed, it is necessary to determine the worst-case external EM disturbances to which the product could be exposed over its anticipated life cycle (Figure 3). So too should the physical, climatic, and user environments be defined because they can cause EM characteristics to be degraded during operation.
For example, exposure to liquids will hasten corrosion of EMC gaskets and ground bonds, and users might leave shielding doors open or remove shielding panels. Functional safety has to take reasonably possible misuse into account.
Step 2. Determine Intrasystem EM and Physical Phenomena
This is exactly the same as Step 1 except that it deals with the effects on the EM, physical, climatic, and user environments due to the EFS risk itself. For example, a motor used in the EFS risk might cause problems due to vibration or its magnetic fields.
Because Step 2 depends on the design of the EFS risk, it is necessary to start out with a rough idea of the design and refine the anticipated effects later as the other steps proceed.
Step 3. Specify EM/Physical Phenomena vs. Functional Performance
This step combines inputs from Steps 1 and 2 and uses hazard identification and risk assessment techniques that take EMI possibilities into account. The output is a specification that guides the design, manufacture, and verification/validation of the EFS risk to ensure that EMI will not cause safety risks to exceed tolerable levels over the product’s life cycle.
Step 4. Study and Design EFS Risk
This step applies EM and safety design techniques, along with mitigation techniques such as filters, surge suppressors, shock absorbers, or anticondensation heaters, to reduce the effects of the EM, physical, climatic, and user environments. These techniques are applied to the EFS risk or to standard products incorporated within it. The step also creates user instructions that specify necessary maintenance.
The goal of Step 4 is for the finished EFS risk to comply with the EM, physical, and performance specifications noted in Step 3 over the anticipated life cycle. Risk assessment techniques are applied to the design as it develops. The final risk assessment is available only at the end of the project, part of verifying compliance with the specifications identified in Step 3.
Step 5. Create EM and Physical Verification/Validation Plans
Because cost-effective and time-effective verification and validation depend on the design, this step occurs in parallel with Step 4. Some of the verification activities are applied to elements of the EFS risk during Step 4, such as calculations, simulations, experiments, and design reviews.
Step 6. Select the Volume-Manufactured Standard Products to be Used
These are selected so that their EM, physical, and performance specifications, in conjunction with the EM/safety design of the EFS risk from Step 4, will meet the EM, physical, and performance specifications for the finished EFS risk found in Step 3.
The required EM and physical specifications should be spelled out in the products’ purchasing contracts. It is important to remember that CE Marking or Declarations or Certificates of Conformity should not be taken as evidence of actual performance.
Step 7. Assemble/Install/Commission and Verify the EFS Risk
During the manufacture, installation, and commissioning of the EFS risk, this step requires that quality control techniques be used to ensure that no problems are caused by errors or poor quality materials, goods, services, or workmanship. Also, the remaining verification plans in Step 5 are applied to confirm that the EM and physical performance of the elements of the EFS risk and of any necessary EM and physical mitigation measures not incorporated within it are consistent with specifications for the final EFS risk found in Step 3.
Step 8. Validate the EFS Risk
The validation plans created in Step 5 are applied to the EFS risk at its highest practical level of assembly. This must demonstrate that the EM, physical, climatic, and use/misuse performance of the finished EFS risk, including any necessary EM and physical mitigation measures that are not incorporated within the EFS risk itself, complies with specifications in Step 3.
Step 9. Maintain the EM/Physical/Performance Characteristics of the EFS Risk Over Its Life Cycle
The users follow instructions in Step 4 to maintain the EFS risk characteristics necessary for the achievement of safety risks specified in Step 3 during operation, maintenance, repair, refurbishment, upgrade, modification, decommissioning, and disposal.
References
1. EMC for Functional Safety, Institute of Engineering and Technology, free download from www.theiet.org/factfiles/emc/index.cfm
2. Armstrong, K., “Why Increasing Immunity Test Levels Is Not Sufficient for High-Reliability and Critical Equipment,” 2009 IEEE International EMC Symposium.
3. IEC TS 61000-1-2 Edition 2: EMC—Part 1-2: General—Methodology for the Achievement of Functional Safety of Electrical and Electronic Systems Including Equipment With Regard to Electromagnetic Phenomena, December 2008.
About the Author
Eur Ing Keith Armstrong is a principal with Cherry Clough Consultants.
January 2010