In addition to renewing acquaintances and learning about the latest technical advances, attendees at the IEEE 2015 and 2016 EMC Symposia received USB memory sticks with presentations from previous years. The 2015 USB device contained records from 2000 through 2014, and the device distributed this year included records from 1964 through 1999. Several of the papers provide important background on the EMC perspective on functional safety, which is the subject of current work by the IEEE Standards Association.
Functional safety is defined in similar ways by many organizations. The following representative definition is from the TÜV SÜD website: “Functional Safety is the part of the overall safety of a system or piece of equipment that depends on the system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware and software failures, and environmental changes. It is an additional step beyond the traditional product safety assessment and tackles our ever increasingly complex world of interoperating technologies and the hazards they cause.”
As shown in Figure 1, the risk of unsafe operation needs to be kept at a low level. If risk increases for some reason, remedial steps must be taken to reduce it.
Courtesy of PTC
From the early 2000s, Keith Armstrong, Dr. William Radasky, and others have been highlighting the limitations of EMC testing with regard to functional safety. In particular, Armstrong cautions in a 2004 paper [1] that “… the normal immunity testing approach is inadequate, on its own, as a means of verifying this aspect of safety integrity.” Also, in that paper, Armstrong quotes a presentation Radasky made during Workshop VII of the IEC Advisory Committee on Safety in March 2004: “Generic EMC standards have been developed to advise product committees on the ‘essential’ immunity tests and their levels depending on the location of the equipment (home, industry, power substations, etc.). The problem is that some of the EM environments not considered ‘essential’ for EMC could produce a safety hazard in some systems.”
Armstrong lists a number of factors that demonstrate ways in which EMC immunity testing does not match functional safety objectives:
- Immunity testing only covers one EM disturbance at a time.
- Immunity tests do not simulate real-life exposure.
- EMC risk analysis is not done.
- Immunity testing compatibility levels may be too relaxed.
- Foreseeable faults are not addressed by immunity testing.
- The physical environment may affect EM performance.
- Only a representative sample is tested for EMC.
- EMC testing does not address maintenance, repair, refurbishment, or upgrades.
- Performance degradations acceptable for EMC might not be acceptable for safety.
The 2004 paper recommends “… the application of well-proven and well-understood EM assessment, design, and assembly techniques, backed up by a suitable program of EMC testing that verifies the suitability of the techniques used. These EMC good-engineering-practice techniques should aim to ensure that the level of confidence that equipment will work correctly—for the equipment’s lifetime; electromagnetic, physical, and climatic environments; reasonably foreseeable use; and single faults—is not likely to be compromised by EMI.”
Reconciling EMC and functional safety standards
The IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems standard was first issued in 2000. It was followed in 2001 by IEC 61000-1-2 Electromagnetic compatibility (EMC) – Part 1-2: General – Methodology for the achievement of the functional safety of electrical and electronic equipment with regard to electromagnetic phenomena. From the titles of the standards, you might think that functional safety had been thoroughly addressed.
Unfortunately, as recounted in a 2007 paper [2] that discusses the 61000 standard, “It was … not possible … to consider the latest approach given in the basic functional safety documents of IEC 61508….” As a result, a maintenance team within the IEC’s Technical Committee 77 (TC 77) later undertook the task of including the methodology of IEC 61508 within the EMC specification. The result was IEC 77/327/CD, a TC 77 committee draft document published in 2006.
A 2008 paper [3] by Sabine Alexandersson covers much of the same ground highlighted in 2004 by Armstrong but emphasizes automotive applications and the use of fault-tree analysis (FTA) to address functional safety concerns. Especially in cars, Alexandersson says, “The current trend … is toward a new generation of electronic systems that are both complex and safety critical. These systems will act autonomously and will have direct electronic control over things such as steering, braking, and suspension. This will provide accident preventive systems for the future vehicles, but in order to be competitive with the traditional systems, these systems cannot have longer lead times or higher prices than today’s systems. The required reliability of such a system has to be in the order of one failure per billion running hours or lower, which makes it impossible to prove the compliance to the safety requirements by only testing the system. It is therefore necessary to consider the reliability at all levels throughout the design process.”
Because cars are such complex systems and can be driven into hostile EMI environments, a top-down, deductive methodology such as FTA “… allows the user to identify the responsible system levels and components for each specified top event,” according to Alexandersson. She explains, “When an FTA should be performed with the intention to carry out an EMC analysis, the work starts with a definition of the system that should be investigated and the electromagnetic environment to which the system is exposed. Before a fault tree can be built, all undesirable safety events have to be specified. Most of the events can be found as hazards from the hazard analysis that is carried out on the system. These events often involve no operation, unwanted operations, or wrong operations from the system. This will then serve as top events in the FTA…. The analysis continues with several levels until the base events (leafs) are found. In the case where the FTA method is used for analyzing the circuit from an EMC point of view, electromagnetic disturbances are considered as base events.”
The author cautions, “For a large system such as a vehicle, the fault trees are often many, large, and complex. It is therefore important to limit the FTA to safety-critical top events. The results from the FTA could be used to find different cases that ought to be tested in order to provoke a wanted top event.”
She extends this idea to suggest that testing under fault conditions also may be useful, although it is not included in EMC standards. If the overall functional safety of the larger system can be compromised by failure at a lower level, then simulating that failure would allow the behavior of fail-safe modes and other safety-related elements to be studied.
In a 2010 EE-Evaluation Engineering article [4], Armstrong cites a “… new practical guide for managers and engineers from the Institute of Engineering and Technology (IET). The guide describes practical and cost-effective procedures for management and engineering. When properly applied, these procedures can help save lives and reduce injuries wherever electronic technologies are used in a product, equipment, system, or installation in which a malfunction or failure of electrotechnology could increase functional safety risks.”
Cost-effectiveness is an important consideration. Many papers cite it, along with repeatability and effectiveness, as a strength of standard EMC immunity testing. Many authors also make the point that the ever-larger digital electronics content of products makes it virtually impossible to test thoroughly for all possibilities, especially when EMI is considered.
The basic concern is whether EMI, by itself or in combination with product fault conditions, can significantly reduce functional safety. Because so many combinations are possible, a confident no can seldom be given. As Armstrong states in the 2010 article, “Traditional EMC testing applies a limited number of types of EM disturbance one at a time. But in real-life operation, equipment typically is exposed to multiple and simultaneous EM disturbances; for example, a radiated field plus a conducted transient on the AC lines or ESD from an operator. Experiments have shown that equipment that passes such tests individually can be extremely susceptible to low levels of those same disturbances when they are applied simultaneously.”
Functional safety and EMC today
In a 2016 paper [5], Armstrong lists several standards based on IEC 61508, including ISO 26262, Road vehicles – Functional safety, which at the time of Alexandersson’s 2008 paper was still a committee draft. As a 2014 National Instruments white paper [6] about ISO 26262 states, “The Automotive Safety Integrity Level (ASIL) … is a key component for ISO 26262 compliance. The ASIL is determined at the beginning of the development process. The intended functions of the system are analyzed with respect to possible hazards. The ASIL asks the question, ‘If a failure arises, what will happen to the driver and associated road users?’
“The estimation of this risk, based on a combination of the probability of exposure, the possible controllability by a driver, and the possible outcome’s severity if a critical event occurs, leads to the ASIL [shown in Figure 2]. The ASIL does not address the technologies used in the system; it is purely focused on the harm to the driver and other road users.
Courtesy of National Instruments
“Each safety requirement is assigned an ASIL of A, B, C, or D, with D having the most safety-critical processes and strictest testing regulations. The ISO 26262 standard specifically identifies the minimum testing requirements depending on the ASIL of the component. This aids in determining the methods that must be used for test.” The paper concluded, “Once the ASIL is determined, a safety goal for the system is formulated. This defines the system behavior needed to ensure safety.”
ISO 26262 is just one example of how IEC 61508 has been applied, and as the NI white paper makes clear, the tests required depend on the ASIL, which in turn depends on the estimation of risk. How can you address functional safety without a detailed understanding of the likelihood that it will be degraded by some combination of events including faults and EMI?
Establishing the functional safety influence of an intentional EMI (IEMI) source in combination with many foreseeable risks is the very broad goal of a 2016 paper [7] by Dr. Heyno Garbe and two colleagues. To cope with the difficult job of quantifying risk, the authors suggest using fuzzy logic. As the paper explains, “To analyze the risk of an IEMI scenario, we need information about the victim system, the area plan of the infrastructure, and the possible IEMI sources which can harm the integrated system.” Typically, these inputs will not be numerical values.
The benefit of this approach is that it “… adds subjective information, uncertain data, nonphysical quantities … and the opinion of experts to the assessment of risk, which can still be simulated with a numerical or analytical math program.” An extensive example is included, which demonstrates the many levels of risk and mitigation involved. For example, the technique can assign probabilities to the availability of certain classes of IEMI sources.
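To make concrete how linguistic, expert-supplied inputs can still be “simulated with a numerical … program,” the following is an added example of Mamdani-style fuzzy inference. It is not the model from the Garbe paper and is not the page’s own code: the two inputs (availability of an IEMI source class, susceptibility of the victim system), the triangular membership functions, and the nine-entry rule table are generic assumptions chosen for illustration.

```python
"""Fuzzy (Mamdani-style) risk assessment from linguistic inputs.

Added example, not the model from the Garbe paper: the inputs, membership
functions and rule table are assumptions chosen to show how judgements
expressed in words become a numerical risk score.
"""

# Linguistic terms on a normalised 0..1 universe as triangles (a, b, c) with
# flat shoulders at the ends: "low" peaks at 0, "high" peaks at 1.
TERMS = {"low": (0.0, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.0)}

# Rule table (assumption): (source availability, victim susceptibility) -> risk
RULES = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def tri(x, a, b, c):
    """Triangular membership of x in (a, b, c); handles the a == b and b == c shoulders."""
    if x == b:
        return 1.0
    if x < b:
        return 0.0 if x <= a else (x - a) / (b - a)
    return 0.0 if x >= c else (c - x) / (c - b)


def fuzzify(x):
    """Degree to which a crisp value x belongs to each linguistic term."""
    return {term: tri(x, *abc) for term, abc in TERMS.items()}


def infer(availability, susceptibility):
    """Fire every rule (AND = min) and aggregate per output term (max)."""
    a, s = fuzzify(availability), fuzzify(susceptibility)
    strength = {term: 0.0 for term in TERMS}
    for (ta, ts), tr in RULES.items():
        strength[tr] = max(strength[tr], min(a[ta], s[ts]))
    return strength


def defuzzify(strength, steps=100):
    """Centroid of the max-aggregated, clipped output sets over a 0..1 grid."""
    num = den = 0.0
    for i in range(steps + 1):
        x = i / steps
        mu = max(min(strength[t], tri(x, *TERMS[t])) for t in TERMS)
        num += x * mu
        den += mu
    return num / den if den else 0.0


def assess(availability, susceptibility):
    """Return (risk score in 0..1, dominant linguistic risk term, rule strengths)."""
    strength = infer(availability, susceptibility)
    label = max(strength, key=strength.get)
    return defuzzify(strength), label, strength


if __name__ == "__main__":
    # Constructed expert inputs: a readily available source class against a fragile victim,
    # a hard-to-obtain source against a robust victim, and a middling case.
    for avail, susc in ((0.9, 0.9), (0.1, 0.1), (0.5, 0.5)):
        print((avail, susc), assess(avail, susc))
```

The score is a single number that can feed a conventional risk matrix, while the rule strengths show which expert judgement drove it; an input of 0.9 on both axes lands in the upper part of the range, 0.1 on both in the lower part, and 0.5 on both exactly at the middle because the only rule that fires is the symmetric medium/medium one.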
Functional safety in the future
In a 2016 paper [8] by Armstrong and Dr. Davy Pissoort, many of the familiar arguments are made again for adopting risk-based design modeled on the techniques in IEC 61508. In addition, the authors state in the paper’s conclusion, “The upcoming new IEEE standard Techniques and Measures to Manage Risks with Regard to Electromagnetic Disturbances, [project P1848] will describe the big grey box [military shielding] approach, then go on to provide an alternative—identifying which of IEC 61508’s practical techniques and measures should be used in design and its verification and validation, what modifications they might need, and what new techniques and measures also may be required to ensure that acceptable safety risk levels will not be exceeded by any reasonably foreseeable EMI over the lifetime.
“This alternative … effectively means that any EMI which occurs because of EM disturbances outside the tested parameters, or because of … other problems, is detected by the system itself. If the effects of the EMI could increase safety risks above acceptable levels, they are corrected, or the system is switched into one of its safe states or switched to an unaffected back-up system.”
1. Armstrong, K., “Why EMC Immunity Testing is Inadequate for Functional Safety,” IEEE EMC Symposium Proceedings, 2004, pp. 145-149.
2. Jaekel, B. W., “Recent Developments in Standardization Related to EMC and Functional Safety,” IEEE EMC Symposium Proceedings, 2007.
3. Alexandersson, S., “Functional Safety and EMC for the Automotive Industry,” IEEE EMC Symposium Proceedings, 2008.
4. Armstrong, K., “EMC Testing to Achieve Functional Safety,” EE-Evaluation Engineering, January 2010, pp. 42-44.
5. Armstrong, K., “How to Manage Risks with Regard to Electromagnetic Disturbances,” IEEE EMC Symposium Proceedings, 2016, pp. 72-77.
6. National Instruments, “What is the ISO 26262 Functional Safety Standard?” White Paper, April 2014.
7. Garbe, H., et al., “Fuzzy Based Risk Analysis for IT-System and their Infrastructure,” IEEE EMC Symposium Proceedings, 2016, pp. 51-56.
8. Pissoort, D., and Armstrong, K., “Why is the IEEE Developing a Standard on Managing Risks Due to EM Disturbances?” IEEE EMC Symposium Proceedings, 2016, pp. 78-83.