
Why Conventional EMC Testing is Insufficient for Functional Safety

At the recent PSES Symposium, I attended a couple of interesting workshops on EMC and Functional Safety. One was called “Workshop on EMC & Functional Safety” presented by Keith Armstrong, Bill Radasky and Jacques Delaballe. The other was a paper presentation called “Why Conventional EMC Testing is Insufficient for Functional Safety” presented by Keith Armstrong.

For readers who are new to the idea of Functional Safety, this field deals with the ability of a product or system to function in its intended use environment, or in any foreseeable use environment, while reliably providing the protection required by the users. Here’s the formal definition taken from IEC 61508-4:1998:

functional safety
part of the overall safety relating to the EUC and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities

equipment under control (EUC)
equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities

NOTE – The EUC control system is separate and distinct from the EUC.

E/E/PE
electrical / electronic / programmable electronic

Reliability requirements are found in two key standards, ISO 13849 and IEC 61508. These two standards overlap to some degree, and do not define reliability categories in the same way, which frequently leads to confusion. In addition there is a Machinery Sector Specific standard based on IEC 61508, called IEC 62061, Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems. These three standards make reference to EM effects on systems but do not provide guidance on how to assess these phenomena. This is where IEC TS 61000-1-2 comes into play.

All three experts are members of IEC TC 77 and are directly engaged in writing the second edition of IEC TS 61000-1-2 (more info on this at the bottom of this post). This IEC Technical Specification deals with electromagnetic (EM) effects on equipment that result in functional safety problems, like failures in guarding circuits, or failures in some of the new programmable safety systems. This is becoming an increasingly important issue as programmable controls migrate into the traditionally hardwired safety world. In fact, Keith pointed out that EM effects are present even in many of our “tried and true” circuits, but the failures have been incorrectly attributed to other phenomena because most electrical engineers have not been used to thinking about these phenomena, especially in 24 Vdc relay-based control circuits.

In the workshop, the presenters discussed a typical product life cycle, then went on to explore the typical environments that a product may be exposed to, including the EM and physical environments. They went on to discuss the need for an EMC-related Risk Assessment and then finished up by looking at Electromagnetic Safety Planning. The whole workshop took the entire second day of the Symposium.

A key point in the workshop is that conventional EMC testing cannot practically prove that systems are safe. This is due to the structure of the EMC tests that are normally undertaken, including the use of fixed modulation frequencies during immunity testing, failure to assess intermodulation effects and many other issues. In addition, EMC testing does not and cannot test for aging effects on performance, wear & tear and other use-related conditions. The presenters discussed a number of ways that these problems could be addressed and ways that testing could be extended in selective ways to attack predicted vulnerabilities. EMC testing also does not consider the reliability requirements of the tested product (e.g. SIL 3 or SIL 4 per IEC 61508-1).

On the following morning, Keith Armstrong presented his paper. In this paper, Mr. Armstrong went into considerable detail on the shortcomings of conventional EMC testing when it comes to Functional Safety. He suggested some approaches that could be used by manufacturers to address these issues in safety critical applications.

The workshop presentations and Mr. Armstrong’s paper can be purchased through IEEE Xplore for those that did not attend the Symposium.

The IET has published a new book, available for free from their web site, entitled Electromagnetic Compatibility for Functional Safety. This guide will be reviewed in a future post, so keep reading!

Keith Armstrong, Bill Radasky and Jacques Delaballe are members of IEC Technical Committee 77, writing IEC TS 61000-1-2 Ed 2.0, ELECTROMAGNETIC COMPATIBILITY (EMC) – PART 1-2: GENERAL METHODOLOGY FOR THE ACHIEVEMENT OF THE FUNCTIONAL SAFETY OF ELECTRICAL AND ELECTRONIC EQUIPMENT WITH REGARD TO ELECTROMAGNETIC PHENOMENA. Edition 2 of this standard should be published by Mar-2009 according to the IEC.

Keith Armstrong is Principal Consultant at Cherry Clough Consultants in Brocton, UK.

Bill Radasky works with Metatech Corporation from his office in Goleta, California.

Jacques Delaballe works for Schneider Electric Industries SAS in Grenoble, France.