
Discovering EMC’s Role in Functional Safety

Electromagnetic disturbances can greatly influence the performance of equipment and the functional safety of systems. Consider the current problems we hear in the news with unintended acceleration in some vehicles. While this complication’s true cause may never be determined, analysts have theorized that electromagnetic disturbances could play a large role. Due to the amount of electronics and ever-changing technologies found in today’s automobiles, unintended acceleration is only one of many examples of unwanted anomalies that could occur due to an EMC issue. Automakers are faced every day with the risk and associated liability that could come with a problem such as this once the vehicle is on the street with the consumer. That risk is why the automakers over time have had to develop specific test standards that relate to the EMC concerns of their vehicles and require their suppliers to meet them by way of specific test plans. The automotive industry is just one example of how EMC can relate to the functional safety of a product as guided by IEC TS 61000-1-2: 2008.

General Considerations
According to IEC TR 61508-0: 2005, Product Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly as a result of damage to property or to the environment. Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

Electromagnetic compatibility is the ability of an equipment or system to function satisfactorily in its electromagnetic environment, without introducing intolerable electromagnetic disturbances to anything in that environment.

Note that functional safety must be maintained over the anticipated lifetime of the product, which means taking into account all reasonably foreseeable faults, use/misuse, component tolerances and variations/errors in assembly, exposure to physical, climatic, biological, etc. conditions, and ageing. However, when we do EMC testing, we are usually only concerned with a new fault-free product passing its tests on one day, when operated correctly and in a benign environment. Doing EMC for functional safety reasons is therefore going to be a little different from what we are used to!


EMC testing traditionally involves identifying the test requirements, which vary in the different economies and sectors of industry. An automotive component designed for automakers, whose end product (the car) will be sold in the US market, has different EMC requirements than a notebook computer intended to be sold in the EU. For example, automotive products could be subjected to much higher EM fields than the notebook computer. As a result, automotive radiated immunity testing is performed at a magnitude that is often 10 times or more than what is performed on a standard notebook PC. The basic EMC testing of the notebook computer would involve testing its immunity to EN 55024. If that same laptop were used in a situation where it controlled a safety function, the tests and test levels described in EN 55024 may not be adequate.

Functional safety as an aspect of EMC is based on assessment of the electromagnetic environment. However, it should also include consideration of the total environment that the product is expected to be exposed to in its lifetime, such as physical (mechanical forces, shock, vibration, etc., exposure to liquids, gases, dusts, etc.), climatic (temperature extremes and cycling, humidity, condensation, rain, air pressure extremes and cycling, etc.), and biological (mould growth, rodent gnawing, nesting bugs and animals, etc.).

It is also based on the product’s intended function, acceptable level of safety risk, design (including the fact that some of its electronics might serve a safety function), and electromagnetic immunity verification/validation (i.e. immunity testing). For many of my friends in the world of EMC, we just crossed into uncharted territory. The relatively straightforward application of specific test standards to a product has given way to specifying the EMC tests based on hazard analysis and risk assessment.

EMC Design Considerations
A risk assessment should take the product’s design and intended function into consideration, and acknowledge the electromagnetic environments in which the product will be used. EMC of the product should be considered and implemented in the design process. The product should be validated against immunity tests appropriate for its type, and the electromagnetic environment for its installation. Specific operation and maintenance instructions may be needed to ensure the desired functional safety.

It is important to recognize that waiting until the end of the design process to consider traditional EMC compliance, and especially EMC for functional safety, can be detrimental. Should failures occur, procrastination can greatly increase the cost of compliance and delay the time to market. The options available to fix compliance problems are sometimes limited without redesign of the product.

Sources of Electromagnetic Disturbances
The electromagnetic environment consists of the total electromagnetic phenomena existing at a given location. There are three basic categories of phenomena: low-frequency (conducted and radiated from any source except ESD), high-frequency (conducted and radiated from any source except ESD), and electrostatic discharge (conducted and radiated). Table 1 shows an overview of types of electromagnetic phenomena.


Table 1: Overview of types of electromagnetic phenomena

 

Specific Applications
Extensive work has been done by standards writing bodies to give general guidance on test levels for these different phenomena based on the location of intended use. A product intended to be used in a home will generally be exposed to lower levels of electromagnetic phenomena than one intended to be used in a heavy industrial environment. The electromagnetic environment in an automobile or a military defense facility may be even harsher than the heavy industrial environment.

Generic EMC standards, such as IEC 61000-6-1 and IEC 61000-6-2, are specifically targeted for the light industrial and heavy industrial environments, respectively. Each of these standards contains the same basic tests with levels set appropriately for a specific type of environment. Other product-specific standards recognize that the product function is critical for safety and specify higher test levels where they are needed. For example, the immunity standard for elevators and lifts, EN 12016, includes higher test levels for safety circuits.

Table 2 shows a non-exhaustive comparison of the test levels.

Table 2: Comparison of test levels in IEC 61000-6-1 / IEC 61000-6-2 / EN 12016

 

As expected, the test levels for the heavy industrial environment are generally higher than those specified for the light industrial environment. A notable exception is ESD, which is identical in both locations.

Note also that for the safety circuits of the lift standard, test levels are almost always higher than those for either the light or heavy industrial/elevator standard. Higher test levels were provided for radiated immunity due to the expectation that radio transmitters would be present. According to this document, radio transmitters are not commonly found below 166 MHz, and mobile phones operate in the 1710-1784 MHz and 1880-1960 MHz bands. In addition to higher test levels, the criteria for compliance have been modified specifically for safety circuits.

For each immunity test, criteria are specified so that compliance to the test may be assessed. The following are abbreviated descriptions of the different performance criteria.

Performance criterion A: Operation must continue as intended during and after the test. This criterion applies primarily to continuous phenomena such as Radiated and Conducted RF Immunity.

Performance criterion B: Operation must continue as intended after the test. This criterion applies primarily to transient phenomena such as fast transients and surge.

Performance criterion C: Temporary loss of function is allowed, provided the function is self-recoverable or can be restored by the operation of the controls. This criterion applies primarily to the 5-second voltage interruption (not shown in table), where most products will shut down.

Performance criterion D (as defined in EN 12016): Operation must continue as intended during and after the test, including the associated safety components. No degradation of performance or loss of function is allowed, other than a failure into a safe mode. This criterion applies to all safety circuits and is not dependent on the electromagnetic phenomenon. Not only are safety circuits tested to higher levels of electromagnetic phenomena, they also have a stricter criterion for compliance.

Performance criterion FS: The performance criterion for functional safety is specified as FS and is only applicable for functions contributing to or intended for safety applications. As seen for the lift/elevator standard, the FS criterion shall be considered for all electromagnetic phenomena. There is no differentiation required between continuous and transient electromagnetic phenomena. Equipment performing safety functions must remain safe.

Performance criterion A is always acceptable for safety functions contributing to or intended for safety applications, whereas Performance criterion FS allows failure to a stable state that is defined by the manufacturer of a product intended for incorporation into a safety-related system, and in the case of a complete safety-related system means failure to a safe state.

EMC for Medical Equipment
Functional safety is also a concern in IEC 60601-1-2, the collateral EMC standard for medical equipment. As detailed in Clause 6.2.1.10 of IEC 60601-1-2: 2007, the performance criteria are very specific, but could generally be considered to fall into criterion A, above. Degradation in performance giving a condition of unacceptable risk is not allowed, even if accompanied by an alarm.

IEC 60601-1-2 also assigns higher immunity test levels to life-supporting medical equipment. Further specifications are made in compliance with the particular requirements of specific instruments. Table 3 shows a non-exhaustive comparison of the test levels for medical equipment.

From this information, we can conclude that the electromagnetic environment is expected to be similar for general medical equipment and for life supporting equipment. However, because of its potential to harm patients, life supporting medical equipment has higher test levels for Radio Frequency Electromagnetic fields, to correspond more closely with the maximum levels of an EM phenomenon that could occur in the environment over the lifetime.

The particular standard for infusion pumps classifies them as life-supporting equipment and generally uses the same test level. However, ESD and Magnetic Field immunity are exceptions. ESD levels were increased from 6 kV to 8 kV for contact discharge and from 8 kV to 15 kV for air discharge. The magnetic field immunity was increased from 3 A/m to 400 A/m. These higher test levels were used due to reports of interference from radio transmitters in ambulances and from electromagnetic fields, generated by diathermy equipment and mobile telephones. Examples of degradation included unpredictable cessation of infusion and a reversion to a purge mode of operation.

Note that IEC 60601-1-2 Ed3 states: “Subclause 6.2.1.1 – IMMUNITY TEST LEVELS The IMMUNITY TEST LEVELS in this collateral standard were selected to represent the normal use environment and therefore to be appropriate for an EMC IMMUNITY standard, rather than for a safety standard. Test levels for a safety standard would be significantly higher. (See IEC 61000-1-2 [4].)”  In fact, IEC TS 61000-1-2 requires a great deal more than simply testing with higher levels!

Table 3: Comparison of immunity levels of medical equipment

 

Functional Safety Considerations
In most cases, there is no practical way to verify by testing alone that adequate immunity to functional safety risks has been achieved over the anticipated lifetime of the product. This is exactly the situation faced by the software industry in the 1990s, resulting in a great deal of international work on how to make software safe enough, out of which came IEC 61508-3:2000. What the software safety experts found was that achieving the required levels of confidence in correct operation required the use of proven design methods and a variety of verification and validation methods (including, but not limited to, testing). This is exactly the approach that IEC TS 61000-1-2 applies to EMC – the only practical way to ensure that EMI does not cause unacceptable safety risks over the product’s lifetime.

Let’s say a product was expected to be installed in an environment where a particular electromagnetic phenomenon was present. Its prudent manufacturer would test for immunity against that phenomenon, even if said test was not specified in the generic or product specific EMC standards.

As observed in the specific EMC requirements for lift/elevator and medical equipment, the test levels may be higher than those specified in the normal test environments. In most cases, the adequacy of immunity can be assessed by evaluating to higher test levels. However, little safety benefit is achieved by testing at higher levels, other than achieving extra confidence that the immunity test applied the specified level or higher. Table 4 shows estimates of maximum electromagnetic disturbance levels.

Many of the phenomena found in Table 4 are associated with a basic EMC standard in the 61000-4 series. The test levels in Table 4 generally exceed the test levels given in the generic or product family standards. When designing an EMC test for functional safety, testing to these higher levels will give greater assurance of proper operation in the final installation. Testing to failure can give great insight as to what type of response might be observed when failures do occur.

Table 4: Estimates of maximum electromagnetic disturbance levels

 

In addition to elevated test levels, a product’s immunity can be evaluated by using variants of these standard test methods. For example, extending the number of pulses or the duration of a particular test will increase the likelihood of exposing a particularly susceptible period in the operational cycle (which might only last for a few nanoseconds!). Different test setups of the product can also be attempted (i.e. testing a different combination of equipment, versions, and/or cabling).

Also, 1 kHz sinewave modulation might not represent the real-life worst-case “EM threat” to the product, and there may be significantly higher levels of carrier frequencies outside of the normally tested range. All products have specific frequencies to which they are particularly susceptible, and which they can be exposed to by direct interference (with the carrier wave), demodulation of the carrier’s envelope, or intermodulation between two or more carrier frequencies. It is clearly impossible to test for all these possibilities, which is why it is necessary to adopt certain “good design practices” and a range of verification and validation techniques to prove them. However, test methods can be modified (e.g. by using different modulations) to more comprehensively test the product against its real-life EM environment.

Reverberation chamber testing may also be better at simulating the real-life environment than anechoic chamber testing, because in real life EM waves can impinge from any angle and polarization, in fact with several angles and polarizations at once, and EM susceptibility can strongly depend upon both.

The impact of a particular environment on a product’s immunity behavior should also be considered. Temperature and humidity may vary significantly depending on the location of final installation. For example, a product may be very susceptible to ESD when the relative humidity is 20%, and yet show no signs of degradation to ESD levels two to three times higher when the relative humidity is 60%. Surges may be withstood when dry, but not when there is condensation. Corrosion of earth/ground bonds, shielding joints/gaskets, etc., can have very great consequences for immunity, as can faults and misuse (e.g. leaving a shielding door open). And mains filter capacitors and surge protection devices can wear out and fail after just a few years if not suitably dimensioned for their real-life environment, which includes AC mains power surges reliably up to ±6kV (at least, in single-phase distribution systems, more in dedicated three-phase systems) – a lot more stress than the usual ±2kV!

The performance over the product’s life should also be considered. After exposure to highly accelerated life testing (HALT) that simulates the maximum (“worst-case”) environmental exposure over the anticipated lifetime of the product, EMC testing should be repeated to check that the product’s immunity is still adequate for the safe operation of the product over its expected life.

Functional safety for EMC is about mitigating risk of electromagnetic phenomena by identifying the probability of occurrence of electromagnetic interference, and determining the severity of that interference. The product must then be designed and verified/validated accordingly.

David Schramm is the EMC Manager for SGS North America, Inc. In this capacity he is responsible for the technical activities in EMC, Regulatory Wireless and SAR testing. His responsibilities within industry trade groups include: Member, ANSI C63.10 and ANSI C63.26 Working Groups, which are establishing a set of unified test methods for unlicensed and licensed wireless products for Certification in the US and Canada. He is an iNARTE Certified EMC Engineer (EMC-002792-NE).

A special thanks to Keith Armstrong of Cherry Clough Consultants for his invaluable insight.  Any error or omission found in this article is certainly mine, not his.
