Getting Serious About Functional Safety & EMC

My last blog of 2019 was on functional safety and marathon running. For the new year we need to get back to work and be serious again. What could be more serious than electromagnetic immunity?

I spent nine years in our automotive group, and several of those were spent fighting EMC issues with very little flexibility to add external protective components around our IC. The levels of immunity required in automotive can be up to 800 V/m, which made it a great learning experience! Hopefully my knowledge on the topic has not gone too stale, so that I may leverage it in my present role as functional safety guy for Analog Devices' industrial products.

Let's start with some definitions:

EMC = electromagnetic compatibility and includes emissions and immunity

EMI = electromagnetic immunity

Immunity means that a system, element or component is robust in an electrically noisy environment. Emissions on the other hand are a concern because you don’t want to be the one generating the electrical noise. If you have high emissions, you are a bad neighbor in an electrical and electronic sense.

From a selfish functional safety point of view, EMI is the more important of the two: if your safety-related components do not have sufficient immunity, they can fail. In fact, for a redundant system without diversity, where identical components are used in both channels, insufficient immunity can even cause both channels to fail in the same way and at the same time, which is a very serious form of failure. Functional safety standards often address this when calculating the rate of common cause failure (CCF, normally expressed as a β factor). To address common cause failures due to poor immunity, standards often contain requirements and recommendations relating to the training of the design team with regard to functional safety, and call for immunity requirements above and beyond what is normally required in that environment.

Figure 1- extract from table F.1 of ISO 13849-1:2015

The table above from ISO 13849 shows that EMC contributes 25 points of the 100 available in the scoring used to demonstrate that the risk of CCF is sufficiently low. A score of 65 allows you to claim a CAT 3 or CAT 4 architecture.

Figure 2 - Guidance from IEC 61508-2:2010

IEC 61508 has a few references to EMI, but in general no specific guidance is given other than that safety components should be more robust than standard components. While the guidance is general it still makes sense: standard components are good for normal conditions, but functional safety is often about the once-in-10-year or once-in-100-year failures (at least for process control). In effect the normal EMC limits are a pragmatic compromise between the interference that is allowed and the cost of reducing its impact. For safety we need more.

IEC 61000-6-2 is the generic EMC standard that applies if there is no relevant dedicated product or product family standard. It does not cover functional safety requirements, but I mention it here because it covers the various port types which need to be considered. These ports are what "lets in" the electrical noise that affects the system, sub-system, element or components that make up a safety system.

Figure 3 - Port types from IEC 61000-6-2

Three of these ports are susceptible to conducted interference, with the enclosure port being the one sensitive to radiated interference.

IEC 61000-6-2 also has a very nice V-model, and all functional safety people love V-models, so I reproduce it below.

Figure 4 - V model from IEC 61000-1-2

To get serious about EMC for functional safety you need to go to IEC 61000-6-7 which uses the concepts from IEC 61000-1-2 and the levels from IEC 61326-1.

IEC 61326-3-1 and IEC 61326-3-2 extend IEC 61326-1 (which is not a functional safety standard) to cover "Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions" in general and in specified industrial environments respectively. Both of these standards give actual test levels.

An interesting question for EMC in functionally safe systems is what constitutes a pass and what constitutes a fail. IEC 61000-6-2 offers performance criteria:

  • A – no performance degradation below specified levels is allowed
  • B – performance degradation allowed during the test but not after
  • C – temporary loss of function is allowed

When functional safety is involved, you should apply the functional safety performance criterion rather than the simpler performance criteria above. While functional safety requires testing at higher levels than normal, there is some good news: what constitutes a pass and what constitutes a fail changes when you are testing for functional safety. When testing at normal levels, blowing up the device is a fail. For functional safety it could be a pass, depending on the defined safe state. This also means that when testing for functional safety you should always record how a device fails, rather than just recording pass/fail, because what counts as a safe state depends on the exact safety function. You also need to be careful: while the device might fail to the safe state at the higher test levels, it might fail to a dangerous state at some lower level.

An illustrative set of standards is the IEC 61800 series for variable speed drives. IEC 61800-3 specifies the EMC requirements and specific test methods for variable speed drives, whereas IEC 61800-5-2 (functional safety for variable speed drives) Annex F specifies the higher levels for functional safety applications. Differences include radiated immunity, where from 80 MHz to 1 GHz the required immunity level is 10 V/m for normal applications and 20 V/m for functional safety applications.
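The pass/fail logic described above, together with the 10 V/m and 20 V/m levels just quoted, as an added example that is not part of the original post: it classifies each test point under the conventional A/B/C criteria and under a functional safety criterion (assumed here to mean "safety function maintained or defined safe state reached"), records how the device failed at each level, and refuses an overall functional safety pass when a dangerous output was seen at any lower level. The behaviour labels, the enclosure-port sweep and the 433 MHz failure are constructed sample data.

```python
from dataclasses import dataclass
# Observed behaviour at one test point, from benign to dangerous.
NORMAL = "normal"                  # safety function unaffected
DEGRADED = "degraded_during_test"  # out of spec during the test, recovered afterwards
LOST = "temporary_loss"            # function lost during the test, self-recovered
SAFE_STATE = "safe_state"          # tripped to the defined safe state (outputs de-energised)
DANGEROUS = "dangerous_output"     # wrong output while not in the safe state

@dataclass(frozen=True)
class TestPoint:
    port: str
    level_v_per_m: float
    freq_mhz: float
    observed: str

# Conventional performance criteria A/B/C: which observations count as a pass.
CRITERIA = {"A": {NORMAL}, "B": {NORMAL, DEGRADED}, "C": {NORMAL, DEGRADED, LOST}}

def passes_criterion(tp: TestPoint, criterion: str) -> bool:
    return tp.observed in CRITERIA[criterion]

def passes_fs(tp: TestPoint) -> bool:
    # Functional safety criterion (assumption): the safety function is either
    # maintained or the defined safe state is reached. Tripping to the safe
    # state passes here although it fails criteria A to C.
    return tp.observed in {NORMAL, SAFE_STATE}

def evaluate_campaign(points, normal_level, fs_level):
    """Verdicts at both levels plus how and where the device failed."""
    at_normal = [p for p in points if p.level_v_per_m == normal_level]
    at_fs = [p for p in points if p.level_v_per_m == fs_level]
    dangerous = sorted({p.level_v_per_m for p in points if p.observed == DANGEROUS})
    fs_at_level = bool(at_fs) and all(passes_fs(p) for p in at_fs)
    return {
        "criterion_A_pass_normal": bool(at_normal) and all(passes_criterion(p, "A") for p in at_normal),
        "fs_pass_at_fs_level": fs_at_level,
        "dangerous_levels_v_per_m": dangerous,
        # A safe-state pass at the higher level must not hide a dangerous
        # failure at a lower level, so the overall verdict scans every level.
        "fs_pass_overall": fs_at_level and not dangerous,
        "failure_log": [(p.level_v_per_m, p.freq_mhz, p.observed) for p in points if p.observed != NORMAL],
    }

# Constructed sample: enclosure port, radiated sweep 80 MHz to 1 GHz at the
# 10 V/m (normal) and 20 V/m (functional safety) levels quoted from IEC 61800-5-2.
SAMPLE = [
    TestPoint("enclosure", 10.0, 80.0, NORMAL),
    TestPoint("enclosure", 10.0, 433.0, DANGEROUS),   # wrong output at the lower level
    TestPoint("enclosure", 20.0, 433.0, SAFE_STATE),  # trips to safe state at the higher level
    TestPoint("enclosure", 20.0, 1000.0, NORMAL),
]
```

Calling `evaluate_campaign(SAMPLE, 10.0, 20.0)` gives a functional safety pass at 20 V/m but an overall fail, because the failure log shows a dangerous output at 10 V/m.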

Immunity testing injects large voltages and/or currents onto pins and wires. The injection can be either conducted or radiated. For an IC external components can be used to limit the voltages and currents seen by the IC but the more robust the IC the fewer external components are required and the more robust the design becomes against small changes in layout.

Despite the many standards written, I still have some concerns as regards testing for functional safety. For instance, interferers are only applied one at a time. What happens if you are exposed to two interferers simultaneously? Also, it is not entirely clear whether an analysis such as an FMEDA should be done on the assumption that the specified level of interference is always present. This is not specified, but I believe that should be the rule. A further concern is that the testing is done with all components perfect. How should aging be coped with? If your resistor failure modes include drift high and drift low along with fail open and fail short, you will get some coverage. There are answers to all my concerns, but it would be good to see them spelled out in future revisions of the standards to ensure consistency of results. In addition, testing is only done on a very small set of parts, so there is very little to account for variation between parts. Some experts say you should test to 3 or 6 dB below the limits to account for that, and others say the 3 dB to 6 dB is to allow for setup variations.

I haven't forgotten my promised blog on the topic of "Is Verilog software?" and will hopefully get to it next month.

This tongue-in-cheek video is actually very instructional on functional safety.