Compliance Engineering
EMC-Related and Functional Safety: Improving the Assessment Approach

Keith Armstrong

As safety standards evolve with changes in the equipment use environment, some cover EMC-related issues adequately–but many still do not.

With the rapidly increasing use of mobile and portable radio communications and other electronic technologies in safety-related applications, it becomes increasingly likely that inadequate electromagnetic compatibility (EMC) resulting from errors in the design of electronic devices–or their misoperation–could raise the health and safety risks to users and third parties, as well as perhaps the risks of damage to property, liability claims, and financial loss.

A number of initiatives are under way to deal with serious shortcomings in the way current regulations and standards address EMC-related functional safety. This article reviews progress being made in International Electrotechnical Commission (IEC) and European Union (EU) standards, EU directives, and guides produced by the European Committee for Electrotechnical Standardization (CENELEC), the Institution of Electronics Engineers (IEE; London), and the EMC Test Laboratories Association (EMCTLA; UK).

The Best Approach

Modern electronic technologies such as digital processing, wireless data communication, switch-mode power conversion, and so on are more likely to cause electromagnetic interference (EMI) than the technologies they replace. They are also more likely to suffer from degraded functionality–including complete failure–when exposed to EMI, because of the complexity of their software and hardware and the shrinking operating voltages and silicon feature sizes of their integrated circuits. Designers, maybe because encouraged to focus on cost, functionality, and time to market, often do not realize this. Consequently, device EMC may be insufficient to avoid the health and safety risks enumerated above.

Unfortunately, existing worldwide regulations on electromagnetic (EM) issues, and the associated standards, are concerned only with protecting the radio spectrum and the health of people exposed to nonionizing radiation. For instance, the European EMC Directive (EMCD; 89/336/EEC) does not cover any safety-related issues. Also, many harmonized safety standards listed under safety directives do not address EMC-related functional safety issues–and those few that do are inadequate.1,2 The initiatives discussed below concern themselves with these regulatory and standards shortcomings.

A proper approach to establishing EMC-related functional safety would be hazard and risk assessment, the methodology required by the IEE's functional-safety guide, CENELEC's R0BT-004:2002, IEC standard 61508, and IEC/TS 61000-1-2:2001.3-6 In this method, the EM environment and its possible effect on the safety functions of the equipment are assessed first; then the design and verification measures needed to achieve the required degree of safety are determined, based on the errors or malfunctions that EMI could cause.

Ideally, the assessment based on the nature of each hazard, the number of people exposed to it, and the risk of the hazard arising from the equipment's responses to possible EM disturbances in its use environments should be quantitative. But because very little quantitative information is available on most EM environments, a qualitative approach to that element of the hazard/risk equation usually has to be taken. This requires EMC expertise and experience of real-life EM environments that typical EMC test laboratory personnel cannot be expected to have.

Where a fixed installation is concerned, it is possible to measure the EM environment and to control it. Quantitative hazard and risk assessments can be performed for EMC-related functional safety in such cases. However, EM disturbances originating outside the site's boundaries may be uncontrollable; thus, risk may need to be reassessed in the future, and remedial actions taken then.

The measurement and ongoing control of an EM environment is not inexpensive, but where the safety consequences could be severe, these procedures are easily justified on a financial risk basis, let alone the ethical one. And in some facilities the financial losses due to downtime can be a greater concern than the possible safety liability. EMC-related functional safety techniques may need to be applied to improve reliability in such a case. Most safety design pays little attention to the maintenance of functionality. So, where downtime is costly, additional design work beyond what would be required to ensure safety can be necessary to achieve what might be called EMC-related functional reliability.
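The assessment described above can be sketched in code: each EM phenomenon of the use environment is paired with the safety function's response to it, the dangerous-failure rate is computed where event rates and malfunction probabilities are actually known, and the assessment falls back to an ordinal risk matrix where they are not. This is an added illustration, not code from the article or from any of the standards it discusses; the disturbance list, the rates, the probabilities, the ordinal scales, the additive combining rule and the tolerable-risk target are all constructed values and are not taken from IEC 61508 or IEC/TS 61000-1-2.

```python
"""Hazard and risk assessment of EM disturbances acting on one safety function.

Constructed example: the disturbance list, event rates, malfunction
probabilities, ordinal scales and tolerable-risk target are illustrative
values, not figures from IEC 61508, IEC/TS 61000-1-2 or any measured site.
"""
from dataclasses import dataclass
from typing import Optional

# Ordinal scales used when no quantitative data exist (constructed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "marginal": 2, "serious": 3, "critical": 4}
QUALITATIVE_LIMIT = 8  # risk index at or above this needs more risk reduction (constructed)


@dataclass
class EmThreat:
    """One EM phenomenon of the use environment and the safety function's response to it."""
    name: str
    events_per_year: Optional[float]  # measured or estimated rate; None if no data
    likelihood: str                   # qualitative rating used when the rate is unknown
    p_dangerous: Optional[float]      # P(dangerous malfunction | event); None if unknown
    malfunction: str                  # qualitative rating used when p_dangerous is unknown


def quantitative_assessment(threats, tolerable_events_per_year):
    """Dangerous-failure rate of the safety function due to EM disturbances and
    the risk-reduction factor needed to meet the target. Returns None when any
    threat lacks quantitative data, so the caller must fall back to qualitative."""
    if any(t.events_per_year is None or t.p_dangerous is None for t in threats):
        return None
    per_threat = {t.name: t.events_per_year * t.p_dangerous for t in threats}
    total = sum(per_threat.values())
    return {
        "mode": "quantitative",
        "per_threat": per_threat,
        "dangerous_per_year": total,
        "required_risk_reduction": total / tolerable_events_per_year,
        "acceptable": total <= tolerable_events_per_year,
    }


def qualitative_assessment(threats, severity):
    """Risk-matrix fallback. Event likelihood and malfunction likelihood are
    combined with a simple additive rule (constructed): two 'frequent' ratings
    stay 'frequent'; a 'frequent' event with a 'rare' malfunction becomes 'rare'."""
    per_threat = {}
    for t in threats:
        combined = max(1, LIKELIHOOD[t.likelihood] + LIKELIHOOD[t.malfunction] - 5)
        per_threat[t.name] = combined * SEVERITY[severity]
    worst = max(per_threat.values())
    return {
        "mode": "qualitative",
        "per_threat": per_threat,
        "risk_index": worst,
        "acceptable": worst < QUALITATIVE_LIMIT,
    }


def assess(threats, severity, tolerable_events_per_year):
    """Quantitative where the data allow it, qualitative otherwise."""
    result = quantitative_assessment(threats, tolerable_events_per_year)
    return result if result is not None else qualitative_assessment(threats, severity)


# Constructed use environment for a guard-interlock safety function on a measured site.
MEASURED_SITE = [
    EmThreat("handheld transmitter within 1 m", 200.0, "frequent", 0.01, "unlikely"),
    EmThreat("fast transient burst on mains", 50.0, "likely", 0.002, "rare"),
    EmThreat("lightning-induced surge", 0.2, "rare", 0.1, "possible"),
]
# The same site before any measurement: only qualitative ratings are available.
UNMEASURED_SITE = [EmThreat(t.name, None, t.likelihood, None, t.malfunction)
                   for t in MEASURED_SITE]

if __name__ == "__main__":
    for site in (MEASURED_SITE, UNMEASURED_SITE):
        print(assess(site, "serious", tolerable_events_per_year=0.01))
```

Run stand-alone, the measured site yields a dangerous-failure rate of about 2.12 events per year and a required risk-reduction factor of about 212 against the constructed target, which is the kind of figure that drives the choice of design and verification measures; the unmeasured site yields only a worst-case risk index, which is why the article stresses that the qualitative route needs real EMC field experience rather than test-laboratory routine.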

The IEE Guide

IEE published its guidance document on EMC and functional safety in 2000. It was presented at the Institute of Electrical and Electronics Engineers (IEEE) EMC Symposium in 2001.2 The guide has had considerable worldwide exposure, but has received only a few comments. The responsible IEE working group has seen no need thus far to review it for possible revision.

The IEE guide is being used as a basis for the guidelines to be codified by EMCTLA for machinery manufacturers' achievement of EMC-related functional safety.

Analyzing Draft IEC 61326 Part 3

IEC 61326 is called up by IEC 61511 despite the fact that it does not cover EMC-related functional safety issues. The February 2003 draft IEC 61326-3, "Electrical equipment for measurement, control and laboratory use–EMC requirements, Part 3–Immunity requirements for equipment intended to perform safety related functions (functional safety)," is intended to be used in conjunction with IEC 61508 or related industry-sector standards such as IEC 61511.

The approach taken has been described as a "finger-in-the-wind" risk-based assessment. This means that an EMC expert with suitable experience decides on a fixed set of EM disturbances and a fixed set of immunity tests and test levels to use.

The current draft takes the immunity test requirements from IEC 61326 Annex A (for equipment intended for use in industrial locations) and doubles some of its test levels. It also tests for radiated RF fields from 1.4 to 2 GHz in order to cover the mobile radio transmitting devices, such as cell phones, operating in that range.

The draft IEC 61326-3 introduces a useful new concept–the functional safety performance criterion. All of the immunity standards listed under the EMC Directive apply three performance criteria, known as A, B, and C; these specify the various degrees of degradation of functional performance that are permitted during and after application of the specified immunity tests.

Performance criterion FS, introduced by this draft, permits any amount of performance degradation or destruction of components, during and after the immunity tests, as long as "a safe state (of the equipment under control) is maintained or achieved within a stated time."

IEC 61326 requires that performance criteria used during the immunity testing be supplied to the user on request. In the case of performance criterion FS, this would certainly be necessary information for the safety system designer.

Clearly, this draft would provide some increased immunity for items of equipment and, therefore, should be of some benefit to safety-related systems that incorporate them. However, because it does not require the safety system designer to apply hazard or risk assessments, it is impossible to know whether test coverage of the EM disturbances in the environment is complete. R0BT-004 and IEC/TS 61000-1-2 were ignored and a new standard created for no known reason. Some have suggested privately that some IEC committees are prone to the "not invented here" syndrome.

The conclusion must be that the draft IEC 61326 Part 3 does not take the correct approach to dealing with EMC-related functional safety as required by IEC 61508–the standard that it claims to be supporting.

PD R0BT-004:2002

The CENELEC functional safety document summarizes how functional safety should be dealt with in harmonized European Norm (EN) standards. It says, "The specification for safety integrity is derived by undertaking a risk analysis and determining the necessary risk reduction that the safety function is required to achieve. The general principle is that more rigour is required in the engineering of safety-related systems at higher levels of safety integrity in order to achieve the necessary lower failure rates." This is in line with the general approach taken by IEE and the two IEC standards to be discussed.

PD R0BT-004:2002 also requires that EM influences be considered as part of the overall operating environment, and specifies the application of IEC 61508 and IEC/TS 61000-1-2 for, respectively, functional safety and EMC-related functional safety.4-6 However, it appears that these CENELEC requirements are not being embraced by all the committees producing standards intended to be adopted as ENs and used to achieve compliance with EU directives.

This guide points out that all aspects of functional safety are covered by what are called the total safety directives–Low Voltage, Machinery, Explosive Atmospheres, Medical Devices, etc. It notes also that the EMCD covers only interference with non-safety-related aspects of functional performance.

IEC 61508

IEC 61508 is an important new safety standard.5 It provides for the first time a means of demonstrating safe design of computers, programmable logic controllers, and other electronics in safety-related and safety-critical systems. It mandates taking EMC into account for functional safety, but gives little detail on how to do this.

The functional safety performance of a system is an emergent property of its complexity, which means that IEC 61508 can be fully applied only to complete systems. The standard can be applied to components and equipment used in a system only to the extent of prescribing the safety information that needs to be supplied with them so that the system designer can create a product with the necessary safety integrity.

The EMC industry, because it is based on testing products and equipment and has relatively little experience with testing complex systems and installations, may have a problem with this. The type of immunity tests it employs also may not be representative of real-world EM environments. For example, in actual operating circumstances, several types of disturbance can occur simultaneously. The results can be very different from those obtained when challenges are applied one at a time during immunity testing. IEC 61508 currently is undergoing its first maintenance. Major changes are not expected, but improving its coverage of EMC issues is on the agenda.

Unfortunately, many functional-safety experts are not yet up to speed on the rapid developments in electronic technologies being deployed, and know little about EMC issues. It appears that at least some of the engineers implementing IEC 61508 systems, and some of the safety assessors who check their application of this standard, are ignoring EMC issues completely. Some relevant trade literature also fails to mention any EMC-related safety issues with respect to IEC 61508.

This standard can be used industry wide, but a number of sector-specific standards are being developed to provide more-detailed guidance.

Published in seven parts, IEC 61508 can be daunting to someone not a full-time safety compliance engineer. It covers the management of functional safety; technical safety requirements for all life-cycle phases; and the competence of people involved in any safety life-cycle activity. Its technical safety requirements can be summarized as performing a comprehensive hazard and risk analysis, deriving the safety requirement specification, and designing the safety-related system to meet the safety requirement specification, taking into account all possible hardware, software, and human failures.

To make the standard easier to understand and use, especially for small businesses, Professor Johan Catrysse of KHBO University in Belgium has produced a graphical guide to help safety system designers apply it.7 Requiring that safety integrity specifications and safety function specifications address the EM environment likely to be encountered during operation, specified in terms of EMC levels, the tool correctly applies the IEC 61508 methodology to EMC-related functional safety issues. It does encourage the use of EMC immunity testing even though this might not correspond with actual EM environments.

IEC/TS 61000-1-2:2001

This IEC technical specification–not yet a full standard–employs a hazard and risk assessment methodology just as the three previously discussed documents do. It specifies a method for achieving functional safety with regard to the EM phenomena associated with electrical and electronic equipment–products, systems, and installations–that are installed and operated under normal conditions.6

The document includes procedures for determining and specifying requirements; equipment design, including its installation; analytical assessment; testing; and documentation. Having application to the influence of the EM environment on equipment, the specification is intended for use by product standard committees, designers, and the manufacturers and installers of equipment and systems. It focuses on EM safety analysis and testing methods. With respect to quantitative assessment methods, i.e., determinations of the probability of failures, it recommends the methods described in IEC 61508.

Issues covered by this specification include the achievement of functional safety, the EM environment, safety requirements and failure criteria, dependability analyses, EMC testing with regard to safety, and reporting the influence of EM disturbances on the functional safety of an equipment item.

Its first maintenance commenced in February 2004. The specification is intended to become a full IEC standard and then a harmonized EN standard listed under a number of safety directives. Several improvements to the document have been suggested, including increasing its emphasis on assessing the EM environment; adding the requirement that safety functions requiring higher integrity should be designed to be more resistant to interference; and reducing its emphasis on EMC immunity testing as the means of verification.

Sector-Specific Standards

IEC 61511. Covering the functional safety of safety instrumented systems for the process industry sector, IEC 61511 applies to systems based on electrical, electronic, and programmable electronic technologies.8 It is a process industry-specific standard within the framework of IEC 61508. Parts 1, 2, and 3 were published in 2003.

For EMC-related functional safety at the system level, IEC 61511 requires that all the safety requirement specifications acknowledge "extremes of all environmental conditions that are likely to be encountered," including electromagnetic interference (EMI/RFI) and electrostatic discharge. At the equipment level, it requires either that the equipment comply with IEC 61508 or that there be strong evidence on the basis of prior use that it will work correctly in its intended environment.

More emphasis could have been placed on EMC considerations at the system level. And the proven-in-use approach can be problematical, because no two applications are really quite the same, especially with respect to their EM environments. Safety experts tend to agree that a lack of adverse safety incidents does not necessarily indicate a safe design. Also, IEC 61511 includes a reference to IEC 61326, which is a little unfortunate because the latter standard states in its Note 1 that it does not address safety issues (see sidebar, page 148).9

So, as with IEC 61508, there is room for improvement in IEC 61511's approach to EMC-related functional safety.

Draft IEC 62061. The functional safety of electrical, electronic, and programmable control systems for machinery is the focus of this sector-specific implementation of IEC 61508.10 The first draft mentioned the need to deal with EMC-related functional safety but was short on detail about how to do this. It also referred to Machinery Directive standards that in turn referred to EMCD immunity standards that do not cover safety issues.

Work responsive to the 476 comments on the first draft that were received is complete, and the committee draft for vote (CDV) was published in mid-2003. Additions to the EMC-related functional safety provisions of IEC 62061 were based on the work done on IEC 61326-3, a standard that does not use a risk-based approach. Thus, the CDV will still have room for improvement.

Immunity Testing: Inadequate for Safety Performance

Safety testing might show that a piece of equipment is safe at the time it was tested, but it says nothing about whether the equipment will be safe in a few years' time, after some wear and tear and exposure to its physical environment. This is why all safety standards rely on ensuring that good, well-proven safety design methods are used, rather than simply relying on testing.

Where the reliable operation of safety-related circuits is an issue, EMC immunity testing is usually inadequate for the same reasons as above. EMC testing is a valuable technique for helping to prove EMC design techniques, but it is the good, well-proven EMC-for-reliability design techniques that are the key to achieving EMC-related functional safety. This was the problem that faced safety-related software. There is no practical way to thoroughly test modern software (just as there is no way to thoroughly test for EMC), so it was necessary to develop and prove good software design techniques. Great effort by many in academia and industry over many years achieved this goal, and the necessary safety-related software design techniques are now specified in IEC 61508-3. The discipline of EMC has not had the same effort applied, and it is about time that it did.

Here are some reasons why it is unsafe to rely on EMC immunity testing as the sole verification for the EMC performance of safety-related applications:

  • Conventional Immunity Testing Only Covers One Disturbance at a Time. In real life, equipment is usually subjected to a number of electromagnetic disturbances (threats) simultaneously. Tests have shown that when one disturbance is applied (e.g., a radiated radio-frequency [RF] field), the immunity to a simultaneous disturbance (e.g., fast transient burst, ESD, etc.) can be seriously compromised. When multiple RF fields are applied at once, intermodulation in electronic devices can result in failure modes not found by conventional one-frequency-at-a-time testing.
  • Conventional Immunity Testing Does Not Necessarily Simulate Real-Life EM Exposure. Traditional EMC test methods are designed for accuracy and repeatability. They do not simulate real life exposure very well. For example, normal RF immunity testing uses a single modulation frequency (e.g., 1 kHz) but electronic warfare experts know very well that equipment is much more susceptible to RF fields when these fields are modulated with a frequency close to one of the equipment's control frequencies, as real-life threats sometimes can be.
  • Conventional Immunity Testing Does Not Simulate Foreseeable EM Exposure. Normal immunity tests cover normal EM environments, not low-probability EM threats or unusual environments. But where safety integrity levels are high, even very low-probability risks may be unacceptable and low-probability EM threats will need to be considered.
  • Faults Are Not Addressed by Conventional Immunity Testing. The normal EM activity in an environment must be withstood all of the time. But conventional immunity testing does not simulate common faults that can affect EMC, such as a dry joint in a filter's ground bond, a short-circuit or out-of-tolerance component that makes a circuit more unstable at RF, or corrosion which reduces shielding effectiveness over time.
  • Effects of the Physical Environment on EMC. Shock, vibration, condensation, dust, exposure to liquids, aging, temperature extremes and cycling, bending and twisting (e.g., nonflat mounting), etc., can all have a bad effect on susceptibility, including reducing shielding through poor contact at EMC gaskets and reducing filtering by breaking filter ground connections.

But conventional immunity tests take no account of the degradation in EMC performance that can occur due to the foreseeable physical environment or aging. Special EMC test methods that overcome some of these problems are used by experts in electroexplosive devices (EEDs), but no practical (or affordable) EMC immunity testing can prove that an EMC design is adequate. Good practice and well-proven EMC design methods that will ensure that the required level of EMC performance is maintained over the life of the equipment are required.


NFPA 79. This U.S. fire protection industry standard pertaining to electrical safety for industrial machinery simply mentions a few EMC assembly and installation practices.11 It is inadequate for ensuring EMC-related functional safety in situations involving electronic control of safety-related functions.


EMCTLA Technical Guidance Notes

EMCTLA, the only international association of EMC test laboratories, has devoted some of its energies to creating technical guidance notes (TGNs) to help achieve consistency in testing despite the difficulties and ambiguities presented by EMC regulations and standards. All of its TGNs can be downloaded from the Web (www.emctla.co.uk). They are a very valuable resource for EMC test laboratories.

EMCTLA has three working groups that generate TGNs. Working Group B (WG[B]) has recently created two TGNs on EMC-related functional safety. TGN 45 is a guide to dealing with EMC-related safety issues for machinery, and for complying with the Machinery Directive (98/37/EC).12 It recommends applying the IEE guide and IEC/TS 61000-1-2. The document has relevance for machines supplied in non-European as well as European countries.

TGN 46 covers EMC-related functional safety issues for electrical equipment, and provides assistance for achieving compliance with the Low Voltage Directive (LVD; 73/23/EEC, amended by 93/68/EEC).13 It also recommends applying the IEE guide and IEC/TS 61000-1-2.

EMC and Functional Safety for Machinery

Although the Machinery Directive requires all EM disturbances to be taken into account to achieve safe machinery, existing standards and guidance before TGN 45 were weak on the issue, leading to conflicting interpretations and uncontrolled safety risks. And neither the EMCD nor its harmonized EMC standards cover EMC-related functional safety. The European Commission (EC) requires all safety issues, including EMC-related ones, to be dealt with under the total safety directives, such as the LVD and Machinery Directive.4

Although non-EU countries do not have the same type of machinery safety laws as the EU, they often have other legal constraints on the supply of unsafe machinery, such as product liability laws. Most do not have laws that mandate a minimum level of EMC immunity, possibly increasing the likelihood of EMC-related safety problems.

The methods recommended by the new EMCTLA TGN 45 are not country-specific. All EN standards referred to in it are available as IEC equivalents suitable for use worldwide.

The EMCD. The EMCD is not intended to be used for safety purposes. Safety directives must cover such issues as foreseeable overload, environmental extremes, equipment faults, human error, and misuse, but the EMCD covers only normal operation. Thus, it is clearly unsuitable where safety is concerned. The final draft of a proposed second edition does not change the situation; rather, it only confirms it.14

The standards referenced by the EMCD are little better. The most up-to-date generic EMC immunity standard for industrial apparatus, IEC/EN 61000-6-2, notes that "safety considerations are not covered by this standard."15 Another note in its Scope section advises that "special mitigation measures may have to be employed" when the level of disturbances exceeds levels specified in the standard, for example, where an apparatus is installed in proximity to ISM equipment using RF energy or where a handheld transmitter is used in close proximity to an apparatus. However, the standard does not say what it means by close proximity, and it fails to mention foreseeable situations such as proximity to powerful vehicle-mounted radio transmitters or proximity to the base stations of private mobile radio or cell phone systems.

Not only a machine's immunity but its emissions could be troublesome for existing safety-related systems. The most up-to-date generic EMC emissions standard for industrial apparatus, IEC/EN 61000-6-4, notes that its specified limits may not provide "full protection against interference to radio and television reception when the apparatus is used closer than 30 m to the receiving antenna."16 But where radio communications or other radio-based systems are used for safety-related functions, an exclusion zone with a 30-m (100-ft) radius might be unacceptable.

Many modern radio-based systems operate at frequencies above 1 GHz–higher than those for which IEC/EN 61000-6-4 sets emissions limits. These include GPS, GSM, PCS, Bluetooth, and IEEE 802.11b. Meeting the standard is no guarantee that such systems will operate even at distances greater than 30 m.

Ambiguity arises as well with the emissions standard. Note 2 in its Objectives section states: "In special cases, for instance when highly susceptible apparatus is being used in proximity, additional mitigation measures may have to be employed to reduce the electromagnetic emissions further below the specified levels." The terms highly susceptible and proximity are not clearly defined, however. And if the susceptibility of the apparatus being used in proximity (if it has any safety-related functions) is unknown, then the new source of EM disturbances is a safety concern that may require performance of a new hazard and risk analysis.

The necessary susceptibility information may not be forthcoming from suppliers, even for CE marked apparatus, and immunity testing may never have been done for legacy equipment predating the EMC Directive. In the EU, all equipment and machinery that people must employ in accomplishing their work must comply with the Provision and Use of Work Equipment Directive (PUWER), which requires safety to be maintained even when machines or their environments are changed.

Most, if not all, other harmonized EMC standards include statements having the same effect as those just described.

The Machinery Directive. The Machinery Directive and its listed harmonized standards take a very piecemeal and unsatisfactory approach to EMC-related functional safety. The directive itself includes several clauses that concern EMC-related functional safety.

  • Annex 1, 1.2.1: "Control systems must . . . withstand the rigors of normal use and external factors," where external factors could be interpreted as meaning reasonably foreseeable EM disturbances (although this is not mentioned in the EC's own interpretation).17
  • Annex 1, 1.2.6: "The interruption, re-establishment after an interruption, or fluctuation in whatever manner of the power supply to the machinery must not lead to a dangerous situation," though the EC interpretation has it that the EMCD "deals with all electromagnetic phenomena likely to cause operating problems in a device, an appliance, or a system"–this despite the fact that the EMCD is officially considered inadequate to deal with safety-related issues.17
  • Annex 1, 1.2.7: "A fault in the control circuit logic, or failure of or damage to the control circuit, must not lead to dangerous situations."
  • Annex 1, 1.5.10: "Machinery must be so designed and constructed that any emission of radiation is limited to the extent necessary for its operation and that the effects on exposed persons are nonexistent or reduced to nondangerous proportions." (Here, the guidance, which references the EMCD, could mean that emissions should be limited for reasons other than health, such as protecting other equipment.)17
  • Annex 1, 1.5.11: "Machinery must be so designed and constructed that external radiation does not interfere with its operation," which is explicated by robust EC commentary specifying that the manufacturer must take into account foreseeable environmental conditions at the intended machine location–a commentary with requirements unfortunately limited to radiated disturbances and not applicable to conducted disturbances in power, ground, signal, or control conductors.
  • Annex 1, 1.7.4: A list of the instructions that must accompany a machine does not include any requirement to specify the EM environment or the disturbances the machine is designed to withstand, nor installation and commissioning instructions that would help ensure that the EM performance designed in by the manufacturer was achieved in practice.

An EC document designed to coordinate the activities of machinery notified bodies, in considering how to take account of EM effects in the context of the Machinery Directive, states: "We should bear in mind that effects of interference on the machine are covered specifically by the EMCD and not the machinery directive."18 This is contradicted by R0BT-004.

The foregoing suggests that, while the Machinery Directive attempts to deal with the issue of EMC-related functional safety, it is not comprehensive enough. And when it is interpreted as simply requiring compliance with the EMCD, the case would be laughable if the potential consequences were not so grave.

Some machinery manufacturers, and most of the relevant notified bodies, take a much more serious approach to EMC-related functional safety. However, there is no legal obligation for a manufacturer to involve a notified body, or any third party, when declaring a machine compliant with the Machinery Directive unless the machine comes under Annex IV.

The machinery standards referenced by the directive provide no more useful guidance on EMC-related functional safety.

EN 292-2 (soon to be replaced by EN ISO 12100-2), whose clause 3.7.11 covers other measures for preventing hazardous malfunction, and IEC 60204-1, with its relevant clause 4.4.2, mandate that equipment shall have adequate immunity to EM disturbances to allow correct operation in its intended environment.19,20 Both imply or state that compliance with the EMCD and its harmonized standards is sufficient for functional safety, although it clearly is not. Annex 18 to IEC 60204-1 describes the technical documentation to be provided with the machine, but it does not suggest specifying the EM environment within which the equipment has been designed to operate safely. No other machinery safety standards are found to shed more light on EMC-related functional safety (see Figure 1).


Figure 1. The current situation for functional safety.

Machinery Hazards and Risk Analyses. The relevant standard for performing a hazards and risk analysis as required by the Machinery Directive is EN 1050.21 Its clause 7.3.5 on the reliability of safety functions says, "Risk estimation shall take account of the reliability of components and systems. It shall . . . identify the circumstances which can result in harm (e.g., component failure, power failure, electrical disturbances)." But the standard does not specify analyzing the EM environment or the responses of components, equipment, or systems to EM disturbances.

It cannot be assumed that safety standards cover all possible hazards and reduce risks to negligible amounts. Such an approach neglects the risk component of hazard and risk analysis. Risk is the probability that a hazard will occur. Any analysis that ignores EMC might assess the risk incorrectly.

For example, consider an assembly machine that uses different attached tool pieces to assemble different products. Replacing it with a programmable robot to reduce the changeover time could introduce hazards previously almost impossible but now likely as a consequence of EM interference from the operating environment. Rapid, repetitive tool changes might occur in the middle of an operation when control software gets stuck in an internal loop; the robot might apply the wrong movement profile to a tool, making it encroach on a person working nearby; and so on.

Hard-Wired Systems. Hard-wired safety systems–those using only electromechanical components such as relays, switches, push buttons, wires, etc.–are commonly, and incorrectly, assumed to be unaffected by EM disturbances. But relays, contactors, and solenoids are vulnerable to voltage fluctuations in their power supplies and will change state with undervoltages whose depth and duration depend upon their model, age, and ambient temperature. Where relay logic is involved, a change in state of some relays during a supply dip could lead to numerous possible temporary logic states.

Also, electromechanical contacts are susceptible to overvoltage events that can arc across open contacts, momentarily closing them. For a given overvoltage, some contacts will arc and others not, fairly unpredictably. After a lightning strike to the building housing it, a large packaging machine that used a hard-wired safety system was reported to have run at full speed backwards with all of its protective doors and guards open. The surge not only damaged the machine's electronic control but also defeated its safety system.

Very few designers of hard-wired safety systems take into account the wide variety of possible transient effects caused by supply voltage fluctuations and overvoltages, and even fewer actually test their systems for resistance to these possible disturbances. Given that few manufacturers assess the EM environment in which their machines are to be used either, the reliability of those machines' safety systems is not quantified, and their hazard and risk analyses are incomplete.
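The point that a supply dip can leave relay logic in many possible temporary states can be made concrete by enumerating them. The following Python is an added example, not taken from the article or from any standard it cites: the relay dropout bands, the 24 V conveyor control circuit and the contact network are all constructed for illustration and are not measured values for any real part. Each relay is given a band of coil voltages inside which it may or may not have dropped out (the article's point that the outcome depends on model, age and temperature); the script keeps both outcomes for every relay inside its band, generates every reachable combination, and checks each one against the contact network to find states in which the circuit commands a motion the operator never selected.

```python
"""Enumerate the transient logic states a hard-wired relay circuit can take
during a supply dip.  Added example; the relay data and the circuit are
constructed for illustration, not measured values for any real part."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Relay:
    name: str
    dropout_lo: float  # V: at or below this coil voltage the relay certainly drops out
    dropout_hi: float  # V: at or above this coil voltage the relay certainly holds

    def possible_states(self, coil_v: float) -> Tuple[bool, ...]:
        """Armature states (True = held in) the relay may be in at coil_v.
        Inside the band the outcome depends on model, age and temperature,
        so a conservative analysis keeps both possibilities."""
        if coil_v >= self.dropout_hi:
            return (True,)
        if coil_v <= self.dropout_lo:
            return (False,)
        return (True, False)


# Constructed 24 V DC control circuit for a bidirectional conveyor.
RELAYS = (
    Relay("K1_guard", 16.0, 19.0),   # held while the guard is closed
    Relay("K2_run", 14.0, 17.5),     # held while a run command is latched
    Relay("K3_estop", 15.0, 18.0),   # held while the e-stop chain is healthy
    Relay("K4_dir", 17.5, 20.0),     # held = forward selected, dropped = reverse
    Relay("KM1_fwd", 17.0, 19.5),    # forward contactor
    Relay("KM2_rev", 17.0, 19.5),    # reverse contactor
)

State = Dict[str, bool]


def coil_drives(s: State) -> Dict[str, bool]:
    """Which contactor coils the contact network energises in state s.
    Direction is selected by a changeover contact on K4, and the two
    contactors are interlocked through each other's NC auxiliary contact."""
    enable = s["K1_guard"] and s["K3_estop"] and s["K2_run"]
    fwd = enable and s["K4_dir"] and not s["KM2_rev"]
    rev = enable and not s["K4_dir"] and not s["KM1_fwd"]
    return {"KM1_fwd": fwd, "KM2_rev": rev}


def transient_states(coil_v: float) -> List[State]:
    """Every combination of armature states reachable while the supply sits at coil_v."""
    names = [r.name for r in RELAYS]
    options = [r.possible_states(coil_v) for r in RELAYS]
    return [dict(zip(names, combo)) for combo in product(*options)]


def hazardous_states(coil_v: float, intended: str = "KM1_fwd") -> List[State]:
    """Transient states in which the network commands a motion the operator did
    not select (here: reverse is commanded while forward was running)."""
    return [s for s in transient_states(coil_v)
            if any(on and coil != intended for coil, on in coil_drives(s).items())]


def sweep(volts: List[float]) -> Dict[float, Tuple[int, int]]:
    """(number of reachable states, number of hazardous ones) per dip level."""
    return {v: (len(transient_states(v)), len(hazardous_states(v))) for v in volts}


if __name__ == "__main__":
    for v, (n, h) in sweep([24.0, 18.0, 17.0, 12.0]).items():
        print(f"{v:5.1f} V: {n:3d} reachable transient states, {h} hazardous")
```

At nominal voltage there is exactly one state and it is the intended one; in a deep dip every relay drops and the circuit commands nothing. The interesting region is a shallow dip that falls inside several dropout bands at once: with the constructed values an 18 V dip leaves 16 reachable combinations, two of which have the direction relay and forward contactor dropped while the enable chain is still held, so the network is commanding reverse. That is exactly the kind of state a relay-by-relay design review does not surface, and it is why the article calls for testing rather than assumption.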

TGN 45 for Machinery Safety

EMCTLA tasked its Working Group B with creating a guidance document on how machinery manufacturers should go about achieving EMC-related functional safety–the eventual TGN 45–because of the problems outlined. TGN 45 covers the following issues a machinery manufacturer should address:

  • The EM disturbances, however infrequent, the apparatus might be exposed to during its life cycle. Help in determining these is available from several documents, including the IEE guide,3 IEC/TS 61000-1-2,6 EN 1050,21 IEC 61000-2-5,22 the textbook EMC for Systems and Installations,23 and soon a TGN from EMCTLA (http://www.emctla.co.uk).
  • The reasonably foreseeable effects of such disturbances on the apparatus. These are to be determined by the application of IEC/TS 61000-1-2, using the fault tree approach that it recommends, or a similar method.
  • How the EM disturbances emitted by the apparatus might affect other apparatus, existing or planned. This should be addressed by the application of IEC/TS 61000-1-2, using the fault tree approach that it recommends, or a similar method. (It is important to remember that equipment in use outside the EU, and pre-1996 legacy equipment within the EU, may never have been designed or tested for EM immunity.)
  • The reasonably foreseeable safety implications of all of the above, in particular the severity of any hazard, the scale of any risk, and their corresponding safety integrity levels. These should be determined by completing a hazard and risk assessment using EN 1050 and referencing IEC 61508.
  • The level of confidence (verification or proof) necessary to ensure that all of the above have been fully considered and all necessary actions taken to achieve the desired level of safety. The validation requirements are addressed in IEC/TS 61000-1-2.
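The second and third items above rely on the fault tree approach recommended by IEC/TS 61000-1-2, and the earlier remark that an analysis ignoring EMC may assess the risk incorrectly follows directly from how such a tree is evaluated. The following Python is an added example, not code from the article or from IEC/TS 61000-1-2: it evaluates a small fault tree for the programmable assembly robot discussed earlier (top event: the controller commands a wrong movement profile) once with and once without the EM branch. Every probability and rate in it is constructed for illustration, and the gate arithmetic assumes the basic events are independent, which is the usual first-pass simplification.

```python
"""Fault-tree estimate of a hazardous-malfunction rate with and without the
electromagnetic (EM) branch.  Added example; the tree and all numbers are
constructed for illustration and are not taken from any standard."""
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Event:
    name: str
    p: float  # a rate per hour or a conditional probability, as commented below


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str  # "AND" or "OR"
    inputs: List["Node"]


Node = Union[Event, Gate]


def prob(node: Node) -> float:
    """Probability (or rate) of a node, assuming independent inputs.
    AND multiplies; OR uses 1 - prod(1 - p) so it stays exact for large p."""
    if isinstance(node, Event):
        return node.p
    ps = [prob(i) for i in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none = 1.0
        for p in ps:
            none *= 1.0 - p
        return 1.0 - none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def without(node: Node, dropped: set) -> Node:
    """Copy of the tree with the named basic events treated as impossible,
    which is what an analysis that never considered them effectively does."""
    if isinstance(node, Event):
        return Event(node.name, 0.0) if node.name in dropped else node
    return Gate(node.name, node.kind, [without(i, dropped) for i in node.inputs])


# Constructed tree.  Each EM sub-branch ANDs a disturbance occurrence rate
# (per hour, from an assessment of the EM environment) with the probability
# that the controller is upset given that disturbance (from immunity testing).
EM_EVENTS = {"esd_to_panel", "handheld_radio_nearby", "fast_transient_burst"}

TOP = Gate("wrong_movement_profile", "OR", [
    Event("controller_hw_failure", 2e-6),        # per hour, constructed
    Event("latent_sw_defect_triggered", 1e-6),   # per hour, constructed
    Gate("em_induced_malfunction", "OR", [
        Gate("esd_upset", "AND", [
            Event("esd_to_panel", 5e-3),         # discharges per hour
            Event("susceptible_to_esd", 0.02),   # P(upset | discharge)
        ]),
        Gate("rf_upset", "AND", [
            Event("handheld_radio_nearby", 1e-2),  # transmissions per hour
            Event("susceptible_to_rf", 5e-3),      # P(upset | transmission)
        ]),
        Gate("eft_upset", "AND", [
            Event("fast_transient_burst", 2e-2),   # bursts per hour
            Event("susceptible_to_eft", 1e-3),     # P(upset | burst)
        ]),
    ]),
])


def underestimate_factor(tree: Node = TOP, em_events: set = EM_EVENTS) -> float:
    """How many times too low the top-event rate comes out when the EM
    disturbances are left out of the analysis."""
    return prob(tree) / prob(without(tree, em_events))


if __name__ == "__main__":
    print(f"with EM branch:    {prob(TOP):.3e} per hour")
    print(f"without EM branch: {prob(without(TOP, EM_EVENTS)):.3e} per hour")
    print(f"underestimated by a factor of about {underestimate_factor():.0f}")
```

With the constructed figures the EM branch dominates the top event by well over an order of magnitude, so an assessment built only from random hardware and software failure data would place the hazard rate far too low, and any safety integrity level derived from it would be wrong in the unsafe direction. The two inputs the EM branch needs, an occurrence rate for each disturbance and a conditional probability of upset, are precisely the EM environment specification and the immunity evidence the bulleted items ask the manufacturer to produce.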

The manufacturer should record what has been done to achieve functional safety in the Machinery Directive technical documentation, including results or reports generated from any safety-related EMC testing carried out, together with the hazard and risk assessment.

Support documents listed in the EMCTLA guidance include those mentioned in the first bulleted list item, as well as another technical guidance note being prepared by its Working Group B for publication in 2004 to help with specifying the EM environment.

This new TGN will be similar to tables 4.1-4.3 in EMC for Systems and Installations, which list a wide range of EM disturbances, their causes, the standards to assess them, the electromechanical and electronic devices or circuits likely to suffer interference from them, and the test standards that can be used to validate the immunity of apparatus against them.

Other Guidance

Low Voltage Directive. The current version of the LVD does not mention functional safety, and neither do most of its listed standards. Nevertheless, it is regarded by the EC as a total safety directive that covers all aspects of safety, even those not mentioned explicitly in its text. But many manufacturers prefer to follow the letter of safety directives rather than their spirit, especially if that saves money. Or they may simply not be as knowledgeable about legal safety requirements as they should be. Applying IEC/TS 61000-1-2 could help them to achieve EMC-related functional safety in the context of complying with the LVD.24

To make sure that functional safety is clearly understood to be covered by this directive, a section titled Principles of safety integration will be added to the LVD, according to the latest LVD review document.25 This would include a statement mandating protection against all hazards caused by reasonably foreseeable external influences on the electrical equipment, taking account of its functionality. The amended directive also would specifically mention protecting against hazards arising from malfunctions due to electric, magnetic, and EM disturbances.

Amendments to IEC 60335-1. IEC 60335-1, covering the general requirements for the safety of household and similar electrical appliances, is commonly considered a good safety standard. However, although it expressly covers functional safety, it includes no requirements for EMC-related functional safety, a serious shortcoming given the proliferation of electronics and programmable electronics used to control household appliances and the like.

It is unfortunate that 61/2329/CDV, as an attempt to add EMC-related functional safety requirements to IEC 60335-1, completely ignores the approach taken by the IEE guide, R0BT-004, IEC 61508, and IEC/TS 61000-1-2 and simply applies a few EMC tests at higher levels than the relevant EMCD standards.26 Not only is this not a risk-based approach, but the standard applies these tests only during standby mode to check for unintended start-up. It does not apply them when electronic devices are used to control operation.

Unless submitted suggestions for improvement of this CDV are incorporated, the amended standard will not provide an adequate approach to EMC-related functional safety.

Medical Devices. Although the three European medical device directives all require EMC-related functional safety to be taken fully into account, they do not say how this should be done. Most medical equipment manufacturers would automatically apply IEC/EN 60601-1-2.27

First published in 1993, this standard was less demanding than the EMCD generic standards, which do not cover safety issues. The new 2001 issue of the standard is much better than the 1993 version. From November 1, 2004, it will be illegal for any equipment to be supplied in the EU with a declaration of conformity to any of the medical device directives that lists the 1993 rather than the 2001 version.

Despite its recent improvement, this standard sets fixed immunity testing requirements instead of using the desirable hazard and risk-based approach. Not only that, but the tests it applies are no tougher than the EMCD's generic standards, except that the upper frequency limit of radiated immunity testing is raised from 1 GHz to 2.5 GHz to include all cell phones and most current wireless local-area networks.

Worse, it allows manufacturers to pass significant responsibility for the EMC-related safety of their medical equipment on to the user. This assumes that healthcare premises employ the EMC resources and skills necessary to fully manage their EM environments on a day-to-day basis, a far from typical situation. Conformity with the EMC-related functional safety requirements of the medical device directives clearly cannot be ensured solely by applying IEC/EN 60601-1-2:2001.

Automotive EMC Directives. Directives 72/245/EEC (amended by 95/54/EC) for the EMC of four-wheeled vehicles and 97/56/EC for the EMC of two- and three-wheeled vehicles both apply a few types of immunity tests at fixed test levels. These directives do not employ the best EMC-related functional safety techniques. However, most reputable vehicle manufacturers do conduct EMC testing using very comprehensive and stringent proprietary standards.

Product Liability

It is one thing to claim conformity to a safety directive or other safety regulation, but it is quite another to avoid product liability lawsuits and the associated financial risk.

The European Product Liability Directive (85/374/EEC, amended by 99/34/EC) adds one useful defense to the assertion that "it was someone else's fault," and that is that the product met the state of the art in safety when it was supplied. This is sometimes called the no defects, or development risks, defense.

It can be difficult to demonstrate achievement of the state of the art in safety. And in the case of a safety incident that could have been caused by interference with electronics associated with a safety function, reliance solely on applying safety standards that did not involve a hazard and risk assessment approach to EMC-related functional safety would not make for a strong defense. It may be some time before most safety standards usefully incorporate EMC-related functional safety requirements. In the meantime, product liability risks arising from the increasing use of electronics can be reduced by applying the IEE guide.

Conclusion

The best, and correct, approach to ensuring EMC-related functional safety involves conducting a hazard and risk assessment, as required by the IEE guide, R0BT-004, IEC 61508, and IEC/TS 61000-1-2. Unfortunately, the last two of these are not yet perfect in their application of this safety methodology, and developments in other standards show a lack of understanding of the correct way to deal with this increasingly important issue. Attempts being made to improve this situation do not seem likely to result in most safety standards incorporating the state of the art in EMC-related functional safety for many years.

The development and testing of software in safety-related and safety-critical systems has received considerable attention from the technical, academic, and standards-making safety community in recent years. Inadequate EMC performance can be just as important a threat to health and safety. This, however, is not yet receiving the attention it requires. People will suffer as a result.

References

1. Keith Armstrong, "EMC-Related Functional Safety–An Update," EMC Compliance Journal, no. 44 (January 2003): 24-30.

2. Keith Armstrong, "New Guidance on EMC-Related Functional Safety," in Proceedings of the 2001 IEEE International Symposium on EMC (Montreal: IEEE, 2001), 774-779.

3. EMC and Functional Safety (London: Institution of Electronics Engineers, 2000); available from Internet: www.iee.org.uk/Policy/Areas/Electro/index.cfm.

4. R0BT-004:2001, EC Directives, Functional Safety and the role of CENELEC standardization.

5. IEC 61508, Functional Safety of Electrical, Electronic and Programmable Electronic Systems.

6. IEC/TS 61000-1-2:2001, Electromagnetic Compatibility (EMC)–Part 1-2: General–Methodology for the achievement of the functional safety of electrical and electronic equipment with regard to electromagnetic phenomena.

7. Safecheck; a free copy of the guide, instructions on use, and a summary of IEC 61508 are available from Internet: http://khbo.be/emc/PrUtS16s29a4f9e/Hobusafe.zip.

8. IEC 61511, Functional safety: Safety instrumented systems for the process industry sector.

9. IEC 61326, Electrical equipment for measurement, control and laboratory use–EMC requirements.

10. IEC 62061 (draft), Safety of Machinery–Functional safety of electrical, electronic, and programmable control systems for machinery.

11. NFPA 79, Electrical Safety for Industrial Machinery (2002).

12. EMCTLA TGN 45, EMC for machinery safety and compliance with the Machinery Safety Directive; available on Internet: http://www.emctla.co.uk.

13. EMCTLA TGN 46, EMCD/LVD guidance document (EMC for the safety of electrical equipment and compliance with the Low Voltage Directive); available on Internet: http://www.emctla.co.uk.

14. Proposal for a new EMC Directive COM (2002)759 final of 23.12.2002, 2002/0306 (COD); available from Internet: http://europa.eu.int/comm/enterprise/electr_equipment/emc/revision/proposal.htm.

15. IEC 61000-6-2:1999, Electromagnetic Compatibility (EMC)–Part 6-2: Generic standards–Immunity for industrial environments; modified and notified under the EMCD as EN 61000-6-2:2001.

16. IEC 61000-6-4:1997, Electromagnetic Compatibility (EMC)–Part 6-4: Generic standards–Emission standard for industrial environments; modified and notified under the EMCD as EN 61000-6-4:2001.

17. European Commission, Comments on Directive 98/37/EEC (1999); available from Internet: http://europa.eu.int/comm/enterprise/mechan_equipment/machinery/guide/content.htm.

18. European Commission, Useful Facts in Relation to the Machinery Directive 98/37/EC; available from Internet: http://europa.int/comm/enterprise/mechan_equipment/machinery/index.htm.

19. EN 292-2, Safety of machinery–Basic concepts, general principles for design–Part 2. Technical principles and specifications.

20. IEC 60204-1:1997, Safety of machinery–Electrical equipment of machines–Part 1: General requirements.

21. EN 1050:1997, Safety of machinery–Principles for risk assessment.

22. IEC 61000-2-5, Electromagnetic compatibility (EMC)–Part 2: Environment–Section 5: Classification of electromagnetic environments–Basic EMC Publication.

23. Tim Williams and Keith Armstrong, EMC for Systems and Installations (Oxford: Newnes, 2000); ISBN 0-7506-4167-3.

24. Peter Burt, "EMC and Safety Under the LVD 73/23/EEC," ERA Technology's Safety and EMC Newsletter, no. 65 (October 2002); available from Internet: www.era.co.uk.

25. LVD Update working documents; available from Internet: http://europa.eu.int/comm/enterprise/electr_equipment/lv/direct/review.htm.

26. 61/2329/CDV, Committee draft for vote 60335-1, Am.2 f2 Ed.4: General requirements–Safety related aspects of electronic circuits.

27. IEC 60601-1-2:2001, Medical electrical equipment–Part 1-2: General requirements for safety–Collateral standard: Electromagnetic compatibility–Requirements and tests.

Keith Armstrong is a founding partner of Cherry Clough Consultants. He can be reached at keith.armstrong@cherryclough.com.