P1848/D6, January 2020

Draft Standard for Techniques & Measures to Manage Functional Safety and Other Risks with Regard to Electromagnetic Disturbances

P1848™/D6
Draft Standard for Techniques & Measures to Manage Functional Safety and Other Risks with Regard to Electromagnetic Disturbances

Sponsor
Standards Development and Education Committee of the IEEE EMC Society

Approved <Date Approved>
IEEE-SA Standards Board

Copyright © 2020 by The Institute of Electrical and Electronics Engineers, Inc.
Three Park Avenue
New York, New York 10016-5997, USA
All rights reserved.

This document is an unapproved draft of a proposed IEEE Standard. As such, this document is subject to change. USE AT YOUR OWN RISK! IEEE copyright statements SHALL NOT BE REMOVED from draft or approved IEEE standards, or modified in any way. Because this is an unapproved draft, this document must not be utilized for any conformance/compliance purposes. Permission is hereby granted for officers from each IEEE Standards Working Group or Committee to reproduce the draft document developed by that Working Group for purposes of international standardization consideration. IEEE Standards Department must be informed of the submission for consideration prior to any reproduction for international standardization consideration ([email protected]). Prior to adoption of this document, in whole or in part, by another standards development organization, permission must first be obtained from the IEEE Standards Department ([email protected]). When requesting permission, IEEE Standards Department will require a copy of the standard development organization's document highlighting the use of IEEE content. Other entities seeking permission to reproduce this document, in whole or in part, must also obtain permission from the IEEE Standards Department.

IEEE Standards Department
445 Hoes Lane
Piscataway, NJ 08854, USA

Abstract: IEEE 1848 provides a set of practical methods for helping to manage the levels of risks due to electromagnetic (EM) disturbances throughout the lifecycles of electronic equipment. These risks include the consequences of all types of errors, malfunctions or failures in products, equipment and systems that employ modern electronic technologies (i.e. in hardware and/or software).

It supplements the work done in creating IEC 61000-1-2:2016 (Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena) by providing requirements for detailed practical techniques and measures for helping to manage risks (not just functional safety) that could be caused by EM disturbances.

These techniques and measures would be used in the management, specification, design, implementation, verification and validation, and through-life operation, maintenance, repair, refurbishment, upgrading, and eventual dismantling for disposal of equipment and systems employing digital electronic systems, for both hardware and software (firmware).

Keywords: Risk management, Risk reduction, Digital systems, Functional Safety, Electromagnetic Interference, EMI, Electromagnetic Compatibility, EMC, Electromagnetic Disturbances.

Important Notices and Disclaimers Concerning IEEE Standards Documents

IEEE documents are made available for use subject to important notices and legal disclaimers. These notices and disclaimers, or a reference to this page, appear in all standards and may be found under the heading “Important Notices and Disclaimers Concerning IEEE Standards Documents.” They can also be obtained on request from IEEE or viewed at http://standards.ieee.org/IPR/disclaimers.html.

Notice and Disclaimer of Liability Concerning the Use of IEEE Standards Documents

IEEE Standards documents (standards, recommended practices, and guides), both full-use and trial-use, are developed within IEEE Societies and the Standards Coordinating Committees of the IEEE Standards Association (“IEEE-SA”) Standards Board. IEEE (“the Institute”) develops its standards through a consensus development process, approved by the American National Standards Institute (“ANSI”), which brings together volunteers representing varied viewpoints and interests to achieve the final product. IEEE Standards are documents developed through scientific, academic, and industry-based technical working groups. Volunteers in IEEE working groups are not necessarily members of the Institute and participate without compensation from IEEE. While IEEE administers the process and establishes rules to promote fairness in the consensus development process, IEEE does not independently evaluate, test, or verify the accuracy of any of the information or the soundness of any judgments contained in its standards.

IEEE Standards do not guarantee or ensure safety, security, health, or environmental protection, or ensure against interference with or from other devices or networks. Implementers and users of IEEE Standards documents are responsible for determining and complying with all appropriate safety, security, environmental, health, and interference protection practices and all applicable laws and regulations.

IEEE does not warrant or represent the accuracy or content of the material contained in its standards, and expressly disclaims all warranties (express, implied and statutory) not included in this or any other document relating to the standard, including, but not limited to, the warranties of: merchantability; fitness for a particular purpose; non-infringement; and quality, accuracy, effectiveness, currency, or completeness of material. In addition, IEEE disclaims any and all conditions relating to: results; and workmanlike effort. IEEE standards documents are supplied “AS IS” and “WITH ALL FAULTS.”

Use of an IEEE standard is wholly voluntary. The existence of an IEEE standard does not imply that there are no other ways to produce, test, measure, purchase, market, or provide other goods and services related to the scope of the IEEE standard. Furthermore, the viewpoint expressed at the time a standard is approved and issued is subject to change brought about through developments in the state of the art and comments received from users of the standard.

In publishing and making its standards available, IEEE is not suggesting or rendering professional or other services for, or on behalf of, any person or entity nor is IEEE undertaking to perform any duty owed by any other person or entity to another. Any person utilizing any IEEE Standards document should rely upon his or her own independent judgment in the exercise of reasonable care in any given circumstances or, as appropriate, seek the advice of a competent professional in determining the appropriateness of a given IEEE standard.

IN NO EVENT SHALL IEEE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO: PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE PUBLICATION, USE OF, OR RELIANCE UPON ANY STANDARD, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE.

Translations

The IEEE consensus development process involves the review of documents in English only. In the event that an IEEE standard is translated, only the English version published by IEEE should be considered the approved IEEE standard.

Official statements

A statement, written or oral, that is not processed in accordance with the IEEE-SA Standards Board Operations Manual shall not be considered or inferred to be the official position of IEEE or any of its committees and shall not be considered to be, or be relied upon as, a formal position of IEEE. At lectures, symposia, seminars, or educational courses, an individual presenting information on IEEE standards shall make it clear that his or her views should be considered the personal views of that individual rather than the formal position of IEEE.

Comments on standards

Comments for revision of IEEE Standards documents are welcome from any interested party, regardless of membership affiliation with IEEE. However, IEEE does not provide consulting information or advice pertaining to IEEE Standards documents. Suggestions for changes in documents should be in the form of a proposed change of text, together with appropriate supporting comments. Since IEEE standards represent a consensus of concerned interests, it is important that any responses to comments and questions also receive the concurrence of a balance of interests. For this reason, IEEE and the members of its societies and Standards Coordinating Committees are not able to provide an instant response to comments or questions except in those cases where the matter has previously been addressed. For the same reason, IEEE does not respond to interpretation requests. Any person who would like to participate in revisions to an IEEE standard is welcome to join the relevant IEEE working group.

Comments on standards should be submitted to the following address:

Secretary, IEEE-SA Standards Board
445 Hoes Lane
Piscataway, NJ 08854 USA

Laws and regulations

Users of IEEE Standards documents should consult all applicable laws and regulations. Compliance with the provisions of any IEEE Standards document does not imply compliance to any applicable regulatory requirements. Implementers of the standard are responsible for observing or referring to the applicable regulatory requirements. IEEE does not, by the publication of its standards, intend to urge action that is not in compliance with applicable laws, and these documents may not be construed as doing so.

Copyrights

IEEE draft and approved standards are copyrighted by IEEE under U.S. and international copyright laws. They are made available by IEEE and are adopted for a wide variety of both public and private uses. These include both use, by reference, in laws and regulations, and use in private self-regulation, standardization, and the promotion of engineering practices and methods. By making these documents available for use and adoption by public authorities and private users, IEEE does not waive any rights in copyright to the documents.


Photocopies

Subject to payment of the appropriate fee, IEEE will grant users a limited, non-exclusive license to photocopy portions of any individual standard for company or organizational internal use or individual, non-commercial use only. To arrange for payment of licensing fees, please contact Copyright Clearance Center, Customer Service, 222 Rosewood Drive, Danvers, MA 01923 USA; +1 978 750 8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.

Updating of IEEE Standards documents

Users of IEEE Standards documents should be aware that these documents may be superseded at any time by the issuance of new editions or may be amended from time to time through the issuance of amendments, corrigenda, or errata. An official IEEE document at any point in time consists of the current edition of the document together with any amendments, corrigenda, or errata then in effect.

Every IEEE standard is subjected to review at least every ten years. When a document is more than ten years old and has not undergone a revision process, it is reasonable to conclude that its contents, although still of some value, do not wholly reflect the present state of the art. Users are cautioned to check to determine that they have the latest edition of any IEEE standard.

In order to determine whether a given document is the current edition and whether it has been amended through the issuance of amendments, corrigenda, or errata, visit the IEEE Xplore at http://ieeexplore.ieee.org/ or contact IEEE at the address listed previously. For more information about the IEEE-SA or IEEE’s standards development process, visit the IEEE-SA Website at http://standards.ieee.org.

Errata

Errata, if any, for all IEEE standards can be accessed on the IEEE-SA Website at the following URL: http://standards.ieee.org/findstds/errata/index.html. Users are encouraged to check this URL for errata periodically.

Patents

Attention is called to the possibility that implementation of this standard may require use of subject matter covered by patent rights. By publication of this standard, no position is taken by the IEEE with respect to the existence or validity of any patent rights in connection therewith. If a patent holder or patent applicant has filed a statement of assurance via an Accepted Letter of Assurance, then the statement is listed on the IEEE-SA Website at http://standards.ieee.org/about/sasb/patcom/patents.html. Letters of Assurance may indicate whether the Submitter is willing or unwilling to grant licenses under patent rights without compensation or under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair discrimination to applicants desiring to obtain such licenses.

Essential Patent Claims may exist for which a Letter of Assurance has not been received. The IEEE is not responsible for identifying Essential Patent Claims for which a license may be required, for conducting inquiries into the legal validity or scope of Patents Claims, or determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance, if any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from the IEEE Standards Association.

Participants

At the time this draft standard was completed, the P1848 Working Group had the following membership:

Keith Armstrong, Chair
Alistair Duffy, Vice Chair

Participant1
Participant2
Participant3
Participant4
Participant5
Participant6
Participant7
Participant8
Participant9

The following members of the <individual/entity> balloting committee voted on this standard. Balloters may have voted for approval, disapproval, or abstention.

[To be supplied by IEEE]

Balloter1
Balloter2
Balloter3
Balloter4
Balloter5
Balloter6
Balloter7
Balloter8
Balloter9

When the IEEE-SA Standards Board approved this standard on <Date Approved>, it had the following membership:

[To be supplied by IEEE]

<Name>, Chair
<Name>, Vice Chair
<Name>, Past Chair
Konstantinos Karachalios, Secretary

Dr. Bill Radasky
Prof. Davy Pissoort
Elya Joffe
Prof. Frank Sabath
Tom Braxton
Dr. Brian Kirk
Harald Buchwald
Matthias Kreitlow
Tim Peikert
Richard Worley
Dr. Carlos Sartori
Curt Sponberg
Ken Lynch
Damian Lopez
Hrvoje Grganic
Steve Zerenner
Lionel Doris
Dr. Hugo Pues
Radu Gosav
Ken Webb
Dr. Junhong Deng
Dr Richard Hoad
Doug Nix
Pete Dorey
Nicholas Monk
Eric Easton
Murray T Marple
Prof. Kai Borgeest
Dr. Luk Arnaut
Nicholas Zagrodnik
Felix Burghardt
Yeou (Brian) Song Lee
Johan Catrysse
Adrian Monk
Christine Blair
Jong Hwa Kwon
Warwick Wong

*Member Emeritus

Copyright © 2020 IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.

Introduction

This introduction is not part of P1848/D6, Draft Standard for Techniques & Measures to Manage Functional Safety and Other Risks with Regard to Electromagnetic Disturbances.

This IEEE Standard provides guidance on the assessment and application of techniques and measures that can help reduce the risks associated with the interfering effects of electromagnetic disturbances on digital electronic systems, especially safety- or mission-related systems.

When competently selected and applied, a set of such techniques and measures can provide the part of the evidence relevant to EMI required for justifying functional safety decisions and for compliance with functional safety standards (including all applicable parts of IEC 61508 Ed.2:2010 or functional safety standards that are based on IEC 61508).

The scope of this Standard does not cover human health effects caused by electromagnetic fields (EMF); HERF (Hazards of Electromagnetic Radiation to Fuel) or HERO (Hazards of Electromagnetic Radiation to Ordnance).

Beneficial comments (recommendations, additions, deletions) and any pertinent data which may be of use in improving this document should be addressed to: IEEE, EMC Society, Standards Development and Education Committee, PAR-1848 Working Group.

A committee consisting of representatives of academia, government and industry prepared this document under the IEEE EMC Society Standards Development and Education Committee.


Contents

1. Overview ... 1
1.1 Scope ... 2
1.2 Purpose ... 2
1.3 How to use this standard ... 2
1.4 The relationship between this IEEE Standard and IET 2017 [B8] ... 3

2. Normative references ... 4

3. Definitions ... 5

4. General introduction to the techniques and measures for achieving electromagnetic resilience ... 11
4.1 Overview ... 11
4.2 Why manage risks due to electromagnetic disturbances? ... 11
4.3 The aims and application of this Standard ... 14
4.4 Relationship with IEC 61508:2010 and other safety standards ... 14
4.5 Achieving electromagnetic resilience for functional safety ... 15
4.6 Application of electromagnetic resilience techniques and measures ... 19
4.7 Assessment of electromagnetic resilience techniques and measures ... 20
4.8 Documentation of electromagnetic resilience ... 22

5. Checklist of electromagnetic resilience techniques and measures ... 23

Annex A Detailed guidance on electromagnetic resilience techniques and measures (informative) ... 41
A.1 Electromagnetic resilience in project management, planning and specification ... 41
A.2 Electromagnetic resilience techniques and measures for use in system design ... 46
A.3 Techniques and measures for use in operational design ... 59
A.4 Techniques and measures for implementation, integration, installation and commissioning ... 89
A.5 Techniques and measures for verification and validation (including testing) ... 92
A.6 Techniques and measures for operation, maintenance, repair, overhaul, refurbishment and upgrade ... 97
A.7 Maintaining electromagnetic resilience during decommissioning ... 101
A.8 Integrating third-party items into safety-related systems ... 102

Annex B Bibliography ... 105
B.1 General references ... 105
B.2 Good EMC engineering for systems and installations ... 106
B.3 Good EMC engineering for individual items of equipment ... 108
B.4 Software design techniques and measures ... 109
B.5 IEC and CISPR standardized EMC test methods ... 112
B.6 Automotive industry EMC test standards ... 114
B.7 Marine industry EMC test standards ... 115
B.8 Undersea industry EMC test standards ... 115
B.9 Rail industry EMC standards and guidance documents ... 116
B.10 Civilian avionics and aerospace industry EMC test standards ... 118
B.11 Military industry EMC test standards ... 118
B.12 ITE, Telecommunications and Wireless industry EMC test standards ... 119
B.13 Some ‘Ad Hoc’ test methods ... 119
B.14 Assessing the electromagnetic environment, and detecting threats ... 120
B.15 Verification/validation and other techniques (not specifically related to electromagnetic disturbances) ... 121
B.16 References associated with Annex E ... 125


Annex C Some functional safety standards based on applicable parts of IEC 61508 ... 127

Annex D Glossary ... 129

Annex E General concepts and definitions of ‘Risk’ ... 130
E.1 Different kinds of Risk ... 130
E.2 Managing Functional Safety (and Other) Risks Due to EMI ... 134
E.3 Examples of Techniques and Measures for EM Resilience ... 135

Annex F Comparisons with IEC standard ... 137

Annex G Cross-reference between the reference numbering in this IEEE Standard and that in IET 2017 [B8] ... 142
G.1 General references, cross-reference list ... 142
G.2 Good EMC engineering for systems and installations, cross-reference list ... 143
G.3 Good EMC engineering for individual items of equipment, cross-reference list ... 143
G.4 Software design techniques and measures, cross-reference list ... 144
G.5 IEC and CISPR standardized EMC test methods, cross-reference list ... 145
G.6 Automotive industry EMC test standards, cross-reference list ... 146
G.7 Marine industry EMC test standards, cross-reference list ... 146
G.8 Undersea industry EMC test standards, cross-reference list ... 146
G.9 Rail industry EMC standards and guidance documents, cross-reference list ... 146
G.10 Civilian avionics and aerospace industry EMC test standards, cross-reference list ... 147
G.11 Military industry EMC test standards, cross-reference list ... 148
G.12 ITE, Telecommunications and Wireless industry EMC test standards, cross-reference list ... 148
G.13 Some ‘Ad Hoc’ test methods, cross-reference list ... 148
G.14 Assessing the electromagnetic environment, and detecting threats, cross-reference list ... 148
G.15 Verification/validation and other techniques (not specifically related to electromagnetic disturbances), cross-reference list ... 149
G.16 References associated with Annex E, cross-reference list ... 150


Draft Standard for Techniques & Measures to Manage Functional Safety and Other Risks with Regard to Electromagnetic Disturbances

1. Overview

This IEEE Standard provides guidance on the assessment and application of techniques and measures that can reduce the risks associated with the interfering effects of electromagnetic disturbances on digital electronic systems, especially safety- or mission-related systems.

When competently selected and applied, a set of such techniques and measures can provide the part of the evidence relevant to EMI required for justifying functional safety decisions and for compliance with functional safety standards (including all applicable parts of IEC 61508 Ed.2:2010 or functional safety standards that are based on IEC 61508, see the partial list in Annex C).

They can also provide part of the evidence relevant to EMI for medical/healthcare systems for which risks are managed in accordance with ISO 14971:2007 [B11].

This standard supports the adoption of adequate electromagnetic resilience engineering practices throughout the functional safety lifecycle, by offering further guidance and practical advice on the application of risk management activities, including the techniques and measures set out in IEC 61000-1-2:2016.

While it is primarily intended to be used by those who have responsibilities for functional safety, the methodologies, techniques and measures it describes can also be used for the reduction of other kinds of risks in any systems that employ electronic technology, such as security risks and non-safety-related risks (for example, risks to the operation of commercial IT systems). However, this standard does not address the risks to human health that can be caused by electromagnetic fields (EMF); HERF (Hazards of Electromagnetic Radiation to Fuel), or HERO (Hazards of Electromagnetic Radiation to Ordnance).


1 1.1 Scope

2 This standard provides a set of practical methods for managing functional safety and other risks due to
3 Electromagnetic (EM) disturbances throughout the life of a product.

4 This includes all types of errors, malfunctions or failures in products, equipment and systems that employ
5 modern digital technologies (i.e. hardware and software).

6 1.2 Purpose

7 The purpose of this standard is to provide requirements for the techniques and measures used in the design,
8 verification and validation of systems, hardware and software (firmware).

9 These would be applied where EM disturbances could cause errors, malfunctions or failures leading to
10 unacceptable risks over the lifetime of equipment; whether safety or any other kind of risk is to be
11 managed.

12 1.3 How to use this standard

13 This standard requires a structured justification of adequate electromagnetic resilience of a system to be
14 individually provided for each of the safety functions in that system, following the approach taken by the
15 IEC’s Basic Standard on Functional Safety, IEC 61508.

16 Clause 4 describes the use of this standard in detail, and the required structured justification for each of a
17 system’s safety functions is achieved by completing the cells in the right-hand-most column of the checklist
18 in Clause 5 plus providing all the documents referenced in those cells.

19 In general, it is expected that most systems requiring safety risk management will have several safety
20 functions, each one of which will be associated with its own, completed, Clause 5 checklist. In some
21 circumstances two or more different safety functions may be able to be addressed by a single Clause 5
22 checklist.

23 Note that IEC 61508 provides a well-proven process for assessing functional safety-related risks and by
24 how much they need reduction (its SILs 1-4), and then prescribes the well-proven techniques and measures
25 that shall or should be employed to reduce those risks to the extent required. Unfortunately, neither it nor
26 its ‘daughter’ standards (see the partial list in Annex C) contains a complete set of techniques and measures
27 suitable for reducing the functional safety risks due to EM disturbances to the extent required.

28 This standard relies on IEC 61508’s hazard analysis and risk assessment process having been completed as
29 part of the overall risk management of functional safety for a system, and merely adds the missing
30 techniques and measures necessary for fully controlling the functional safety risks that could be affected by
31 EM disturbances.


1 1.4 The relationship between this IEEE Standard and IET 2017 [B8]

2 These two documents are very closely related. Because the risk management of EM disturbances is such a
3 new field, a conscious effort was made by the IEEE’s working group to keep the texts of the two
4 documents identical as far as possible.

5 The reasons for this were to minimize the possibilities for accidentally causing confusion by describing the
6 same thing in two different ways; and to minimize the increase in functional safety (or other) risks that
7 could foreseeably be caused in projects (especially multinational projects) in which some people are using
8 IET 2017 [B8] and some are using this standard.

9 It has not been possible to keep the reference numbering – for example: [B999] – identical between IET
10 2017 [B8] and this standard, so a new Annex G has been added in this standard to provide cross-references
11 between them. Throughout the text of this standard, reference numbers in square brackets are linked to their
12 relevant cross-reference lists in Annex G by text or a footnote.

13 The cross-reference tables in Annex G should make it easy for anything referenced in this standard to be
14 correlated with the same thing in IET 2017 [B8], to help avoid confusion in geographically-diverse project
15 teams when some members might be using [B8] while others are using this standard.

16 Another significant difference concerns the normative checklist in Clause 5 of this IEEE Standard. In IET
17 2017 [B8] this checklist is merely a recording convenience in its informative Annex A, whereas in this
18 IEEE Standard it is a normative requirement in Clause 5.

19 This change has caused some knock-on renumbering of Clauses and Subclauses in this standard, so they no
20 longer correspond directly with IET 2017 [B8], as follows. In Annex A of this standard, the numbering is
21 identical to that in Clause 2 of [B8] except that the first character in the numbering in this Standard is the
22 letter A (e.g. A.3.2) whereas in [B8] it is the number 2 (e.g. 2.3.2).

23 Finally, because this IEEE Standard is a newer document than [B8], some of its contents have been slightly
24 changed from those in [B8] in order to clarify their meanings without changing them. Also, some of the
25 contents of this IEEE Standard are new, and additional to the contents of [B8].


1 2. Normative references
2 The following referenced documents are indispensable for the application of this document (i.e., they shall
3 be understood and used, so each referenced document is cited in the text and its relationship to this
4 document is explained). For dated references, only the edition cited applies. For undated references, the
5 latest edition of the referenced document (including any amendments or corrigenda) applies.

6 The IEEE Standards Dictionary Online

7 IEEE/ANSI C63.14-2014, American National Standard Dictionary of Electromagnetic Compatibility
8 (EMC) including Electromagnetic Environmental Effects (E3)

9 IEC 61000-1-2:2016¹, Electromagnetic compatibility (EMC) - Part 1-2: General - Methodology for the
10 achievement of functional safety of electrical and electronic systems including equipment with regard to
11 electromagnetic phenomena (an IEC Basic Safety standard as defined in IEC Guide 104)

12 IEC 61508-1 Ed. 2.0¹: Functional safety of electrical/electronic/programmable electronic safety-related
13 systems – Part 1: General requirements

14 IEC 61508-2 Ed. 2.0: Functional safety of electrical/electronic/programmable electronic safety-related
15 systems – Part 2: Requirements for electrical/electronic/programmable electronic safety related systems

16 IEC 61508-3 Ed. 2.0: Functional safety of electrical/electronic/programmable electronic safety-related
17 systems – Part 3: Software requirements

18 IEC 61508-4 Ed. 2.0: Functional safety of electrical/electronic/programmable electronic safety-related
19 systems – Part 4: Definitions and abbreviations

20 IEC 61508-5 Ed. 2.0: Functional safety of electrical/electronic/programmable electronic safety-related
21 systems – Part 5: Examples of methods for the determination of safety integrity levels

22 IEC 61508-6 Ed. 2.0: Functional safety of electrical/electronic/programmable electronic safety-related
23 systems – Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3

24 IEC 61508-7 Ed. 2.0²: Functional safety of electrical/electronic/programmable electronic safety-related
25 systems – Part 7: Overview of techniques and measures

¹ For the corresponding reference number in IET 2017 [B8] see Annex G
² For the corresponding reference number in IET 2017 [B8] see Annex G


1 3. Definitions
2 For the purposes of this document, the following terms and definitions apply. The IEEE Standards
3 Dictionary Online³ and IEEE/ANSI C63.14-2014 should be consulted for terms not defined in this clause.
4 The Glossary in Annex D may also be useful.

5 3.A: ‘Amperes’.

6 3.1 AC: ‘Alternating current’, a term used to denote electrical power or signals that are at a
7 frequency other than 0 Hz.

8 3.2 Amp: Abbreviation of Ampere, the standard unit of measuring electrical current flow.

9 3.3 Anticipated lifecycle:
10 The ‘safety lifecycle’ that is anticipated by the risk management process at the planning
11 stage.

12 3.4 Availability:
13 The probability of functioning at a given instant.

14 3.5 CE marking:
15 A form of mark that indicates that a product is claimed by its supplier to comply with all
16 relevant EU Directives, such as the EMC Directive [B1]⁴.

17 3.6 Competence:
18 Having the training, technical knowledge, experience and qualifications relevant to the
19 specific duties to be performed. (Adapted from IEC 61508-1, for more detail see IEC
20 61508-1 Ed.2:2010, sub-clauses 6.2.13 to 6.2.15)

21 3.7 Competent:
22 Having the appropriate competence relevant to the specific duties to be performed.
23 (Adapted from IEC 61508-1, for more detail see IEC 61508-1 Ed.2:2010, sub-clauses
24 6.2.13 to 6.2.15.)

25 3.8 Conducted transients:
26 Conducted emissions that are transient (short-term) in their nature, such as ‘spikes’,
27 usually described in time-domain terms, for example, as a waveform, rather than
28 frequency-domain terms, such as a spectrum.

29 3.9 Conducted:
30 When applied to emissions or immunity, this term refers to unwanted electromagnetic
31 energy conducted from equipment via the power supply or data, signal or control
32 conductors.

33 3.10 DC: ‘Direct current’, a term used to denote an electrical power or signal voltage or current at 0
34 Hz.

35 3.11 Dropout: A sudden reduction of the electrical power supply voltage to zero for a short period of
36 time, usually less than 1 second, followed by a recovery to the original level.

³ The IEEE Standards Dictionary Online is available at: http://www.ieee.org/portal/innovate/products/standard/standards_dictionary.html.
⁴ For the corresponding reference number in IET 2017 [B8] see Annex G


1 3.12 DS: ‘Defined state’, an equipment ‘performance criterion’: a specified, detectable operational
2 state that an element or sub-system of a safety-related system switches to, temporarily or
3 permanently within a stated time, if it suffers from errors, malfunctions or failures, for
4 example, from EMI during an immunity test.
5 Destruction of components is allowed as long as the DS of the EUT is maintained or
6 achieved within a stated time. See 3.1.21 in IEC 61000-1-2:2016.
7 Some EMC publications related to functional safety used to use the abbreviation ‘FS’ for
8 this performance criterion, instead of ‘DS’.

9 3.13 EDR: Event data recorder, a non-volatile memory that stores ‘events’ detected by programmed
10 diagnostic techniques, such as errors or failures, whether or not they were associated with
11 a safety incident/accident.

12 3.14 Electromagnetic field:
13 As an electromagnetic wave propagates in three-dimensional space and time, the
14 magnitudes of its electric and magnetic waves can be represented as varying fields within
15 the volume through which it is passing or has passed. Electric field strengths are
16 measured in Volts/meter (V/m) and magnetic field strengths in Amps/meter (A/m).

17 3.15 Electromagnetic phenomenon:
18 Any type of propagating electromagnetic energy (conducted, radiated, continuous,
19 transient, electric, magnetic, voltage, current, common-mode, differential-mode, antenna-
20 mode, arc or spark, etc.) or a change in the propagating medium itself.

21 3.16 Element: A part of a system comprising a single component or any group of components that
22 performs one or more element safety functions. Note 1: An element may comprise
23 hardware and/or software. Note 2: A typical element is a sensor, programmable controller
24 or final element. (IEC 61000-1-2:2016 definition 3.1.12)

25 3.17 EMC Directive:
26 Legal instrument by which all member states in the European Union (EU) are obliged to
27 enact national laws that have the same effect, to restrict the supply of electrical and
28 electronic goods in the EU to those that meet certain minimum requirements for
29 electromagnetic emissions and immunity, see [B1]⁵

30 3.18 Equipment:
31 A general term that refers to a wide variety of possible elements, modules, devices and
32 assemblies of products (see IEC 61000-1-2:2016 definition 3.1.14).

33 3.19 ETSI: European Telecommunications Standards Institute, www.etsi.org.

34 3.20 EUC: ‘Equipment under control’, equipment, machinery, apparatus or plant used for
35 manufacturing, process, transportation, medical or other activities, including the EUC’s
36 control systems (see IEC 61508-4, definition 3.2.1, modified).

37 3.21 Field: See ‘electromagnetic field’.

38 3.22 Filter: A combination of capacitors, inductors, RF absorbers, resistors and/or other types of
39 components intended to reduce the amount of electromagnetic energy at certain
40 frequencies from being conducted along a cable or wire.

⁵ For the corresponding reference number in IET 2017 [B8] see Annex G


1 3.23 FPGA: ‘Field-programmable gate array’, an integrated circuit designed to be configured by a
2 customer or a designer after manufacturing – hence ‘field-programmable’. The FPGA
3 configuration is generally specified using a hardware description language (HDL), similar
4 to that used for an application-specific integrated circuit (ASIC). (Circuit diagrams were
5 previously used to specify the configuration, as they were for ASICs, but this is
6 increasingly rare.) FPGAs contain an array of programmable logic blocks, and a
7 hierarchy of reconfigurable interconnects that allow the blocks to be ‘wired together’, like
8 many logic gates that can be inter-wired in different configurations. Logic blocks can be
9 configured to perform complex combinational functions, or merely simple logic gates like
10 AND and XOR. In most FPGAs, logic blocks also include memory elements, which may
11 be simple flip-flops or more complete blocks of memory. (From Wikipedia:
12 https://en.wikipedia.org/wiki/Field-programmable_gate_array.)

13 3.24 Functional safety:
14 That part of the overall safety that depends on the correct functioning of electrical,
15 electromechanical or electronic (hardware and software) technologies.

16 3.25 HR: ‘Highly recommended’.

17 3.26 I/O: Input/output.

18 3.27 IC: ‘Integrated circuit’, a type of semiconductor device that contains many transistors,
19 arranged to provide certain electronic functions. The latest types of IC can contain several
20 million individual transistors.

21 3.28 IEMI: ‘Intentional electromagnetic interference’, intentional malicious generation of
22 electromagnetic energy introducing noise or signals into electric and electronic systems,
23 thus disrupting, confusing or damaging those systems for terrorist or criminal purposes
24 (taken from IEC 61000-2-13:2004 Electromagnetic compatibility (EMC): Environment -
25 High-power electromagnetic (HPEM) environments – radiated and conducted).

26 3.29 IET: The Institution of Engineering and Technology, created in 2006 by the merger of the
27 Institution of Electrical Engineers (IEE, which dates back to 1884), with the Institution of
28 Incorporated Engineers (IIE). Based in London, U.K.

29 3.30 Interference:
30 Usually shorthand for ‘electromagnetic interference’, also known as EMI or RFI.

31 3.31 Jammer: A jamming device (‘jammer’) is a radio frequency transmitter that intentionally blocks,
32 jams, or interferes with communications such as cell phone calls, text messages, GPS
33 systems, and Wi-Fi networks. Visit: https://www.gps.gov/spectrum/jamming/

34 3.32 Jamming: The act of using a jamming device or ‘jammer’ to intentionally block, jam, or interfere
35 with lawful communications such as cell phone calls, text messages, GPS systems, and
36 Wi-Fi networks. Visit: https://www.gps.gov/spectrum/jamming/

37 3.33 JTAG: IEEE Standard 1149.1-1990, Standard Test Access Port and Boundary-Scan Architecture.

38 3.34 Lifecycle: A period of time that starts at the concept phase of a project and finishes when all of the
39 safety-related systems and other risk reduction measures are no longer available for use
40 (see IEC 61508-4, definition 3.7.1; excerpt modified).

41 3.35 Lightning protection:
42 Protection against the direct and/or indirect effects of lightning.


1 3.36 Liveness: In concurrent computing, liveness refers to a set of properties of concurrent systems that
2 require a system to make progress despite the fact that its concurrently executing
3 components (processes) may have to ‘take turns’ in critical sections, parts of the program
4 that cannot be simultaneously run by multiple processes. Liveness guarantees are
5 important properties in operating systems and distributed systems. See [B126]⁶.

6 3.37 Packet sequencing:
7 ‘A powerful tool that uses the Sequenced Packet Protocol (SPP): a networking protocol
8 that provides reliable transport of packets with flow control in environments where
9 multiple transport connections are established. SPP uses destination ID reference numbers
10 to identify the target end of a transport connection; sequence numbers to keep transmitted
11 packets in the order in which they were sent; and acknowledge numbers that are assigned
12 to the last packet in a sequence that a destination received properly to indicate that the
13 transmission is complete and successful.’
14 (From www.webopedia.com/TERM/S/sequenced_packet_protocol.html.)
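The sequence-number and acknowledge-number checks of 3.37, combined with the event data recorder of 3.13 and the defined-state (DS) performance criterion of 3.12, as an added example that is not part of this draft standard: a constructed receiver classifies each packet by destination ID and sequence number, logs every loss, duplicate or misdelivery to an EDR so that transitory EMI-induced link errors leave tangible evidence, and switches to a defined state when too many errors occur within a stated time. The header layout, field widths, the error-window policy and all names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed SPP-style header carrying the fields named in 3.37; widths are assumed. */
typedef struct {
    uint16_t dest_id;   /* destination ID reference number of the target endpoint */
    uint16_t seq;       /* sequence number of this packet */
    uint16_t ack;       /* last sequence number the sender received properly from us */
} spp_header_t;

typedef enum {
    RX_ACCEPT = 0,      /* in-order packet for this endpoint: hand to the application */
    RX_DUPLICATE,       /* sequence number already seen (retransmission or echo) */
    RX_GAP,             /* sequence number jumped ahead: one or more packets lost */
    RX_WRONG_DEST       /* not addressed to this endpoint */
} rx_result_t;

/* One EDR record (3.13): the event plus enough context to analyse it later. */
typedef struct {
    uint32_t    time_ms;
    rx_result_t event;
    uint16_t    expected_seq;
    uint16_t    received_seq;
} edr_entry_t;

#define EDR_CAPACITY 32   /* assumed size of the non-volatile event store */
#define ERR_HISTORY  8    /* error timestamps kept for the defined-state decision */

typedef struct {
    uint16_t    my_id;
    uint16_t    expected_seq;   /* next in-order sequence number */
    uint16_t    peer_ack;       /* latest acknowledge number received from the peer */
    uint32_t    window_ms;      /* assumed DS policy (3.12): max_errors link errors */
    unsigned    max_errors;     /* within window_ms switch the element to its DS   */
    uint32_t    err_times[ERR_HISTORY];
    unsigned    err_head, err_count;
    bool        in_defined_state;
    edr_entry_t edr[EDR_CAPACITY];
    unsigned    edr_len;
} spp_receiver_t;

void spp_receiver_init(spp_receiver_t *rx, uint16_t my_id,
                       uint32_t window_ms, unsigned max_errors)
{
    memset(rx, 0, sizeof *rx);
    rx->my_id = my_id;
    rx->window_ms = window_ms;
    rx->max_errors = max_errors;
}

/* Number of recorded errors inside the sliding window ending at now_ms. */
static unsigned errors_in_window(const spp_receiver_t *rx, uint32_t now_ms)
{
    unsigned n = 0;
    for (unsigned i = 0; i < rx->err_count; i++)
        if (now_ms - rx->err_times[i] <= rx->window_ms)
            n++;
    return n;
}

static void record_error(spp_receiver_t *rx, uint32_t now_ms, rx_result_t ev,
                         uint16_t expected_seq, uint16_t received_seq)
{
    /* Append to the EDR; once full, later events are dropped rather than
     * overwriting the earliest ones, which are usually the most telling. */
    if (rx->edr_len < EDR_CAPACITY)
        rx->edr[rx->edr_len++] = (edr_entry_t){now_ms, ev, expected_seq, received_seq};
    /* Ring of recent error timestamps feeding the defined-state decision. */
    rx->err_times[rx->err_head] = now_ms;
    rx->err_head = (rx->err_head + 1) % ERR_HISTORY;
    if (rx->err_count < ERR_HISTORY)
        rx->err_count++;
    if (errors_in_window(rx, now_ms) >= rx->max_errors)
        rx->in_defined_state = true;   /* application then holds its safe outputs */
}

/* Classify one received header; every non-accept outcome is logged to the EDR. */
rx_result_t spp_receive(spp_receiver_t *rx, const spp_header_t *h, uint32_t now_ms)
{
    uint16_t expected = rx->expected_seq;
    rx_result_t r;
    if (h->dest_id != rx->my_id) {
        r = RX_WRONG_DEST;
    } else if (h->seq == expected) {
        r = RX_ACCEPT;
        rx->peer_ack = h->ack;
        rx->expected_seq++;                         /* 16-bit wrap-around is intended */
    } else if ((uint16_t)(expected - h->seq) < 0x8000u) {
        r = RX_DUPLICATE;                           /* seq lies behind expected */
    } else {
        r = RX_GAP;                                 /* seq lies ahead: packets lost */
        rx->expected_seq = (uint16_t)(h->seq + 1);  /* resynchronise to the stream */
    }
    if (r != RX_ACCEPT)
        record_error(rx, now_ms, r, expected, h->seq);
    return r;
}
```

The in_defined_state flag is deliberately never cleared by the receiver; returning from the defined state is a decision for the application's own recovery logic, not for the link layer.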

15 3.38 PCB: ‘Printed circuit board’, laminated structure with layers of etched foil conductors (usually
16 copper) known as tracks or traces, interspersed with layers of dielectrics (often a glass-
17 fiber matrix). Sometimes called a printed wiring board (PWB). The traces are
18 interconnected between layers by plated-through holes (PTH) known as ‘via holes’.
19 Electronic components are mounted onto the PCB and soldered to the traces on the
20 outermost layer(s). Components with long pins or leads may be connected directly to
21 traces on inner layers by plated through holes.

22 3.39 Power quality:


23 A general term embracing a number of issues affecting the quality of the AC or DC
24 electrical power supply, such as dips, dropouts, interruptions, sags, swells, harmonic
25 waveform distortion, inter-harmonic waveform distortion, surges, spikes and transients.
26 The standard for instruments measuring power quality is IEC 61000-4-30.

27 3.40 Reliability:
28 The probability of functioning properly over a given period of time.

29 3.41 Resilience:
30 The capacity to recover quickly or easily from difficulties, misfortune or change;
31 toughness.

32 3.42 Resilient: Having resilience.

33 3.43 RF Reference:
34 A conductive structure, usually a continuous or meshed (gridded) metal sheet or volume;
35 in installations usually a meshed structure made of interconnected conductors and metal
36 structures, that maintains a low impedance (generally much less than 1 ) up to some
37 defined frequency.

38 3.44 Safety case:
39 A structured argument, supported by a body of evidence, that provides a compelling,
40 comprehensible and valid case that a safety-related system is safe enough for a given
41 application in a given environment.

42 3.45 Safety documentation:
43 Includes all the information necessary for the safe use of the item. Safety manuals and
44 safety cases are examples of such documentation.

⁶ For the corresponding reference number in IET 2017 [B8] see Annex G


1 3.46 Safety function:
2 A function to be implemented by an Electrical/Electronic/Programmable Electronic
3 safety-related system or other risk reduction measures, that is intended to achieve or
4 maintain a safe state for the EUC, in respect of a specific hazardous event.
5 Examples of safety functions include: functions that are required to be carried out as
6 positive actions to avoid hazardous situations (for example switching off a motor); and
7 functions that prevent actions being taken (for example preventing a motor starting).
8 (From IEC 61508-4, definition 3.5.1)

9 3.47 Safety integrity level:
10 A discrete level (one out of a possible four), corresponding to a range of safety integrity
11 values, where safety integrity level 4 has the highest safety integrity level and safety
12 integrity level 1 has the lowest. The target failure measures for the four safety integrity
13 levels are specified in Tables 2 and 3 of IEC 61508-1 (see IEC 61508-4, definition 3.5.8).

14 3.48 Safety lifecycle:
15 The necessary activities involved in the implementation of safety-related systems,
16 occurring during a period of time that starts at the concept phase of a project and finishes
17 when all of the E/E/PE safety-related systems and other risk reduction measures are no
18 longer available for use.
19 NOTE 1 The term ‘functional safety lifecycle’ is more accurate, but the adjective
20 ‘functional’ is not considered necessary in this case within the context of this document.
21 NOTE 2 The safety lifecycle models used in this document are specified in Figures 2, 3
22 and 4 of IEC 61508-1.
23 (See IEC 61508-4, definition 3.7.1)

24 3.49 Safety manual:
25 For compliant items, a document that provides all the information relating to the
26 functional safety of an element, in respect of specified element safety functions, that is
27 required to help ensure that the system meets the requirements of IEC 61508 series (see
28 IEC 61508-4:2010, definition 3.8.17).

29 3.50 Safety: Freedom from unacceptable risk (see ISO/IEC Guide 51:1999, definition 3.1).

30 3.51 Safety-related system:
31 The designated system that both: implements the required safety functions necessary to
32 achieve or maintain a safe state for the EUC; and is intended to achieve, on its own or
33 with other safety-related systems and other risk reduction measures, the necessary safety
34 integrity for the required safety functions. (See IEC 61508-4, definition 3.4.1.)

35 3.52 SC: Systematic capability

36 3.53 Screening: An alternative term for shielding.

37 3.54 SIL: See ‘Safety integrity level’

38 3.55 Surge: A type of transient voltage and/or current with a high energy content, typically produced
39 by the energy associated with a lightning strike or flyback of stored inductive energy (for
40 example, in a large electric motor or generator) coupling into cables such as power supply
41 or telecommunication cables. A surge is generally considered to have much longer rise
42 times and decay times, and have much more energy associated with it, than a ‘transient’,
43 ‘fast transient’ or ‘spike’.


1 3.56 Systematic capability:
2 The measure (expressed on a scale of SC 1 to SC 4) of the confidence that the systematic
3 safety integrity of an element meets the requirements of the specified SIL, in respect of
4 the specified element safety function, when the element is applied in accordance with the
5 instructions specified in the compliant item safety manual for the element.
6 Note 1: Systematic capability is determined with reference to the requirements for the
7 avoidance and control of systematic faults (see IEC 61508-2 and IEC 61508-3).
8 Note 2: What is a relevant systematic failure mechanism will depend on the nature of the
9 element. For example, for an element comprising solely software, only software failure
10 mechanisms will need to be considered. For an element comprising hardware and
11 software, it will be necessary to consider both systematic hardware and software failure
12 mechanisms.
13 Note 3: A Systematic capability of SC N for an element, in respect of the specified
14 element safety function, means that the systematic safety integrity of SIL N has been met
15 when the element is applied in accordance with the instructions specified in the compliant
16 item safety manual for the element.

17 3.57 Wave shape, waveshape:
18 Another term for waveform.

19 3.58 Wave: A physical quantity (e.g. voltage, current, field strength) that fluctuates with time and/or
20 distance.

21 3.59 Waveform:
22 The two-dimensional shape made by a plot or graph of a physical quantity (e.g. voltage,
23 current, field strength) when it is plotted or displayed on the vertical axis, with time or
24 distance on the horizontal axis.

1 4. General introduction to the techniques and measures for achieving
2 electromagnetic resilience

3 4.1 Overview

4 This Standard provides guidance on the assessment and application of techniques and measures that can
5 help reduce the risks associated with the interfering effects of electromagnetic disturbances on digital
6 electronic systems, especially safety- and mission-related systems.

7 When competently selected and applied, a set of such techniques and measures will provide the part of the
8 evidence relating to EMI, required for justifying functional safety decisions and for compliance with
9 functional safety standards (including all applicable parts of IEC 61508 Ed.2:2010 or functional safety
10 standards that are based on IEC 61508:2010).

11 The expectation is that compliance with this Standard will be achieved by adding text and links to other
12 design, verification or validation documents, into the cells in the right-hand-most column of one or more
13 copies of the checklists in Clause 5 to demonstrate whether and how each of the techniques or measures has
14 been applied for each of a system’s safety functions.

15 The scope of this Standard does not cover human health effects caused by electromagnetic fields (EMF);
16 HERF (Hazards of Electromagnetic Radiation to Fuel) or HERO (Hazards of Electromagnetic Radiation to
17 Ordnance).

18 4.2 Why manage risks due to electromagnetic disturbances?

19 All electronic and electro-mechanical technologies can suffer errors, malfunctions or failures due to
20 electromagnetic interference (EMI), which can be caused by electromagnetic disturbances. For non-safety
21 equipment, functionality in this regard is generally demonstrated by compliance with all applicable
22 electromagnetic immunity test standards.

23 Where electronic or electro-mechanical technologies are used in a safety-related application, it is necessary
24 to ensure that EMI cannot cause safety risks to exceed tolerable limits. However, compliance with
25 electromagnetic immunity test standards (for example, those listed as providing a presumption of
26 conformity to the EMC Directive [B1]⁷) does not demonstrate safety performance, and traditional
27 immunity testing cannot validate equipment’s safety performance to the confidence required for safety
28 applications.

29 In practice a number of factors related to electromagnetic disturbances limit the confidence with which
30 safety performance can be demonstrated, including:
31 a) over a lifecycle, in any real situation the characteristics and locations of sources of electromagnetic
32 disturbances can rarely be known with confidence, and often cannot be predicted with complete
33 confidence.
34 b) operational experience is of very limited value in demonstrating safety performance with respect to
35 EMI throughout the operation of a safety-related system. Errors, malfunctions and failures caused
36 by EMI are often transitory, leaving no tangible evidence of their occurrence, making fault
37 identification and evidence gathering extremely difficult unless specific techniques and measures
38 are used.

⁷ For the corresponding reference number in IET 2017 [B8] see Annex G


1 c) no practicable amount of electromagnetic immunity testing can be sufficient, on its own, to
2 demonstrate the performance of a safety component or system throughout its life.

3 The likelihood of EMI impacting upon the performance of safety-related systems is also increasing
4 because:
5 d) there is a rapidly increasing use of wireless systems, high-speed and/or high-power switching
6 devices and programmable electronics, in all applications. The electromagnetic disturbances
7 increasingly being emitted by these technologies, and their increasing use, will make the
8 electromagnetic environment progressively worse, in terms of noise levels, spectral density and
9 bandwidth for the foreseeable future.
10 e) modern safety systems increasingly employ technologies with the potential for decreased immunity
11 (increased susceptibility), for example, modern electronics operating at lower switching voltages,
12 lower power consumption, and wireless receivers. The application of such technologies may not be
13 evident without detailed analysis of product design information.
14 f) the use of intentionally-generated electromagnetic disturbances to prevent the operation of a system
15 is a growing concern, not just for the military sector but also for critical infrastructure and other
16 sectors.

17 Consequently, there is a need to manage the electromagnetic resilience of safety systems, in order to help
18 ensure that they are capable of delivering their intended risk reduction throughout their operation.

19 The basic IEC publication covering electromagnetic compatibility (EMC) for functional safety is IEC
20 61000-1-2:2016. This publication establishes a methodology that may contribute to the achievement of
21 functional safety as regards the effects of electromagnetic phenomena for electrical and electronic systems
22 and installations.

23 IEC 61000-1-2:2016 uses the terminology of IEC 61508:2010 and can be used to support claims, made in
24 accordance with the applicable parts of IEC 61508:2010 and functional safety standards based upon it, that
25 functional safety has been achieved with regard to electromagnetic disturbances.

The methodology set out in IEC 61000-1-2:2016 is based on risk management principles and focuses on reducing risks throughout the lifecycle of a safety-related system. It is used as the framework for this Standard, which is based on good engineering practices in managing risks. Table 3 and Annex B of IEC 61000-1-2:2016 briefly describe a number of techniques and measures related to electromagnetic resilience (the subject of this Standard) as a practical method for helping to achieve compliance. Figure 1 provides an overview of the use of IEC 61000-1-2 from a management perspective.

The medical industry uses IEC 60601-1-2 Ed.4:2014 (see Annex C) to manage the risks that can be caused by electromagnetic disturbances.

12
Copyright © 2020 IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
P1848/D6, January 2020
Draft Standard for Techniques & Measures to Manage Functional Safety and Other Risks with Regard to Electromagnetic
Disturbances

Figure 1 reconstructed as text (the boxes of the diagram, in reading order):

Functional Safety: This is the part of the overall safety of a system that depends upon the correct functioning of electrical and/or electronic equipment. The Basic Publication on Functional Safety is IEC 61508.

Electromagnetic Interference (EMI): Some natural phenomena (lightning, static discharges, etc.) and all electrical and electronic equipment emit certain EM disturbances. All electrical and electronic equipment (hardware, software, systems, installations, etc.) is vulnerable to certain EM disturbances. When they are so affected, we say they are suffering from EMI.

Functional Safety Risks due to EMI: Where EMI may cause errors, malfunctions or failures in the correct functioning of electrical or electronic equipment (hardware and/or software), this can in turn increase functional safety risks. Note: this is not concerned with compliance with any directives or regulations on EMC; only with functional safety risks. The IEC's Basic Publication on achieving Functional Safety despite EM disturbances is IEC 61000-1-2:2016.

Reduction of Risks due to EMI: Requires the use of appropriate design, verification and validation techniques and measures from concept to completion. Also in maintenance, repair, refurbishment, upgrades, modifications, etc., throughout the lifecycle.

Electromagnetic Resilience (box label only).

Costs and Liabilities: Functional Safety risks caused by EMI can be very costly to deal with, and may also cause breaches of Health & Safety and/or Product Liability legislation.

Note: "electrical" equipment includes electromechanical; and "electronic" equipment includes programmable electronic.

Figure 1 — Overview of electromagnetic resilience issues (source: IET 2017 [B8])

4.3 The aims and application of this Standard

The aim of this Standard is to support the achievement of functional safety performance by providing guidance on the selection and application of electromagnetic resilience techniques and measures.

Its purpose is to support the adoption of adequate electromagnetic resilience engineering practices throughout the functional safety lifecycle, by offering further guidance and practical advice on the application of risk management activities, including the techniques and measures set out in IEC 61000-1-2:2016.

This Standard is intended to be used by those who have responsibilities for functional safety. While it is aimed at functional safety, the methodologies, techniques and measures described here can also be used for the reduction of other risks, such as security risks (for example, from the intentionally-generated electromagnetic disturbances noted above) and non-safety-related risks (for example, risks to the operation of commercial IT systems).

4.4 Relationship with IEC 61508:2010 and other safety standards

Designers of systems have a professional obligation to be aware of relevant safety standards and comply with them at the current state of the art.

This Standard supplements the information on dealing with EMI given in all applicable parts of IEC 61508:2010 and other standards or specifications containing electromagnetic requirements for functional safety, such as IEC 61000-1-2, IEC 61326-3-1 [B4], IEC 61326-3-2 [B5], IEC 61000-6-7 [B3] and IEC 60601-1-2 (see Annex C). For the corresponding reference numbers in IET 2017 [B8], see Annex G.

This Standard also updates and adds to the information in the IET's 2008 and 2013 guides [B7], and the IET's 2017 Code of Practice on Electromagnetic Resilience [B8] on which it is based.

NOTE: All editions of IEC 61326-3-1 and IEC 61326-3-2 up to and including their 2017 editions are not considered complete 'EMC for functional safety' standards because they are not based on IEC 61000-1-2, which is the IEC's basic standard on this topic.

The situation regarding electromagnetic disturbances and functional safety was not well understood when the basic safety standard IEC 61508 was first published in 2000, or when the functional safety standards based upon IEC 61508 were first published (see Annex C).

The result is that, generally, the EMC requirements in those standards are currently based upon a restricted set of standard laboratory tests, applied only to representative examples of equipment, which cannot provide sufficient confidence that safety-related systems, or the sub-systems or elements they incorporate, will not suffer intolerable risks because of EMI throughout the lifecycle.

IEC 61000-1-2 Ed.1:2016 was created specifically to provide the electromagnetic requirements that are missing from such standards, and the relevant parts of IEC 61508:2010 list an early version, IEC TS 61000-1-2:2008, as a normative reference.

IEC 61000-1-2:2016 is intended by its authoring committee to complement all applicable parts of IEC 61508:2010. It provides guidance on how electromagnetic engineering may contribute to the achievement of functional safety, because this area is not covered in detail in the applicable parts of IEC 61508:2010. IEC 61000-1-2:2016 is a basic safety standard and, like IEC 61508:2010, is intended to be used by the authors of other functional safety standards as the technical basis for the requirements in the standards they create.


IEC 61000-1-2:2016 describes the situation regarding electromagnetic disturbances and the achievement of functional safety, and its Annex B describes electromagnetic resilience. It includes practical techniques and measures for helping to ensure that electromagnetic disturbances do not cause functional safety risks to exceed tolerable levels, based upon the IET's 2013 guidance [B7] (for the corresponding reference number in IET 2017 [B8], see Annex G).

The relationship of this Standard to IEC and ISO standards has been described above. Where IEC and ISO standards have been adapted to fulfil national or trade-bloc regulatory purposes (for example, when prefixed with EN, ANSI, etc., or completely renumbered), this Standard can be considered to be relevant to them in the same way.

4.5 Achieving electromagnetic resilience for functional safety

The methodology set out in IEC 61000-1-2 (and, for medical devices, in IEC 60601-1-2, see Annex C) is based on risk management principles and focuses on reducing risks due to electromagnetic disturbances throughout the entire lifecycle, from concept to end of life. The approach taken by this Standard is illustrated in Figure 2.

Figure 2 reconstructed as text (three contributing practices and the result they combine to give):

Practice 1: Good EMC and functional safety engineering practices used throughout the design, including appropriate techniques and measures.

Practice 2: Compliance with EMC test standards for emissions and immunity applicable to the normal EM environments expected to be experienced over the lifecycle (assuming no faults).

Practice 3: Appropriate additional practices, techniques and measures are used to ensure risks remain tolerable, despite reasonably foreseeable EMI and/or faults over the lifecycle.

Result (EM Resilience): The safety integrity achieved is sufficiently resilient to all reasonably foreseeable EM disturbances and faults over the lifecycle.

Figure 2 — Achieving electromagnetic resilience (source: IET 2017 [B8])

The intention is to support architectures and designs that are inherently resilient to electromagnetic disturbances.


The approach shown in Figure 2 builds on the existing competency of the EMC and functional safety engineering communities, as follows:

a. Compliance with EMC standards

EMC design/testing competency, for example, to comply with the EMC Directive [B1] (for the corresponding reference number in IET 2017 [B8], see Annex G), other EMC regulations or customer-specific EMC specifications such as those used by the military, is very well established in the developed world.

The EMC emissions and immunity standards that are used have been developed over the years (and are still developing) for the purpose of ensuring adequate availability of equipment/system functionality, with different standards being developed to suit the wide variety of generalized electromagnetic environments (such as domestic, commercial, light industrial, heavy industrial, military, road vehicles, railways, etc.).

This Standard builds on the above experience, competency, and existing EMC test facilities, by recommending that equipment or systems:
1) comply with all published test standards relevant for the electromagnetic disturbances that are expected both to occur in the normal electromagnetic environments and to be experienced by the safety-related system, sub-system or element;
2) continue to comply with all published relevant test standards throughout their anticipated lifecycles.

Note 1: These tests may exceed what is required for EMC Directive compliance, in the number of types of electromagnetic disturbance tested, their levels, and their characteristics (for example, for continuous disturbances: modulation types; frequency ranges; dwell times, etc., and for transient disturbances: wave shapes; number of occurrences, etc.).

Note 2: If the electromagnetic environment experienced by the system, sub-system or element changes over time, these tests should be reviewed to help ensure that the availability of the equipment under control (EUC) remains adequate.

b. The use of electromagnetic resilience techniques and measures

Functional safety requirements should be met over the complete lifecycle, taking into account all reasonably foreseeable:
1) operating conditions;
2) errors, malfunctions and faults, whether static or intermittent, and whether they are random or systematic (i.e. due to the design, sometimes called 'design-related' failures);
3) environmental conditions (shock, vibration, humidity, condensation, temperature, electromagnetic disturbances, etc.);
4) wear, corrosion, aging, degradation and failures;
5) component tolerances and variability, construction and installation errors, etc.;
6) use and misuse, whether intentional or not;
7) multiple electromagnetic disturbances of the same or different types, occurring at the same time or in some critical sequence;
8) any combinations of (1) to (7) above.


Attempting to take all of the above issues into account by EMC testing would take an impractical amount of time and resources, which is why the electromagnetic resilience techniques and measures described in this Standard have been developed.

The level of functional safety competency that is required in order to comply with all applicable parts of IEC 61508:2010 and its related standards is well established worldwide. Generally, the techniques and measures employed by these standards are well understood, well proven and widely used.

These techniques and measures have been developed to help prevent the introduction of systematic errors in safety-related systems.

Electromagnetic disturbances can also be a cause of errors, malfunctions or faults in any of the electrical or electronic parts of a safety-related system, and such failures are called electromagnetic interference (EMI). Some of the techniques and measures that have been widely used to achieve compliance with all applicable parts of IEC 61508:2010 and its related standards may also be partially effective at preventing electromagnetic disturbances from causing EMI that could increase functional safety risks.

This Standard builds on the existing experience and competency in the functional safety engineering community by recommending the use of:
1) well-established functional safety techniques and measures that are known to be especially effective against the effects of EMI;
2) modifications to certain techniques and measures to make them more effective against the effects of EMI;
3) good electromagnetic engineering techniques and measures at every level of design (such as component, circuit, PCB, wiring, software, product, element, sub-system and system design, installation design, design for maintainability and repair, etc.) during the anticipated lifecycle;
4) good electromagnetic engineering practices, including appropriate techniques and measures, at every stage of the system lifecycle.

IEC 61508:2010 manages functional safety over the entire lifecycle, and IEC 61000-1-2:2016 gives additional requirements and guidance on functional safety activities relating to electromagnetic disturbances.

This Standard recommends compliance with IEC 61000-1-2, including the application of an adequate range of electromagnetic resilience techniques and measures, in order to achieve an appropriate level of electromagnetic resilience. This Standard provides expanded guidance on electromagnetic resilience techniques and measures, complementary to that published in Table 3 and Annex B of IEC 61000-1-2:2016.

The selection of techniques and measures employed for a particular system will depend on:
1) the technology employed;
2) the application; and
3) the safety integrity level (SIL) of the system as specified in the applicable parts of IEC 61508:2010, or similar measures of safety integrity such as the ASILs in the applicable parts of ISO 26262.

Sufficient assessment shall be carried out to justify the selection of electromagnetic resilience techniques and measures for a safety-related system (see 4.7).


No single technique or measure can be relied upon alone. The functional safety designer will choose a set that together ensures that, regardless of the electromagnetic disturbances that can cause errors, malfunctions or failures, the overall functional safety specifications are met.

As the required level of risk reduction for a safety-related system increases, so does the safety integrity level, for example, from SIL 1 to SIL 4. Demonstrations of adequacy for higher SILs will typically involve more developed technical arguments and documentation than those for lower SILs. The range of techniques and measures required, as well as the rigor expected from their demonstration, will depend on the situation, but will usually increase significantly with each SIL. A similar approach applies to elements, as the systematic capability increases from SC1 to SC4.

The competent application of a set of electromagnetic resilience techniques and measures (see Annex A) shall be recorded as part of an overall approach to safety documentation based on the principles expressed in the applicable parts of IEC 61508. The safety documentation should demonstrate that there is sufficient confidence that functional safety would not be compromised by electromagnetic disturbances over the anticipated lifecycle. The adequacy of the overall safety argument expressed in the safety documentation could be subject to independent assessment, where appropriate.

For equipment intended to be used in a safety-related system (for example, sub-systems or elements), the competent application of electromagnetic resilience techniques and measures should be recorded in the product's documentation, and made available to system integrators, installers, end users, and assessors as necessary. For example, information related to electromagnetic resilience could be included in the safety manual for compliant items required by the applicable parts of IEC 61508, and in safety documentation used for assessing safety-related systems.


4.6 Application of electromagnetic resilience techniques and measures

This Standard describes a range of techniques and measures that are considered to be useful, where relevant, for improving electromagnetic resilience during all stages in the safety-related system or safety-related product lifecycle (see Figure 3).

Figure 3 — Overview of the functional safety lifecycle (source: IEC 61508-1:2010)


The applicable parts of IEC 61508:2010 require all functional safety-related projects to consider all these stages, whether they concern the creation of equipment for use in constructing a safety-related system (usually standard products manufactured in volume) or the integration or creation of a safety-related system itself.

Activities shall be identified and employed to deliver sufficient electromagnetic resilience for functional safety over the anticipated lifecycle of a safety-related system. These activities shall meet the requirements of relevant functional safety standards and IEC 61000-1-2:2016, and should be applied during the following project stages, as necessary:
a) project management, planning and specification;
b) system design;
c) operational design;
d) system implementation, integration, installation and commissioning;
e) verification and validation, including through-life monitoring;
f) operation, maintenance, repair, overhaul, refurbishment and upgrade, as necessary; and
g) decommissioning, as necessary.

These activities should be identified, managed and documented in line with the standards expected for other aspects of functional safety, and should therefore be allocated to competent persons.

Responsibilities for the achievement of functional safety should therefore be identified. This should include the identification of responsibilities for ensuring adequate electromagnetic resilience of the safety-related system or product.

Clause 5 is a checklist of the electromagnetic resilience techniques and measures that are described in detail in Annex A of this Standard. This checklist includes columns grading their importance against safety integrity level or systematic capability.

4.7 Assessment of electromagnetic resilience techniques and measures

As part of functional safety lifecycle management activities, appropriate arrangements shall be made to select and implement a suitable range of techniques and measures for electromagnetic resilience.

An adequate combination of techniques and measures shall be selected that, together, achieve the required safety integrity level/systematic capability with respect to electromagnetic disturbances. Their selection shall be recorded within the safety documentation. It is recommended that an assessment of the necessary techniques and measures be prepared. Adequate reasons should be recorded for the selections made and for rejecting those that are not used. Clause 5 of this Standard provides a basic checklist that shall be applied for this purpose.

Annex A of this Standard identifies a number of techniques and measures that may be employed at appropriate stages of the system lifecycle as necessary. However, those applied need not be limited to those given in this Standard; additional techniques and measures may give added assurance of electromagnetic resilience.

No electromagnetic resilience techniques and measures, such as those described in this Standard, should be assumed to guarantee complete protection against every possible type of electromagnetic disturbance, combination of electromagnetic disturbances, faults or misuse that could result in EMI.


The exact combination of techniques and measures selected for a particular application will depend on many factors specific to the application in question. Except where stated otherwise, the techniques and measures covered by this Standard are appropriate for both 'continuous' and 'on-demand' safety functions.

Depending on the nature of the project, different electromagnetic resilience techniques and measures might be used in its various stages:
a) if a project did not involve any software design, then no software design techniques and measures would be selected for any of the project's stages; likewise
b) if there was no circuit design required, then circuit design techniques and measures are not needed.

The extent to which robust conventional electromagnetic compatibility (EMC) management techniques (such as high-specification electromagnetic mitigation including shielding, filtering and transient suppression) can prevent electromagnetic disturbances from affecting the correct operation of a safety-related system during its anticipated lifecycle may be taken into account during the selection and application of the techniques and measures, where this is justified.

Each of the techniques or measures described in Annex A of this Standard is presented based on its relevance to the stage of the project, under the headings: Aim; Description; Identification; Mitigation; and Importance.

Aim: The overall purpose of the technique or measure.

Description: Broadly how the technique or measure achieves its aim.

Identification: The effectiveness of the technique or measure in revealing the presence of an error or malfunction that could be caused by electromagnetic disturbances.

Mitigation: The behavior of the system safety function in response to the detected errors or malfunctions that could have been caused by electromagnetic disturbances.

Importance: Specifies the necessity and/or desirability of the technique or measure for reducing the risks due to electromagnetic disturbances, using the following attributes:
Not Recommended (NR)
Recommended (R)
Highly Recommended (HR)
Mandatory (M)

In this Standard, the Importance of a technique or measure as NR, R, HR or M (see above) is graded according to the relevant safety integrity level (SIL) as specified in the applicable parts of IEC 61508:2010, or similar measures of safety integrity specified in a related functional safety or risk management standard.

Parts 1 and 5 of IEC 61508:2010 describe its methodology for determining the safety integrity level of a safety function, and other functional safety or risk management standards have equivalent methodologies. Also see Annex D in Part 7 of IEC 61508:2010.

In accordance with the methodology used in IEC 61508:2010, if a technique or measure rated as HR for the relevant safety integrity level/systematic capability is not used, a detailed technical explanation of why not should be included in the relevant safety documentation. For example, the technique or measure might not actually be relevant for the design being implemented, or an alternative technique or measure might be used instead, which provides the same benefits for risk reduction to the design issue concerned.


Notes to consider when reading this Standard

Note 1: For clarity, the Importance for each technique and measure is only shown in the checklist table in Clause 5.

Note 2: Where a technique or measure in A.2 or A.3 applies to a technology that is not relevant to the equipment or system concerned, and its Importance is shown in Clause 5 as M or HR, a justification for why that technique or measure was not applied should be included in the safety documentation (see 4.8).

Note 3: The Importance levels (R, HR, M) listed in Clause 5 are generic starting points, and an informed application consistent with the expectations of the relevant sector should be made. For example, in certain industries (e.g. rail, military, nuclear) where Clause 5 lists the importance as R they might expect HR or M, and where Clause 5 lists HR they might expect M.
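The grading and justification rules of 4.7 and its Notes can be applied mechanically to each copy of the Clause 5 checklist. The following Python example is added here for illustration and is not part of this Standard, of IEC 61000-1-2 or of IET 2017 [B8]. It models one checklist copy for one safety function, applies the sector escalation of Note 3 (which sectors escalate, and by one grade, is an assumption of the example), and lists the rows an assessor would query: applied rows without evidence, HR rows not applied without a justification, and M rows not applied. Apart from A.1.1, the references, titles and importance grades in the sample data are constructed placeholders and are not the contents of Table 1.

```python
"""Added example (not part of IEEE P1848, IEC 61000-1-2 or IET 2017 [B8]):
a checker that models the Clause 5 checklist rules described in 4.7 and
its Notes. Apart from A.1.1, all technique references, titles and grades
below are constructed placeholders, not the contents of Table 1."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMPORTANCE_ORDER = ["NR", "R", "HR", "M"]

# Note 3 of 4.7: in some sectors R is read as HR and HR as M. Which sectors
# escalate, and by how many grades, is an assumption made for this example.
SECTOR_ESCALATION = {"rail": 1, "military": 1, "nuclear": 1}


@dataclass(frozen=True)
class Technique:
    ref: str                    # reference in this Standard, e.g. "A.1.1"
    title: str
    importance: Dict[int, str]  # SIL (1..4) -> NR / R / HR / M


@dataclass
class Application:
    """How one technique was handled for one safety function (one checklist
    row; 4.8.1 describes what the right-hand-most column should hold)."""
    applied: bool
    evidence: str = ""          # links to design/verification documents
    justification: str = ""     # reason for NOT applying the technique


def effective_importance(grade: str, sector: Optional[str] = None) -> str:
    """Apply the Note 3 sector escalation to a Clause 5 grade."""
    if grade == "NR":
        return grade            # NR is not a recommendation to strengthen
    idx = IMPORTANCE_ORDER.index(grade) + SECTOR_ESCALATION.get(sector, 0)
    return IMPORTANCE_ORDER[min(idx, len(IMPORTANCE_ORDER) - 1)]


def assess(techniques: List[Technique],
           applications: Dict[str, Application],
           sil: int,
           sector: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (ref, effective grade, finding) for each checklist row an
    assessor would query. Rules taken from 4.7 and Note 2:
      - an applied row must carry evidence;
      - an HR row that is not applied must carry a justification;
      - an M row that is not applied is always raised, justified or not."""
    findings = []
    for t in techniques:
        grade = effective_importance(t.importance[sil], sector)
        app = applications.get(t.ref, Application(applied=False))
        if app.applied:
            if not app.evidence:
                findings.append((t.ref, grade, "applied, but no evidence recorded"))
        elif grade == "M":
            why = ("justification recorded, assessor review needed"
                   if app.justification else "no justification recorded")
            findings.append((t.ref, grade, "mandatory technique not applied; " + why))
        elif grade == "HR" and not app.justification:
            findings.append((t.ref, grade, "HR technique not applied; no justification recorded"))
    return findings


# Constructed sample checklist rows (placeholders, not Table 1 contents,
# except A.1.1 which Table 1 grades M for every SIL).
SAMPLE_TECHNIQUES = [
    Technique("A.1.1", "Project management and planning", {1: "M", 2: "M", 3: "M", 4: "M"}),
    Technique("A.2.x", "Placeholder circuit-design measure", {1: "R", 2: "R", 3: "HR", 4: "HR"}),
    Technique("A.3.x", "Placeholder software measure", {1: "NR", 2: "R", 3: "R", 4: "HR"}),
]
SAMPLE_APPLICATIONS = {
    "A.1.1": Application(applied=True, evidence="EMR-PLAN-001 section 3"),
    "A.2.x": Application(applied=False, justification="project has no circuit design"),
}

if __name__ == "__main__":
    for sector in (None, "rail"):
        print(f"SIL 3, sector={sector}:")
        for ref, grade, msg in assess(SAMPLE_TECHNIQUES, SAMPLE_APPLICATIONS, 3, sector):
            print(f"  {ref} [{grade}] {msg}")
```

Run stand-alone, the sample produces no findings at SIL 3 for an unspecified sector, but two in the rail case: the justified omission of the placeholder HR row becomes an M-row omission needing assessor review, and the unjustified omission of the R row becomes an unjustified HR omission. That is the practical effect of Note 3: a justification written against the generic grades may no longer be sufficient once the sector expectation is applied.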

4.8 Documentation of electromagnetic resilience

4.8.1 Documentation of electromagnetic resilience for safety-related systems

In the case of a complete safety-related system, the safety documentation should contain all the necessary evidence that shows that the overall safety-related system is adequate for its required safety duty.

Prior to the safety-related system being put into use, a structured justification of adequate electromagnetic resilience of the system shall be produced. This justification could be assessed as part of functional safety assessment activities; alternatively, other appropriate structured assessment approaches could be used.

This justification should assess the extent of compliance with the requirements of relevant functional safety standards including IEC 61000-1-2:2016, and the adequacy of the range of activities, techniques and measures employed for electromagnetic resilience, including verification and validation activities.

Supporting information should be available for this justification as necessary; this will usually include electromagnetic environment specifications, electromagnetic test results and certifications, and material demonstrating the range and suitability of the electromagnetic resilience techniques and measures used in the safety lifecycle.

Information used to support claims made as to the safety performance of a safety-related system should be made available to system integrators and end users, and should be retained in order to support system review activities throughout the lifecycle of the system.

Independent assessment of the electromagnetic resilience justification should be undertaken where appropriate. The extent of independence required for assessment should be in line with the approach suggested for independent assessment in the applicable parts of IEC 61508-1:2010.

The expectation is that compliance with this Standard will be achieved by adding text and hyperlinked references to other design, verification or validation documents into the cells in the right-hand-most column of the checklist in Clause 5, to demonstrate whether and how each of the techniques or measures has been applied to each safety function.

For safety systems having more than one safety function, it is usually necessary to consider the range of techniques and measures applied from the perspective of each safety function in turn. However, some techniques and measures may apply across more than one safety function, and the presentation of justifications for these may be able to avoid repetition by being covered by a single checklist from Clause 5, as long as this can be done without losing clarity.

3 As discussed in 4.7, if a technique or measure in the checklist in Clause 5 is categorized as HR for the level
4 of safety integrity appropriate for the safety function in question, but has not been applied, the right-hand-
5 most column will communicate the reasons why not, and what was done instead.

6 The structured justification of adequate electromagnetic resilience of a system is expected to be provided


7 for all of the safety functions in that system, by one or more copies of the checklist in Clause 5, with their
8 right-hand-most columns duly completed, plus all of the documents referenced in those columns.

4.8.2 Documentation of electromagnetic resilience for equipment (e.g. system elements)

In the case of equipment intended for use in a safety-related system, where electromagnetic resilience claims are made for the equipment, information supporting these claims shall be made available in the compliant item’s safety manual.

This should include information that will be required by the safety-related system integrator, for example, the safety-related environmental tests that the equipment complies with, the functional safety techniques and measures that have been applied in the design of the equipment, and guidance on installation, maintenance, etc., as necessary.

A safety manual should also include information on equipment behavior, where appropriate, in the case of failure, for example, ‘defined states’ (DSs) that the equipment can assume in response to errors or failures due to intolerable EMI, as well as guidance on the application of the equipment.

Information used to support claims made as to the safety performance of a safety-related system element should be made available to system integrators and end users, and should be retained in order to support system review activities throughout the lifecycle of the element's application. Such information might use one or more copies of the checklist in Clause 5, broadly as discussed in 4.8.1, to help to provide a structured justification of its electromagnetic resilience.

5. Checklist of electromagnetic resilience techniques and measures

Complete as many copies of Table 1 below as are needed to cover all of the Safety Functions in the system concerned (see 4.8).

Note that in these tables, the “Ref’s in this Standard” are identical to those in IET 2017 [B8], except that the first character in this Standard is the letter A (e.g. A.1.1), whereas in [B8] it is the number 2 (e.g. 2.1.1). Some references in this Standard have no counterpart in [B8], because this is a newer document.


Table 1 — Checklist of electromagnetic resilience techniques and measures

Columns of Table 1:
  (1) Overview of the electromagnetic resilience techniques and measures applied to the Safety Function: ……………………………………………….
  (2) Importance (see 4.7) for SIL1, SIL2, SIL3 and SIL4.
  (3) Ref’s in this Standard.
  (4) How applied for this Safety Function? Add all relevant document links, comments, references, etc.
Each entry below gives the reference (3), the technique or measure (1) and its importance (2) for each SIL; column (4) is left blank for completion by the user of the checklist.

Techniques and measures in project management, planning and specification (Ref: 4 & A.1)

4         Establishment of a Risk Management Process
          A Risk Management Process shall be established for the system concerned, in accordance with the latest version(s) of the most relevant standard(s) based on the applicable parts of IEC 61508:2010 (see Annex C).
          A competent person shall have the overall responsibility for managing the risks of the system, by employing the Risk Management Process throughout all of its lifecycle stages.
          SIL1 M | SIL2 M | SIL3 M | SIL4 M

A.1.1     Project management and planning
          The processes for the management, planning, selection, design, implementation, commissioning, modification, verification and maintenance of each safety function should explicitly include electromagnetic resilience measures and be documented.
          A competent person should have the overall responsibility for managing the electromagnetic resilience of the system. Appropriate competency should be made available at all lifecycle stages.
          SIL1 M | SIL2 M | SIL3 M | SIL4 M

A.1.2     Creating a design requirements specification
          To help confirm that the design specification includes requirements for EMI, and that all reasonably foreseeable electromagnetic disturbances and their effects are taken into account in the specification of the system and its sub-systems and elements.
          Appropriate techniques and measures shall be defined and used to help confirm that the safety-related system shall achieve the required SIL, and all of the sub-systems and elements incorporated within it shall achieve their required systematic capabilities, despite any electromagnetic disturbances over the lifecycle.
          Amongst other issues, the following shall be taken into account:
          (a) non-operation, when operation is required;
          (b) operation, when no operation is required; and
          (c) unintended or inaccurate operations.
          The specification for electromagnetic resilience techniques and measures shall be (as far as is possible): complete, free from errors and contradictions, and easy to verify.
          SIL1 M | SIL2 M | SIL3 M | SIL4 M


A.1.3     Specifying EMC test standards to help ensure the availability of the EUC
          To help ensure the availability of the EUC and its safety-related systems, throughout its lifecycle, so that safety-related systems continue to provide safe operation, taking into account availability, throughput rate, production rate, or other financial or mission-critical requirements.
          SIL1 M | SIL2 M | SIL3 M | SIL4 M

A.1.4     Protecting against high impact, unusual and malicious EMI
          To help achieve functional safety where high impact, unusual and malicious electromagnetic disturbances could reasonably foreseeably occur and cause temporary disturbance and/or permanent damage to hardware (electronic components, interconnections, etc.).
          SIL1 M | SIL2 M | SIL3 M | SIL4 M

……        Other technique or measure used in project management and planning: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used in project management and planning: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used in project management and planning: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -


Techniques and measures in system design (Ref: A.2)

A.2.1     Separating safety-related system parts from non-safety-related system parts
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.2.2     Recording how the design requirements are implemented through design choices
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M

A.2.3     Co-design of electromagnetically diverse hardware and software in multiple redundant channels
          To detect and/or correct systematic failures, using multiple electromagnetically diverse hardware channels and/or software components, to reduce the likelihood that the common-cause characteristics of electromagnetic disturbances will cause an incorrect output to be created.
          Hardware and software designers should work together (i.e. co-design) to achieve the required overall diversity in the most effective way in order to meet the requirements of the design requirements specification and its required safety integrity levels and/or systematic capabilities.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.2.4     System integration, installation and commissioning
          To help confirm that electromagnetic resilience is correctly considered when separately tested parts are brought together to form the complete functional system.
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M

A.2.5     Fault detection and event data recording for later diagnosis
          To increase the probability of localizing malfunctions caused by electromagnetic disturbances.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR


Improving the electromagnetic resilience of communication links, by using hardware and/or software techniques to improve the reliability of the links (A.2.6.1 to A.2.6.3):

A.2.6.1   Error detection
          Redundant data is appended to the actual data using error detection coding (EDC) techniques such as parity or cyclic redundancy checking (CRC) (see A.3.11, A.3.12, and A.3.14), or suitable equivalent EDC techniques, to detect data corruption.
          Upon detection of data corruption, appropriate action is taken to maintain the safety integrity level/systematic capability, as described in the safety documentation. For example, various retry schemes could be used to improve the reliability of the link (at the expense of overall system performance).
          Where the safety manual for a sub-system or element includes a DS, it shall provide sufficient detail for correct use by a safety system designer.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.2.6.2   Error correction
          A variation of error detection using a code such that a level of error correction is possible, in order to both detect corruption and correct for its effects.
          Various error correcting code (ECC) schemes (see A.3.11, A.3.12, and A.3.14) can be used to improve the reliability of the link at the expense of reduced data rate.
          Whenever error correction occurs, this should be logged to aid later diagnosis. See A.2.5.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.2.6.3   Protection of a sequence
          Extra sequence codes can be appended to each packet to enable detection of delayed, lost or duplicated packets.
          Various techniques and measures in this Standard can be used at the packet level, e.g. just a single bit can be alternated between packets to detect a single packet failure (omission or duplication). More elaborate techniques can detect multiple packet failures or corruption.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR


A.2.6.4   Wireless Mesh Networks
          Creates multiple geographically-diverse wireless data communication links to improve the redundancy of data communications.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.2.7     Synchronization and re-synchronization techniques
          Synchronous system safety functions intended for continuous operation: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          Synchronous system safety functions intended to operate on demand: SIL1 R | SIL2 R | SIL3 R | SIL4 R
          Any kind of synchronous system that has no safe state: SIL1 M | SIL2 M | SIL3 M | SIL4 M

A.2.8     Protection from persistent interference by monitoring retry counts
          Systems intended for continuous operation: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          On-demand systems: SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.2.9     Independent detection of electromagnetic disturbances and/or EMI
          SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.2.10    Protection of systems from tampering via communication links to external systems
          To conserve the safety integrity level/systematic capability of systems, sub-systems or elements that have external communication links, especially with the Internet, at least for electromagnetic resilience.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 M

A.2.11    Robust, high-specification electromagnetic mitigation
          Especially useful when degradation or interruption of functionality is not desired.
          SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.2.12    Techniques and measures to prevent virtualization of memory and process resources from causing unacceptable risks
          SIL1 R | SIL2 R | SIL3 HR | SIL4 M
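Entries A.2.6.1 to A.2.6.3 and A.2.8 above describe the pieces of a protected communication link: an error-detecting code appended to the data, a sequence code to catch omitted or duplicated packets, a retry reaction when corruption is detected, a retry-count limit that turns persistent interference into a declared fault, and logging for later diagnosis (A.2.5). The C program below is an added example written for this page, not code from the Standard or from IET 2017 [B8]. Its frame layout (one sequence byte instead of the single alternating bit mentioned in A.2.6.3, then the payload, then a CRC-16/CCITT-FALSE), the threshold of three consecutive failures, and the sample payload are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed frame layout (an assumption for this example, not from the Standard):
 *   byte 0          sequence number, incremented by the sender modulo 256 (A.2.6.3)
 *   bytes 1..n      payload
 *   bytes n+1..n+2  CRC-16/CCITT-FALSE over bytes 0..n, most significant byte first (A.2.6.1) */
#define MAX_PAYLOAD    32
#define FRAME_OVERHEAD 3

/* CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection. */
static uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: prepend the sequence code and append the CRC. Returns the frame length, 0 if too long. */
size_t frame_build(uint8_t seq, const uint8_t *payload, size_t len, uint8_t *out) {
    if (len > MAX_PAYLOAD) return 0;
    out[0] = seq;
    memcpy(&out[1], payload, len);
    uint16_t crc = crc16_ccitt(out, len + 1);
    out[len + 1] = (uint8_t)(crc >> 8);
    out[len + 2] = (uint8_t)(crc & 0xFF);
    return len + FRAME_OVERHEAD;
}

typedef enum { RX_OK, RX_CRC_ERROR, RX_DUPLICATE, RX_LOST, RX_PERSISTENT_INTERFERENCE } rx_status_t;

/* Receiver state: next expected sequence number, the consecutive-error counter that
 * implements the retry-count monitoring of A.2.8, and an event counter standing in for
 * the diagnostic log of A.2.5. */
typedef struct {
    uint8_t  expected_seq;
    unsigned consecutive_errors;   /* reset by every frame that passes the CRC */
    unsigned error_limit;          /* reaching it declares persistent interference */
    unsigned logged_events;
} link_rx_t;

void link_rx_init(link_rx_t *rx, unsigned error_limit) {
    rx->expected_seq = 0;
    rx->consecutive_errors = 0;
    rx->error_limit = error_limit;
    rx->logged_events = 0;
}

/* Receiver side. On RX_OK or RX_LOST the payload is copied out; a frame after a gap is
 * accepted but the gap is reported so the application can decide whether the omission
 * is tolerable for this safety function. Duplicates and corrupt frames are rejected. */
rx_status_t frame_receive(link_rx_t *rx, const uint8_t *frame, size_t flen,
                          uint8_t *payload, size_t *plen) {
    if (flen < FRAME_OVERHEAD) return RX_CRC_ERROR;   /* truncation is treated as corruption */
    uint16_t got = (uint16_t)((frame[flen - 2] << 8) | frame[flen - 1]);
    if (crc16_ccitt(frame, flen - 2) != got) {
        rx->logged_events++;
        if (++rx->consecutive_errors >= rx->error_limit) return RX_PERSISTENT_INTERFERENCE;
        return RX_CRC_ERROR;                           /* the caller may request a retry */
    }
    uint8_t seq = frame[0];
    if (seq == (uint8_t)(rx->expected_seq - 1)) {      /* same packet again: replay or duplicate */
        rx->logged_events++;
        return RX_DUPLICATE;
    }
    rx_status_t st = RX_OK;
    if (seq != rx->expected_seq) {                     /* gap: packet(s) omitted or delayed */
        rx->logged_events++;
        st = RX_LOST;
    }
    rx->expected_seq = (uint8_t)(seq + 1);
    rx->consecutive_errors = 0;
    *plen = flen - FRAME_OVERHEAD;
    memcpy(payload, &frame[1], *plen);
    return st;
}
```

A CRC alone cannot tell a replayed or delayed packet from a fresh one, since the replay carries a valid CRC; that is what the sequence code adds. The consecutive-error counter is what distinguishes a single hit, which a retry absorbs, from persistent interference, which needs the defined-state reaction described in the safety documentation.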


A.2.13    Usability engineering
          SIL1 R | SIL2 R | SIL3 HR | SIL4 M

……        Other technique or measure used in system design: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used in system design: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used in system design: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used in system design: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -


Techniques and measures in operational design (Ref: A.3)
          In the subclauses below, techniques and measures are classified as either hardware or software based, but some may have equivalent representations in either hardware or software which might be more effective in some useful manner.

A.3.1     Developing appropriate operation and maintenance instructions
          For procedures that help avoid EMI-induced failures during the operation and maintenance of a safety-related system or a sub-system or element within a safety-related system.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.2     Designing appropriate maintenance techniques
          To make it practical to monitor the condition/performance of, and replace if necessary, electromagnetic mitigation items such as filters, surge suppressors, conductive gaskets, etc., which can have a limited operational life.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.3     Limiting the possibilities for operation and hence for mis-operation
          To help avoid EMI causing failures by affecting operator controls.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.4     Protecting against operator errors, mistakes and other foreseeable misuse
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.5     Protecting against hardware/software modifications or manipulations
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

Defensive programming techniques (A.3.6.1 to A.3.6.4): to design software programs to detect anomalous control flow, data flow, or data values, which might have been caused by EMI during their execution, and to react in a predetermined and acceptable manner.

A.3.6.1   Range checking in hardware and in software
          Range checking the values of all variables (not just I/Os), sometimes called strong data typing. A number of bands are defined for the value of each variable. A typical 3-band example is:
          (a) normal operation;
          (b) warning zone; and
          (c) out of range.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.6.2   Sequence checking
          Safety functions intended for continuous operation: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          Safety functions intended for on-demand operation: SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.3.6.3   Correct rounding and resolution in all calculations
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.6.4   Floating point unit and real number arithmetic
          Help avoid corruption of arithmetic by EM disturbances.
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M
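A.3.6.1 and A.3.6.2 above describe two defensive programming checks: three-band range checking of every variable, and checking that the steps of the safety function occur in the allowed order, with a predetermined reaction when either check fails. The C below is an added example, not the Standard's own code. The variable limits, the five-step cycle and its table of allowed transitions, the derated output in the warning band, and the latched fault state are all constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* A.3.6.1: three-band range check ("strong data typing"). Every variable carries its own
 * bands; the limits used in the test are constructed for hypothetical inputs. */
typedef enum { BAND_NORMAL = 0, BAND_WARNING = 1, BAND_OUT_OF_RANGE = 2 } band_t;

typedef struct {
    const char *name;
    int32_t normal_lo, normal_hi;   /* inclusive bounds of band (a), normal operation */
    int32_t limit_lo, limit_hi;     /* inclusive bounds of band (b); beyond them is band (c) */
} ranged_var_t;

band_t range_check(const ranged_var_t *v, int32_t value) {
    if (value < v->limit_lo || value > v->limit_hi) return BAND_OUT_OF_RANGE;
    if (value < v->normal_lo || value > v->normal_hi) return BAND_WARNING;
    return BAND_NORMAL;
}

/* Checks all variables (not just I/O) and returns the worst band seen. */
band_t range_check_all(const ranged_var_t *vars, const int32_t *values, size_t n) {
    band_t worst = BAND_NORMAL;
    for (size_t i = 0; i < n; i++) {
        band_t b = range_check(&vars[i], values[i]);
        if (b > worst) worst = b;
    }
    return worst;
}

/* A.3.6.2: sequence checking. Each step records its entry; a transition that is not in
 * the allowed table means control flow was disturbed (e.g. a corrupted state variable or
 * return address), and the program goes to a fault state that only a reset leaves. */
typedef enum { S_IDLE, S_READ_INPUTS, S_CHECK_RANGES, S_COMPUTE, S_WRITE_OUTPUTS, S_FAULT } step_t;

typedef struct { step_t current; int violations; } sequence_t;

/* The only step from which each step may legally be entered (constructed cycle). */
static const step_t allowed_prev[] = {
    [S_IDLE] = S_WRITE_OUTPUTS, [S_READ_INPUTS] = S_IDLE, [S_CHECK_RANGES] = S_READ_INPUTS,
    [S_COMPUTE] = S_CHECK_RANGES, [S_WRITE_OUTPUTS] = S_COMPUTE, [S_FAULT] = S_FAULT,
};

/* Returns 1 if the transition is legal; 0 if not, after latching S_FAULT. */
int sequence_enter(sequence_t *seq, step_t next) {
    if (seq->current == S_FAULT) return 0;
    if (next != S_FAULT && allowed_prev[next] != seq->current) {
        seq->violations++;
        seq->current = S_FAULT;         /* the predetermined reaction */
        return 0;
    }
    seq->current = next;
    return 1;
}

/* One cycle of a hypothetical safety function with both checks wired in. Returns the
 * output, or -1 when the cycle was aborted into the fault state (inputs are non-negative). */
int32_t safety_cycle(sequence_t *seq, const ranged_var_t *vars, const int32_t *values, size_t n) {
    if (!sequence_enter(seq, S_READ_INPUTS)) return -1;
    if (!sequence_enter(seq, S_CHECK_RANGES)) return -1;
    band_t band = range_check_all(vars, values, n);
    if (band == BAND_OUT_OF_RANGE) { sequence_enter(seq, S_FAULT); return -1; }
    if (!sequence_enter(seq, S_COMPUTE)) return -1;
    int32_t out = (band == BAND_WARNING) ? 0 : values[0] / 2;   /* constructed computation; derated in band (b) */
    if (!sequence_enter(seq, S_WRITE_OUTPUTS)) return -1;
    if (!sequence_enter(seq, S_IDLE)) return -1;
    return out;
}
```

The two checks catch different disturbances: range checking sees a corrupted data value wherever it was produced, while the transition table sees a corrupted control flow even when every value it touches is still in band.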


A.3.7     Limited use of interrupts
          To help reduce the impact of corruption due to EMI upon program execution.
          SIL1 R | SIL2 HR | SIL3 HR | SIL4 M

A.3.8     Limited use of memory address pointer variables to reduce impact of memory corruption
          System-safety functions intended for continuous operation: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          System-safety functions intended for on-demand operation: SIL1 R | SIL2 R | SIL3 R | SIL4 R
          Any/all systems with no safe state: SIL1 M | SIL2 M | SIL3 M | SIL4 M

A.3.9     Avoiding recursion
          To help reduce the impact of corruption due to EMI on program execution.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

Error detection and correction for invariable memory (i.e. ROM or program memory) (A.3.10.1 to A.3.10.3):

A.3.10.1  Signature of a word or block of data
          To detect single and multi-bit corruption within a block of data. Various checking techniques are available, such as: Cyclic Redundancy Checks (CRC), Secure Hash Algorithm (SHA), and Hamming Codes (for correction as well as detection).
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.10.2  Block replication with inversion to detect all bit failures
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          Plus the use of electromagnetically diverse memories to improve effectiveness (see A.2.3): SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.10.3  Memory boundary protection
          To prevent incorrect areas being overwritten in the following types of memory: program; stack; statically-allocated variables; heap (dynamically allocated variables); inputs; and outputs.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.11    Error detection and error correction techniques in redundant designs
          System-safety functions intended for continuous operation: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          System-safety functions intended for on-demand operation: SIL1 R | SIL2 R | SIL3 HR | SIL4 HR


A.3.12    Time-based error detection/correction in buses and interfaces to detect transient failures
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR
          Combine with error checking codes to protect the sequence numbers or time codes (see A.3.11 & A.3.13): SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

Error detection and error correction for variable memory (e.g. RAM), detecting failures during addressing, writing, storing and reading data in memory (A.3.13.1 to A.3.13.4):

A.3.13.1  Memory testing
          Before and/or during operation, to detect memory-system-specific errors.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.13.2  One-bit redundancy
          To detect some changes in the content of a memory location, bus or I/O register.
          SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.3.13.3  Block replication with inversion to detect all bit failures
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          Using diverse types of memory can improve the effectiveness of this technique (see A.3.3): SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.13.4  Memory boundary protection
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.14    Error detection/correction in ROM, RAM, buses and interfaces
          Detects/corrects one or more bit failures in a word.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

Error detection for logic and data processing units (A.3.15.1 to A.3.15.4):

A.3.15.1  Self-test supported by hardware (one-channel)
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.15.2  Coded processing (one-channel)
          SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.3.15.3  Reciprocal comparison by software
          Two or more electromagnetically diverse processing units exchange data (results, intermediate results, and test data) and cross-check at defined ‘restore points’ from which system operation could be continued in the event of a fault.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.15.4  Self-test by software during operation
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR
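A.3.10.2, A.3.13.2, A.3.13.3 and A.3.14 on this and the preceding page name three memory-protection schemes with very different detection power: one-bit (parity) redundancy, block replication with inversion, and an error-correcting code in a word. The C below is an added example, not code from the Standard, that shows what each scheme catches and what it misses. The 8-byte block size, the Hamming(7,4) bit layout, and the sample contents are constructed assumptions; the plain-duplication check is included only as the baseline that replication with inversion improves on.

```c
#include <stdint.h>
#include <stddef.h>

/* A.3.13.2 one-bit redundancy: even parity over a byte. Detects any odd number of
 * flipped bits in the byte and is blind to any even number. */
uint8_t parity_bit(uint8_t b) {
    b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;
    return b & 1;
}

/* A.3.10.2 / A.3.13.3 block replication with inversion: the block is stored twice, the
 * second copy bit-inverted. Any bit failure breaks the complement relation, including a
 * whole-region wipe to all zeros or all ones. Block size is a constructed choice. */
#define BLOCK_LEN 8
typedef struct { uint8_t data[BLOCK_LEN]; uint8_t inverted[BLOCK_LEN]; } inv_block_t;

void inv_block_store(inv_block_t *blk, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < BLOCK_LEN; i++) {
        uint8_t v = (i < n) ? src[i] : 0;
        blk->data[i] = v;
        blk->inverted[i] = (uint8_t)~v;
    }
}

/* Returns 1 if every byte is still the complement of its copy, else 0. */
int inv_block_check(const inv_block_t *blk) {
    for (size_t i = 0; i < BLOCK_LEN; i++)
        if ((uint8_t)(blk->data[i] ^ blk->inverted[i]) != 0xFF) return 0;
    return 1;
}

/* Baseline for comparison: plain duplication passes whenever both copies agree,
 * which they still do after a common-mode wipe of both. */
int plain_dup_check(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) if (a[i] != b[i]) return 0;
    return 1;
}

/* A.3.14 ECC in a word: Hamming(7,4). A 4-bit nibble becomes a 7-bit code word; any single
 * flipped bit is located and corrected. Code-word position k (1..7) is stored at bit k-1,
 * positions 1, 2, 4 are parity bits and 3, 5, 6, 7 carry data bits d1..d4. */
uint8_t hamming74_encode(uint8_t nibble) {
    uint8_t d1 = nibble & 1, d2 = (nibble >> 1) & 1, d3 = (nibble >> 2) & 1, d4 = (nibble >> 3) & 1;
    uint8_t p1 = d1 ^ d2 ^ d4;   /* covers positions 1, 3, 5, 7 */
    uint8_t p2 = d1 ^ d3 ^ d4;   /* covers positions 2, 3, 6, 7 */
    uint8_t p4 = d2 ^ d3 ^ d4;   /* covers positions 4, 5, 6, 7 */
    return (uint8_t)(p1 | (p2 << 1) | (d1 << 2) | (p4 << 3) | (d2 << 4) | (d3 << 5) | (d4 << 6));
}

/* Decodes a code word. *corrected_pos receives the position (1..7) of the bit that was
 * corrected, or 0 if the word was clean; the corrected data nibble is returned. */
uint8_t hamming74_decode(uint8_t code, int *corrected_pos) {
    uint8_t bit[8];
    for (int k = 1; k <= 7; k++) bit[k] = (code >> (k - 1)) & 1;
    uint8_t s1 = bit[1] ^ bit[3] ^ bit[5] ^ bit[7];
    uint8_t s2 = bit[2] ^ bit[3] ^ bit[6] ^ bit[7];
    uint8_t s4 = bit[4] ^ bit[5] ^ bit[6] ^ bit[7];
    int syndrome = s1 | (s2 << 1) | (s4 << 2);   /* the syndrome is the position of a single flip */
    if (syndrome) bit[syndrome] ^= 1;
    *corrected_pos = syndrome;
    return (uint8_t)(bit[3] | (bit[5] << 1) | (bit[6] << 2) | (bit[7] << 3));
}
```

The reason the inverted copy matters is common-mode failure: an EMI event that drives a memory region to all zeros leaves two plain copies identical, so a duplicate check passes, while the complement relation is broken in every byte. Hamming(7,4) corrects exactly one flipped bit per code word; a correction is an event worth logging, as A.2.6.2 asks for links.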


A.3.16    Error detection and error correction for electrical and electromechanical components
          To help control failures in components such as relays, actuators, magnetic logic devices, etc.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          When using redundancy, diverse hardware and/or software improves the effectiveness as regards the common-cause effects typical of electromagnetic disturbances (see A.2.3).

A.3.17    Caution when using hardware or software libraries
          To help confirm that the electromagnetic resilience measures are applied and verified throughout the whole software design and implementation of a safety-related system.
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M

Error detection and correction for electronic components (A.3.18.1 to A.3.18.7):

A.3.18.1  Testing by redundant hardware
          To monitor the operation of the relevant function.
          SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.3.18.2  Using dynamic signaling techniques
          To detect static failures in communications and processing.
          SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.3.18.3  Caution with use of test access ports and boundary-scan
          To prevent any tests/diagnostics from making the system more susceptible to electromagnetic disturbances.
          SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.3.18.4  Monitored redundancy
          Compares the behavior of two or more electromagnetically diverse (see A.2.3) channels.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.18.5  Hardware with automatic self-test
          To detect faults by periodic checking of the safety functions using automatic self-tests.
          SIL1 R | SIL2 R | SIL3 R | SIL4 R

A.3.18.6  Analogue signal monitoring
          To improve confidence in signals and controls.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.18.7  ‘Data assurance’ (content credibility checking)
          Uses known relationships within a dataset to detect corruption due to EMI.
          System-safety functions for continuous operation: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          System-safety functions for on-demand operation: SIL1 R | SIL2 R | SIL3 R | SIL4 R
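A.3.18.7 above, data assurance, relies on relationships that a correct dataset must satisfy rather than on redundant bits, so it can catch a corrupted value that still carries a valid checksum (for instance one corrupted after the CRC was computed). The C below is an added example, not the Standard's own code. It uses a hypothetical totalising flow meter record whose fields are related by arithmetic (the delta equals the change in the total, and the rate equals delta over elapsed time within a tolerance) and by physics (the total never decreases, time advances, and the rate has a maximum); the field names, limits and sample records are constructed.

```c
#include <stdint.h>

/* Constructed record from a hypothetical totalising flow meter (not from the Standard). */
typedef struct {
    uint32_t timestamp_ms;    /* monotonic time of the sample */
    uint32_t total_ml;        /* cumulative volume, never decreases */
    uint32_t delta_ml;        /* volume since the previous sample */
    uint32_t rate_ml_per_s;   /* instantaneous rate reported by the meter */
} flow_record_t;

/* Relationships the dataset is known to satisfy; each violated one sets a bit. */
enum {
    ASSURE_TIME_NOT_ADVANCING = 1u << 0,
    ASSURE_TOTAL_DECREASED    = 1u << 1,
    ASSURE_DELTA_MISMATCH     = 1u << 2,   /* delta != total - previous total */
    ASSURE_RATE_IMPLAUSIBLE   = 1u << 3,   /* rate disagrees with delta / dt beyond tolerance */
    ASSURE_RATE_EXCEEDS_MAX   = 1u << 4    /* physically impossible for this meter */
};

#define MAX_RATE_ML_PER_S   5000u   /* constructed physical limit of the meter */
#define RATE_TOLERANCE_PCT  10u     /* constructed tolerance on the rate relation */

/* Checks the current record against the previous one; returns the set of violated relations. */
uint32_t assure_record(const flow_record_t *prev, const flow_record_t *cur) {
    uint32_t v = 0;
    if (cur->timestamp_ms <= prev->timestamp_ms) v |= ASSURE_TIME_NOT_ADVANCING;
    if (cur->total_ml < prev->total_ml) v |= ASSURE_TOTAL_DECREASED;
    if (!(v & ASSURE_TOTAL_DECREASED) && cur->delta_ml != cur->total_ml - prev->total_ml)
        v |= ASSURE_DELTA_MISMATCH;
    if (cur->rate_ml_per_s > MAX_RATE_ML_PER_S) v |= ASSURE_RATE_EXCEEDS_MAX;
    if (!(v & ASSURE_TIME_NOT_ADVANCING)) {
        uint32_t dt_ms = cur->timestamp_ms - prev->timestamp_ms;
        /* rate implied by the volume relation, in integer arithmetic (ml/s) */
        uint64_t expected = ((uint64_t)cur->delta_ml * 1000u) / dt_ms;
        uint64_t tol = (expected * RATE_TOLERANCE_PCT) / 100u + 1;   /* +1 absorbs rounding at low rates */
        uint64_t rate = cur->rate_ml_per_s;
        if (rate + tol < expected || rate > expected + tol) v |= ASSURE_RATE_IMPLAUSIBLE;
    }
    return v;
}

/* Scans a series and returns the index of the first record that fails assurance, or -1. */
int first_implausible(const flow_record_t *series, int n) {
    for (int i = 1; i < n; i++)
        if (assure_record(&series[i - 1], &series[i]) != 0) return i;
    return -1;
}
```

Returning the set of violated relations rather than a single flag is deliberate: the pattern of violations (a stuck timestamp with a decreased total, against an implausible rate alone) tells the diagnosis which field was hit, which is the event data A.2.5 wants recorded.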


Error detection and correction by monitoring program sequence (i.e. ‘watchdogs’) (A.3.19.1 to A.3.19.4):

A.3.19.1  Watchdog (temporal monitoring) with separate time base without time-window
          Only to be used if A.3.19.2 or A.3.19.3 below cannot be used.
          SIL1 R | SIL2 R | SIL3 NR | SIL4 NR

A.3.19.2  Watchdog (temporal monitoring) with separate time base and time-window
          Periodically triggered to monitor the computer’s behavior and the plausibility of the program sequence, with both lower and upper time limits set; preferred over A.3.19.1.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.19.3  Logical monitoring of program sequence
          Monitoring of individual program sections using software (e.g. counting procedure, key procedure) or using external monitoring facilities; preferred over A.3.19.1.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.19.4  Combination of temporal and logical monitoring of program sequences
          Combining both temporal (with time window) and logical monitoring to retrigger a temporal facility (e.g. an external watchdog) only if the sequence of the program sections is executed correctly. Preferred over either A.3.19.2 or A.3.19.3 above. Also preferred over A.3.19.1 and A.3.19.1 used together but independently.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.20    Error detection and error correction by comparing multi-channel input/output interfaces
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR
          Using electromagnetically diverse hardware and/or software improves the effectiveness of this technique as regards the common-cause effects typical of electromagnetic disturbances, permitting more confident error correction (see A.2.3).
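A.3.19.2 to A.3.19.4 above describe a watchdog with a time window, where a retrigger that arrives too early is as suspicious as one that arrives too late, and logical monitoring of the program sequence, combined so that the temporal facility is retriggered only when the sections ran in the correct order. The C below is an added example, not code from the Standard. The per-section key constants, the rotate-and-XOR key procedure, the window of 8 ms to 12 ms, and the four-section cycle are constructed assumptions, and the separate time base is modelled as a millisecond tick that the caller passes in.

```c
#include <stdint.h>

typedef enum { WD_OK, WD_TOO_EARLY, WD_TOO_LATE, WD_BAD_SEQUENCE, WD_TRIPPED } wd_status_t;

typedef struct {
    uint32_t last_kick_ms;
    uint32_t window_lo_ms;    /* a retrigger before this is implausibly fast (runaway loop) */
    uint32_t window_hi_ms;    /* a retrigger after this is too slow (lock-up, CPU saturation) */
    uint32_t expected_key;    /* value the correct section sequence must produce */
    uint32_t key;             /* accumulated by the program sections during the cycle */
    int      tripped;         /* latched once any check fails; only a reset clears it */
} watchdog_t;

/* One constructed key per program section (A.3.19.3 "key procedure"). */
#define SECTIONS 4
static const uint32_t section_keys[SECTIONS] = { 0x1D3A5C7Eu, 0x2B4D6F81u, 0x39515C33u, 0x47A7C9D5u };

/* Order-sensitive accumulation: rotate then XOR, so sections A;B and B;A give different keys,
 * and a skipped or repeated section changes the result as well. */
static uint32_t key_step(uint32_t key, uint32_t section_key) {
    return ((key << 5) | (key >> 27)) ^ section_key;
}

uint32_t expected_key_for_sequence(void) {
    uint32_t k = 0;
    for (int i = 0; i < SECTIONS; i++) k = key_step(k, section_keys[i]);
    return k;
}

void wd_init(watchdog_t *wd, uint32_t now_ms, uint32_t lo_ms, uint32_t hi_ms) {
    wd->last_kick_ms = now_ms;
    wd->window_lo_ms = lo_ms;
    wd->window_hi_ms = hi_ms;
    wd->expected_key = expected_key_for_sequence();
    wd->key = 0;
    wd->tripped = 0;
}

/* Called at the start of each program section. */
void wd_section(watchdog_t *wd, int section) {
    wd->key = key_step(wd->key, section_keys[section]);
}

/* Called once per cycle where the program wants to retrigger the watchdog. The temporal
 * facility is retriggered only if the logical sequence was correct (A.3.19.4), and only
 * inside the time window (A.3.19.2). */
wd_status_t wd_kick(watchdog_t *wd, uint32_t now_ms) {
    if (wd->tripped) return WD_TRIPPED;
    uint32_t elapsed = now_ms - wd->last_kick_ms;
    wd_status_t st = WD_OK;
    if (wd->key != wd->expected_key)       st = WD_BAD_SEQUENCE;
    else if (elapsed < wd->window_lo_ms)   st = WD_TOO_EARLY;
    else if (elapsed > wd->window_hi_ms)   st = WD_TOO_LATE;
    if (st != WD_OK) { wd->tripped = 1; return st; }
    wd->last_kick_ms = now_ms;
    wd->key = 0;
    return WD_OK;
}

/* Called from the separate time base (e.g. a timer interrupt) so that a program which
 * never reaches wd_kick at all is still caught. */
wd_status_t wd_poll(watchdog_t *wd, uint32_t now_ms) {
    if (wd->tripped) return WD_TRIPPED;
    if (now_ms - wd->last_kick_ms > wd->window_hi_ms) { wd->tripped = 1; return WD_TOO_LATE; }
    return WD_OK;
}

/* Runs the sections in the corre order and retriggers: the healthy cycle. */
wd_status_t run_correct_cycle(watchdog_t *wd, uint32_t now_ms) {
    for (int i = 0; i < SECTIONS; i++) wd_section(wd, i);
    return wd_kick(wd, now_ms);
}
```

wd_poll is the part that a simple in-program check cannot provide: it belongs to the independent time base, so a locked-up program (A.3.29) is detected even though it never calls wd_kick. Once tripped the watchdog stays tripped until a reset, which is the latching reaction the checklist expects rather than a silent restart of the window.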


A.3.21    Using test patterns: static and dynamic
          Using static and dynamic test patterns to detect static failures (‘stuck-at’ failures) and cross-talk, particularly in input and output units (digital, analogue, serial or parallel), and to prevent the sending of inadmissible inputs or outputs to the process.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR
          Using electromagnetically-diverse channels permits more confident error correction (see A.2.3).

A.3.22    Use metal-free fiber-optic cables for signals and data
          They are intrinsically immune to electromagnetic disturbances.
          SIL1 R | SIL2 R | SIL3 R | SIL4 HR

Techniques for AC and DC power supplies and power converters (A.3.23.1 to A.3.23.4): to detect or tolerate failures caused by degradations or defects in any of the electrical power supplies.

A.3.23.1  Detecting degradations and defects
          Various devices and circuit techniques are readily available for detecting any/all defects in AC or DC power supplies (see also A.3.3).
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.23.2  Power hold-up
          Using sufficient energy storage (e.g. batteries, supercapacitors, etc.) or back-up power supplies (e.g. generators) with appropriate action taken to maintain the safety integrity/systematic capability when the energy storage runs out.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.23.3  Detecting excessive radio frequency noise on power supplies
          SIL1 R | SIL2 R | SIL3 R | SIL4 HR

A.3.23.4  Redundant electromagnetically diverse power supplies
          Using redundant electromagnetically-diverse power supplies to continue safe operation by switching from a failed power supply to one that is still operating correctly (e.g. a backup/reserve power supply).
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.24    Monitoring of ventilation, cooling and heating
          To detect whether they have been influenced by electromagnetic disturbances.
          SIL1 R | SIL2 R | SIL3 HR | SIL4 HR

A.3.25    Careful use of wireless (radio) data communications
          Ensuring that wireless (radio) data communications will not cause an unsafe failure, and will not adversely impact other safety-related parts of the system.
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M


A.3.26    Good electromagnetic engineering practices used at every level of design
          To use accepted, good electromagnetic engineering practices at the time of system implementation in order to provide a first line of defense against electromagnetic disturbances.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.3.27    Design to comply with EMC test specifications from A.1.3 (and A.1.4 if appropriate)
          To help ensure that the safety-related system will comply with these EMC test specifications during verification and validation.
          SIL1 M | SIL2 M | SIL3 M | SIL4 M

A.3.28    De-rating of hardware components, where appropriate
          To increase the reliability of hardware components, particularly those used for the suppression of electromagnetic disturbances or protection against their effects.
          SIL1 R | SIL2 R | SIL3 R | SIL4 HR

A.3.29    Improve robustness of interrupts
          To help reduce the impact of CPU saturation and program execution lock-up due to EMI through interruptions.
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M

……        Other technique or measure used in operational design: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used in operational design: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used in operational design: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -


Techniques and measures in implementation, integration, installation and commissioning (Ref: A.4)

A.4.1     Providing information on any constraints and/or additional measures required for installation and commissioning
          To aid installation and commissioning in accordance with the relevant design requirements for electromagnetic resilience.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.4.2     Procure materials, components and products
          According to their design specifications for achieving electromagnetic resilience.
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M

A.4.3     Assemble/integrate according to the electromagnetic resilience design
          Using the correct materials, components and products according to their design specifications for achieving electromagnetic resilience.
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M

A.4.4     Install/commission according to the design for achieving electromagnetic resilience
          Also to help ensure that good electromagnetic engineering practices are employed (see A.3.25) as appropriate during installation and commissioning.
          Also to help ensure that the safety-related system will comply with the EMC test specifications from A.1.3 and (if appropriate) A.1.4 during verification and validation (see A.5.2).
          SIL1 HR | SIL2 HR | SIL3 M | SIL4 M

……        Other technique or measure used for implementation, integration, installation and commissioning: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used for implementation, integration, installation and commissioning: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used for implementation, integration, installation and commissioning: ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -


Techniques and measures in verification and validation (including testing) (Ref: A.5)

A.5.1     Applying verification and validation techniques and measures
          To verify and/or validate, as far as is practicable, that the design techniques and measures that have been applied function according to the relevant design specification (created by A.1). (Note that EMC testing is covered in A.5.2 and A.5.3.)
          SIL1 M | SIL2 M | SIL3 M | SIL4 M

A.5.2     Verification testing to the EMC test plan resulting from A.1.3 (and A.1.4 if appropriate)
          SIL1 M | SIL2 M | SIL3 M | SIL4 M

A.5.3     Using non-standardized ad hoc checks or tests
          To help ensure that the safety-related system or any component part of it has sufficient electromagnetic resilience, taking into account the final safety integrity level/systematic capability being aimed for.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 HR

A.5.4     Verifying correct installation and commissioning
          Having regard to the constraints and additional measures listed as the result of applying A.4.1 and A.4.2, and any others not listed in those subclauses.
          SIL1 HR | SIL2 HR | SIL3 HR | SIL4 M

A.5.5     EMC tests before and after accelerated life tests
          To help ensure that EM resilience is effective during and after accelerated life tests.
          SIL1 R | SIL2 HR | SIL3 M | SIL4 M

……        Other technique or measure used for verification and validation (including testing): ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used for verification and validation (including testing): ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -

……        Other technique or measure used for verification and validation (including testing): ………………………………
          SIL1 - | SIL2 - | SIL3 - | SIL4 -


1 Table 1 —Checklist of electromagnetic resilience techniques and measures (continued)

Overview of the electromagnetic resilience techniques and measures Importance (see 4.7) Ref’s in
How applied
this
for this Safety Function?
applied to the Safety Function: ………………………………………………. SIL1 SIL2 SIL3 SIL4 Standard Add all relevant document links,
comments, references, etc .

Techniques and measures in maintenance, refurbishment, repair, overhaul, modification, upgrade, etc., over the lifecycle    Ref: A.6

Assessment of changes in the electromagnetic environment
    And if necessary modify/upgrade as required so that availability is maintained at a high level (discussed in A.1.3).
    Importance: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 M    Ref: A.6.1    How applied:

Assessment of continuing correct installation
    Having regard to the constraints and additional measures listed as the result of applying A.4.1, and any others not listed in that subclause.
    Importance: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 M    Ref: A.6.2    How applied:

Maintaining electromagnetic resilience despite modifications or changes
    Assessing proposed changes to the safety-related system to help ensure that repairs, overhauls, modifications, upgrades, refurbishment, etc. do not unacceptably degrade its electromagnetic resilience.
    Importance: SIL1 HR | SIL2 HR | SIL3 M | SIL4 M    Ref: A.6.3    How applied:

Batch (lot) traceability
    To help ensure analysis of the root cause of the problem caused by EMI events and containment by identifying product at risk.
    Importance: SIL1 HR | SIL2 HR | SIL3 M | SIL4 M    Ref: A.6.4    How applied:

Component changes, new supplier, dual / alternate source
    To help preserve electromagnetic resilience design when replacing components due to changes in specifications or process, a reference change, a change of supplier, or obsolescence.
    Importance: SIL1 HR | SIL2 HR | SIL3 M | SIL4 M    Ref: A.6.5    How applied:

Other technique or measure used for maintenance, refurbishment, repair, modification, upgrade, etc., throughout the lifecycle:
    Importance: SIL1 - | SIL2 - | SIL3 - | SIL4 -    Ref:    How applied:

Other technique or measure used for maintenance, refurbishment, repair, modification, upgrade, etc., throughout the lifecycle:
    Importance: SIL1 - | SIL2 - | SIL3 - | SIL4 -    Ref:    How applied:

Other technique or measure used for maintenance, refurbishment, repair, modification, upgrade, etc., throughout the lifecycle:
    Importance: SIL1 - | SIL2 - | SIL3 - | SIL4 -    Ref:    How applied:


Techniques and measures in decommissioning    Ref: A.7

Decommissioning
    To help ensure – where appropriate – that decommissioning does not cause unacceptable functional safety risks due to the electromagnetic resilience of its safety-related system being degraded by the decommissioning process.
    Importance: SIL1 HR | SIL2 HR | SIL3 HR | SIL4 M    Ref: A.7    How applied:

Other technique or measure used for decommissioning:
    Importance: SIL1 - | SIL2 - | SIL3 - | SIL4 -    Ref:    How applied:

Other technique or measure used for decommissioning:
    Importance: SIL1 - | SIL2 - | SIL3 - | SIL4 -    Ref:    How applied:

Other technique or measure used for decommissioning:
    Importance: SIL1 - | SIL2 - | SIL3 - | SIL4 -    Ref:    How applied:

Techniques and measures in integrating third-party items into the safety function    Ref: A.8

The general iterative approach
    As shown in Figure 4 (see A.8.1).
    Ref: A.8.1    How applied:

Suppliers’ certifications and electromagnetic performance
    Suppliers’ markings, certifications and declarations (including CE marking with respect to the EMC Directive [B1]) should not be taken as reliable evidence of electromagnetic performance.
    Ref: A.8.2    How applied:

Alternatively, use custom-manufactured elements
    And make producing reliable evidence of electromagnetic performance part of the contract specification.
    Ref: A.8.3    How applied:

Other technique or measure used for integrating third-party items into a safety-related system:
    Ref:    How applied:

Other technique or measure used for integrating third-party items into a safety-related system:
    Ref:    How applied:

Other technique or measure used for integrating third-party items into a safety-related system:
    Ref:    How applied:


Annex A Detailed guidance on electromagnetic resilience techniques and measures (informative)

Note that in this Annex A, the numbering is identical to that in Clause 2 of IET 2017 [B8] except that the first character in the numbering in this Standard is the letter A (e.g. A.3.2) whereas in [B8] it is the number 2 (e.g. 2.3.2).

Because this Standard is a newer document than [B8], some of the contents of this Annex A have been slightly changed from those in Clause 2 of [B8] in order to clarify their meaning but without changing it. Also, some of the contents of this Annex A are additional to those in Clause 2 of [B8].

A.1 Electromagnetic resilience in project management, planning and specification

A.1.1 Techniques and measures for project management and planning

Aim: To help avoid failures in the management, planning, selection, design, implementation, commissioning, verification, and maintenance of measures for avoiding and controlling dangerous failures due to electromagnetic disturbances and EMI.

This applies to a whole safety-related system, and to separate parts of a safety-related system.

Description: The processes for the management, planning, selection, design, implementation, commissioning, modification, verification, and maintenance of each safety function should explicitly include electromagnetic resilience measures and should be documented.

A competent person should have the overall responsibility for managing the electromagnetic resilience of the system. Appropriate competency should be made available at all lifecycle stages.

Identification: By independent assessment of the design for conformance with this Standard; see Clause 8 of IEC 61508-1 for guidance on the appropriate level of independence.

Mitigation: By employing the techniques and measures described in this Standard (or equivalent techniques and measures justified in the safety documentation).

A.1.2 Techniques and measures for use when creating a design requirements specification

Aim: To help ensure that the design specification includes requirements for EMI, and that all reasonably foreseeable electromagnetic disturbances and their effects are taken into account in the specification of the system and its sub-systems and elements.

Description: Appropriate techniques and measures shall be defined and used to help ensure that the safety-related system can achieve the required SIL, and all of the sub-systems and elements incorporated within it can achieve their required systematic capabilities, despite any electromagnetic disturbances over the lifecycle.

Amongst other issues, the following shall be taken into account:

a) non-operation, when operation is required;
b) operation, when no operation is required; and
c) unintended or inaccurate operations.


The specification for electromagnetic resilience techniques and measures shall be (as far as is possible): complete; free from errors and contradictions; and easy to verify.

The requirements and design specifications shall be defined using a variety of semi-formal and formal modelling techniques, for example those listed in Annex B.15, including a preliminary hazards analysis as a semi-quantitative technique to be used in the initial design process, and Taguchi's ‘Design of Experiments’ (see [B753]¹) approach to help get a robust design and also to help test for robustness by quickly determining the worst cases where there are multiple orthogonal effects acting.

Whichever techniques are chosen, the potential effects of EMI on the hardware and software shall be taken into account. Typically, this might include consideration of the possibility of corruption of data and program memory content, corruption of data in transit on internal or external serial or parallel buses, and their consequent effects on the safe operation of the system.

Put more simply: EMI (including intentional EMI (IEMI)) may contribute towards the risk of a hazard, and its effects should therefore be eliminated, mitigated, or accommodated using appropriate techniques and measures, for example, as described in this Standard.

This activity should take fully into account the fact that electromagnetic disturbances and EMI can cause an effectively infinite variety of:

d) any/all kinds of noisy, degraded, distorted, false, delayed, re-prioritized, overvoltage, etc. controls/signals/data, both intermittently and continuously;
e) any/all kinds of under/over voltages, noises, dropouts and interruptions, lasting from less than one microsecond to many seconds, minutes, even permanent, in one or any number of AC or DC power supplies, both intermittently and continuously;
f) any/all kinds of waveform distortions, frequency perturbations in any number of AC power supplies, plus phase and voltage imbalances in multi-phase supplies;
g) one or more combinations of any of the above, occurring in any number of signal paths or power supplies, simultaneously or in any critical time relationship.

The design requirements specification should state the selection of electromagnetic resilience techniques and measures to be used for achieving adequate electromagnetic resilience for the intended system, sub-system or element to comply with its safety integrity level/systematic capability in its expected operational environment over its lifecycle.

References: See the list in Annex B.15.

A.1.3 Specifying EMC test standards to help ensure the availability of the EUC

Aim: To help ensure adequate availability of the equipment under control (EUC), and of its safety-related systems, throughout its lifecycle, so that safety-related systems continue to provide safe operation, taking into account availability, throughput rate, production rate, or other financial or mission-critical requirements.

Description:
a) To help ensure that both intentional and unintentional electromagnetic emissions, over the lifecycle, do not exceed levels that are likely to affect other equipment.
b) To help ensure that the reasonably foreseeable normal operational electromagnetic environment does not cause sufficient EMI to activate any safe failure modes, ensuring adequate availability of the EUC over the lifecycle.

¹ For the corresponding reference number in IET 2017 [B8], see Annex G.


Emissions and immunity tests are selected from the IEC (including CISPR) series of EMC emissions and immunity test methods considered appropriate for both the intended application and the expected electromagnetic environment(s) over the lifecycle (see Annex B.5). The assessment of the expected electromagnetic environment should include both inter-system and intra-system electromagnetic energy coupling paths.

However, other types of EMC tests might be more appropriate than IEC or CISPR, especially for automotive, rail, aerospace, military, etc., applications and environments for which specific EMC test standards have been developed (see Annexes B.6–B.12).

To correspond to the predicted electromagnetic environment and the application, the test standards might need to be modified; for example, an emissions limit might need to be reduced over a certain frequency range because of the close proximity of certain sensitive equipment, or might need to be extended by some GHz to help protect certain wireless communications.

Example 1: A safety-related system in an industrial plant located near to an airport or harbor might apply IEC 61000-6-4 and IEC 61000-6-2 (the generic standards for emissions and immunity for the heavy industrial environment). It might also need to be tested for immunity to the various radars it will be exposed to by applying tests using the IEC 61000-4-3 method modified to simulate the nearby radar levels, frequencies, modulations, pulse repetition rates, etc.

Example 2: Most safety-related systems will be exposed to close-proximity transmitting portable electronic devices (T-PEDs), radio-frequency identification (RFID) readers, and/or machine-to-machine (M2M) transmitters, and wireless-data-enabled laptops, tablets, PDAs, e-book readers and the like. Consequently, their immunity should be tested accordingly, probably requiring the application of test standards such as [B239]² and/or [B315]², in addition to the other EMC immunity tests that have been selected.

Example 3: Proximity to high-power electrical installations might expose safety-related systems to large magnetic fields, high-amplitude conducted noise at frequencies from DC to at least 10 kHz, and/or high energy radiated and conducted transients requiring appropriate testing in addition to the other EMC immunity tests that have been selected.

Also, an immunity level might need to be increased over a certain frequency range, or extended to higher frequencies, because of the close proximity of certain ‘noisy’ equipment (for example, radio-frequency materials processing equipment operating with high RF power in an ISM band, or a radio-communications transmitter).

It might also be useful to modify standard testing to help confirm that specific aspects of the equipment’s performance are adequately tested, for example, by extending test frequencies to help confirm that the performance of the system clock is adequately tested. The tables of recommended tests in IEC 61000-1-2 and IEC 61000-6-7 [B3]² can assist with identifying far-field immunity tests. Near-field immunity testing (for an example, see [B315]²) can also be appropriate for situations where portable radio transmitters (such as mobile phones, cellphones, Wi-Fi, Bluetooth, etc.) could be in very close proximity to the equipment.

Immunity levels might also need to be increased to account for test measurement uncertainty. Testing at the specified limit only gives 50 % confidence that the required immunity level has actually been applied, because the level actually applied is equally likely to be above or below the required limit. Safety standards such as IEC 61508 do not mandate a particular confidence level for electromagnetic measures, but for EMC tests a confidence level of at least 95 % is recommended. Further guidance is available in the UKAS document LAB 34 “The expression of measurement uncertainty in EMC testing” [B13]².
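An added worked example (not from the draft standard or from LAB 34) of the measurement-uncertainty point above, in Python: it assumes the test laboratory quotes its expanded uncertainty U at coverage factor k = 2 and that the error of the applied field is normally distributed on a dB scale, so the standard uncertainty is u = U/2 and a one-sided 95 % confidence margin is about 1.645·u. The required immunity level of 10 V/m and U = 3 dB are constructed values; the function names are this example's own.

```python
import math
from statistics import NormalDist

# Constructed example values (assumptions, not figures from the draft standard):
REQUIRED_LEVEL_V_PER_M = 10.0   # immunity level the design requirements specification calls for
LAB_EXPANDED_U_DB = 3.0         # laboratory's expanded uncertainty U of the applied field
COVERAGE_FACTOR_K = 2.0         # coverage factor at which the laboratory quotes U


def to_db(v_per_m: float) -> float:
    """Field strength in V/m expressed in dB(V/m); uncertainty budgets add on this scale."""
    return 20.0 * math.log10(v_per_m)


def from_db(db_v_per_m: float) -> float:
    """Inverse of to_db."""
    return 10.0 ** (db_v_per_m / 20.0)


def standard_uncertainty_db(expanded_u_db: float, k: float = COVERAGE_FACTOR_K) -> float:
    """Standard uncertainty u = U / k (assumes U was quoted at coverage factor k)."""
    return expanded_u_db / k


def confidence_level_applied(nominal_v_per_m: float, required_v_per_m: float, u_db: float) -> float:
    """Probability that the field actually applied to the EUT was at least the required level.

    Assumes the error of the applied level is normally distributed with standard deviation
    u_db (in dB). Setting the nominal level equal to the required level gives exactly 0.5,
    which is the 50 % figure the text above refers to.
    """
    if u_db <= 0:
        raise ValueError("standard uncertainty must be positive")
    z = (to_db(nominal_v_per_m) - to_db(required_v_per_m)) / u_db
    return NormalDist().cdf(z)


def nominal_level_for_confidence(required_v_per_m: float, u_db: float,
                                 confidence: float = 0.95) -> float:
    """Nominal test level (V/m) to set so that the required level was applied with the given
    one-sided confidence: required + z(confidence) * u, evaluated in dB then converted back."""
    z = NormalDist().inv_cdf(confidence)          # ~1.645 for 95 %
    return from_db(to_db(required_v_per_m) + z * u_db)


def plan_check(nominal_v_per_m: float, required_v_per_m: float, expanded_u_db: float,
               min_confidence: float = 0.95) -> tuple:
    """Checks one immunity-test entry of an EMC test plan against the recommended confidence.

    Returns (confidence_achieved, meets_recommendation).
    """
    u = standard_uncertainty_db(expanded_u_db)
    c = confidence_level_applied(nominal_v_per_m, required_v_per_m, u)
    return c, c >= min_confidence


if __name__ == "__main__":
    u = standard_uncertainty_db(LAB_EXPANDED_U_DB)
    at_limit = confidence_level_applied(REQUIRED_LEVEL_V_PER_M, REQUIRED_LEVEL_V_PER_M, u)
    needed = nominal_level_for_confidence(REQUIRED_LEVEL_V_PER_M, u)
    print(f"u = {u:.2f} dB; testing at {REQUIRED_LEVEL_V_PER_M} V/m gives {at_limit:.0%} confidence")
    print(f"set the nominal level to {needed:.2f} V/m for 95 % confidence")
```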

² For the corresponding reference number in IET 2017 [B8], see Annex G.


Where a customer’s contractual EMC test is equivalent to a selected test, or exceeds its requirements, it should replace that selected test.

See Clause 4 and [B12]³, [B15]³ and [B14]³ for discussions of the fact that no practicable immunity testing plan can, on its own, demonstrate sufficient confidence that electromagnetic disturbances will not cause unacceptable degradation of functional safety over the lifecycle.

Other appropriate techniques and measures, for example, those described in this Standard, are also needed to help achieve functional safety as regards electromagnetic disturbances.

Identification: A test plan shall be devised by persons competent in applying the selected EMC tests, and verification and validation testing carried out according to this plan.

Verification tests (see A.5) should be applied to all relevant elements of the safety-related system, ideally by their manufacturers, during the integration phase.

Validation tests (see A.5) should preferably be applied to the complete safety-related system, functioning in its final configuration in its intended application and environment.

Where this is not practicable the standard tests should be applied at the highest practicable level of assembly of the safety-related system or sub-systems and the likely limitations and consequences of the partial testing documented. In addition, in-situ EMC testing should be carried out where practicable, for example, by using the methodology described in [B602]³.

The immunity tests should show that the system elements or the safety-related system itself are unaffected at the applied test levels (i.e. their good electromagnetic design, plus filtering, shielding, etc. offers adequate protection against the electromagnetic disturbances).

The point of complying with immunity test standards is to maintain the required availability of the EUC and its safety-related systems. To that end, element functions intended for use in system-safety functions should not fail during these tests – unless they fail to a DS and this situation is adequately addressed in the safety documentation.

For the same reason, safety functions themselves should not be triggered during these tests – unless this is adequately addressed in the safety documentation.

Safety functions should never be inhibited from operating as a result of these tests, which might require the use of certain techniques and measures such as those described in this Standard.

The results of the testing according to the plan should be documented and assessed against the relevant design requirements specification. Unexpected or anomalous behavior should be investigated, the underlying causes corrected, and the work involved documented.

The tests should be carried out in a manner that provides sufficient confidence that compliance with them will be maintained over the complete lifecycle.

Example: Some manufacturers take equipment that complies with its specified EMC emissions and immunity test standards, artificially age it using well-established acceleration techniques, then retest the aged units to check that they still comply with those EMC test standards.

Mitigation: By competently modifying the design using good electromagnetic engineering practices (see A.3.26) until the test requirements are met in a way that indicates their maintenance over the lifecycle.

³ For the corresponding reference number in IET 2017 [B8], see Annex G.


Note 1: Compliance with EMC Regulations applicable in the country of application is generally a starting point for this specification exercise, but is almost never sufficient, because complying with the conventional test standards alone is insufficient for electromagnetic resilience (see Clause 1 and [B12]⁴, [B15]⁴ and [B14]⁴).

Note 2: Manufacturers are not necessarily precluded from doing these tests themselves, nor are they constrained to using certain types of third-party test laboratories.

The degree of accuracy, confidence, test accreditation and independence required for these tests is – like most functional safety issues – generally dependent on the safety integrity level/systematic capability.

References: Annex B.14 includes some references on assessing electromagnetic environments, and some relevant standards from different industries and application areas.

A.1.4 Protecting against high impact, unusual and malicious EMI

Aim: To help achieve functional safety where the occurrence of high impact, unusual and malicious electromagnetic disturbances could reasonably be foreseen and cause temporary disturbance and/or permanent damage to hardware (electronic components, interconnections, etc.).

Description: Examples of unusual EMI include: very near proximity lightning stroke, unusual electrostatic discharge (ESD) events and transients, such as corona due to a nearby power fault or high-voltage switching event. Examples of malicious EMI include HEMP, IEMI and jamming of wireless channels (see [B26]⁴, [B658]⁴, [B659]⁴, [B660]⁴ and [B661]⁴).

Identification: By specifying appropriate environments, selecting appropriate electromagnetic mitigation and resilience techniques and measures and performing appropriate tests, using (for example) the relevant documents and standards listed in Annex B.

A test plan shall be devised by persons competent in applying the selected EMC tests, and verification and validation testing carried out according to this plan. Verification tests (see A.5) shall be applied to all elements of the safety-related system, ideally by their manufacturers, during the integration phase. Validation tests (see A.5) should preferably be applied to the complete safety-related system, in its final configuration in its intended application, running a typical application program. Where this is not practicable the standard tests should be applied at the highest practicable level of assembly of the safety-related system or sub-systems and the likely limitations and consequences of the partial testing documented. Some of these tests might require in-situ testing with electromagnetic disturbances.

Mitigation: Where it is considered necessary to cope with the occurrence of one or more such high-impact electromagnetic disturbances over the lifecycle, appropriate mitigation should be applied, for example, as described in documents listed in Annexes B.2 or B.3, to pass the relevant tests.

Alternatively, appropriate techniques and measures could be applied to detect inhibition or false operation of the safety function and cause it to default to a redundant or backup safety-related system. To aid fault attribution and diagnostics the fault detection should be correlated to independent EMI event detection and monitoring (see A.2.9).

The redundant or backup safety-related system could be normally completely disengaged from all power and signals, so that it is more likely to survive these powerful electromagnetic events and minimize common-cause failures.

⁴ For the corresponding reference number in IET 2017 [B8], see Annex G.


A redundant or backup safety-related system that uses low-technology electronics (i.e. does not use programmable electronics) is more likely to survive such powerful electromagnetic events, with a non-electrical backup system likely to be the most rugged. A ‘non-electrical backup system’ is one based on mechanical, hydraulic and/or pneumatic technologies alone (i.e. with no electrical or electronic control).

Note: The military and defense sectors have their own sets of standards for these high-power electromagnetic disturbances. See the relevant references in Annex B for examples.

A.2 Electromagnetic resilience techniques and measures for use in system design

This subclause describes various techniques and measures to help prevent electromagnetic disturbances from degrading the safety integrity of the safety-related system.

During the operation of a system, EMI might cause hardware malfunction in the form of corruption of data in memories, and corruption of signals on data, address and control bus lines and interfaces. This in turn can cause software, and hence the system, to malfunction, possibly presenting a system safety hazard. Techniques and measures should be applied accordingly, bearing in mind all the possible susceptibilities of the system to the variety of electromagnetic disturbances described in A.1.

Some suitable techniques and measures are described in A.3–A.8, or alternatives can be used if technical justifications are provided in the safety documentation.

Note: Where a technique or measure in this subclause applies to a technology that is not relevant to the equipment or system concerned, and its importance is shown in Clause 5 as M or HR, a justification for why that technique or measure was not applied should be included in the safety documentation (see 4.8).

A.2.1 Separating safety-related system parts from non-safety-related parts

Aim: To separate the safety-related parts of a system from non-safety-related parts, such that the electromagnetic disturbances created by the non-safety-related parts, or the consequences of EMI occurring in the non-safety-related parts, do not affect the safety-related parts.

Description: In the specification, it should be decided whether a complete or partial separation of the safety-related systems and non-safety-related systems is possible.

Identification: Clear specifications should be written for the interfacing of the two parts.

Possible remaining routes for interference that could create coupling between the safety-related part and the non-safety-related parts should be identified and documented, such that appropriate techniques and measures can be implemented to address them.

Mitigation: By applying the above specifications throughout all project stages, plus verifying and validating that the specifications have been correctly applied at all project stages and at the end.

Reference: [B113]⁵

Note: This technique concerns the physical separation of hardware and the connections made between hardware elements (i.e. their communication, power and physical interfaces).

⁵ For the corresponding reference number in IET 2017 [B8], see Annex G.


A.2.2 Recording how the design requirements are implemented through design choices

Aim: To produce a stable design of the safety-related system, and any part of it, in conformance with its design specification (see A.1).

Description: This is where the design choices, mitigation strategies, techniques and their justifications for the electromagnetic resilience techniques, and the measures used to comply with the design specification, are documented.

These will typically include EMI filtering, separation, segregation, grounding and shielding, sufficient at least to meet normal requirements for electromagnetic immunity, together with a selection of techniques and measures such as those described in this Standard according to their importance for the required safety integrity level/systematic capability. See also A.3.26.

Identification: The checklists in Clause 5 provide a non-exhaustive selection of techniques and measures that are likely to be applicable during the design process and for the practical implementation. Additional techniques can be used if justified in the safety documentation.

Mitigation: The safety documentation shall include a list of all the applicable techniques and measures. This should record the justification for not implementing any that are rated HR importance (see 3.7). The safety documentation should show that the electromagnetic resilience requirements described in the design requirements specification relating to the required safety integrity level/systematic capability are fulfilled.

Note 1: It is generally impractical to demonstrate/verify/validate that a set of electromagnetic mitigation techniques and measures alone is sufficient for any particular safety integrity level/systematic capability.

Note 2: The degree of competence, amount of detail, amount of work, and amount of documentation involved in the above shall be commensurate with the safety integrity level/systematic capability.

A.2.3 Co-design electromagnetically diverse hardware/software in redundant channels

Aim: To detect and/or correct systematic failures using multiple electromagnetically diverse hardware channels and/or software components, to reduce the likelihood that the common-cause characteristics of electromagnetic disturbances will cause an incorrect output to be created.

Description: Electromagnetically diverse hardware and software designs have different modes and rates of failure due to electromagnetic disturbances.

Appropriate parts of IEC 61508 describe hardware and software diversity as being different types of techniques and measures. However, these days some traditional hardware diversity techniques and measures may be more effectively accomplished in software, and some traditional software diversity techniques and measures may now be more effectively accomplished in hardware (for example, by using field-programmable gate arrays (FPGAs)) – so co-design is required.

Hardware and software designers should work together (i.e. co-design) to achieve the required overall diversity in the most effective way in order to meet the requirements of the design requirements specification and its required safety integrity levels and/or systematic capabilities.


Identification / Mitigation for diverse hardware:

Where a safety-related system uses redundant hardware ‘channels’ with comparison or voting on their outputs to detect and/or correct errors or faults, these channels should be electromagnetically diverse.

This helps reduce the probability of systematic common cause errors or failures when the safety-related system experiences electromagnetic disturbances, and helps to increase the probability of detecting such errors and failures, surviving them and maintaining availability.

Methods for achieving electromagnetically diverse hardware channels include (but are not limited to):

a) Different physical principles, such as sensing different but related physical parameters, for example, the temperature and pressure of a sealed vessel; using resistances and thermocouple voltages to measure temperature; etc.
b) Different digital architectures, such as using processors and FPGAs with different internal structures.
c) Algorithms that use different techniques to solve the same problem or calculate the same results.
d) Different methods of physical realization, such as using shielded cables, wireless or fiber-optics for communications.
e) Spatial separation, so that an electromagnetic disturbance or ionizing radiation track is likely to only affect one of the redundant channels.
f) Locating each item of equipment in a different electromagnetic environment.
g) Routing cables such that each cable runs through a different electromagnetic environment.
h) Different circuit design principles, such as operating on a signal, the value of which is represented as either a voltage; current; frequency; mark-space ratio; digital code, etc.
i) Functional diversity, i.e. the use of different approaches to achieve the same result, such as analogue, digital or optical electronic technologies.
j) Mechanical, hydraulic and pneumatic technologies have the advantage of being immune to all EMI and can be used to great benefit in some situations.
k) Inversion of data or signals.
l) Where different channels are synchronized to the same clock, operating them out of step with each other. Ideally, operating redundant channels non-synchronously.
m) Where different communication channels, sensors, etc., use specific narrowband frequencies, ensure that each of them uses frequencies that are not harmonically related to the others. Examples include linear variable displacement transducers (LVDTs), strain gauges and other bridge measurements run on AC, Doppler sensors for velocity, metal detectors, solid-state gyroscopes, and any sensor, transducer or other type of circuit that uses phase-sensitive detection, phase-locked loops, or very narrow band-pass filters.
n) Provide different channels with power from different, independent sources.

36 An example of using diversity in a multi-channel control system:

37 Two redundant, identical electronic sensors are mounted on the same printed circuit board, or in
38 the same integrated circuit (IC), and sense the same physical parameter (for example, the position,
39 velocity, temperature, gas concentration, etc.). A comparator checks whether their outputs agree,
40 and switches the EUC into a safe state when they do not.

41 Because the sensors are so close together, they share the same electromagnetic environment,
42 which means that they experience the same electromagnetic disturbances at the same time.


A common effect of electromagnetic disturbances on electronic sensors is to cause a positive or negative 'zero shift'; when this occurs, both of these sensors will give false high or low measurements at the same time.

If large enough, electromagnetic disturbances can cause zero shifts in many types of sensors of as much as full scale deflection (FSD), but the comparator will be unable to detect any false high or low measurements, even up to ±FSD, because both sensors have the same (false) output at the same time. The EUC would not be switched into a safe state, even if the errors in the sensor signals resulted in unsafe operation (if, for example, the position was too far or not far enough; the velocity, temperature or gas concentration was too high or too low; etc.).

However, introducing electromagnetic diversity by connecting one of the sensors so that it produces signals that are inverted with respect to the other, and restoring the correct polarity at its input to the comparator, makes it highly probable that the sensors' zero shifts due to the electromagnetic disturbances would be detected by the comparator: the same additive offset now moves the two polarity-restored readings in opposite directions, so they no longer agree.

There are many other ways of introducing electromagnetic diversity to this simple example.
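The comparator behavior described above, as an added numerical illustration that is not part of the draft: a common-mode zero shift applied to two identical sensors is invisible to the comparator, while the same shift applied to an inverted channel is exposed once its polarity is restored. The sensor model, the 0 to 100 % full-scale range and the 2 % agreement tolerance are constructed assumptions.

```python
"""Added example (not from the draft): why inverting one sensor channel
exposes a common-mode, EMI-induced zero shift to a two-channel comparator.
Units are percent of full-scale deflection; all numbers are constructed."""

FSD = 100.0          # assumed full-scale deflection of both sensors, in %
AGREE_TOL = 2.0      # assumed comparator tolerance before it declares a mismatch


def sensor(true_value: float, zero_shift: float, inverted: bool = False) -> float:
    """One sensor's electrical output.

    An EMI-induced zero shift is modelled as the same additive offset on
    whatever the sensor is actually outputting. An inverted channel outputs
    FSD - value, so after polarity is restored at the comparator the same
    physical offset moves its reading the opposite way to the direct channel.
    """
    raw = (FSD - true_value) if inverted else true_value
    return raw + zero_shift


def comparator(ch_a: float, ch_b: float) -> bool:
    """True when the two restored readings agree (EUC keeps running);
    False when they differ by more than AGREE_TOL (EUC goes to safe state)."""
    return abs(ch_a - ch_b) <= AGREE_TOL


def identical_channels_agree(true_value: float, zero_shift: float) -> bool:
    """Two identical sensors sharing the same electromagnetic environment."""
    a = sensor(true_value, zero_shift)
    b = sensor(true_value, zero_shift)
    return comparator(a, b)


def diverse_channels_agree(true_value: float, zero_shift: float) -> bool:
    """Same two sensors, but channel B is wired inverted and its polarity is
    restored at the comparator input (method k, inversion of signals)."""
    a = sensor(true_value, zero_shift)
    b = FSD - sensor(true_value, zero_shift, inverted=True)
    return comparator(a, b)


def reading_error(true_value: float, zero_shift: float) -> float:
    """How far the direct channel's reading is from the truth, in % FSD."""
    return sensor(true_value, zero_shift) - true_value


if __name__ == "__main__":
    for shift in (0.0, 5.0, 30.0, FSD):
        print(f"zero shift {shift:5.1f}%: identical agree={identical_channels_agree(40.0, shift)}, "
              f"diverse agree={diverse_channels_agree(40.0, shift)}, "
              f"reading error={reading_error(40.0, shift):+.1f}%")
```

With identical channels the comparator passes a 30 % error as agreement; with the inverted channel the two restored readings separate by twice the shift and the comparator trips. A shift smaller than half the tolerance still passes undetected, so the tolerance has to be chosen from the error the application can accept, not from the sensors' nominal noise.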

Identification / Mitigation for Diverse software:

The first option for electromagnetic diversity of software is to use two or more independent software components to implement the same safety function, where each component is designed and coded separately and uses different partitions of memory for its data (and may use different algorithms where this is feasible). To avoid common conceptual errors it is reasonable to have the diverse software developed by different people.

Differences in the outputs of these components are detected by the software itself or by means of comparison or voting logic, as for hardware redundancy.

The rationale for the use of electromagnetically diverse software components is that a memory corruption or incorrect instruction execution caused by EMI might not affect both (all) of the diverse software components. If it does, then the effects of the EMI will, in general, be different, allowing the comparison or voting logic to detect the error.

The second option for electromagnetically diverse software is to use an electromagnetically diverse monitor: a software component that checks the expected output of the main software against the actual output, to help ensure safe (but not necessarily correct) behavior.

The electromagnetically diverse monitor continually checks the output of the main software and prevents the system entering an unsafe state, either by means of a separate output or by bringing the main software back to a correct state.

An electromagnetically diverse monitor should be simpler than achieving electromagnetically diverse main software. If not, it is equivalent to a redundant implementation.

It might be helpful to implement the electromagnetically diverse monitor on a separate computer to reduce the likelihood of the main software and the diverse software monitor being affected in the same way by the same EMI event.

If a separate computer is not used then the electromagnetically diverse monitor needs to be capable of operating (and in particular, capable of recovering from EMI-induced errors) independently of the main software, for example, in a different process or task using separate memory areas.


Electromagnetically diverse software of both kinds can be combined with electromagnetically diverse hardware (using different input channels and/or processors) to further reduce the likelihood of common cause errors due to EMI.

Extending the method to three or more channels requires a voting function that is sufficiently reliable and adequately electromagnetically resilient at the required level of safety. This voter needs to have a reliability (despite EMI) corresponding to the improvement in confidence that is the purpose of using the multiple channels. Various techniques can be used to do this, for example, dynamic self-testing as described in A.3.21.

Where such voting is used it can be assumed, given sufficient confidence in the electromagnetically diverse behavior of the channels, that channels that meet the requirements of the voting function are operating correctly. While the voting result is positive the system can maintain the correct operation of the EUC without any need to fail to a safe state.

In the absence of a safe state, the use of a sufficient number of redundant electromagnetically diverse technology channels with a voting function is one of the most important methods for maintaining safety integrity.
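A voting arrangement of the kind described above, as an added example that is not the draft's own code: three separately coded implementations of one overpressure trip, each working on its own copy of the input in a different data representation, a 2oo3 majority voter, and the behavior of Note 2 below (tolerate a transient disagreement, demand the safe state only if it persists). The 12-bit ADC scaling, the 800 kPa trip point and the three-cycle grace period are constructed assumptions; the memory corruption is simulated by flipping one bit in one channel's private copy of the sample.

```python
"""Added example (not from the draft): three electromagnetically diverse
software channels for one safety function, a 2oo3 voter, and a voter that
tolerates a transient disagreement but trips to the safe state if it persists.
All numbers are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ADC_MAX = 4095       # assumed 12-bit ADC, 0..4095 counts spanning 0..1000 kPa
TRIP_KPA = 800       # assumed trip point
TRIP_COUNTS = 3276   # TRIP_KPA expressed in ADC counts (800/1000 * 4095)


# Three separately coded implementations of "is the vessel over pressure?".
# Each uses a different data representation, so a corrupted bit or a
# mis-executed instruction is unlikely to produce the same wrong answer in all.

def channel_a(sample: int) -> bool:
    """Integer arithmetic, converts to kPa first."""
    return (sample * 1000) // ADC_MAX >= TRIP_KPA


def channel_b(sample: int) -> bool:
    """Floating point, works in bar."""
    return (sample / ADC_MAX) * 10.0 >= TRIP_KPA / 100.0


def channel_c(sample: int) -> bool:
    """Works on the one's complement of the sample (inverted data, method k)."""
    return (sample ^ ADC_MAX) <= ADC_MAX - TRIP_COUNTS


CHANNELS = (channel_a, channel_b, channel_c)


@dataclass
class Voter:
    """2oo3 majority vote with the Note 2 behaviour: a disagreement is
    tolerated for up to `grace_cycles` consecutive cycles, then the safety
    function demands the safe state instead of trusting the majority."""
    grace_cycles: int = 3
    disagree_run: int = 0
    log: List[Tuple[int, Tuple[bool, ...], List[int]]] = field(default_factory=list)

    def vote(self, cycle: int, outputs: Tuple[bool, ...]) -> str:
        decision = "trip" if sum(outputs) >= 2 else "run"
        if len(set(outputs)) == 1:
            self.disagree_run = 0          # channels agree again
            return decision
        self.disagree_run += 1
        dissenting = [i for i, o in enumerate(outputs) if o != (decision == "trip")]
        self.log.append((cycle, outputs, dissenting))   # feed to the EDR (A.2.5)
        if self.disagree_run > self.grace_cycles:
            return "safe_state"
        return decision


def run(samples: List[int], corrupt: Optional[Tuple[int, int, int, int]] = None):
    """Execute the safety function over a series of ADC samples.

    corrupt = (channel_index, first_cycle, last_cycle, bit): during those
    cycles the named channel's private copy of the sample has one bit
    flipped, simulating EMI corruption of that channel's memory partition.
    Returns (decisions per cycle, voter log).
    """
    voter = Voter()
    decisions = []
    for cycle, sample in enumerate(samples):
        partitions = [sample, sample, sample]      # one copy per channel
        if corrupt and corrupt[1] <= cycle <= corrupt[2]:
            partitions[corrupt[0]] ^= 1 << corrupt[3]
        outputs = tuple(fn(p) for fn, p in zip(CHANNELS, partitions))
        decisions.append(voter.vote(cycle, outputs))
    return decisions, voter.log


if __name__ == "__main__":
    high = [3500] * 8                            # about 855 kPa: all channels should trip
    print(run(high)[0])
    print(run(high, corrupt=(1, 2, 2, 11))[0])   # transient corruption of channel B
    print(run(high, corrupt=(1, 2, 7, 11))[0])   # persistent corruption of channel B
```

The three implementations still share one sensor sample, so a disturbance on the sensor line is a common cause that this arrangement cannot see; that is what the hardware diversity above addresses, and why the clause recommends combining the two.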

Note 1: Bear in mind that functionally equivalent items of hardware from the same or alternative suppliers might not behave sufficiently differently when subjected to the same electromagnetic disturbances. Their internal hardware and/or software design might not be sufficiently electromagnetically diverse.

Note 2: It might be possible to suspend the operation of the safety function for a period of time until the channels agree once more, without degrading the safety integrity.

This helps to maintain availability by reducing the number of times the system fails to a safe state as the result of temporary or transient EMI, and so reduces the possibility that users will modify the system to compromise the correct operation of the safety function (an example of foreseeable misuse).

Note 3: EMI might cause software instructions or data to change, due to corruption of the address and/or data bus.

References: Methods of partitioning software on the same computer: [B110], [B111], [B112], [B141], Annex F of [B103]; and [B108], [B113], [B114], [B133], [B139], [B145]. Common cause failures: [B703]. (For the corresponding reference numbers in IET 2017 [B8], see Annex G; this applies to the [Bnnn] references throughout this annex.)

A.2.4 System integration, installation and commissioning

Aim: To help ensure that electromagnetic resilience is correctly considered when parts of the system that have been separately tested are brought together to form the complete functional system.

Description: Most systems are constructed from a variety of functional modules and multiple commercially sourced products.

Each part needs to be designed and verified as being resilient to EMI; however, further attention is needed when the individual parts of the system are housed and connected, including the shared power supplies and system interconnections that can create additional opportunities for EMI to occur or for its effects to be propagated within the system.


Typical system-level EMI issues might occur through, for example, the inappropriate selection of cable types; cable segregation issues (such as crosstalk); unsuitable earthing/grounding structures; common cause failures due to EMI, etc.

The approach taken to avoid an increase in system-wide EMI vulnerability due to system integration (physical, electrical and functional) should be documented in the safety documentation.

Identification: By independent assessment of the design and realization of the integration against relevant good electromagnetic engineering practices for systems and installations (see A.3.26).

Clause 8 of IEC 61508-1, especially its Tables 4 and 5, provides guidance on the independence required for the assessment according to the safety integrity level/systematic capability.

The use of event data recorders within the system might help to pinpoint the likely causes of malfunction (see A.2.5), and data communication error counts might provide an indication that EMI is influencing communications networks or systems.

Mitigation: By modification of the relevant design.

A.2.5 Fault detection and event data recording for later diagnosis

Aim: To increase the probability of localizing malfunctions caused by electromagnetic disturbances.

Description: Unless physical damage is caused by EMI, there is usually no evidence that it has occurred, other than a transient malfunction of the system, which might not even be noticed at the time.

Physical damage caused by EMI is also likely to be misdiagnosed unless EMI detection is used to correlate events.

An event data recorder (EDR) can be used to establish evidence that a malfunction, which could have been caused by EMI, has occurred.

Whenever an anomaly is detected (such as an out-of-range data value, checksum failure, sequencing error, etc.) relevant data can be recorded. For example, electromagnetically diverse software might reveal implementation errors via the discrepancy of results during operation, so all such discrepancies shall be timestamped and logged in an EDR when one is required.

This data can then be analyzed statistically in real time or at some later time to detect and diagnose trends due to sporadic failures and to propose remedial action.

Data captured by an EDR can only reflect the events and malfunctions it has been designed and programmed to detect and record. Consequently, to be practically useful, an EDR needs to store information for the sort of event types adequate for diagnosing the system behavior retrospectively.

To aid fault attribution and diagnostics, the fault detection should be time-correlated to independent EMI event detection (see A.2.9).

Identification: A routine can be called each time a malfunction is detected and should usually record, at the very least, the data itself and a time stamp code.

It is necessary for the resolution of the data recorded and its sample rate to be adequate for meaningful subsequent analysis.


Depending on the type of event recorder used and its mode of operation, pre-event data settings might also be important.

Depending on the size of the system and the safety integrity level/systematic capability, the EDR might be physically separate (and able to be 'arrested' by the relevant safety authorities), for example, for a train or plane.

Mitigation: Analysis and diagnosis of the data can be used to look for correlated events and trends.

Future designs, or modifications to the existing design, should take the resulting information into account to keep pace with the worsening of the electromagnetic environment, and also to improve the risk-reduction achieved when using electromagnetic resilience techniques and measures.

Note 1: Also see the anti-tampering techniques and measures in A.2.10.

Note 2: Consideration should also be given to increasing the electromagnetic immunity and/or electromagnetic resilience of the EDR, for example, by using techniques detailed in this Standard, to ensure that an electromagnetic event that affects the safety-related system does not also affect the data stored in the EDR.
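An event data recorder of the kind A.2.5 describes, as an added example that is not the draft's code: each detected anomaly (an out-of-range value, or a discrepancy between two diverse channels) is stored with a timestamp and a snapshot of the samples that preceded it, and the records are afterwards time-correlated with the windows reported by an independent EMI detector (A.2.9). The two-channel input stream, the range limits, the clock tolerance and the detector windows are constructed.

```python
"""Added example (not from the draft): an event data recorder (EDR) that
timestamps anomalies with pre-event context, and a correlation step that
attributes them to windows reported by an independent EMI detector.
The input stream and the detector windows are constructed."""

from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

RANGE = (0, 4095)          # assumed valid sensor range (12-bit ADC counts)
DISCREPANCY = 50           # assumed max allowed gap between the two diverse channels


@dataclass(frozen=True)
class EdrRecord:
    t_ms: int
    kind: str                                     # "range" or "discrepancy"
    detail: str
    pre_event: Tuple[Tuple[int, int, int], ...]   # last samples before the anomaly


class EventDataRecorder:
    """Keeps a short pre-event ring buffer and an append-only anomaly list."""

    def __init__(self, pre_event_depth: int = 3):
        self._pre = deque(maxlen=pre_event_depth)
        self.records: List[EdrRecord] = []

    def sample(self, t_ms: int, a: int, b: int) -> None:
        """Called every cycle with both channel readings; runs the checks."""
        in_range = True
        for name, v in (("A", a), ("B", b)):
            if not RANGE[0] <= v <= RANGE[1]:
                in_range = False
                self._anomaly(t_ms, "range", f"channel {name} read {v}")
        # A range violation already explains any disagreement, so only check
        # the channels against each other when both readings are plausible.
        if in_range and abs(a - b) > DISCREPANCY:
            self._anomaly(t_ms, "discrepancy", f"A={a} B={b}")
        self._pre.append((t_ms, a, b))

    def _anomaly(self, t_ms: int, kind: str, detail: str) -> None:
        self.records.append(EdrRecord(t_ms, kind, detail, tuple(self._pre)))


def correlate(records, emi_windows, clock_tolerance_ms: int = 5):
    """Pair each EDR record with the first EMI-detector window that contains
    its timestamp (widened by the tolerance between the two clocks); None
    means the anomaly has no independently detected EMI cause."""
    paired = []
    for r in records:
        hit: Optional[Tuple[int, int]] = None
        for start, end in emi_windows:
            if start - clock_tolerance_ms <= r.t_ms <= end + clock_tolerance_ms:
                hit = (start, end)
                break
        paired.append((r, hit))
    return paired


# Constructed input: (t_ms, channel A, channel B). Both channels track each
# other until 30 ms, when a burst pushes A off scale; at 60 ms the channels
# diverge; at 90 ms channel B drifts with no disturbance reported.
STREAM = [
    (0, 2000, 2004), (10, 2010, 2008), (20, 2020, 2022),
    (30, 4500, 2031),      # A out of range during a detected burst
    (40, 2040, 2042), (50, 2050, 2049),
    (60, 2060, 1900),      # discrepancy during a second detected burst
    (70, 2070, 2068), (80, 2080, 2081),
    (90, 2090, 2200),      # discrepancy with no EMI reported: look elsewhere
]
EMI_WINDOWS = [(28, 33), (58, 61)]   # constructed detector output, in ms


def analyze(stream=STREAM, emi_windows=EMI_WINDOWS):
    edr = EventDataRecorder()
    for t, a, b in stream:
        edr.sample(t, a, b)
    return correlate(edr.records, emi_windows)


if __name__ == "__main__":
    for rec, window in analyze():
        tag = f"EMI window {window}" if window else "no EMI detected"
        print(f"{rec.t_ms:4d} ms {rec.kind:12s} {rec.detail:22s} {tag}; "
              f"pre-event: {rec.pre_event}")
```

The third record is the useful negative result: a discrepancy with no detector window is evidence against EMI as the cause, which is exactly the attribution the clause is after. The correlation is only as good as the known offset between the EDR clock and the detector clock, so that tolerance must be measured, not guessed, and the records themselves need the protection of Note 2 and A.2.10.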

A.2.6 Improving the electromagnetic resilience of communication links

Overall aim: To help confirm that safety-related system communication links are sufficiently electromagnetically resilient.

Overall description: The electromagnetic resilience of a safety-related system can be made more robust by improving the electromagnetic resilience of its communication links, such as networks (for example, CAN, Profibus, Ethernet, wireless links including wide/local area networks, etc.), backplanes (for example, VME), printed circuit boards (ground planes) and even on-chip interconnect, by applying hardware and software techniques and measures.

Overall identification/mitigation: Hardware and software techniques should be used, either individually or together, to improve the reliability of the links. Suitable hardware techniques are described in this Standard. Suitable software techniques include, but are not limited to, those set out in A.2.6.1 to A.2.6.3.

Wireless links are especially susceptible to electromagnetic disturbances (see A.3.25).

References: [B119], [B120], [B137].

A.2.6.1 Error detection on parallel or serial buses

Description: Redundant data is appended to the actual data using error detection coding (EDC) and error correction coding (ECC) techniques (for examples, see A.3.11 to A.3.13).

This enables the detection of data corruption using techniques such as parity or cyclic redundancy checking (CRC).

Once data corruption is detected, appropriate action can be taken to maintain the safety integrity level/systematic capability, as described in the safety documentation. For example, various retry schemes could be used to improve the reliability of the link (at the expense of the overall system performance).


Where the safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system's designer.

A.2.6.2 Error correction on serial or parallel buses

Description: This is a variation of the previous technique; however, the code is such that a level of error correction is possible, in order to both detect corruption and also correct for its effects.

Various error correcting code (ECC) schemes (see A.3.11 to A.3.13) can be used to improve the reliability of the link at the expense of a reduced data rate.

Whenever error correction occurs, this should be logged to aid later diagnosis (see A.2.5).
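One error-correcting code of the kind A.2.6.2 refers to, as an added example that is not the draft's code and not necessarily the scheme A.3.11 to A.3.13 prescribe: an extended Hamming (8,4) code over a nibble that corrects any single-bit error and detects, without miscorrecting, any double-bit error. Every correction is returned to the caller for logging, as the clause requires. The bit layout and the sample stream are constructed.

```python
"""Added example (not from the draft): extended Hamming (8,4) SEC-DED coding of
4-bit data words. Single-bit errors are corrected and reported for the EDR;
double-bit errors are detected rather than silently miscorrected."""

from itertools import combinations
from typing import List, Optional, Tuple

# Bit positions are 1-based as in the classic Hamming layout:
# parity bits at 1, 2, 4; data bits d0..d3 at 3, 5, 6, 7; overall parity at 8.
_DATA_POS = (3, 5, 6, 7)


def encode(nibble: int) -> int:
    """Return the 8-bit codeword for a 4-bit value (bit i of the int holds position i+1)."""
    if not 0 <= nibble < 16:
        raise ValueError("nibble out of range")
    bits = [0] * 9                                    # index 0 unused
    for k, pos in enumerate(_DATA_POS):
        bits[pos] = (nibble >> k) & 1
    bits[1] = bits[3] ^ bits[5] ^ bits[7]             # covers positions with bit0 set
    bits[2] = bits[3] ^ bits[6] ^ bits[7]             # covers positions with bit1 set
    bits[4] = bits[5] ^ bits[6] ^ bits[7]             # covers positions with bit2 set
    bits[8] = bits[1] ^ bits[2] ^ bits[3] ^ bits[4] ^ bits[5] ^ bits[6] ^ bits[7]
    return sum(b << (pos - 1) for pos, b in enumerate(bits) if pos)


def decode(word: int) -> Tuple[Optional[int], str, Optional[int]]:
    """Return (nibble, status, corrected_position).

    status is "ok", "corrected" (single error fixed at the returned position)
    or "uncorrectable" (double error: nibble is None and must not be used).
    """
    bits = [0] + [(word >> (pos - 1)) & 1 for pos in range(1, 9)]
    syndrome = 0
    if bits[1] ^ bits[3] ^ bits[5] ^ bits[7]:
        syndrome |= 1
    if bits[2] ^ bits[3] ^ bits[6] ^ bits[7]:
        syndrome |= 2
    if bits[4] ^ bits[5] ^ bits[6] ^ bits[7]:
        syndrome |= 4
    overall_odd = sum(bits[1:9]) & 1                 # 1 if total parity is broken

    if syndrome == 0 and not overall_odd:
        status, fixed = "ok", None
    elif overall_odd:
        # Odd number of flips (at most two assumed): exactly one flip, located
        # at position `syndrome`, or in the overall parity bit if syndrome == 0.
        fixed = syndrome or 8
        bits[fixed] ^= 1
        status = "corrected"
    else:
        # Even parity but nonzero syndrome: two bits flipped. Detected, not fixable.
        return None, "uncorrectable", None

    nibble = sum(bits[pos] << k for k, pos in enumerate(_DATA_POS))
    return nibble, status, fixed


def receive(words: List[int], log: List[Tuple[int, int]]) -> List[Optional[int]]:
    """Decode a stream; append (index, corrected_position) to `log` for each
    correction so it can be timestamped into the EDR (A.2.5)."""
    out = []
    for i, w in enumerate(words):
        nibble, status, fixed = decode(w)
        if status == "corrected":
            log.append((i, fixed))
        out.append(nibble)
    return out


def exhaustive_check() -> dict:
    """Count outcomes over every codeword and every 1- and 2-bit error pattern."""
    counts = {"single_corrected": 0, "double_detected": 0, "miscorrected": 0}
    for n in range(16):
        cw = encode(n)
        for p in range(8):
            val, status, _ = decode(cw ^ (1 << p))
            counts["single_corrected" if (status, val) == ("corrected", n) else "miscorrected"] += 1
        for p, q in combinations(range(8), 2):
            val, status, _ = decode(cw ^ (1 << p) ^ (1 << q))
            counts["double_detected" if status == "uncorrectable" else "miscorrected"] += 1
    return counts


if __name__ == "__main__":
    print(exhaustive_check())
```

Without the eighth (overall parity) bit a plain Hamming decoder would "correct" every double-bit error into a wrong but valid word, which is worse than a detected failure in a safety link. The logged correction rate is also the early warning the clause wants: a rising count of single corrections means the disturbance level is approaching the point where double errors, which this code can only detect, become likely. The 100 % overhead of the (8,4) code is for illustration; a real bus would use a code sized to its word, such as the (72,64) SEC-DED code common in ECC memory.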

A.2.6.3 Protection of a sequence

Description: When there is a stream of data packets on a data bus or communications link, the packets might be duplicated, corrupted, delayed or lost during transmission, possibly due to EMI.

Extra sequence codes can be appended to each packet to enable detection of delayed, lost or duplicated packets.

Various techniques and measures in this Standard can be used at the packet level; for example, even a single bit alternated between packets can detect a single packet failure (omission or duplication) (for example, see [B144]).

More elaborate techniques are needed to detect multiple packet failures or corruption.

Identification: Depends on the technique used for marking the sequence of the packets.
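A packet-level protection of the kind described in A.2.6.1 and A.2.6.3, as an added example that is not the draft's code: each frame carries an 8-bit sequence counter and a CRC-32 trailer, and the receiver classifies every frame as accepted, corrupt, duplicated, delayed, or as evidence of lost frames, including across counter wraparound. The frame layout, the 16-frame reordering window and the sample traffic are constructed; CRC-32 stands in for whichever code A.3.11 to A.3.13 prescribe for the link.

```python
"""Added example (not from the draft): frames with an 8-bit sequence counter and a
CRC-32 trailer, and a receiver that tells corruption, loss, duplication and delay
apart. The frame layout and the sample traffic are constructed."""

import struct
import zlib
from typing import List, Optional, Tuple

SEQ_MOD = 256       # 8-bit sequence counter
WINDOW = 16         # assumed: a forward jump smaller than this is 'frames lost';
                    # a larger one means the frame is older than the last accepted


def build_frame(seq: int, payload: bytes) -> bytes:
    """seq (1 byte) | payload | CRC-32 over seq+payload (4 bytes, big-endian)."""
    body = bytes([seq % SEQ_MOD]) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class Receiver:
    """Tracks the next expected sequence number; `accept` returns (status, payload).

    Statuses: "ok", "corrupt", "duplicate", "stale" (delayed, older than the
    last accepted frame), or "lost:N" (N frames missing before this one, which
    is itself accepted).
    """

    def __init__(self) -> None:
        self.expected: Optional[int] = None
        self.counters = {"ok": 0, "corrupt": 0, "duplicate": 0, "stale": 0, "lost": 0}

    def accept(self, frame: bytes) -> Tuple[str, Optional[bytes]]:
        if len(frame) < 5:
            self.counters["corrupt"] += 1
            return "corrupt", None
        body, trailer = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != trailer:
            self.counters["corrupt"] += 1            # a corrupt frame's seq is untrusted
            return "corrupt", None
        seq, payload = body[0], body[1:]
        if self.expected is None:                    # first frame sets the baseline
            self.expected = (seq + 1) % SEQ_MOD
            self.counters["ok"] += 1
            return "ok", payload
        delta = (seq - self.expected) % SEQ_MOD      # modular distance handles wraparound
        if delta == 0:
            status = "ok"
        elif delta < WINDOW:
            status = f"lost:{delta}"
            self.counters["lost"] += delta
        elif delta == SEQ_MOD - 1:                   # seq == last accepted
            self.counters["duplicate"] += 1
            return "duplicate", None
        else:
            self.counters["stale"] += 1
            return "stale", None
        self.expected = (seq + 1) % SEQ_MOD
        if status == "ok":
            self.counters["ok"] += 1
        return status, payload


def demo_traffic() -> List[bytes]:
    """Constructed traffic: 0,1,2 good; 2 repeated; 3 delayed behind 4; 5 corrupted; 6,7 good."""
    f = {i: build_frame(i, f"msg{i}".encode()) for i in range(8)}
    corrupted = bytearray(f[5])
    corrupted[2] ^= 0x40                              # flip one payload bit in frame 5
    return [f[0], f[1], f[2], f[2], f[4], f[3], bytes(corrupted), f[6], f[7]]


def classify(frames: List[bytes]) -> List[str]:
    rx = Receiver()
    return [rx.accept(fr)[0] for fr in frames]


if __name__ == "__main__":
    for status in classify(demo_traffic()):
        print(status)
```

The single alternating bit mentioned in the text is this receiver with a 1-bit counter: it catches one lost or one duplicated frame, but two consecutive losses leave the bit looking correct. The counter width therefore has to be chosen from the longest burst of loss the link must detect, and the reordering window from how far frames can legitimately be delayed; both of those limits belong in the safety documentation. A corrupt frame is deliberately not used to advance the sequence, because its counter field cannot be trusted either, so the loss shows up on the next good frame instead.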

A.2.6.4 Wireless mesh data communications networks

Description: Creates multiple geographically-diverse wireless data communication links to improve the redundancy of data communications. Wireless mesh networks are being made increasingly cost-effective by the creation of low-cost commercial products intended to be used in the 'Internet of Things' (IoT).

Identification: A wireless mesh network (WMN) is a communications network made up of radio nodes organized in a mesh topology. It is also a form of wireless ad hoc network. Wireless mesh networks often consist of mesh clients, mesh routers and gateways. The mesh clients are often laptops, cell phones, sensors and other wireless devices, while the mesh routers forward traffic to and from the gateways, which may, but need not, be connected to the Internet.

The coverage area of the radio nodes working as a single network is sometimes called a mesh cloud. Access to this mesh cloud is dependent on the radio nodes working in harmony with each other to create a radio network.

A mesh network is reliable and offers redundancy. When one node can no longer operate, the rest of the nodes can still communicate with each other, directly or through one or more intermediate nodes, as long as the nodes have been programmed to automatically adapt to changes in the mesh. Wireless mesh networks can be programmed to self-form and self-heal.


Wireless mesh networks can be implemented with various wireless technologies including 802.11, 802.15, 802.16, cellular technologies and need not be restricted to any one technology or protocol. (From https://en.wikipedia.org/wiki/Wireless_mesh_network, Jan 31, 2017)

Mitigation: The geographically-diverse redundant nature of an automatically adaptive mesh network helps to ensure that data communication is maintained despite electromagnetic disturbances, because they tend to occur at high enough levels to cause EMI only over relatively small areas.

Accordingly: the larger the size of the mesh network, and the more redundant paths exist in the network, the greater is the resilience of the data communications as regards the effects of electromagnetic disturbances.

It is common to create mesh networks using all the same wireless technologies and frequency bands; however, additional protection against degradation of data communications as the result of electromagnetic disturbances can be achieved by using different technologies and frequency bands in the network. See also A.3.25.

A.2.7 Synchronization and resynchronization techniques

Aim: To improve the availability of a synchronous function or system in the event of a detected EMI-induced corruption.

Description: The ability of a synchronous function or system to detect that it is running abnormally and then reset its own state, or the state of the system, while maintaining its safety integrity level or systematic capability.

For example, in some processor architectures EMI can cause a processing exception due to corrupt data or the incorrect execution of an instruction.

Identification: By any appropriate techniques and measures, such as those described in this Standard.

Mitigation: A clear and understandable system design concept is needed for the credible and practical implementation of this technique.

Different techniques might be needed to resynchronize continuous and non-continuous synchronous systems.

The application needs to be able to safely tolerate the reset or resynchronization.

The use of low-level programming features might be necessary to implement state resynchronization, or to return the system to a safe state.

The use of built-in exception handling (for example, https://en.wikipedia.org/wiki/Exception_handling) within the language runtime package or operating system should only be relied upon if the resulting response is deterministic and accommodated as part of the overall design.

The use of an electromagnetically diverse monitor should be considered (see A.2.3).

Note: The importance of this technique depends on whether the safety function is intended for continuous operation; to operate 'on demand'; or where any kind of system has no safe state.


A.2.8 Protection from persistent interference by monitoring retry counts

Aim: To improve system resilience during persistent failures, including those caused by EMI.

Description: If a system is exposed to persistent electromagnetic disturbances to which it is susceptible, causing it to suffer EMI, then the operation of the system might be severely affected or even halted.

For example, a communication link, even with a retry facility, might be so affected that no message traffic can successfully be communicated.

Any defense mechanism relying on reactivation of a function or retransmission of a message might be so affected that there is effectively a 'denial of service' (DoS), which might, or might not, be deliberate.

Identification: A task that continually monitors the retry counter values and timestamps of functions, memory checkers, communication protocols, and any other function that uses a retry or state recovery approach to improve its perceived short-term reliability.

This task itself would require some check for liveness [B126], for example, a timeout, in order to be effective, preferably based on an electromagnetically diverse independent hardware watchdog timer (see A.2.3 and A.3.19).

Mitigation: Possible appro﻿aches might be to switch to a backup system; to switch to manual operation; or to provide information to operators or maintainers. Many other possibilities for the end-use application should be considered at the system design stage.

Reference [B142] can also be of use in the case of near-continuous electromagnetic interference.

Note: The importance of this technique depends on whether the safety function is intended for continuous or on-demand operation.
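A monitoring task of the kind A.2.8 describes, as an added example that is not the draft's code: it polls a link's cumulative retry and success counters on each cycle, reports persistent interference when retries keep climbing while nothing has succeeded for longer than a configured period, and kicks a (here simulated) independent watchdog so that a stalled monitor is itself detected. The counter values, the periods and the link behavior in the trace are constructed.

```python
"""Added example (not from the draft): a retry-count monitor that distinguishes
transient EMI from persistent interference (or a denial of service), plus a
simulated independent watchdog that catches the monitor itself stalling.
All timings and counter values are constructed."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Watchdog:
    """Stand-in for an electromagnetically diverse hardware watchdog (A.3.19):
    expires if the monitor has not kicked it within `timeout_ms`."""
    timeout_ms: int
    last_kick_ms: int = 0

    def kick(self, now_ms: int) -> None:
        self.last_kick_ms = now_ms

    def expired(self, now_ms: int) -> bool:
        return now_ms - self.last_kick_ms > self.timeout_ms


class RetryMonitor:
    """Watches cumulative (retries, successes) counters of a retrying function.

    Verdicts per observation:
      "normal"      retries are not rising
      "transient"   retries rising, but a success within `persist_ms`
      "persistent"  retries rising and no success for longer than `persist_ms`
    """

    def __init__(self, persist_ms: int, watchdog: Watchdog):
        self.persist_ms = persist_ms
        self.watchdog = watchdog
        self._last_retries = 0
        self._last_successes = 0
        self._last_success_ms = 0

    def observe(self, now_ms: int, retries: int, successes: int) -> str:
        self.watchdog.kick(now_ms)          # proves the monitor itself is alive
        retries_rising = retries > self._last_retries
        if successes > self._last_successes:
            self._last_success_ms = now_ms
        self._last_retries, self._last_successes = retries, successes
        if not retries_rising:
            return "normal"
        if now_ms - self._last_success_ms > self.persist_ms:
            return "persistent"
        return "transient"


def simulate(link_trace: List[Tuple[int, int, int]], persist_ms: int = 500,
             watchdog_timeout_ms: int = 250) -> List[Tuple[int, str, bool]]:
    """Feed a trace of (t_ms, retries, successes) samples to the monitor and
    return (t_ms, verdict, watchdog_expired) per sample. A gap in the trace
    longer than the watchdog timeout models the monitor task being stalled."""
    wd = Watchdog(timeout_ms=watchdog_timeout_ms)
    mon = RetryMonitor(persist_ms, wd)
    out = []
    for t, r, s in link_trace:
        expired = wd.expired(t)             # checked before the kick, as hardware would
        out.append((t, mon.observe(t, r, s), expired))
    return out


# Constructed trace: healthy traffic, one retried-then-successful message (a
# transient burst), then a jammed link where only retries accumulate, then a
# 400 ms gap in which the monitor did not run at all.
TRACE = [
    (0, 0, 1), (100, 0, 2), (200, 1, 2), (300, 1, 3),
    (400, 3, 3), (500, 5, 3), (600, 7, 3), (700, 9, 3), (800, 11, 3), (900, 13, 3),
    (1300, 21, 3),
]

if __name__ == "__main__":
    for t, verdict, expired in simulate(TRACE):
        print(f"{t:5d} ms  {verdict:10s}  watchdog expired: {expired}")
```

The "persistent" verdict is the hook for the mitigations listed above (backup system, manual operation, operator warning); which one applies is a decision for the safety documentation. The monitor cannot tell EMI from deliberate jamming, which is one reason the clause pairs it with the independent detection of A.2.9, and the watchdog check shows why the liveness of the monitor must be judged by something outside the software it watches.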

A.2.9 Independent detection of electromagnetic disturbances and/or EMI

Aim: To help detect electromagnetic disturbances in the environment and/or EMI in the equipment.

Description: Independent detectors are used to sense the occurrence of certain types (ideally, all types) of electromagnetic disturbances, although perhaps only when they exceed certain levels. An example is described in [B650], and [B667] describes current experience of a deployed IEMI detector. Several other types of detector have been developed, usually by military/security organizations.

Identification: Where certain electromagnetic signals are required for safe operation, such as GPS signals, some means to detect their absence or 'jamming' might be necessary for maintenance of the safety integrity level/systematic capability. (Also see A.2.10, where the communication link is electromagnetically based.)

An approach that relies on the internal resources of commercial off-the-shelf (COTS) devices (operating system logs and other internal data and signals) to provide valuable information about whether EMI is being experienced is introduced in references [B652] and [B654]. An effective set of sensors has been identified for computers and smartphones and it has been shown that these observables were responsive to electromagnetic disturbances.

This definition of observables is empirical, as it involves only resources that are accessible to users with simple or administrative rights in the operating system and which were not designed by the COTS manufacturers to be used for EMC testing or functional safety. Consequently, the approach described here could be improved by having CPU manufacturers and operating system vendors provide more interfaces to gather low-level information about the health status of the system, which would have the benefit of allowing the design of a real-time remote monitoring system for electromagnetic disturbances that cause EMI.

Mitigation: This technique may be used in many different ways, for example:
a) to help manage the external conducted and/or radiated electromagnetic environment over the lifecycle, for example, by displaying or sounding a warning (or initiating other actions according to the safety documentation) if the equipment starts to experience levels of electromagnetic disturbance in excess of the level of immunity the equipment was designed to withstand.
It could, for example, warn of the use of equipment using high RF power, such as a diathermic heater, in too-close proximity. This technique has been used in hospitals to help enforce their 'no cellphones' policies by sounding a warning, and could be helpful in enforcing the walkie-talkie example in A.3.4.
b) by detecting a failure of electrostatic control measures (such as humidity control, static floor re-treatments, etc.) that could expose equipment to higher levels of ESD than it was designed to be able to cope with. (The usual maximum ESD test level in immunity standards is ±8 kV, but levels of ±25 kV or more have been seen during reduced atmospheric humidity, and the automobile industry has tested to such levels for decades for this reason.)
c) by making sure that certain sensor or transducer readings are ignored, or certain circuits are reset, for the duration of an excessive disturbance.
This is a well-established technique for preventing intentional interference with machines that can pay out money, for example gambling machines, change machines, automatic teller machines (ATMs), etc. (A typical tool used for such IEMI is the cattle prod, which generates impulses of around 35 kV.)
It has also been used with some very sensitive medical diagnostic instruments to warn when their results should be ignored because the electromagnetic environment was noisier than they were designed to cope with (sometimes at quite low levels, such as > 1 V/m).
d) by recording data on the occurrence of certain types and/or levels of electromagnetic disturbances in an EDR (see A.2.5), ideally with time-of-event correlation to help attribute and diagnose the causes of failures, after the fact.
e) by monitoring the internal electromagnetic environment of equipment that relies on external shielding, filtering and/or surge protection, so that if any of them should degrade, and if that degradation permits higher-than-acceptable levels of electromagnetic disturbance to enter the equipment, then action in accordance with the safety documentation can be initiated.
This could be helpful in enforcing A.6.2 so that, for example, if someone uses an incorrect type of shielded cable, or does not terminate it correctly, an alarm is sounded.


A.2.10 Protection of systems from tampering via communication links to external systems

Aim: To help conserve the safety integrity/systematic capability of systems, sub-systems or elements that have external communication links, especially with the internet, at least as regards electromagnetic resilience.

Description: Many systems are connected to the internet or an intranet and as such are vulnerable to hacking attacks, virus infection, Trojan attacks, spoofing (imitation of identity), and DoS attacks.

These offensive techniques can be used to access, change or delete event data recorder (EDR) records and to change programs to make them more vulnerable to EMI.

Identification: Typically, a firewall is used to prevent attack and enable protection of the EMI log, and keeps a record of the attacks it has detected, together with any consequent actions.

For EDRs that are built in, the removal and replacement record can be consulted.

Remember that it is the system integrator who is responsible for protecting the system from this kind of threat (see A.1.4).

Mitigation: At least provide some protection of the EMI log by using a firewall to help prevent attacks from succeeding. Actually detecting and subsequently attributing a malicious event is more likely to be effective in a broader context than just achieving electromagnetic resilience.

If the EDR log media is physically removable then the records of its removal and replacement should be stored in non-volatile memory which is built permanently into the system.

In the event of the EMI log being tampered with, this record can be consulted.

Some EDR logs are built into the system and accessed interactively via a port. In this case it is necessary to restrict access to 'read only' so that the EDR data cannot be altered or deleted, thus destroying possible evidence. EDR data may be encrypted to make it harder to read or to forge plausibly, but encryption alone does not reveal alteration; to make tampering detectable, each record should also carry an integrity check that an attacker cannot recompute, for example a message authentication code or a hash chain over the records, with the key or the chain head held in the built-in non-volatile memory rather than on the removable media.
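An integrity mechanism for EDR records of the kind the paragraph above calls for, as an added example that is not the draft's code: every record is chained to its predecessor with an HMAC-SHA-256 tag over its sequence number, the previous tag and its content, and the chain head (record count and last tag) is mirrored in an anchor that stands in for the built-in non-volatile memory. The key, the anchor store and the three records are constructed; in a real system the key must live in protected storage the log media and the read-only port cannot reach.

```python
"""Added example (not from the draft): a tamper-evident EDR log. Each record's
HMAC covers its sequence number, the previous tag and its content, and the
chain head is mirrored in a separate 'anchor' so truncation is also caught.
The key and records are constructed."""

import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = bytes(32)     # previous-tag value for the first record


def _canonical(record: Dict) -> bytes:
    """Stable serialization so the tag does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, seq: int, prev_tag: bytes, payload: bytes) -> bytes:
    msg = seq.to_bytes(4, "big") + prev_tag + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class TamperEvidentLog:
    """Append-only EDR log on (possibly removable) media, plus an anchor that the
    system keeps in its built-in non-volatile memory (A.2.10)."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Dict] = []                        # what lives on the log media
        self.anchor: Tuple[int, str] = (0, GENESIS.hex())    # (count, last tag) in NVM

    def append(self, record: Dict) -> None:
        seq = len(self.entries)
        prev = bytes.fromhex(self.anchor[1])
        tag = _tag(self._key, seq, prev, _canonical(record))
        self.entries.append({"seq": seq, "record": record, "tag": tag.hex()})
        self.anchor = (seq + 1, tag.hex())


def verify(entries: List[Dict], anchor: Tuple[int, str], key: bytes) -> Tuple[bool, str]:
    """Recompute the chain from the media and compare with the anchor."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i:
            return False, f"record {i}: sequence mismatch (deleted or reordered)"
        expected = _tag(key, i, prev, _canonical(e["record"]))
        if not hmac.compare_digest(expected.hex(), e.get("tag", "")):
            return False, f"record {i}: tag mismatch (content or chain altered)"
        prev = expected
    if (len(entries), prev.hex()) != anchor:
        return False, "chain head differs from anchor (records truncated or replaced)"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Build a three-record log and try the tampering an attacker on the
    communication link might attempt; returns the verifier's verdict for each."""
    key = b"constructed-demo-key-not-for-production"
    log = TamperEvidentLog(key)
    log.append({"t_ms": 30, "kind": "range", "detail": "channel A read 4500"})
    log.append({"t_ms": 60, "kind": "discrepancy", "detail": "A=2060 B=1900"})
    log.append({"t_ms": 900, "kind": "retry", "detail": "persistent interference"})

    results = {"untouched": verify(log.entries, log.anchor, key)}

    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["detail"] = "A=2060 B=2061"       # hide the discrepancy
    results["edited"] = verify(edited, log.anchor, key)

    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                       # remove the middle record
    results["deleted"] = verify(deleted, log.anchor, key)

    truncated = copy.deepcopy(log.entries)[:-1]          # drop the newest record
    results["truncated"] = verify(truncated, log.anchor, key)

    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:10s} {'OK ' if ok else 'FAIL'} {why}")
```

The anchor is what turns a hash chain into truncation evidence: without it, an attacker who can rewrite the media simply discards the newest records and the remaining chain still verifies. An unkeyed chain would still catch accidental corruption, but anyone able to rewrite the media could recompute it; the HMAC key is therefore the part that must stay out of reach of the external link and of the read-only diagnostic port.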

23 A.2.11 Robust, high-specification electromagnetic mitigation

24 Aim: To provide a benign ‘internal electromagnetic environment’ by reliably attenuating the external
25 electromagnetic environment to a very high degree, over the anticipated lifecycle.

26 Description: A combination of high-specification electromagnetic mitigation including shielding, filtering,
27 transient suppression, galvanic isolation, etc., traditionally taking the form of a mechanically rugged metal
28 enclosure fitted with bulkhead-mounted cable connectors incorporating robust filtering, transient
29 suppression and/or galvanic isolation.

30 This combination is designed so as to provide reliable attenuation of all electromagnetic disturbances,
31 possibly even including direct lightning strike and electromagnetic pulse (EMP – see A.1.4), over the entire
32 lifecycle by a suitable combination of initial design plus regular maintenance, repair and refurbishment,
33 which includes reverification of mitigation performance.

34 EM detection techniques (see A.2.9) might be able to be used within an overall enclosure used for this
35 purpose, in order to provide prior indication of certain failures or degradations in mitigation, perhaps
36 enabling repair and refurbishment to take place when needed outside of the regular maintenance schedule.
37 EM detection techniques can also be useful to help identify foreseeable misuse, such as doors or panels left

57
Copyright © 2020 IEEE. All rights reserved.
This is an unapproved IEEE Standards Draft, subject to change.
P1848/D6, January 2020
Draft Standard for Techniques & Measures to Manage Functional Safety and Other Risks with Regard to Electromagnetic
Disturbances

1 open or not fitted properly, the use of incorrect types of cables/connectors, etc., or to identify
2 electromagnetic disturbances that exceed those covered by the original design.

3 Robust, high-specification electromagnetic mitigation, when implemented correctly, can allow an
4 electronic system to operate continuously throughout any/all external electromagnetic disturbances, so can
5 be very useful when degradation or interruption of functionality is not desired.

6 Identification/mitigation: With appropriate design, this technique can be used to address any external (i.e.
7 inter-system) electromagnetic disturbances over the anticipated lifecycle. However, it cannot deal with
8 intra-system (internal) electromagnetic disturbances.

9 Note: The extent to which robust conventional EMC mitigation techniques (for example, high-
10 specification electromagnetic mitigation including shielding, filtering, transient
11 suppression, galvanic isolation, etc.) can prevent electromagnetic disturbances from
12 affecting the correct operation of a safety-related system during its anticipated lifecycle
13 may be taken into account during the selection and application of the techniques and
14 measures, where this is justified.

15 A.2.12 Techniques and measures to prevent risks being increased by virtualization of
16 memory and process resources

17 Aim: To help confirm the electromagnetic resilience of virtualized systems.

18 Description: Virtualization is a technique for creating a virtual (rather than actual) version of something,
19 including virtual computer hardware platforms, storage devices, and computer network resources. The
20 virtualization is designed to provide a more idealized or convenient representation of the underlying
21 physical computing resources, for example a virtual apparently contiguous memory address space
22 composed from disjoint physical segments of memory.

23 Identification: For the system designer and programmer virtualization can be very convenient, particularly
24 when attempting to support multiple programs on shared hardware, each apparently running on a different
25 processor and with its own address space. However, the convenient illusion comes at a cost, and this needs
26 to be considered during the design process in order to be aware of the potential for errors or malfunctions
27 that could be caused by electromagnetic disturbances.

28 Virtualization almost always requires the low-level manipulation of computing resources, and this makes
29 systems more susceptible to EMI. For example, with memory virtualization, when data is read or written the
30 virtual address has to be translated by software or hardware at run time into the actual physical location of
31 the memory, so this translation mechanism itself needs to be protected from corruption by EMI.

32 Similar situations arise for processor (instruction set) virtualization and network (private virtual network)
33 virtualization.

34 Mitigation: In each case (memory, processor and network) the mechanism used to translate between the
35 virtual and physical needs to be subjected to a hazard and mitigation analysis, with appropriate mechanisms
36 put in place to help understand the behavior of the system safety function in response to the detectable
37 errors or malfunctions that could have been caused by electromagnetic disturbances.

38 Note that errors induced by corruption of the virtualization mechanisms can be extremely hard to detect and
39 compensate for at the application software level, precisely because the virtualization is presumed to provide
40 an ideal execution environment at that level and the virtualization mechanism is (intentionally) hidden from
41 the application layer of the software.


1 A.2.13 Usability Engineering (Human Factors)

2 Aim: To use human resources and electronic resources wisely, to help minimize risks due to EMI.

3 Description: People are unaffected by a wide range of electromagnetic disturbances that can cause
4 malfunctions (EMI) in electronics. So sometimes it makes good sense to use human resources instead of
5 electronics.

6 Also, a human might recognize that electronics have malfunctioned even though no overt indication of the
7 malfunction is being provided.

8 Identification: When using human resources, a number of issues need to be managed to optimize the
9 design for effectiveness – this is generally called Usability Engineering, but is also known as Human
10 Factors Engineering.

11 Like the topic of electromagnetic disturbances, the topic of usability engineering is briefly mentioned in
12 applicable parts of IEC 61508:2010, but no detail is provided. It is not within the scope of this standard to
13 discuss how to do usability engineering to help manage functional safety or other risks, but it is worth
14 mentioning that [B6]10 will be found to be a valuable resource, and provides references to many other
15 resources on this important issue.

16 Mitigation: By the appropriate use of usability engineering techniques and measures to help minimize
17 functional safety risks, or other risks that are to be controlled.

18 A.3 Techniques and measures for use in operational design

19 When the design is implemented the functionality may be realized in hardware and/or software. In the
20 subclauses below, techniques and measures are classified as either hardware or software based, but some
21 techniques and measures might have equivalent representations in either hardware or software, which
22 might be more effective.

23 Note: Where a technique or measure in this subclause applies to a technology that is not
24 relevant to the equipment or system concerned, and its importance is shown in Clause 5
25 as M or HR, a justification for why that technique or measure was not applied
26 should be included in the safety documentation (see 3.8).

27 A.3.1 Developing appropriate operation and maintenance instructions

28 Aim: To develop instructions for procedures that help to avoid EMI-induced failures during the operation
29 and maintenance of a safety-related system, sub-system, or element used within a safety-related system.

30 Description: This is where the operation and maintenance requirements – and their justifications – for the
31 electromagnetic resilience techniques and methods used to comply with the design specification are
32 documented (also see Clause 7.6 of [B102]10).

33 The operation instructions may include, for example:

34 a) restrictions on the use of potentially interfering equipment in the vicinity of the safety system (such
35 as mobile phones, cellphones, welding equipment, etc.)
36 b) restrictions on the removal of access panels where these contribute to protection from
37 electromagnetic disturbances.

10 For the corresponding reference number in IET 2017 [B8], see Annex G


1 c) for portable safety-related equipment, restrictions on the type of electromagnetic environment in
2 which the equipment is intended to be used.
3 d) restrictions in the use of the safety-related equipment, for example, where it is user-configurable,
4 where this might affect protection from electromagnetic disturbances.
5 e) requirements for recording and reporting system upsets, system restarts, safe failures, trips to safe
6 state etc., especially where the cause is not obvious and might be due to an EMI event. (Recording
7 and assessing system trips is an important contributor to reliability growth in general, and could be
8 the only indication that the electromagnetic protection is not operating as intended.)
9 f) requirements for monitoring the electromagnetic environment and detecting/recording EMI events
10 to enable correlation with faults.

11 The maintenance instructions may include, for example:

12 g) monitoring/inspection of physical protection measures against electromagnetic disturbances, such
13 as access panel/door gaskets for deterioration or corrosion of mating surfaces, shielding
14 effectiveness, etc.
15 h) recommendations on the inspection and maintenance intervals necessary to maintain physical
16 defenses against electromagnetic disturbances.
17 i) any lifetime restrictions due to the anticipated degradation of physical protection measures against
18 electromagnetic disturbances, such as those due to corrosion.
19 j) procedures to be followed to verify the continued effectiveness of physical protection measures
20 after an unusual electromagnetic disturbance event, such as a major power surge, nearby lightning
21 strike, etc.

22 Identification: By independent assessment of the relevant documents against the guidance in this Standard;
23 see Clause 8 of IEC 61508-1 for guidance on the appropriate level of independence.

24 Mitigation: By correction of the relevant documents.

25 Note: Experience indicates that operation and maintenance instructions typically only achieve a
26 risk reduction factor of no more than two.

27 A.3.2 Designing appropriate maintenance techniques

28 Aim: To help ensure electromagnetic resilience throughout the anticipated lifecycle.

29 Description: To make it practical to monitor the condition/performance of, and replace if necessary,
30 electromagnetic mitigation items such as filters, surge suppressors, conductive gaskets, etc., which might
31 have a limited operational life.

32 Identification: By independent assessment of how easy it is for the relevant people to monitor and replace
33 electromagnetic mitigation items that might have a limited life.

34 Mitigation: By correction of the relevant documents.

35 Note: Experience indicates that maintenance instructions typically only achieve a risk reduction
36 factor of no more than two.


1 A.3.3 Limiting the possibilities for operation and hence mis-operation

2 Aim: To help avoid EMI causing failures by affecting operator controls.

3 Description: EMI can affect operator controls, creating the same effect as an unskilled or even malicious
4 operator. This technique helps to avoid operation in unwanted or unnecessary modes.

5 Identification: Helps to reduce the possibilities for operation, and therefore the possibilities for EMI to
6 cause failures, for example by:
7 a) limiting the number of generally possible operating modes;
8 b) physically protecting the operation of special operating modes, for example, by using key switches
9 that are lockable or have protected access;
10 c) limiting the number of operating elements;
11 d) consistency checks specifically aimed at detecting operationally inconsistent or non-plausible
12 operating modes.

13 The hardware and/or software design techniques and measures used for limiting the possibilities for
14 operation should comply with the requirements of this Standard.

15 Competent independent assessment of the hardware and/or software design techniques used for limiting the
16 possibilities for operation.

17 Mitigation: By modification of the design using appropriate techniques, for example, those techniques
18 described in this Standard.

19 A.3.4 Protecting against operation errors

20 Aim: To help protect the system against operator errors, mistakes and other foreseeable misuse.

21 Description: Incorrect operator inputs (value, time, etc.) are detected via plausibility checks, monitoring of
22 the EUC or other methods.

23 To integrate these facilities into the design, it is necessary to state at a very early stage which inputs are
24 possible and which are permissible.

25 A mistake in operation should not result in dangerous failure. Such foreseeable use/misuse should never be
26 permitted to compromise functional safety.

27 Identification: Competent independent assessment of the hardware and/or software design techniques and
28 measures used for the protection against operator mistakes.

29 For example, using a walkie-talkie or cellphone closer than is permitted, or the failure to correctly close a
30 shielding door, or to refit a shielding inspection panel, could reduce availability and/or prevent the
31 attainment of a safe state (see A.2.9).

32 Mitigation: By hazard analysis, modification of the design and logging of mal-operations, using
33 appropriate techniques and measures, for example, those described in this Standard.


1 A.3.5 Protecting against hardware or software modifications or manipulations

2 Aim: To help protect the safety-related system against hardware or software modifications or
3 manipulations by any technical means.

4 Description: Modifications or technical manipulations can be detected automatically, for example, by
5 plausibility checks for the sensor signals, detection by the technical process, automatic start-up tests, etc.

6 If an un-approved modification or technical manipulation is detected, appropriate action is taken in
7 accordance with the safety documentation.

8 (A.2.9 describes one way of detecting modifications that could degrade electromagnetic mitigation.)

9 Identification: Competent independent assessment of the hardware and/or software design techniques used
10 for detecting modifications or manipulations.

11 Mitigation: By modification of the design, using techniques and measures that comply with the
12 requirements of this Standard.

13 Note: Modifications should be subject to a documented change control procedure and should
14 not compromise the safety documentation or functional safety.

15 A.3.6 Defensive programming techniques

16 Overall aim: To design software programs in such a way that they will assist in the detection of anomalous
17 control flow, data flow or data values that might have been caused by EMI during their execution and to
18 react in a predetermined and acceptable manner.

19 Overall description: Many techniques can be used during programming to help detect and control the
20 anomalies caused by EMI-induced corruption; see the references.

21 A range of error detection and/or correction techniques and measures, such as those described in this
22 Standard, can be used to implement an acceptable hardware/software solution.

23 To aid fault attribution and diagnostics the fault detection should be correlated to independent EMI event
24 detection (see A.2.9).

25 Overall identification/mitigation: The principal defensive mechanisms are listed below, in A.3.6.1-
26 A.3.6.3.

27 Where the safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it
28 to allow its correct use by a safety system’s designer.

29 References: [B119]11, [B120]11, [B137]11 and [B128]11; and, by prevention, [B110]11, [B111]11, [B112]11,
30 [B141]11.


11 For the corresponding reference number in IET 2017 [B8], see Annex G


1 A.3.6.1 Range checking in hardware and in software

2 Identification: Range checking of the values of all variables, for credibility.

3 This is achieved by defining a number of bands for the value of each variable, the meaning of the bands
4 being specific to the application.

5 A typical example of three bands is: normal operational values; warning zone values; and out of range
6 values.

7 This applies to values anywhere in the processing chain, not just I/O ‘signals’, whether they are analogue or
8 digital. It also applies to algorithms implemented in hardware such as FPGAs.

9 This is valuable for EMI detection as the value of the original variable might have been corrupted by an
10 EMI event.

11 A program might well be correct but the result of an assignment might be ‘out of range’ and cause the
12 program to malfunction.

13 The programming language provides a means of assigning a data type to a data variable to define the range
14 (or set) of values that it is intended to contain.

15 Whenever values are assigned to the variable, either at compile time (constant values) or at runtime
16 (constant or modified values) then a check is made that the new data value is within the range of values
17 specified by the type of the variable.

18 IEC 61508 calls this ‘strong data typing’.

19 In any case all variables should be initialized explicitly to an acceptable value, before being used, so that
20 out-of-range errors are not caused by the arbitrary value in memory when power is first applied.

21 Mitigation: If the language’s run-time package supports range checking, then that can be used (bearing in
22 mind the loss of performance and increased size of program). If there is no automatic run-time range
23 checking, then explicit tests should be designed into the program. This also applies to hardware, for
24 example hardware specified algorithmically in languages such as Verilog, including in FPGAs.

25 Range checks can be implemented both at:

26 a) ‘Compile time’, using assertions about the value ranges that the software/logic is specified to
27 handle. This is often referred to as ‘static analysis’; it has no runtime overhead.
28 b) ‘Operation time’ or ‘run time’, using program checks during system operation to verify values
29 before they are relied upon for decision-making. This is often referred to as ‘dynamic analysis’.
30 The run-time load needs to be allowed for in the system design.

31 References: [B137]12, [B119]12 and [B128]12
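The three-band range check, the compile-time and run-time checks of A.3.6.1, and the explicit initialisation to an acceptable value, as an added example in C (not part of the standard; the temperature channel, its band limits and all names are constructed for illustration):

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed channel: a coolant temperature in tenths of a degree C.
 * The type name documents the intended range of the variable (the "strong
 * data typing" idea); the macros define the three bands from the text. */
typedef int32_t temp_dc_t;

#define TEMP_NORMAL_MIN  (-200)   /*  -20.0 C */
#define TEMP_NORMAL_MAX   (900)   /*   90.0 C */
#define TEMP_WARN_MIN    (-400)   /*  -40.0 C */
#define TEMP_WARN_MAX    (1200)   /*  120.0 C */
#define TEMP_INIT         (200)   /*   20.0 C: an acceptable start value */

/* Compile-time (static) checks on the specification itself: the bands must
 * nest and the initial value must lie in the normal band. No run-time cost. */
_Static_assert(TEMP_WARN_MIN <= TEMP_NORMAL_MIN && TEMP_NORMAL_MAX <= TEMP_WARN_MAX,
               "warning band must enclose the normal band");
_Static_assert(TEMP_INIT >= TEMP_NORMAL_MIN && TEMP_INIT <= TEMP_NORMAL_MAX,
               "initial value must be a normal operational value");

typedef enum { BAND_NORMAL = 0, BAND_WARNING = 1, BAND_OUT_OF_RANGE = 2 } band_t;

/* Run-time classification of a value against the three bands. */
band_t temp_band(int32_t v) {
    if (v >= TEMP_NORMAL_MIN && v <= TEMP_NORMAL_MAX) return BAND_NORMAL;
    if (v >= TEMP_WARN_MIN   && v <= TEMP_WARN_MAX)   return BAND_WARNING;
    return BAND_OUT_OF_RANGE;
}

typedef struct {
    temp_dc_t last_good;    /* last value that passed the range check */
    uint32_t  warnings;     /* readings that fell in the warning zone */
    uint32_t  rejections;   /* out-of-range readings: candidates for EMI attribution */
} temp_channel_t;

/* Explicit initialisation to an acceptable value: the struct is never left
 * holding whatever the RAM contained when power was applied. */
void temp_channel_init(temp_channel_t *ch) {
    ch->last_good = TEMP_INIT;
    ch->warnings = 0;
    ch->rejections = 0;
}

/* Range check on assignment. An out-of-range value is never stored: the
 * rejection is counted for the EMI log and the last credible value is
 * retained, so a corrupted value cannot propagate down the chain. */
band_t temp_channel_update(temp_channel_t *ch, int32_t raw) {
    band_t b = temp_band(raw);
    if (b == BAND_OUT_OF_RANGE) {
        ch->rejections++;
        return b;
    }
    if (b == BAND_WARNING) ch->warnings++;
    ch->last_good = (temp_dc_t)raw;
    return b;
}

/* A value derived further down the processing chain is range-checked too:
 * here a rescaling to hundredths of a degree, with its own bounds. */
bool temp_to_centidegrees(temp_dc_t v, int32_t *out) {
    int64_t scaled = (int64_t)v * 10;
    if (scaled < (int64_t)TEMP_WARN_MIN * 10 || scaled > (int64_t)TEMP_WARN_MAX * 10) return false;
    *out = (int32_t)scaled;
    return true;
}
```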


12 For the corresponding reference number in IET 2017 [B8], see Annex G


1 A.3.6.2 Sequence checking

2 Identification: Sequence checking is a powerful technique for ensuring that a sequence of values or stream
3 of data packets is in the correct order and that there is no duplication or omission.

4 Sequence checking can be used for data and also for program state, for example, using finite state machines
5 or Petri nets.

6 The program contains intermediate points where the expected state of the program, i.e. the values of data or
7 status variables, can be checked for credibility.

8 Mitigation: Various techniques and measures, such as those described in this Standard, can be used at the
9 hardware level to implement an acceptable solution.

10 Communication protocols using sequencing can be used to improve the effective quality and reliability of
11 the link, for example, packet sequencing.

12 If the program is detected as being out of sequence then this fact can be logged and then, if appropriate, a
13 recovery attempted so that processing can continue from a known valid state.

14 References: [B119]13, [B128]13 and [B144]13.

15 Note: The importance of this technique depends on whether the safety function is intended for
16 continuous operation or on demand.
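Sequence checking applied both to a packet stream (duplication, omission, reordering) and to program state via a small finite state machine, as an added example in C (not part of the standard; the modulo-256 sequence numbers, the state names and the permitted-transition table are constructed for illustration):

```c
#include <stdint.h>
#include <stdbool.h>

/* ---- Data sequence checking: modulo-256 packet sequence numbers ---- */
typedef enum { SEQ_OK, SEQ_DUPLICATE, SEQ_OMISSION, SEQ_OUT_OF_ORDER } seq_result_t;

typedef struct {
    bool     synced;      /* false until the first packet has been seen */
    uint8_t  expected;    /* sequence number the next packet should carry */
    uint32_t duplicates;  /* log counters, to be correlated with EMI event detection */
    uint32_t omitted;
    uint32_t reordered;
} seq_checker_t;

void seq_init(seq_checker_t *c) {
    c->synced = false; c->expected = 0;
    c->duplicates = 0; c->omitted = 0; c->reordered = 0;
}

/* Classify one arriving sequence number. On an omission the checker logs
 * the gap and resynchronises to the packet just received, so processing
 * continues from a known valid state; duplicates and late packets are
 * reported so the caller can discard them. */
seq_result_t seq_check(seq_checker_t *c, uint8_t seq) {
    if (!c->synced) {
        c->synced = true;
        c->expected = (uint8_t)(seq + 1);
        return SEQ_OK;
    }
    uint8_t ahead = (uint8_t)(seq - c->expected);   /* distance ahead, modulo 256 */
    if (ahead == 0) {
        c->expected = (uint8_t)(seq + 1);
        return SEQ_OK;
    }
    if (ahead == 0xFF) {                /* seq == expected - 1: the previous packet again */
        c->duplicates++;
        return SEQ_DUPLICATE;
    }
    if (ahead < 128) {                  /* ahead by 1..127: that many packets were lost */
        c->omitted += ahead;
        c->expected = (uint8_t)(seq + 1);
        return SEQ_OMISSION;
    }
    c->reordered++;                     /* behind by 2..127: a late packet */
    return SEQ_OUT_OF_ORDER;
}

/* ---- Program-state sequence checking: a small finite state machine ---- */
typedef enum { ST_INIT = 0, ST_SELFTEST, ST_RUN, ST_SAFE, ST_COUNT } state_t;

/* Permitted transitions, row = current state, column = requested state.
 * Any other request (for example INIT straight to RUN, as a corrupted
 * state variable might produce) is a sequence violation. */
static const bool permitted[ST_COUNT][ST_COUNT] = {
    /*               INIT   SELFTEST RUN    SAFE  */
    /* INIT     */ { false, true,    false, true  },
    /* SELFTEST */ { false, false,   true,  true  },
    /* RUN      */ { false, false,   true,  true  },
    /* SAFE     */ { false, false,   false, true  },
};

typedef struct { state_t state; uint32_t violations; } fsm_t;

void fsm_init(fsm_t *f) { f->state = ST_INIT; f->violations = 0; }

/* Checkpoint at each transition: the requested move is checked for
 * credibility before it is taken. A violation is logged and the machine is
 * driven to the safe state, the known valid state to recover from. */
state_t fsm_transition(fsm_t *f, state_t next) {
    if ((unsigned)f->state >= ST_COUNT || (unsigned)next >= ST_COUNT ||
        !permitted[f->state][next]) {
        f->violations++;
        f->state = ST_SAFE;
        return ST_SAFE;
    }
    f->state = next;
    return next;
}
```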

17 A.3.6.3 Correct rounding and resolution in all calculations

18 Description: The incorrect handling of rounding errors and resolution (fixed or floating point) has been the
19 cause of many high-profile project failures, such as [B140]14, and [B143]14. Where different parts of
20 systems use different units of measurement then conversions between data used need to be carefully
21 checked in all contexts.

22 The corruption of data by EMI might cause invalid values of data to occur and software exception handling
23 techniques, such as range checking, can be used to verify the plausibility of data before it is relied upon by
24 a safety critical function.

25 References: [B107]13, [B138]13, [B140]13 (an example of poor exception handling), [B143]13 (an example
26 of incompatible units), [B123]13.

27 A.3.6.4 Floating-point unit and real number arithmetic

28 Aim: To help avoid the corruption of arithmetic computation by EM disturbances.

29 Description: Floating-point is an example of a class of instructions that take multiple CPU cycles, making
30 them more vulnerable to suffering interference due to EM disturbances (i.e. they have a larger time-window
31 for data corruption).

32 Identification: In most applications the fixed-point capability of processors gives adequate accuracy for
33 real number arithmetic and use of either hardware or software floating-point is not contemplated. However,
34 as the complexity of the arithmetic computations increases rounding errors rapidly become significant.

13 For the corresponding reference number in IET 2017 [B8], see Annex G


1 In safety-related systems where response times are important, generalized software floating-point routines
2 are unlikely to offer a viable solution and the addition of a hardware floating-point begins to look attractive.
3 The hardware may be either a co-processor or on-chip.

4 There are a number of difficulties with verifying that programs using real-number arithmetic are free from
5 overflow, divide-by-zero, or error accumulated from the effects of rounding. These difficulties may be
6 reduced by using hardware floating-point arithmetic with the required precision.

7 Mitigations:
8 a) Use scaled integers and fixed-point arithmetic where possible.
9 b) Extend the normal fixed-word lengths when necessary by double precision. Round and truncate
10 before output.
11 c) Use floating-point only where fixed-word arithmetic is inadequate.
12 d) Minimize the number of clock cycles required to perform the arithmetic functions.
13 e) Range and clip results from both fixed- and floating-point calculations.
14 f) Use the overflow, divide-by-zero, and various error states for failure management and diagnostics.
15 g) Interweave a diagnostics routine within the application to compare sample fixed- and floating-point
16 calculations. Invoke failure management when differences are detected.
17 h) Use on-chip floating-point implementations rather than external co-processors, because an external
18 co-processor can suffer temporary or permanent corruption that does not at the same time corrupt the
19 CPU, and such errors might not be detectable.
20 i) Use integrated circuit immunity test techniques (robotized near field immunity test-bench, special
21 GTEM cells, etc.) to check EMC resilience of critical arithmetic computations at CPU / floating-
22 point component level.
23 j) Seek evidence of validation / certification from the manufacturer.
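Mitigations a), b), e), f) and g) above worked through for one calculation, as an added example in C (not part of the standard): a scaled-integer Q16.16 path with a 64-bit intermediate, range-checked and clipped, with its overflow and divide-by-zero states reported as results, and an interleaved diagnostic that evaluates the same sample on the floating-point path and invokes failure management on disagreement. The calculation, the output range and all names are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Q16.16 fixed point: 16 integer bits, 16 fraction bits. */
#define FIX_SHIFT 16
#define FIX_ONE   ((int32_t)1 << FIX_SHIFT)
typedef int32_t fix_t;

/* Constructed output range in engineering units: 0.0 .. 1000.0 */
#define OUT_MIN ((fix_t)0)
#define OUT_MAX ((fix_t)(1000 * FIX_ONE))

/* Error states are first-class results so they can drive failure
 * management and diagnostics (mitigation f). */
typedef enum { CALC_OK, CALC_DIV_BY_ZERO, CALC_OVERFLOW, CALC_MISMATCH } calc_status_t;

static fix_t  clip_fix(fix_t v)  { return v < OUT_MIN ? OUT_MIN : (v > OUT_MAX ? OUT_MAX : v); }
static double clip_dbl(double v) { return v < 0.0 ? 0.0 : (v > 1000.0 ? 1000.0 : v); }
static double abs_dbl(double x)  { return x < 0.0 ? -x : x; }

/* y = a * b / c in scaled integers (mitigation a), using a 64-bit
 * intermediate (mitigation b); the quotient is range-checked and clipped
 * before it is narrowed back to 32 bits (mitigation e). */
calc_status_t scale_fixed(fix_t a, fix_t b, fix_t c, fix_t *y) {
    if (c == 0) return CALC_DIV_BY_ZERO;
    /* Q16.16 * Q16.16 gives Q32.32; dividing by Q16.16 returns to Q16.16. */
    int64_t q = ((int64_t)a * (int64_t)b) / (int64_t)c;
    if (q > INT32_MAX || q < INT32_MIN) return CALC_OVERFLOW;
    *y = clip_fix((fix_t)q);
    return CALC_OK;
}

/* The same computation on the floating-point unit, in engineering units. */
double scale_float(fix_t a, fix_t b, fix_t c) {
    double fa = (double)a / FIX_ONE, fb = (double)b / FIX_ONE, fc = (double)c / FIX_ONE;
    return clip_dbl(fa * fb / fc);
}

/* Largest disagreement attributable to rounding: the fixed path truncates
 * once, so two LSBs of Q16.16 is a generous bound. Anything larger is not
 * rounding but corruption. */
#define DIAG_TOL (2.0 / FIX_ONE)

bool fixed_float_agree(fix_t fixed_y, double float_y) {
    return abs_dbl((double)fixed_y / FIX_ONE - float_y) <= DIAG_TOL;
}

/* Mitigation g: interleave a diagnostic that evaluates a sample both ways.
 * A disagreement beyond rounding tolerance means one of the two arithmetic
 * paths, or the data between them, has been corrupted; failure management
 * is invoked by returning CALC_MISMATCH instead of a value. */
calc_status_t scale_with_diagnostic(fix_t a, fix_t b, fix_t c, fix_t *y) {
    calc_status_t st = scale_fixed(a, b, c, y);
    if (st != CALC_OK) return st;
    if (!fixed_float_agree(*y, scale_float(a, b, c))) return CALC_MISMATCH;
    return CALC_OK;
}
```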

24 A.3.7 Limited use of interrupts

25 Aim: To reduce the likelihood that EM disturbances will affect the execution of the software.

26 Description: EMI can increase the likelihood that spurious interrupts are generated, possibly at such high
27 rates that the timing of the software execution can be affected.

28 Interrupts can arrive asynchronously and, of course, interrupt the flow of the main program and possibly
29 other interrupt routines that might be running at the time.

30 Interrupts are therefore prone to causing errors, and the determinism of the program’s behavior becomes
31 very difficult to predict. For example, can it be guaranteed that an interrupt routine will never cause a loop
32 that freezes the whole system?

33 The use of interrupts should be restricted, but they may be used if they simplify the safety-related system to
34 give an overall advantage for functional safety.

35 It is understood that some very critical nuclear and military software is designed without any interrupts at
36 all, in order to improve the determinism of the program’s behavior.

37 Identification: At compile time a static analysis program can be used to flag up any use of interrupts.

38 Mitigation: The use of interrupt routines should be limited and, when used, their effect on system timing
39 and the sharing of computing resources should be documented.


1 Software handling of interrupts should be inhibited during critical parts (for example, time critical, critical-
2 to-data changes) of the executed functions.

3 If interrupts are used, then parts not interruptible should have a specified maximum computation time, so
4 that the maximum time for which an interrupt is inhibited can be calculated.

5 Also see A.2.1.

6 References: [B108]14, [B113]14, [B127]14 and [B109]14.

7 A.3.8 Limited use of memory address pointer variables

8 Aim: To reduce the impact of memory corruption due to EMI.

9 Description: A pointer is a variable with a value that is an address of data in memory.

10 If the pointer variable is corrupted by EMI then the impact on the behavior of the program is likely to be
11 unpredictable. For example, the corrupted pointer might either be pointing at some data, the program
12 subroutine stack, the heap, or even the program itself, and consequently any write operation will corrupt the
13 system.

14 Identification: At compile time a static analysis program can be used to flag up any use of pointers.

15 Mitigation: A set of programming guidelines would normally prohibit the explicit use of pointers, unless
16 this is essential from an algorithmic viewpoint and its use can be clearly justified in the safety
17 documentation.

18 If the hardware or run-time system architecture allows memory address ranges to have protected access
19 then this feature can be used to ensure that only the intended memory partitions are accessible in each
20 context. This would also make available the means for detecting an access violation. However, it would not
21 detect data content corruption within accessible address ranges.

22 Partitioned ranges of memory and/or a memory management unit can be used to detect violations and
23 provide some measure of protection (see A.3.10.3).

24 References: [B110]14, [B111]14, [B112]14, [B141]14.

25 Note: The importance of this technique depends on whether the safety function is intended for:
26 continuous operation; to operate ‘on demand’; or where any kind of system has no safe
27 state. Be aware that the executable code might call addresses indirectly even if the source
28 code is free from pointers.


14 For the corresponding reference number in IET 2017 [B8], see Annex G


1 A.3.9 Avoiding recursion

2 Aim: To help reduce the impact of corruption due to EMI on program execution.

3 Description: Recursion is the act of a program calling or referencing a part of itself, either directly or
4 indirectly.

5 It is more susceptible to the effects of EMI-induced corruption as the nested chain of calls is held as a
6 linked list of pointers on the stack, in effect potentially a very large list of pointers that increases
7 susceptibility to electromagnetic disturbances. The deeper the level of recursion used the more susceptible
8 the implementation. In general, the use of recursion can be replaced by an equivalent loop structure; this
9 avoids extensive use of pointers and the possibility of running out of memory used to accommodate the
10 pointer linkages for implementing recursion.

11 Recursion should only be used with the greatest caution – and comprehensive justification in the safety
12 documentation – in safety-related software.

13 Identification: At compile time a static analysis program may be used to find instances of recursion in the
14 program source text.

15 Mitigation: Programming guidelines would normally prohibit the use of recursion unless its use is fully
16 analyzed for resource usage and is clearly justified in the safety documentation. This would require a
17 rigorous argument for, or proof of, the maximum depth of recursion that would be experienced during
18 operation, and the amount of memory that would be required to support this at runtime.

19 Every algorithm that can be expressed using recursion also has an equivalent using an iterative looping
20 construct. In general, the latter should be the preferred solution for safety-related systems or equipment
21 intended to be used in them.
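The points of A.3.8 (range-checkable indices instead of pointers) and A.3.9 (a recursive algorithm replaced by its iterative equivalent with an explicitly bounded stack) in one added example in C, not part of the standard. The tree, the stack bound and all names are constructed for illustration; the bound MAX_STACK stands in for the depth argument the safety documentation would have to make.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define NODE_NONE  0xFFu    /* sentinel index: no child */
#define MAX_NODES  16u
#define MAX_STACK  3u       /* pending-work bound; sized for the constructed three-level tree */

/* Children are array indices rather than pointers: an index can be range
 * checked on every use, whereas a corrupted pointer cannot. */
typedef struct {
    int32_t value;
    uint8_t left;
    uint8_t right;
} node_t;

typedef enum { TREE_OK, TREE_BAD_INDEX, TREE_CYCLE, TREE_STACK_EXCEEDED } tree_status_t;

/* Constructed input: a complete binary tree in array form; node i has
 * children 2i+1 and 2i+2 and holds the value i+1. */
void build_complete_tree(node_t *nodes, size_t n) {
    for (size_t i = 0; i < n; i++) {
        nodes[i].value = (int32_t)i + 1;
        nodes[i].left  = (2 * i + 1 < n) ? (uint8_t)(2 * i + 1) : NODE_NONE;
        nodes[i].right = (2 * i + 2 < n) ? (uint8_t)(2 * i + 2) : NODE_NONE;
    }
}

/* Recursive form, for contrast only. The pending work lives on the call
 * stack as return addresses and saved registers the application cannot
 * inspect, and a link corrupted into a cycle gives unbounded recursion. */
int32_t tree_sum_recursive(const node_t *nodes, uint8_t idx) {
    if (idx == NODE_NONE) return 0;
    return nodes[idx].value
         + tree_sum_recursive(nodes, nodes[idx].left)
         + tree_sum_recursive(nodes, nodes[idx].right);
}

/* Iterative equivalent with a fixed-size explicit stack: memory use is
 * static, the depth bound is enforced rather than argued, every link is
 * range checked, and a visit budget catches a link corrupted into a cycle. */
tree_status_t tree_sum_iterative(const node_t *nodes, size_t n, uint8_t root, int32_t *sum) {
    uint8_t stack[MAX_STACK];
    size_t  sp = 0, visits = 0;
    int32_t acc = 0;

    if (root != NODE_NONE) stack[sp++] = root;
    while (sp > 0) {
        uint8_t idx = stack[--sp];
        if (idx >= n) return TREE_BAD_INDEX;        /* corrupted link */
        if (++visits > n) return TREE_CYCLE;        /* more visits than nodes exist */
        acc += nodes[idx].value;

        const uint8_t kids[2] = { nodes[idx].right, nodes[idx].left };
        for (size_t k = 0; k < 2; k++) {
            if (kids[k] == NODE_NONE) continue;
            if (sp >= MAX_STACK) return TREE_STACK_EXCEEDED;
            stack[sp++] = kids[k];
        }
    }
    *sum = acc;
    return TREE_OK;
}
```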

22 A.3.10 Error detection and correction for invariable memory

23 Overall aim: To help detect information modifications in the invariable memory (i.e. ROM, or program
24 memory).

25 Overall mitigation: Techniques and measures should be applied accordingly, bearing in mind all the
26 possible susceptibilities of the system to the variety of electromagnetic disturbances described in A.1.

27 Some other suitable techniques and measures are described in A.3, and alternative or additional techniques
28 may be used if technical justifications for them are provided in the safety documentation.

29 A.3.10.1 Signature of a word or block of data

30 Aim: To detect single and multi-bit corruption within a block of data. Various checking techniques are
31 available, such as cyclic redundancy checks (CRC), secure hash algorithm (SHA), and Hamming codes (for
32 correction as well as detection).

33 Description: This procedure calculates a signature using an error-checking technique. The extended
34 signature is stored, recalculated and compared as in the single-word case. A failure is indicated if there is a
35 difference between the stored and recalculated signatures.


Identification/Mitigation: When an error is detected, apply a response defined by the safety documentation. The error detection and/or correction method used should be commensurate with the requirements of the safety integrity level/systematic capability.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

References: [B100], [B104], [B115], [B121]–[B131] inclusive, [B122] for Hamming codes and CRC, [B135] for SHA (footnote 15).

A.3.10.2 Block replication with inversion (e.g. dual redundant ROM with comparison)

Aim: To help detect bit failures.

This is a powerful technique that should be used wherever practicable.

Description: The address space is duplicated in two memories, which ideally should be physically separate. The data is stored inversely in one of the two memories and inverted again to be compared with the other copy. The inversion of the data in one memory makes this technique much more effective against the common-cause errors, malfunctions or failures including the typical effects of EMI.

Identification: The outputs are compared, and a failure indication is produced if a difference is detected.

Mitigation: Repeat the memory read as many times as necessary without unacceptably degrading the safety integrity. If the failure clears, continue operation as usual. In any case, if a log is available, the fault should be recorded (see A.2.5). If during the time available the failure does not disappear, apply an appropriate response defined by the safety documentation.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

Note: The use of electromagnetically diverse memories improves the effectiveness of this technique for electromagnetic resilience (see A.2.3).
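
The signature check of A.3.10.1 and the inverted duplicate of A.3.10.2 side by side, as an added example that is not part of this draft: C code over a constructed 16-byte ROM block, using CRC-32 (IEEE 802.3 polynomial) as the signature, and a constructed common-cause fault that drives the same byte of both memories to 0x00 to show why the inversion matters.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROM_BLOCK_LEN 16

/* Constructed ROM block: data plus the CRC-32 signature stamped at build time (A.3.10.1). */
typedef struct {
    uint8_t  data[ROM_BLOCK_LEN];
    uint32_t signature;
} rom_block_t;

/* Constructed dual ROM: primary copy and a second copy stored bit-inverted (A.3.10.2). */
typedef struct {
    uint8_t data[ROM_BLOCK_LEN];
    uint8_t inverted[ROM_BLOCK_LEN];
} rom_dual_t;

/* CRC-32 (polynomial 0xEDB88320 reflected, init and final XOR 0xFFFFFFFF), bitwise, table-free. */
uint32_t crc32(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Fill a block with a constructed byte pattern and stamp its build-time signature. */
void rom_block_build(rom_block_t *blk)
{
    for (size_t i = 0; i < ROM_BLOCK_LEN; i++)
        blk->data[i] = (uint8_t)(i * 17 + 3);
    blk->signature = crc32(blk->data, ROM_BLOCK_LEN);
}

/* Runtime check: recalculate the signature and compare with the stored one. 1 = intact, 0 = corrupted. */
int rom_block_intact(const rom_block_t *blk)
{
    return crc32(blk->data, ROM_BLOCK_LEN) == blk->signature;
}

/* Build the dual copy: the second memory holds the bitwise inverse of the first. */
void rom_dual_build(rom_dual_t *d)
{
    for (size_t i = 0; i < ROM_BLOCK_LEN; i++) {
        d->data[i]     = (uint8_t)(i * 17 + 3);
        d->inverted[i] = (uint8_t)~d->data[i];
    }
}

/* Runtime comparison: re-invert the second copy and compare byte by byte.
 * Returns -1 if the copies agree, else the index of the first mismatching byte. */
int rom_dual_first_mismatch(const rom_dual_t *d)
{
    for (size_t i = 0; i < ROM_BLOCK_LEN; i++)
        if ((uint8_t)~d->inverted[i] != d->data[i])
            return (int)i;
    return -1;
}

/* Constructed common-cause scenario: a disturbance drives byte 5 of BOTH memories to 0x00.
 * Returns 1 when the inverted scheme detects it while a plain (non-inverted) duplicate would not. */
int demo_common_cause_detected(void)
{
    rom_dual_t d;
    uint8_t plain_copy[ROM_BLOCK_LEN];   /* what a non-inverted second copy would hold */

    rom_dual_build(&d);
    memcpy(plain_copy, d.data, ROM_BLOCK_LEN);

    d.data[5] = 0x00;                    /* same fault applied to every copy */
    d.inverted[5] = 0x00;
    plain_copy[5] = 0x00;

    int inverted_detects = rom_dual_first_mismatch(&d) == 5;
    int plain_detects    = memcmp(d.data, plain_copy, ROM_BLOCK_LEN) != 0;
    return inverted_detects && !plain_detects;
}

int main(void)
{
    rom_block_t blk;
    rom_block_build(&blk);
    printf("signature 0x%08lX, intact=%d\n", (unsigned long)blk.signature, rom_block_intact(&blk));
    blk.data[3] ^= 0x10;                 /* constructed single-bit flip */
    printf("after bit flip: intact=%d\n", rom_block_intact(&blk));
    printf("inversion catches a common-cause fault plain duplication misses: %d\n",
           demo_common_cause_detected());
    return 0;
}
```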

A.3.10.3 Memory boundary protection

Aim: To prevent incorrect areas from being overwritten in specified types of memory.

Description: Runtime plausibility checking of the use of a memory segmented into partitions. This is important as EMI-induced corruption of the program counter, stack pointer, heap pointer or any pointer in a program could cause data to be written to a wrong memory address, resulting in corruption of data or of the stored program instructions.

Statically defined and protected address ranges are used for the following:
a) program;
b) stack;
c) statically allocated variables;
d) heap (dynamically allocated variables);
e) inputs; and
f) outputs.

Footnote 15: For the corresponding reference number in IET 2017 [B8], see Annex G

Identification: This technique simply prevents incorrect memory areas from being used, for example, by the effects of EMI on the address bus.

If the mechanism used to manage memory accesses can detect out-of-range addressing violations, they could be logged to support testing and diagnosis of system malfunction.

Mitigation: Upon detection, apply an appropriate response defined in the safety documentation.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

References: [B110], [B111], [B112], [B141] (footnote 16).
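
An added illustration, not part of this draft, of the runtime plausibility check described in A.3.10.3, in C: a constructed 4 KiB memory map carved into the six partitions a) to f), with every store checked against the partition the code intends to use before it is performed. The partition sizes, the read-only marking of the program and input areas and the `checked_write` interface are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The six statically defined partitions listed in A.3.10.3. */
typedef enum {
    PART_PROGRAM, PART_STACK, PART_STATIC, PART_HEAP, PART_INPUTS, PART_OUTPUTS, PART_COUNT
} partition_t;

typedef struct {
    uintptr_t   base;
    size_t      size;
    int         writable;   /* 0: software must never store here */
    const char *name;
} partition_desc_t;

typedef enum { MEM_OK, MEM_ERR_WRAP, MEM_ERR_OUTSIDE_PARTITION, MEM_ERR_READ_ONLY } mem_status_t;

/* Constructed 4 KiB address space standing in for the target's memory map. */
static uint8_t g_mem[4096];
static partition_desc_t g_map[PART_COUNT];
static unsigned g_violation_count;   /* minimal violation log (see A.2.5) */

void map_init(void)
{
    uintptr_t b = (uintptr_t)g_mem;
    g_map[PART_PROGRAM] = (partition_desc_t){ b,        1024, 0, "program" };
    g_map[PART_STACK]   = (partition_desc_t){ b + 1024,  512, 1, "stack"   };
    g_map[PART_STATIC]  = (partition_desc_t){ b + 1536,  512, 1, "static"  };
    g_map[PART_HEAP]    = (partition_desc_t){ b + 2048, 1024, 1, "heap"    };
    g_map[PART_INPUTS]  = (partition_desc_t){ b + 3072,  512, 0, "inputs"  };
    g_map[PART_OUTPUTS] = (partition_desc_t){ b + 3584,  512, 1, "outputs" };
    g_violation_count = 0;
}

/* Which partition does an address actually fall in? PART_COUNT if none (useful when logging). */
partition_t partition_of(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < PART_COUNT; i++)
        if (a >= g_map[i].base && a < g_map[i].base + g_map[i].size)
            return (partition_t)i;
    return PART_COUNT;
}

/* Runtime plausibility check before every store: the whole range [dst, dst+len) must lie inside
 * the partition the code INTENDS to write, and that partition must be writable. A pointer
 * corrupted by EMI that now lands in the program or input area is refused and counted. */
mem_status_t checked_write(partition_t intended, void *dst, const void *src, size_t len)
{
    uintptr_t a = (uintptr_t)dst;
    const partition_desc_t *p = &g_map[intended];

    if (a + len < a) {                                   /* address arithmetic wrapped */
        g_violation_count++;
        return MEM_ERR_WRAP;
    }
    if (a < p->base || a + len > p->base + p->size) {    /* not wholly inside the intended partition */
        g_violation_count++;
        return MEM_ERR_OUTSIDE_PARTITION;
    }
    if (!p->writable) {
        g_violation_count++;
        return MEM_ERR_READ_ONLY;
    }
    memcpy(dst, src, len);
    return MEM_OK;
}

unsigned violation_count(void) { return g_violation_count; }

int main(void)
{
    static const uint8_t sample[4] = { 1, 2, 3, 4 };   /* constructed payload */
    map_init();
    printf("store to static area:              %d\n", checked_write(PART_STATIC, g_mem + 1536, sample, 4));
    printf("store straddling static/heap edge: %d\n", checked_write(PART_STATIC, g_mem + 2046, sample, 4));
    printf("corrupted pointer into program:    %d (landed in %s)\n",
           checked_write(PART_STACK, g_mem + 8, sample, 4), g_map[partition_of(g_mem + 8)].name);
    printf("violations logged: %u\n", violation_count());
    return 0;
}
```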

A.3.11 Error detection and correction techniques in redundant designs

Aim: To enhance electromagnetic resilience by comparing the results of multiple redundant channels in hardware or software.

Description: The system is replicated using one or more processors and/or buses. Each system independently determines the next action to be taken and their results are compared before the action is sanctioned. Various schemes can be used, for example, two channels, three channels, one channel per processor or multiple channels per processor.

Where duplicate or triplicate channels are used without hardware diversity, with or without software diversity, the effectiveness of this technique against common-cause errors can be increased by ensuring that the channels are desynchronized, or if synchronous are kept out of step with one another. This makes it less likely that EMI will affect all the channels in the same way.

Similarly, to increase the effectiveness of this technique against the common-cause errors, malfunctions or failures typical of EMI, electromagnetically diverse encoding of data and/or programs can be used (see Section A.2.3).

When multiple channels are implemented on physically separate processors the resilience will be enhanced if the power supplies are isolated and the interconnections are properly protected against electromagnetic disturbances.

Identification: The result of comparing the sets of signals needs to be acceptable for safety in the current context.

The comparator or voter (the circuit used to compare channels and detect errors) is a potential single point of failure and so needs to be designed to have considerably greater resilience to electromagnetic disturbances for this technique to be effective. This may be achieved by, for example, the strong use of self-testing to verify correct operation, switching to a redundant comparator or voter (ideally one using diverse technology; see A.2.9) if necessary. An alternative possibility is the use of rugged, lifetime-reliable, high-specification electromagnetic mitigation, which can be achieved with small size and low weight on a printed circuit board (see [B67], footnote 16).

Mitigation: Upon detection of an anomaly, apply an appropriate response as defined in the safety documentation.

Footnote 16: For the corresponding reference number in IET 2017 [B8], see Annex G


Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

Note: The importance of this technique depends on whether the safety function is intended for continuous operation or on demand.
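
An added example, not from this draft, of a 2-out-of-3 voter in C for the redundant-channel scheme of A.3.11: the word-level voter sanctions an action only when two channels agree, identifies a lone dissenting channel for logging, and, because the voter is itself a potential single point of failure, is cross-checked against a diverse bitwise-majority implementation and exercised by a known-vector self-test. The channel values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint32_t value;    /* sanctioned result, valid only when agreed == 1 */
    int      agreed;   /* 1 if at least two channels agree */
    int      faulty;   /* index (0..2) of a lone dissenting channel, or -1 */
} vote_t;

/* Word-level 2-out-of-3 vote: the action is sanctioned only when two channels produce
 * identical results; a single dissenter is identified so it can be logged (A.2.5). */
vote_t vote_2oo3(uint32_t a, uint32_t b, uint32_t c)
{
    vote_t r = { 0, 0, -1 };
    if (a == b && b == c)   { r.value = a; r.agreed = 1; }
    else if (a == b)        { r.value = a; r.agreed = 1; r.faulty = 2; }
    else if (a == c)        { r.value = a; r.agreed = 1; r.faulty = 1; }
    else if (b == c)        { r.value = b; r.agreed = 1; r.faulty = 0; }
    return r;               /* all three differ: nothing is sanctioned */
}

/* Bitwise majority, the form a hardware voter typically takes. Here it is a diverse second
 * implementation: whenever the word voter finds agreement both must return the same value. */
uint32_t vote_bitwise(uint32_t a, uint32_t b, uint32_t c)
{
    return (a & b) | (a & c) | (b & c);
}

typedef enum { VOTER_SANCTION, VOTER_NO_MAJORITY, VOTER_SELF_FAULT } voter_decision_t;

/* Cross-checked voter: a disagreement between the two voter implementations is reported
 * separately from channel disagreement, so a fault in the voter itself is not mistaken
 * for a channel fault. */
voter_decision_t vote_checked(uint32_t a, uint32_t b, uint32_t c, uint32_t *out, int *faulty_channel)
{
    vote_t w = vote_2oo3(a, b, c);
    *faulty_channel = w.faulty;
    if (!w.agreed)
        return VOTER_NO_MAJORITY;
    if (vote_bitwise(a, b, c) != w.value)
        return VOTER_SELF_FAULT;
    *out = w.value;
    return VOTER_SANCTION;
}

/* Periodic self-test with known vectors. Returns 1 if every case gives the expected decision. */
int voter_self_test(void)
{
    static const struct { uint32_t a, b, c, expect; int faulty; voter_decision_t d; } v[] = {
        { 0x55AA55AA, 0x55AA55AA, 0x55AA55AA, 0x55AA55AA, -1, VOTER_SANCTION },
        { 0x55AA55AA, 0x55AA55AA, 0x00000000, 0x55AA55AA,  2, VOTER_SANCTION },
        { 0x00000000, 0x55AA55AA, 0x55AA55AA, 0x55AA55AA,  0, VOTER_SANCTION },
        { 0x55AA55AA, 0x00000000, 0x55AA55AA, 0x55AA55AA,  1, VOTER_SANCTION },
        { 0x00000001, 0x00000002, 0x00000003, 0,           -1, VOTER_NO_MAJORITY },
    };
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++) {
        uint32_t out = 0;
        int faulty = 99;
        voter_decision_t d = vote_checked(v[i].a, v[i].b, v[i].c, &out, &faulty);
        if (d != v[i].d || faulty != v[i].faulty)
            return 0;
        if (d == VOTER_SANCTION && out != v[i].expect)
            return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t out = 0;
    int faulty = -1;
    printf("voter self-test passed: %d\n", voter_self_test());
    /* Constructed cycle: channel 1 disturbed by EMI, channels 0 and 2 agree. */
    voter_decision_t d = vote_checked(100, 37, 100, &out, &faulty);
    printf("decision %d, value %lu, faulty channel %d\n", d, (unsigned long)out, faulty);
    return 0;
}
```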

A.3.12 Time-based error detection/correction in buses and interfaces

Aim: To assist in the detection of transient failures in bus and/or interface communication.

Description: The information is transferred several times in sequence.

The repetition is effective only against transient failures.

Identification: Each instance of the information is stored as it is received and then the instances are compared to see if they are consistent.

Often, sequence numbers or time stamps are incorporated into the data so that it becomes possible to check that data has arrived in the correct order and that none have been lost in transit.

To improve the effectiveness of this technique it is often combined with the use of error-checking codes to protect the sequence numbers or time codes (see A.3.11 and A.3.13).

Mitigation: Apply an appropriate response as defined in the safety documentation.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

Note: Requires at least one complete repetition in one cycle time of the process.

References: [B137], [B119], [B128], [B144] and [B104] (footnote 17).
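
An added example (not part of this draft) of the repetition scheme of A.3.12 in C: each datum is sent three times as a frame carrying a sequence number and a CRC-8; the receiver stores the instances, discards copies that fail the CRC as transient corruption, requires the survivors to agree, and checks the sequence number against the one expected. The frame layout, the triple repetition and the CRC-8 polynomial (0x07) are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REPEATS 3   /* each datum is transferred three times in sequence */

typedef struct {
    uint8_t  seq;       /* sequence number, increments per datum */
    uint16_t payload;   /* the protected value */
    uint8_t  crc;       /* CRC-8 over seq and payload */
} frame_t;

typedef enum { RX_OK, RX_TOO_FEW_VALID, RX_INSTANCES_DIFFER, RX_SEQUENCE_ERROR } rx_status_t;

/* CRC-8, polynomial 0x07, init 0, no reflection (check value for "123456789" is 0xF4). */
uint8_t crc8(const uint8_t *d, size_t n)
{
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int b = 0; b < 8; b++)
            c = (uint8_t)((c & 0x80) ? (c << 1) ^ 0x07 : (c << 1));
    }
    return c;
}

static uint8_t frame_crc(const frame_t *f)
{
    uint8_t bytes[3] = { f->seq, (uint8_t)(f->payload & 0xFF), (uint8_t)(f->payload >> 8) };
    return crc8(bytes, sizeof bytes);
}

/* Transmitter side: build one frame for a datum (sent REPEATS times). */
frame_t frame_make(uint8_t seq, uint16_t payload)
{
    frame_t f = { seq, payload, 0 };
    f.crc = frame_crc(&f);
    return f;
}

/* Receiver side: the REPEATS stored instances of one datum are checked and compared.
 * Instances failing the CRC are discarded as transient corruption; the survivors must all
 * agree, there must be at least two of them, and the sequence number must be the expected one. */
rx_status_t rx_check(const frame_t inst[REPEATS], uint8_t expected_seq, uint16_t *out)
{
    int valid = 0;
    uint16_t value = 0;
    uint8_t seq = 0;

    for (int i = 0; i < REPEATS; i++) {
        if (frame_crc(&inst[i]) != inst[i].crc)
            continue;                                  /* transient error hit this copy */
        if (valid == 0) {
            value = inst[i].payload;
            seq = inst[i].seq;
        } else if (inst[i].payload != value || inst[i].seq != seq) {
            return RX_INSTANCES_DIFFER;                /* copies disagree: cannot be trusted */
        }
        valid++;
    }
    if (valid < 2)
        return RX_TOO_FEW_VALID;
    if (seq != expected_seq)
        return RX_SEQUENCE_ERROR;                      /* a datum was lost or reordered in transit */
    *out = value;
    return RX_OK;
}

int main(void)
{
    uint16_t v = 0;
    frame_t inst[REPEATS] = { frame_make(7, 0x1234), frame_make(7, 0x1234), frame_make(7, 0x1234) };
    printf("clean transfer:  status %d, value 0x%04X\n", rx_check(inst, 7, &v), v);
    inst[1].payload ^= 0x0400;                         /* constructed transient bit flip on copy 1 */
    printf("one copy hit:    status %d, value 0x%04X\n", rx_check(inst, 7, &v), v);
    inst[2].crc ^= 0x01;                               /* second copy also damaged */
    printf("two copies hit:  status %d\n", rx_check(inst, 7, &v));
    return 0;
}
```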

A.3.13 Error detection and correction for variable memory

Overall aim: To assist in the detection of failures during addressing, writing, storing and reading data in memory.

A.3.13.1 Memory testing

Aim: To provide memory testing before operation and/or during operation to help detect errors specific to memory systems.

Description: It is crucial that read/write memory devices function correctly in order for any computer-based system to work reliably. The content of memory devices can be corrupted by EMI and the devices themselves might even be physically damaged by severe EMI.

It is therefore necessary to efficiently test the memory before operation and during operation to confirm that it is functioning normally. It is also necessary to design the testing in such a way that the known causes of error are tested as separately as possible.

Footnote 17: For the corresponding reference number in IET 2017 [B8], see Annex G


This becomes more and more important as products and systems increase their use and size of memory. It is important that memory tests do not corrupt the running of the system itself, for example, the content of memory stacks, heaps and configuration data.

However, even well-designed memory systems are naturally susceptible to EMI, in particular when they rely on the storage of electrical charge to represent digital values, as charge can be altered by EMI (and by ionizing radiation).

The purpose of the memory test is to confirm that the memory device is fully functional, so the test needs to write a set of data to each individual address in the device and verify its correct value by reading the data back. In cases where such a test would destroy the data in the memory, precautions need to be taken, such as copying it, or specific techniques are used to conserve the memory content in situ.

The tests used need to be designed to efficiently identify the likely kinds of faults that the memory device being tested is likely to suffer from, or have induced by, electromagnetic disturbances and/or ionizing radiation.

Catastrophic internal failure of devices sometimes occurs and needs to be detectable, but most memory failures are caused by wiring problems, including crosstalk on the data, address and control line busses. Often these problems are difficult to detect and isolate as the memory affected might not actually be used for extended periods of time. When it is used and causes mal-operation of the system it can be very difficult to diagnose and isolate the originating cause.

A memory test strategy that takes account of at least the following points is required:
a) detection of missing memory chips;
b) detection of incompletely inserted or connected memory devices;
c) testing the memory data bus, preferably one bit at a time to aid fault isolation;
d) testing the memory address bus, primarily to detect that address bus faults are not causing overlapping memory locations to be addressed;
e) testing the function of the memory device itself;
f) if dynamic memories are being tested then signal integrity tests for DDR memory signal lines would also need to be performed;
g) testing of systems using ‘memory caching’ techniques requires special consideration, such as provision for the safe flushing of cache memory, which might otherwise temporarily mask a fault that has developed after the saved data has been cached;
h) testing of memory currently in use by the system (its stacks, heaps and state variables) requires great care in order for the testing not to corrupt the system itself. This is of particular concern for operational systems when memory tests are periodically scheduled as background activities to check on-going system integrity.

Detection: The memory test can be run:
i) during the initialization of the system and after any reset of the system; i.e. before operational use of the system starts; and/or
j) during the real-time operation of the system.

Mitigation: Analysis and diagnosis of the memory test result data can be used to identify specific kinds of common faults in the memory system efficiently.

Future designs, or modifications to the existing design, should take the resulting information into account to keep pace with the changes in memory technology, in particular its susceptibility to EMI as memory cell sizes continue to be reduced, compounded by the worsening of the electromagnetic environment.


Note: Also apply other electromagnetic resilience techniques and measures as appropriate for testing memories and achieving the aims of this subclause.

References: [B116], [B117], [B118], [B136] (footnote 18).
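
An added example, not part of this draft, of items c), d) and e) of the memory test strategy in A.3.13.1, in C: a walking-ones data bus test, an address bus test using power-of-two offsets (a widely published method that finds address lines whose faults make two locations alias), and a cell test. They run against a constructed 256-byte RAM into which a stuck address line or a stuck data line can be injected, to show which test isolates which fault.

```c
#include <stdint.h>
#include <stdio.h>

#define MEM_WORDS 256u   /* constructed 256-byte RAM standing in for the device under test */

static uint8_t  g_ram[MEM_WORDS];
static unsigned g_addr_stuck_low = 0;   /* constructed fault: address lines in this mask behave as 0 */
static uint8_t  g_data_stuck_low = 0;   /* constructed fault: data lines in this mask read back as 0 */

/* All accesses go through these two functions so the faults above can be injected in one place. */
static void mem_write(unsigned addr, uint8_t v)
{
    g_ram[(addr & ~g_addr_stuck_low) % MEM_WORDS] = v;
}
static uint8_t mem_read(unsigned addr)
{
    return g_ram[(addr & ~g_addr_stuck_low) % MEM_WORDS] & (uint8_t)~g_data_stuck_low;
}

void inject_fault(unsigned addr_stuck_low_mask, uint8_t data_stuck_low_mask)
{
    g_addr_stuck_low = addr_stuck_low_mask;
    g_data_stuck_low = data_stuck_low_mask;
}

/* Data bus test (item c): walk a single 1 across the data lines at one location, one bit at a
 * time. Returns 0 on pass, otherwise the walking pattern that failed (identifies the bad line). */
uint8_t test_data_bus(unsigned addr)
{
    for (uint8_t pat = 1; pat != 0; pat = (uint8_t)(pat << 1)) {
        mem_write(addr, pat);
        if (mem_read(addr) != pat)
            return pat;
    }
    return 0;
}

/* Address bus test (item d): only power-of-two offsets need be visited, since each one exercises
 * a single address line. Returns -1 on pass, otherwise the offset whose address line aliases
 * another location (overlapping memory locations being addressed). */
long test_address_bus(void)
{
    const uint8_t pattern = 0xAA, antipattern = 0x55;
    unsigned off, test_off;

    for (off = 1; off < MEM_WORDS; off <<= 1)
        mem_write(off, pattern);

    mem_write(0, antipattern);       /* pass 1: does any power-of-two location alias address 0? */
    for (off = 1; off < MEM_WORDS; off <<= 1)
        if (mem_read(off) != pattern)
            return (long)off;
    mem_write(0, pattern);

    for (test_off = 1; test_off < MEM_WORDS; test_off <<= 1) {   /* pass 2: any two aliasing each other? */
        mem_write(test_off, antipattern);
        if (mem_read(0) != pattern)
            return (long)test_off;
        for (off = 1; off < MEM_WORDS; off <<= 1)
            if (mem_read(off) != pattern && off != test_off)
                return (long)test_off;
        mem_write(test_off, pattern);
    }
    return -1;
}

/* Device test (item e): every cell must hold a value and then its inverse. Destructive, so in a
 * live system the content would first be saved (see the text). Returns -1 or the failing address. */
long test_device(void)
{
    unsigned a;
    for (a = 0; a < MEM_WORDS; a++)
        mem_write(a, (uint8_t)(a + 1));
    for (a = 0; a < MEM_WORDS; a++) {
        if (mem_read(a) != (uint8_t)(a + 1))
            return (long)a;
        mem_write(a, (uint8_t)~(a + 1));
    }
    for (a = 0; a < MEM_WORDS; a++)
        if (mem_read(a) != (uint8_t)~(a + 1))
            return (long)a;
    return -1;
}

int main(void)
{
    inject_fault(0, 0);
    printf("healthy: data 0x%02X, address %ld, device %ld\n", test_data_bus(0), test_address_bus(), test_device());
    inject_fault(0x04, 0);      /* address line A2 stuck low: locations 4 and 0 alias */
    printf("A2 stuck: address test reports offset %ld\n", test_address_bus());
    inject_fault(0, 0x10);      /* data line D4 stuck low */
    printf("D4 stuck: data bus test reports pattern 0x%02X\n", test_data_bus(0));
    inject_fault(0, 0);
    return 0;
}
```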

A.3.13.2 One-bit redundancy

Aim: To detect some changes in the content of a memory location, bus or I/O register.

Description: Every data word is extended by a single bit, often called the parity bit, based on the binary value of the data.

Identification: The parity bit of the data word is set when it is stored, and then checked each time it is read.

If an invalid parity value is detected it indicates that the content has been corrupted. A failure action can then be activated.

If the parity value is correct then there might have been no error; however, there might have been multiple bit changes to the content resulting in the same parity value.

Mitigation: Upon detection, apply an appropriate response as defined in the safety documentation.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

References: [B144] (footnote 18)

A.3.13.3 Block replication with inversion to detect all bit failures

The techniques and measures in A.3.10.2 for invariable memory also apply here.

A.3.13.4 Memory boundary protection

The techniques and measures in A.3.10.3 for invariable memory also apply here.

A.3.14 Error detecting/correcting coding for ROM, RAM, buses and interfaces

Aim: To help detect and/or correct one or more bit failures in a word.

Description: The memory, or the content of a data stream, is extended by one or more bits. Data code protection provides for dataflow-dependent failure detection, based on information redundancy (for example, CRC or Hamming codes) and/or time redundancy.

Identification: Every time data is handled, either hardware or software can determine whether a corruption has taken place by checking the additional bits. The number of additional bits establishes the number of bit errors in the data word that can be detected and/or corrected.

Mitigation: If a difference is found, corrective action can be taken (or a failure indication produced) as defined in the safety documentation.

Footnote 18: For the corresponding reference number in IET 2017 [B8], see Annex G


Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

Correction of the data can be used to maintain the correct operation of the safety function. The strength of the technique used shall be justified in the safety documentation.

References: [B100], [B115], [B121] (footnote 20)
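
An added example (not from this draft) in C contrasting the single parity bit of A.3.13.2 with a Hamming(7,4) code extended by an overall parity bit, an (8,4) SECDED code of the kind A.3.14 refers to: the parity bit misses a two-bit change, while the extended Hamming code corrects any single-bit error and reports any double-bit error. Four-bit data words are used so that a codeword fits in one byte; the bit layout is an assumption of the example.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status_t;

static int popcount8(uint8_t x) { int n = 0; while (x) { n += x & 1; x >>= 1; } return n; }

/* ---- A.3.13.2: one-bit redundancy. A 4-bit datum carries an even-parity bit in bit 4. ---- */
uint8_t parity_encode(uint8_t nibble)
{
    nibble &= 0x0F;
    return (uint8_t)(nibble | ((popcount8(nibble) & 1) << 4));
}
/* 1 if parity is consistent (which does NOT prove the word is intact), 0 if an error is evident. */
int parity_check(uint8_t word)
{
    return (popcount8(word & 0x1F) & 1) == 0;
}

/* ---- A.3.14: Hamming(7,4) plus an overall parity bit = (8,4) SECDED. ----
 * Codeword bit i holds Hamming position i+1 (positions 1,2,4 are parity, 3,5,6,7 are data);
 * bit 7 is the overall even-parity bit that lets double errors be told apart from single ones. */
uint8_t ecc_encode(uint8_t nibble)
{
    uint8_t d1 = nibble & 1, d2 = (nibble >> 1) & 1, d3 = (nibble >> 2) & 1, d4 = (nibble >> 3) & 1;
    uint8_t p1 = d1 ^ d2 ^ d4;   /* covers positions 1,3,5,7 */
    uint8_t p2 = d1 ^ d3 ^ d4;   /* covers positions 2,3,6,7 */
    uint8_t p3 = d2 ^ d3 ^ d4;   /* covers positions 4,5,6,7 */
    uint8_t cw = (uint8_t)(p1 | (p2 << 1) | (d1 << 2) | (p3 << 3) | (d2 << 4) | (d3 << 5) | (d4 << 6));
    return (uint8_t)(cw | ((popcount8(cw) & 1) << 7));
}

ecc_status_t ecc_decode(uint8_t cw, uint8_t *nibble)
{
    unsigned syndrome = 0;
    for (unsigned pos = 1; pos <= 7; pos++)
        if (cw & (1u << (pos - 1)))
            syndrome ^= pos;                      /* XOR of the positions of all set bits */
    int overall_bad = popcount8(cw) & 1;         /* whole-byte parity should be even */
    ecc_status_t st = ECC_OK;

    if (syndrome != 0 && overall_bad) {          /* single error: the syndrome is its position */
        cw ^= (uint8_t)(1u << (syndrome - 1));
        st = ECC_CORRECTED;
    } else if (syndrome == 0 && overall_bad) {   /* the overall parity bit itself flipped */
        cw ^= 0x80;
        st = ECC_CORRECTED;
    } else if (syndrome != 0 && !overall_bad) {  /* two errors: detectable, not correctable */
        return ECC_UNCORRECTABLE;
    }
    *nibble = (uint8_t)(((cw >> 2) & 1) | (((cw >> 4) & 1) << 1) | (((cw >> 5) & 1) << 2) | (((cw >> 6) & 1) << 3));
    return st;
}

/* Exhaustive check over all 16 data values: every single-bit flip is corrected and every
 * double-bit flip is reported. Returns 1 if all cases behave as expected. */
int ecc_self_test(void)
{
    for (uint8_t n = 0; n < 16; n++) {
        uint8_t cw = ecc_encode(n), d;
        if (ecc_decode(cw, &d) != ECC_OK || d != n)
            return 0;
        for (int i = 0; i < 8; i++) {
            if (ecc_decode((uint8_t)(cw ^ (1u << i)), &d) != ECC_CORRECTED || d != n)
                return 0;
            for (int j = i + 1; j < 8; j++)
                if (ecc_decode((uint8_t)(cw ^ (1u << i) ^ (1u << j)), &d) != ECC_UNCORRECTABLE)
                    return 0;
        }
    }
    return 1;
}

int main(void)
{
    uint8_t w = parity_encode(0x5), d = 0;
    printf("parity: single flip detected=%d, double flip detected=%d\n",
           !parity_check(w ^ 0x01), !parity_check(w ^ 0x03));
    printf("SECDED: single flip -> status %d, data 0x%X\n", ecc_decode(ecc_encode(0xB) ^ 0x20, &d), d);
    printf("SECDED: double flip -> status %d\n", ecc_decode(ecc_encode(0xB) ^ 0x21, &d));
    printf("exhaustive self-test passed: %d\n", ecc_self_test());
    return 0;
}
```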

A.3.15 Error detection and correction for logic and data processing

Overall aim: To assist in the recognition of any failures that could lead to incorrect results in processing units.

Overall description: All the techniques and measures listed in this subclause are concerned with detecting failures in the processing units and soft failures (bit flips) in memories and registers, and are therefore useful for detecting damage caused by lightning (or other) surges and electrostatic discharges, as well as soft failures such as those caused by ionizing radiation etc.

A.3.15.1 Self-test supported by hardware (one-channel)

Description: Additional special hardware supports self-test functions, for example, it monitors the output of a certain bit pattern, often referred to as a ‘signature’. It is a form of watchdog that relies on data content rather than time.

Identification: Used for detecting disruption of program execution.

Coverage depends on the extent of the software functions generating the bit pattern signature.

Mitigation: Corrective action can be taken, or a failure indication produced, as defined in the safety documentation.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

The additional hardware could, for example, drive a safety-related system to a safe state and/or restart it (if it is safe to do so).

It is usual for the additional hardware to be low technology (i.e. not programmable, electronic or electromechanical); preferably mechanical, pneumatic or hydraulic because they are completely unaffected by electromagnetic disturbances.
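
An added example, not part of this draft, of the data-content watchdog of A.3.15.1 in C: the monitored software writes a checkpoint code to the monitor at fixed points of each control cycle, and at the end of the cycle the monitor compares the accumulated bit pattern with the expected signature and decides whether to let operation continue or force a safe state. The monitor logic is modelled in software only to show the decision; the checkpoint codes are constructed, and the shift-and-insert compressor is deliberately simple so the expected signature stays readable (a hardware signature analyser would normally use an LFSR-based compressor).

```c
#include <stdint.h>
#include <stdio.h>

/* Checkpoint codes emitted by the monitored software at fixed points of its cycle (constructed). */
enum { CP_READ_INPUTS = 0x1A, CP_COMPUTE = 0x2B, CP_CHECK = 0x3C, CP_WRITE_OUTPUTS = 0x4D };

#define CHECKPOINTS_PER_CYCLE 4

/* Expected end-of-cycle signature, derived once from the intended checkpoint order. With the
 * shift-and-insert compressor below it is simply the four codes in order. */
#define EXPECTED_SIGNATURE 0x1A2B3C4Du

typedef enum { MON_CONTINUE, MON_SAFE_STATE } monitor_action_t;

typedef struct {
    uint32_t signature;   /* running signature accumulated during the cycle */
    unsigned count;       /* checkpoints seen this cycle */
} monitor_t;

void monitor_reset(monitor_t *m) { m->signature = 0; m->count = 0; }

/* Called by the monitored software at each checkpoint (in hardware: a write to the monitor's port).
 * The compressor is order-sensitive, so a skipped, repeated or swapped checkpoint changes the pattern. */
void monitor_checkpoint(monitor_t *m, uint8_t code)
{
    m->signature = (m->signature << 8) | code;
    m->count++;
}

/* End-of-cycle decision. Unlike a timing watchdog this judges the CONTENT produced by the
 * software: any deviation from the expected pattern means program flow was disrupted. */
monitor_action_t monitor_end_of_cycle(monitor_t *m)
{
    int plausible = (m->signature == EXPECTED_SIGNATURE) && (m->count == CHECKPOINTS_PER_CYCLE);
    monitor_reset(m);
    return plausible ? MON_CONTINUE : MON_SAFE_STATE;
}

/* Constructed control cycle. 'fault' models an EMI-induced disruption of program execution:
 * 0 = normal, 1 = COMPUTE skipped (jump over it), 2 = CHECK runs before COMPUTE, 3 = COMPUTE runs twice. */
monitor_action_t run_cycle(monitor_t *m, int fault)
{
    monitor_checkpoint(m, CP_READ_INPUTS);
    if (fault == 2) monitor_checkpoint(m, CP_CHECK);
    if (fault != 1) monitor_checkpoint(m, CP_COMPUTE);
    if (fault == 3) monitor_checkpoint(m, CP_COMPUTE);
    if (fault != 2) monitor_checkpoint(m, CP_CHECK);
    monitor_checkpoint(m, CP_WRITE_OUTPUTS);
    return monitor_end_of_cycle(m);
}

int main(void)
{
    static const char *label[] = { "normal", "step skipped", "steps swapped", "step repeated" };
    monitor_t m;
    monitor_reset(&m);
    for (int fault = 0; fault < 4; fault++)
        printf("%-14s -> %s\n", label[fault],
               run_cycle(&m, fault) == MON_CONTINUE ? "continue" : "safe state");
    return 0;
}
```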

A.3.15.2 Coded processing (one-channel)

Description: Processing unit designed with special failure-recognition or failure-correction circuit techniques.

Typically, a detection mechanism, such as a watchdog timer, can be used to detect a malfunction affecting the safety of the system. In response the system can be reset to a known state, often referred to as a ‘restore point’, and the continuation of operation of the system attempted.

Footnote 20: For the corresponding reference number in IET 2017 [B8], see Annex G


Identification: The detection of safety or operational malfunction shall be independent of the main processing system.

For example, a watchdog timer implemented by a separate piece of hardware, in such a way as to be itself electromagnetically resilient; otherwise false system resets and restores would be triggered.

Mitigation: The system-level implications of resetting to each reachable restore point before continuation, at any time during system operation, need to be considered.

When used, the benefits to electromagnetic resilience should be assessed for the particular implementation, and the analysis recorded in the safety documentation.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

References: [B119], [B120], [B137], [B139] and [B133] (footnote 21).

A.3.15.3 Reciprocal comparison by software

Description: Two or more electromagnetically diverse processing units exchange data (results, intermediate results and test data) and cross-check at defined ‘restore points’ from which system operation could be continued in the event of a discrepancy. Detected differences indicate a failure.

Identification: Coverage of data discrepancies is high, and detection can be fast.

Excellent against hard failures and can be good against soft and transient failures too.

Mitigation: If the diagnostic test interval is short compared to the process safety time, a restart may be possible while keeping the process running. If the failed unit can be identified, continued operation with the healthy unit may be possible. Otherwise, the safety function needs to achieve a safe state.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

Note: Hardware and/or software diversity (see A.2.3) shall be used to greatly improve coverage of the common-cause errors, malfunctions and failures typical of EMI.

A.3.15.4 Self-test by software during operation

Description: Standard processing unit hardware with additional software functions that run self-tests.

Identification: Can detect some failures but coverage is low. The self-test might also be affected by the failure.

Mitigation: Might require additional monitoring circuitry to achieve a safe state on failure.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

References: [B133] (footnote 21) and A.3.13.1.

Footnote 21: For the corresponding reference number in IET 2017 [B8], see Annex G


A.3.16 Error detection and correction for electrical and electromechanical components

Aim: To help control failures in electromechanical components, such as relays, actuators, magnetic logic devices etc.

Description: Electrical and electromechanical components are generally less susceptible to EMI-induced failure than electronic components as their operating signal levels are usually much higher, but they are never totally immune.

Direct failures due to gross overload causing contact welding or coil burnout are possible in some applications.

EMI to circuits that control electromechanical devices can cause failures due to:
a) chatter (unintended repeated operation causing early wear-out);
b) generation of additional electromagnetic disturbances via arcing or sparking at electrical contacts; or
c) paralysis (device physically stuck).

Identification: Electromechanical components can be monitored as part of a loop, for example, by relay contact monitoring, by actuator position monitoring, or by the effects on the EUC (on-line monitoring). Care should be taken that such monitoring will detect chatter (especially in relays) or partial operation in actuators.

The use of electromagnetically diverse technologies (see A.2.3) is recommended when performing parallel functions to help deal with the common-cause effects of electromagnetic disturbances.

Mitigation: Burn-out or paralysis failures should be designed to achieve a safe state.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

Multi-channel systems might be able to tolerate a single-channel failure, but the likelihood of common mode failures needs to be considered.

Examples are suppression of arcing and proper termination of inductive loads to avoid induced spikes.

A.3.17 Caution when using hardware or software libraries

Aim: To confirm that the electromagnetic resilience measures are applied and verified throughout the whole software design and implementation of a safety-related system.

Description: Software development relies more and more on ‘standard’ components encapsulated in libraries, for example, a TCP-IP stack, a matrix multiplication package etc. They are the software equivalent of COTS hardware. The overall software is as strong as its weakest part and so it is essential for safety-related systems that any library software used should be designed to the appropriate guidelines, such as those described in this Standard.

Identification: The source code of all library code needs to be audited to help confirm that all relevant electromagnetic resilience techniques have been competently and adequately applied.

Mitigation: Any hardware or software components or modules copied from any library need to comply with this Standard before being incorporated into an operational system.


Note: Hardware specification is now often implemented algorithmically (for example, IEEE Verilog, IEEE Standard 1364-2005) for FPGAs.

A.3.18 Error detection and correction for electronic components

Overall aim: To help control failures in solid-state active and passive components.

A.3.18.1 Tests by redundant hardware

Aim: To use additional hardware to monitor the operation of the relevant function (for example, a safety function, in a safety-related system).

Description: Redundant hardware can be used to provide diagnostic testing for safety functions.

Identification: Good for detecting failed states, but might be poor at detecting transient failures.

Coverage depends on the rate of test compared to the process periodicity.

Mitigation: Effectiveness depends on diagnostic coverage and diagnostic test interval compared to the process periodicity. If/when used, the benefits to electromagnetic resilience should be assessed for the particular implementation and the analysis recorded in the safety documentation.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

A.3.18.2 Using dynamic signaling techniques

Aim: To help detect static failures by dynamic signal communications and processing.

Description: A forced change of otherwise static signals helps to detect static failures.

For example, alternating voltage signals are less vulnerable to stuck-at faults than static (direct voltage) signals.

Identification/mitigation: Good at detecting failed states, but poor at detecting transient failures. If/when used, the benefits to electromagnetic resilience should be assessed for the particular implementation, and the analysis recorded in the safety documentation.

Where a safety manual for a sub-system or element includes a DS, it shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

A.3.18.3 Caution with use of test access and real-time trace ports, and boundary-scan

Aim: To help prevent any added test/diagnostics, especially real-time trace ports and boundary-scan (such as JTAG) from making the system more susceptible to electromagnetic disturbances.

Description: The added interconnections can make susceptibility worse, especially boundary scan (which adds logic between the I/O buffers and the IC’s core logic to allow testing the core logic, creating a possible path for electromagnetic disturbances right into the ‘heart’ of any electronics).


On some processors the real-time trace port can be a real problem if it is not removed from the PCB for release into production. Indeed, the large number of signals (8, 16, 32), fast and sensitive signals connected directly to the core, high density connectors and a large surface taken on the PCB, can increase the radiated emissions and/or degrade the immunity to electromagnetic disturbances.

All test access ports, and their connections, need to be electromagnetically resilient to avoid the system being made more susceptible instead of less. Using a low-profile PCB-surface-mounted connector for the JTAG access port, and ensuring that no cable is ever left attached to it, is very helpful in achieving electromagnetic resilience.

Identification/Mitigation: Where used, their effectiveness against electromagnetic disturbances should be determined taking into account the particular design features, and this analysis recorded in the safety documentation.

Real-time trace ports should be kept only in the development and debugging phase of functional prototypes; pre-production and production versions should remove this feature.

References: [B106] and [B125] (footnote 22)

A.3.18.4 Monitored redundancy

Aim: To compare the behavior of two or more channels in a multi-channel system, to help detect errors and/or to correct them.

Description: The safety function is executed by at least two electromagnetically-diverse hardware channels (see A.2.3). The outputs of these channels are monitored and if the output states differ a suitable action is initiated to maintain the safety integrity level/systematic capability.

Identification: Effective against static and transient failures, provided the monitoring system is not itself prone to EMI.

Mitigation: For a safety-related system: transition to a safe state as recorded in the safety documentation.

For a sub-system or element: transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

However, with three or more channels and a voting function, error correction (isolation of the faulty channel and continued operation) can be practicable (see A.2.3).

A.3.18.5 Hardware with automatic self-test

Aim: To detect faults by periodic checking of the safety functions using automatic self-tests.

Description: The hardware tests itself repeatedly at suitable intervals.

Identification: Will only detect failed states, not the transient failures that might have caused them.

Mitigation: For a safety-related system: transition to a safe state as recorded in the safety documentation.

For a sub-system or element: transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

Footnote 22: For the corresponding reference number in IET 2017 [B8], see Annex G


However, by using redundant electromagnetically-diverse-technology channels (see A.2.3) it might be practicable to continue safe operation by switching from a failed channel to one that is still operating correctly.

A.3.18.6 Analogue signal monitoring

Aim: To improve confidence in signals and controls.

Description: Analogue signals are used in preference to digital on/off states.

Trip or safe states are represented by analogue signals, which can be continuously monitored for credibility (for example, by using window comparators for amplitude ranges; high-pass, band-pass and low-pass filters for frequency ranges, etc.).

Identification: Can be effective against EMI, especially if unusual signals are detected, logged and investigated.

Mitigation: Upon detection of an anomaly, apply an appropriate response as defined in the safety documentation.

For a safety-related system, transition to a safe state as recorded in the safety documentation.

For a sub-system or element: transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

However, by using redundant electromagnetically-diverse-technology channels (see A.2.3) it might be practicable to continue safe operation by switching from a failed channel to one that is still operating correctly.

Signals can also be ‘smoothed’ in hardware and/or software up to the maximum permitted for the accuracy and responsiveness required.

Information on signal anomalies from event logs might be able to be used to improve long term electromagnetic resilience and future designs.

A.3.18.7 ‘Data assurance’ (content credibility checking)

Aim: To use known relationships within datasets to detect corruption due to EMI.

Description: The notion of data may include individual data values and also collections of data items, such as lists, arrays, records and sets. The credibility checking can include range checking, and consistency of values between related data, such as by using the technique known as ‘median filtering’.

There are several aspects to consider such as static (compile time) data typing, static range checking and dynamic (at runtime) value range checking, both on assignment and during the evaluation of arithmetic expressions.

Identification: Various checking schemes can be used to enable detection of corruption, for example, checksums or CRCs.

Various techniques described in this subclause can be used at the hardware level to implement an acceptable solution.


Mitigation: Upon detection of an anomaly, apply an appropriate response as defined in the safety documentation.

For a safety-related system, transition to a safe state as recorded in the safety documentation.

For a sub-system or element, transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

However, by using redundant electromagnetically-diverse-technology channels (see A.2.3) it might be practicable to continue safe operation by switching from a failed channel to one that is still operating correctly.

Reference: [B130]^23

Note: The importance of this technique depends on whether the safety function is intended for continuous operation or on demand.
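The credibility checks of A.3.18.6 (window comparators on an analogue state signal, smoothing) and A.3.18.7 (range checking, median filtering, a CRC over a record of related values) combined in one piece of firmware, as an added example that is not part of the draft standard or its references. Everything in it is constructed for illustration: the 12-bit ADC range, the trip and safe bands, the record layout and the sample streams are assumptions, and CRC-16/CCITT-FALSE is one checksum choice among many.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a 12-bit ADC reading (0..4095) carries the state.
 * Trip and safe are analogue bands (hypothetical values), so an open input,
 * a rail-stuck input or an EMI excursion lands outside both and is implausible. */
#define ADC_MIN 0
#define ADC_MAX 4095

typedef struct { int16_t lo, hi; } window_t;
static const window_t TRIP_WINDOW = { 1000, 1200 };
static const window_t SAFE_WINDOW = { 3000, 3200 };

enum sig_state { SIG_TRIP, SIG_SAFE, SIG_IMPLAUSIBLE };

/* Window comparator: true when v lies inside the band [lo, hi]. */
bool in_window(int16_t v, window_t w) { return v >= w.lo && v <= w.hi; }

/* Credibility check on one sample: outside both bands means anomaly. */
enum sig_state classify_sample(int16_t v) {
    if (in_window(v, TRIP_WINDOW)) return SIG_TRIP;
    if (in_window(v, SAFE_WINDOW)) return SIG_SAFE;
    return SIG_IMPLAUSIBLE;
}

/* Median of three: a single-sample spike is rejected with less lag than a
 * low-pass filter, while two consecutive bad samples are NOT hidden. */
int16_t median3(int16_t a, int16_t b, int16_t c) {
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Run a stream through the 3-tap median filter and classify each output;
 * returns how many outputs are still implausible (candidates for the log). */
int count_implausible(const int16_t *s, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        int16_t m = (i == 0 || i + 1 == n) ? s[i] : median3(s[i - 1], s[i], s[i + 1]);
        if (classify_sample(m) == SIG_IMPLAUSIBLE) bad++;
    }
    return bad;
}

/* Constructed streams: trip-band signal with a one-sample EMI spike, and
 * the same with a two-sample disturbance. */
static const int16_t STREAM_SINGLE_SPIKE[5] = { 1010, 1020, 4000, 1030, 1015 };
static const int16_t STREAM_DOUBLE_SPIKE[5] = { 1010, 4000, 4000, 1030, 1015 };
int demo_single_spike(void) { return count_implausible(STREAM_SINGLE_SPIKE, 5); }
int demo_double_spike(void) { return count_implausible(STREAM_DOUBLE_SPIKE, 5); }

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) as the record checksum. */
uint16_t crc16_ccitt(const uint8_t *d, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)((uint16_t)d[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* A record relating two items (setpoint, measured; little-endian int16 each). */
typedef struct { uint8_t payload[4]; uint16_t crc; } record_t;
enum rec_result { REC_OK, REC_CRC_FAIL, REC_RANGE_FAIL, REC_INCONSISTENT };

void record_make(int16_t setpoint, int16_t measured, record_t *r) {
    r->payload[0] = (uint8_t)setpoint;
    r->payload[1] = (uint8_t)((uint16_t)setpoint >> 8);
    r->payload[2] = (uint8_t)measured;
    r->payload[3] = (uint8_t)((uint16_t)measured >> 8);
    r->crc = crc16_ccitt(r->payload, 4);
}

/* Layered check: CRC (bit corruption), range (each item plausible alone),
 * then consistency (the known relationship between the two items). */
enum rec_result record_credible(const record_t *r, int16_t tolerance) {
    if (crc16_ccitt(r->payload, 4) != r->crc) return REC_CRC_FAIL;
    int16_t sp = (int16_t)(r->payload[0] | (r->payload[1] << 8));
    int16_t mv = (int16_t)(r->payload[2] | (r->payload[3] << 8));
    if (sp < ADC_MIN || sp > ADC_MAX || mv < ADC_MIN || mv > ADC_MAX) return REC_RANGE_FAIL;
    int diff = sp - mv;
    if (diff > tolerance || -diff > tolerance) return REC_INCONSISTENT;
    return REC_OK;
}

/* Build a record, optionally corrupt one payload bit, and check it. */
enum rec_result check_pair(int16_t sp, int16_t mv, int16_t tol, bool flip_bit) {
    record_t r;
    record_make(sp, mv, &r);
    if (flip_bit) r.payload[0] ^= 0x01;   /* simulated single-bit corruption */
    return record_credible(&r, tol);
}

int main(void) {
    printf("single spike after median filter: %d implausible\n", demo_single_spike());
    printf("double spike after median filter: %d implausible\n", demo_double_spike());
    printf("record (1100,1105): %d, corrupted: %d\n",
           (int)check_pair(1100, 1105, 50, false), (int)check_pair(1100, 1105, 50, true));
    return 0;
}
```

The two streams show the limit of the smoothing: the median filter absorbs the one-sample spike entirely, but the two-sample disturbance still surfaces as two implausible outputs, which is the behaviour a safety designer wants (the filter must not hide a sustained anomaly). The record check is ordered so that a corrupted record never reaches the range or consistency logic.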

A.3.19 Error detection/correction by monitoring program sequence (i.e. watchdogs)

Overall aim: To help detect a defective program sequence or timing and either take appropriate actions to maintain the safety integrity level/systematic capability; or restart the correct sequence if this is appropriate for maintaining the safety integrity level/systematic capability.

There could be several watchdogs, each monitoring different points in the program’s execution sequence.

Overall description: A defective program sequence exists if the individual elements of a program (for example software modules, subprograms or commands) are processed in the wrong sequence or period of time, or if the clock of the processor is faulty.

Overall mitigation: Upon detection, apply an appropriate response as defined in the safety documentation.

For a safety-related system, transition to a safe state as recorded in the safety documentation.

For a sub-system or element, transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

However, by using redundant electromagnetically-diverse-technology channels (see A.2.3) it might be practicable to continue safe operation by switching from a failed channel to one that is still operating correctly.

A.3.19.1 Watchdog with separate time base without time-window

Description: External timing elements with a separate time base (for example, watchdog timers) are periodically triggered to monitor the computer’s behavior and the plausibility of the program sequence. It is important that there is a clear design justification for the placement of triggering points in the program.

The watchdog is not triggered at a fixed period, but a maximum interval is specified.

The watchdog(s) should be designed using appropriate electromagnetic resilience techniques and measures that comply with this Standard.

^23 For the corresponding reference number in IET 2017 [B8], see Annex G


Identification: When the program fails to trigger any watchdog, a failure is indicated.

A.3.19.2 Watchdog with separate time base and time-window

Description: Timing elements physically separate from the computer, with a separate time base (watchdog timers), are periodically triggered to monitor the computer’s behavior and the plausibility of the program sequence.

It is important that there is a clear design justification for the placement of triggering points in the program.

Lower and upper time limits shall be specified for the watchdog.

This technique is preferred over A.3.19.1.

Identification: If the program sequence takes a longer or shorter time than expected, a failure is indicated.

A.3.19.3 Logical monitoring of program sequence

Description: The correct sequence of the individual program sections is monitored using software (for example, counting procedure, key procedure) or using external monitoring facilities.

It is important that there is a clear design justification for the placement of triggering points in the program.

This technique is preferred over A.3.19.1 above.

Identification: If the correct program sequence does not occur, a failure is indicated.

A.3.19.4 Combination of temporal and logical monitoring of program sequences

Description: A temporal facility (such as a watchdog timer with a time-window) monitoring the program sequence is retriggered only if the sequence of the program sections is also executed correctly.

This technique is preferred over any of the three techniques in A.3.19.1, A.3.19.2 or A.3.19.3 above. It is also preferred over the application of both A.3.19.2 and A.3.19.3 at the same time but independently.

Identification: If the temporal facility monitoring the program sequence is not retriggered as required, a failure is indicated.
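The combined temporal and logical monitoring of A.3.19.4, as an added example that is not part of the draft standard: a windowed watchdog (A.3.19.2) that is only retriggered when a "key procedure" signature (A.3.19.3) built up by the program sections is correct. The watchdog's separate time base is modelled as a tick count supplied by the caller, and the window limits, section keys and execution orders are constructed values, not figures from the standard.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical watchdog with its own time base, modelled as a tick count
 * passed in by the caller. Window limits are constructed values. */
#define WD_MIN_TICKS 8u
#define WD_MAX_TICKS 12u

enum wd_reason { WD_OK, WD_TOO_EARLY, WD_TOO_LATE, WD_BAD_SEQUENCE };

typedef struct {
    uint32_t last_kick;          /* tick of the last accepted retrigger */
    bool tripped;                /* failure indicated to the safety logic */
    enum wd_reason reason;
} watchdog_t;

/* Logical monitoring by key procedure: each program section appends its
 * 4-bit key to a running signature, so a skipped, repeated or reordered
 * section produces the wrong value at the retrigger point. */
enum { SEC_READ_INPUTS = 0x1, SEC_COMPUTE = 0x2, SEC_CHECK = 0x3, SEC_WRITE_OUTPUTS = 0x4 };
#define EXPECTED_SIG 0x1234u   /* keys 1,2,3,4 in that order */

typedef struct { uint32_t sig; } seq_monitor_t;

void seq_reset(seq_monitor_t *m) { m->sig = 0; }
void seq_checkpoint(seq_monitor_t *m, uint8_t key) { m->sig = ((m->sig << 4) | (key & 0xFu)) & 0xFFFFu; }

/* Retrigger attempt at tick `now`: accepted only if the signature is
 * correct (logical) AND the interval lies inside the window (temporal). */
enum wd_reason watchdog_retrigger(watchdog_t *wd, seq_monitor_t *m, uint32_t now) {
    uint32_t elapsed = now - wd->last_kick;
    enum wd_reason r = WD_OK;
    if (m->sig != EXPECTED_SIG)       r = WD_BAD_SEQUENCE;
    else if (elapsed < WD_MIN_TICKS)  r = WD_TOO_EARLY;
    else if (elapsed > WD_MAX_TICKS)  r = WD_TOO_LATE;
    if (r == WD_OK) wd->last_kick = now;
    else { wd->tripped = true; wd->reason = r; }
    seq_reset(m);                     /* every cycle must rebuild the signature */
    return r;
}

/* Called from the watchdog's own timer: a hung program never retriggers,
 * so the time base alone must raise the failure. */
bool watchdog_poll(watchdog_t *wd, uint32_t now) {
    if (!wd->tripped && now - wd->last_kick > WD_MAX_TICKS) {
        wd->tripped = true;
        wd->reason = WD_TOO_LATE;
    }
    return wd->tripped;
}

/* Constructed execution orders for the simulation. */
const uint8_t ORDER_CORRECT[4] = { SEC_READ_INPUTS, SEC_COMPUTE, SEC_CHECK, SEC_WRITE_OUTPUTS };
const uint8_t ORDER_SKIPPED[3] = { SEC_READ_INPUTS, SEC_COMPUTE, SEC_WRITE_OUTPUTS }; /* check skipped */
const uint8_t ORDER_SWAPPED[4] = { SEC_READ_INPUTS, SEC_CHECK, SEC_COMPUTE, SEC_WRITE_OUTPUTS };

/* One cycle from a fresh watchdog (last kick at tick 0): execute the
 * sections in `order`, then retrigger at `kick_tick`. */
enum wd_reason simulate_cycle(const uint8_t *order, int n, uint32_t kick_tick) {
    watchdog_t wd = { 0, false, WD_OK };
    seq_monitor_t m = { 0 };
    for (int i = 0; i < n; i++) seq_checkpoint(&m, order[i]);
    return watchdog_retrigger(&wd, &m, kick_tick);
}

/* A program that hangs right after tick 0: does the time base catch it at `poll_tick`? */
bool simulate_hang(uint32_t poll_tick) {
    watchdog_t wd = { 0, false, WD_OK };
    return watchdog_poll(&wd, poll_tick);
}

int main(void) {
    printf("correct cycle @10: %d\n", (int)simulate_cycle(ORDER_CORRECT, 4, 10));
    printf("skipped section:   %d\n", (int)simulate_cycle(ORDER_SKIPPED, 3, 10));
    printf("swapped sections:  %d\n", (int)simulate_cycle(ORDER_SWAPPED, 4, 10));
    printf("runaway loop @5:   %d\n", (int)simulate_cycle(ORDER_CORRECT, 4, 5));
    printf("hang polled @13:   %d\n", (int)simulate_hang(13));
    return 0;
}
```

The lower window limit is what separates this from A.3.19.1: a program stuck in a tight loop that happens to contain the retrigger call is caught as "too early", and a loop that bypasses a section is caught by the signature even when its timing looks normal. The signature is rebuilt from zero every cycle so that a stale correct value cannot be reused.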

A.3.20 Error detection and correction using multi-channel input/output interfaces

Aim: To help detect random hardware failures (stuck-at failures), failures caused by external influences (such as EMI), timing failures, addressing failures, drift failures and transient failures (such as intermittency).

Description: This is a dataflow-dependent multiple-channel technique with independent inputs and/or outputs for the detection of random hardware failures and systematic errors.

Identification: Failure detection is carried out by comparing the signals with each other.

The comparator (the circuit used to compare channels and detect errors) is a weak point and so needs to be designed to have considerably greater electromagnetic resilience for this technique to be effective (for example, very frequent dynamic testing). The technology used and the reliability and resilience of the comparator needs to be justified in the safety documentation.

Mitigation: If a signal corruption is detected by the communicating partner(s), retransmission of the input or output data is requested. If the failure clears, continue operation as usual.

However, if during the time available the failure does not disappear, apply an appropriate response as defined in the safety documentation.

For a safety-related system, transition to a safe state as recorded in the safety documentation.

For a sub-system or element, transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

However, by using redundant electromagnetically-diverse-technology channels (see A.2.3) it might be practicable to continue safe operation by switching from a failed channel to one that is still operating correctly.

Reference: [B132]^24
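The comparison of redundant channels (A.3.20) together with the three-channel voting and channel isolation mentioned in A.3.18.4, and the retransmit-then-decide mitigation above, as an added example that is not part of the draft standard. The comparator is kept as a tiny stateless function so that it can be exercised very frequently, in the spirit of the "weak point" remark. The channel values, tolerance and simulated sources are constructed; the outcome names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_CH 3
#define TOL 4          /* constructed: max difference (ADC counts) between healthy channels */

enum vote_result { VOTE_AGREE, VOTE_ISOLATED, VOTE_NO_MAJORITY };
typedef struct { enum vote_result res; int16_t value; int faulty; } vote_t;

/* The comparator: the weak point, kept tiny and stateless so that it is
 * easy to test very frequently (dynamic testing). */
bool agree(int16_t a, int16_t b, int tol) { int d = a - b; return d <= tol && -d <= tol; }

/* 2-out-of-3 vote. With exactly one agreeing pair the odd channel is
 * identified and can be isolated; with 0 or 2 agreeing pairs (e.g. a slow
 * drift a~b, b~c but a!~c) no channel can be blamed unambiguously. */
enum vote_result vote_2oo3(const int16_t v[N_CH], int tol, vote_t *out) {
    bool ab = agree(v[0], v[1], tol), bc = agree(v[1], v[2], tol), ac = agree(v[0], v[2], tol);
    int pairs = (int)ab + (int)bc + (int)ac;
    vote_t r = { VOTE_NO_MAJORITY, 0, -1 };
    if (pairs == 3) { r.res = VOTE_AGREE; r.value = v[0]; }
    else if (pairs == 1) {
        r.res = VOTE_ISOLATED;
        if (ab)      { r.faulty = 2; r.value = v[0]; }
        else if (bc) { r.faulty = 0; r.value = v[1]; }
        else         { r.faulty = 1; r.value = v[0]; }
    }
    if (out) *out = r;
    return r.res;
}

/* Constructed channel readings. */
const int16_t CH_AGREE[N_CH]   = { 100, 101, 99 };
const int16_t CH_ONE_BAD[N_CH] = { 100, 250, 101 };   /* channel 1 hit by a transient */
const int16_t CH_DRIFT[N_CH]   = { 100, 103, 106 };   /* two pairs agree, no clear culprit */
const int16_t CH_CHAOS[N_CH]   = { 100, 300, 500 };

/* Mitigation loop: on disagreement request the data again; if it clears,
 * carry on; if a majority still exists when the time budget is spent,
 * isolate the odd channel and continue degraded; otherwise safe state. */
enum outcome { OUT_NORMAL, OUT_DEGRADED, OUT_SAFE_STATE };
typedef void (*sample_fn)(int attempt, int16_t out[N_CH]);

enum outcome acquire(sample_fn read, int max_attempts, int *attempts_used, vote_t *last) {
    int16_t v[N_CH];
    vote_t r = { VOTE_NO_MAJORITY, 0, -1 };
    int attempt = 0;
    for (; attempt < max_attempts; attempt++) {
        read(attempt, v);                    /* (re)transmission of the inputs */
        if (vote_2oo3(v, TOL, &r) == VOTE_AGREE) break;
    }
    if (attempts_used) *attempts_used = attempt < max_attempts ? attempt + 1 : max_attempts;
    if (last) *last = r;
    if (r.res == VOTE_AGREE) return OUT_NORMAL;
    if (r.res == VOTE_ISOLATED) return OUT_DEGRADED;
    return OUT_SAFE_STATE;
}

/* Simulated sources: a transient that clears on retransmission, a channel
 * stuck at 0, and a disturbance corrupting every channel differently. */
void src_transient(int attempt, int16_t out[N_CH]) {
    for (int i = 0; i < N_CH; i++) out[i] = CH_AGREE[i];
    if (attempt == 0) out[1] = 250;
}
void src_stuck(int attempt, int16_t out[N_CH]) {
    (void)attempt;
    for (int i = 0; i < N_CH; i++) out[i] = CH_AGREE[i];
    out[2] = 0;
}
void src_storm(int attempt, int16_t out[N_CH]) {
    (void)attempt;
    for (int i = 0; i < N_CH; i++) out[i] = CH_CHAOS[i];
}

int attempts_needed(sample_fn read, int max_attempts) {
    int n = 0;
    acquire(read, max_attempts, &n, NULL);
    return n;
}

int main(void) {
    vote_t v;
    vote_2oo3(CH_ONE_BAD, TOL, &v);
    printf("one bad channel: res=%d faulty=%d value=%d\n", (int)v.res, v.faulty, (int)v.value);
    printf("transient: outcome=%d attempts=%d\n",
           (int)acquire(src_transient, 3, NULL, NULL), attempts_needed(src_transient, 3));
    printf("stuck ch2: outcome=%d\n", (int)acquire(src_stuck, 3, NULL, NULL));
    printf("storm:     outcome=%d\n", (int)acquire(src_storm, 3, NULL, NULL));
    return 0;
}
```

The drift case is the one worth noticing: with a tolerance-based comparator, two overlapping agreements do not identify a faulty channel, so the example refuses to isolate anyone and treats it as "no majority". Whether that leads to a safe state or to a maintenance alarm is a decision for the safety documentation, not for the comparator.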

A.3.21 Using test patterns: static and dynamic

Aim: To help detect static failures (‘stuck-at’ failures) and cross-talk, particularly in input and output units (digital, analogue, serial or parallel), and to help prevent the sending of inadmissible inputs or outputs to the process.

Description: This is a dataflow-independent cyclical test of input and output units. It uses a defined test pattern to compare observations with the corresponding expected values.

The test pattern information, the test pattern reception, and test pattern evaluation all need to be independent of each other. The test pattern should not interfere with the correct operation of the safety function.

Useful for increasing electromagnetic resilience by detecting damage caused by over-voltages from lightning, electrostatic discharges or other sources.

Identification: When the observations do not correspond with the expected values for the test pattern, a failure is indicated.

Mitigation: Repeat the test pattern as many times as there is time for, without unacceptably degrading the safety integrity.

If during the time available the failure clears, log in the EDR (if one is available) and continue operation as usual.

If during the time available the failure does not clear, log in the EDR (if one is available) and apply an appropriate response as defined in the safety documentation.

For a safety-related system: transition to a safe state as recorded in the safety documentation.

For a sub-system or element: transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

^24 For the corresponding reference number in IET 2017 [B8], see Annex G


However, by using redundant electromagnetically-diverse channels (see A.2.3) it might be practicable to continue safe operation by switching from a failed channel to one that is still operating correctly.
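The static and dynamic test patterns of A.3.21, applied to a digital output unit read back over an independent loopback input, as an added example that is not part of the draft standard. The all-0/all-1 static patterns expose stuck-at lines, the walking-ones dynamic pattern exposes cross-talk between lines, and the repeat-within-budget loop implements the mitigation text above. The port width, the fault model and the fault schedules are constructed for the simulation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed fault model for an 8-bit output port read back through an
 * independent loopback input (the test pattern reception path).
 * xt_src/xt_dst model cross-talk: when bit xt_src is driven high, bit
 * xt_dst reads high too. xt_dst == xt_src means no coupling. */
typedef struct { uint8_t stuck1, stuck0, xt_src, xt_dst; } io_fault_t;

/* The unit under test: drive a pattern, return what the loopback sees. */
uint8_t port_loopback(uint8_t driven, const io_fault_t *f) {
    uint8_t seen = driven;
    if (f) {
        if (f->xt_src != f->xt_dst && (driven & (uint8_t)(1u << f->xt_src)))
            seen |= (uint8_t)(1u << f->xt_dst);
        seen |= f->stuck1;
        seen &= (uint8_t)~f->stuck0;
    }
    return seen;
}

typedef struct { uint8_t stuck_at_1, stuck_at_0, crosstalk; } io_report_t;

/* Static patterns (all-0, all-1) expose stuck-at lines; the dynamic
 * walking-ones pattern exposes coupling between lines. Evaluation is a
 * separate step from the pattern source and from the reception path. */
bool io_test_patterns(const io_fault_t *f, io_report_t *rep) {
    io_report_t r = { 0, 0, 0 };
    r.stuck_at_1 = port_loopback(0x00, f);            /* bits high when all driven low */
    r.stuck_at_0 = (uint8_t)~port_loopback(0xFF, f);  /* bits low when all driven high */
    for (int i = 0; i < 8; i++) {
        uint8_t pat = (uint8_t)(1u << i);
        uint8_t extra = (uint8_t)(port_loopback(pat, f) & ~pat);
        r.crosstalk |= (uint8_t)(extra & ~r.stuck_at_1); /* extras not explained by stuck-at-1 */
    }
    if (rep) *rep = r;
    return r.stuck_at_1 == 0 && r.stuck_at_0 == 0 && r.crosstalk == 0;
}

/* Pack the report for easy comparison: stuck1 << 16 | stuck0 << 8 | crosstalk. */
uint32_t io_test_packed(const io_fault_t *f) {
    io_report_t r;
    io_test_patterns(f, &r);
    return ((uint32_t)r.stuck_at_1 << 16) | ((uint32_t)r.stuck_at_0 << 8) | r.crosstalk;
}

/* Mitigation: repeat the pattern while the time budget allows; a failure
 * that clears is logged and operation continues, a persistent failure
 * leads to the response in the safety documentation. */
enum st_outcome { ST_PASS, ST_CLEARED, ST_FAILED };
typedef const io_fault_t *(*fault_at_fn)(int attempt);

enum st_outcome io_selftest(fault_at_fn fault_at, int max_repeats, int *failures_logged) {
    int fails = 0;
    enum st_outcome out = ST_FAILED;
    for (int a = 0; a < max_repeats; a++) {
        if (io_test_patterns(fault_at(a), NULL)) { out = fails ? ST_CLEARED : ST_PASS; break; }
        fails++;                                   /* each one would be an EDR entry */
    }
    if (failures_logged) *failures_logged = fails;
    return out;
}

/* Constructed faults and fault schedules. */
const io_fault_t FAULT_STUCK1 = { 0x08, 0x00, 0, 0 };
const io_fault_t FAULT_STUCK0 = { 0x00, 0x01, 0, 0 };
const io_fault_t FAULT_XTALK  = { 0x00, 0x00, 2, 5 };   /* bit 2 couples into bit 5 */
const io_fault_t *fault_none(int a)       { (void)a; return NULL; }
const io_fault_t *fault_transient(int a)  { return a == 0 ? &FAULT_XTALK : NULL; }
const io_fault_t *fault_persistent(int a) { (void)a; return &FAULT_STUCK1; }

int main(void) {
    printf("stuck-at-1 report: 0x%06X\n", (unsigned)io_test_packed(&FAULT_STUCK1));
    printf("cross-talk report: 0x%06X\n", (unsigned)io_test_packed(&FAULT_XTALK));
    printf("transient: %d, persistent: %d\n",
           (int)io_selftest(fault_transient, 3, NULL), (int)io_selftest(fault_persistent, 3, NULL));
    return 0;
}
```

Cross-talk is only attributed to bits that the static patterns did not already explain, so a single stuck-at-1 line is reported once rather than as coupling from every other line. On real hardware the loopback path and the pattern source would be independent circuits, as the subclause requires; here they are separate functions so that the independence is at least visible in the structure.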

A.3.22 Using metal-free fiber-optic cables for signals and data communications

Aim: To avoid the effects of electromagnetic disturbances on communications media by using metal-free fiber-optic cables (no external metal/conducting armor or strengthening elements), which do not conduct electromagnetic disturbances.

Description: Optical fibers in themselves are unaffected by electromagnetic disturbances; however, they require protection from the thermal effects of lightning strikes, if exposed to them. With suitable environmental protection they can be used in all applications, including the most arduous.

Fiber-optic cables and their electronic interfaces (transmitters and receivers) are available in a wide range of types (and costs) to carry analogue signals from DC up to several GHz and data at up to hundreds of GBaud.

Where electrical power requirements are under 5 Watts, it is also practicable to carry AC or DC power over ordinary fiber-optics, converting the optical power into electrical power by using a photovoltaic cell instead of a signal/data receiver.

Mitigation: Optical fiber transmitters and receivers themselves are affected by electromagnetic disturbances, and so need to employ the good electromagnetic design techniques described in A.3.26.

However, they are very small, making it much easier and less costly to achieve a given level of risk-reduction in communications than when using metal cables.

Metal-free optical fibers are a good choice for at least one of the channels when designing an electromagnetically diverse multi-channel redundant communication link (see A.2.3).

Note: Certain types of optical cables use metal foils as moisture barriers, metal wires as drawstrings, and/or metal armor. These all conduct electromagnetic disturbances, and they can worsen the thermal effects if the optical cable is struck by lightning. Consequently, this technique recommends the use of metal-free optical cables.


A.3.23 Techniques and measures for AC and DC power supplies/power converters

Overall aim: To help detect or tolerate failures caused by degradations or defects in any of the electrical power supplies.

Overall description:

Degradations and defects in both DC and AC supplies:

Under voltages, over-voltages, sags, swells, and interruptions lasting from less than one microsecond to many hours, days, even months in some cases. AC ripple and noises with any frequency range and level.

Transients, ‘spikes’ and surges lasting from less than one microsecond to hundreds of milliseconds.

Degradations and defects in AC supplies only:

Waveform distortions, frequency perturbations and, in multi-phase supplies, phase and/or voltage imbalances, all with any amplitudes and lasting from less than one second to many hours, days, even months in some cases. Includes incorrect phase rotation.

A.3.23.1 Detecting degradations and defects

Identification: Various devices and circuit techniques are readily available for detecting any/all defects in AC or DC power supplies. For detecting excessive RF noise, see A.3.23.3.

Mitigation: Upon detecting a degradation or defect in a power supply, apply an appropriate response as defined in the safety documentation.

For a safety-related system, transition to a safe state as recorded in the safety documentation. For a sub-system or element, transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

May usefully be combined with mitigation in A.3.23.2 and/or A.3.23.4.

A.3.23.2 Power hold-up

Aim: To maintain the power supply for long enough during and/or after any transient or short-term deficiencies in the electrical power supply (such as dips, dropouts, interruptions, under voltages, sags, etc.) to avoid a dangerous failure.

The energy storage should have a sufficient lifetime, so e.g. electrolytic capacitors with liquid electrolytes might not be a good choice for some applications, especially those with high operating temperatures.

Description: Sufficient energy is stored in capacitors, supercapacitors, batteries, etc., to help ensure the above aims are met.

In the case of long sags, under voltages or interruptions, the energy storage should be sufficient to continue correct (safe) operation while the EUC is put into a safe state or some other action taken to maintain the safety integrity as described in the safety documentation.


EUCs with high power requirements and/or requiring a long time to be put into a safe state despite lack of power for the safety-related system might use large battery banks (for example either directly or as part of a UPS) and/or rotating reserve power generators.

Identification: Analysis and testing of the worst possible combinations of circumstances, including a continuous low and/or distorted supply voltage, component tolerances and the effects of ageing, to help ensure that the above aims are reliably met.

Mitigation: Improvement of the design, for example, by adding more energy storage of an appropriate type.

Before the energy storage becomes exhausted to the point where errors, malfunctions or failures could possibly occur, appropriate action shall be taken to maintain the safety integrity level/systematic capability.

For a safety-related system, transition to a safe state as recorded in the safety documentation.

For a sub-system or element, transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

May usefully be combined with A.3.23.4.
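The worst-case analysis that the Identification paragraph of A.3.23.2 calls for, carried out for capacitive hold-up, as an added example that is not part of the draft standard. It derives the storage from the energy a capacitor releases between the worst-case charged voltage and the converter's cut-off, then derates for initial tolerance and end-of-life loss and checks whether a candidate part still holds up long enough to reach the safe state. The load, voltages, efficiency, derating factors and time-to-safe-state are constructed figures; the real ones come from the component data, the ageing analysis and the safety documentation.

```c
#include <stdbool.h>
#include <stdio.h>

/* Worst-case derating assumptions (constructed for this example):
 * initial tolerance -20 %, end-of-life capacitance loss -20 %. */
#define CAP_TOLERANCE   0.80
#define CAP_END_OF_LIFE 0.80

/* Energy a capacitor delivers while discharging from v_start (use the
 * lowest voltage it is charged to under a continuous low supply) to the
 * converter's minimum input v_min:  E = 1/2 * C * (v_start^2 - v_min^2).
 * The load needs P * t_hold and the converter passes only a fraction eta,
 * so  C >= 2 * P * t_hold / (eta * (v_start^2 - v_min^2)). */
double effective_capacitance_F(double p_watts, double t_hold_s,
                               double v_start, double v_min, double eta) {
    double dv2 = v_start * v_start - v_min * v_min;
    if (dv2 <= 0.0 || eta <= 0.0) return -1.0;   /* nothing can be held up */
    return 2.0 * p_watts * t_hold_s / (eta * dv2);
}

/* Nominal value to specify so that the worst-case part still meets t_hold. */
double required_nominal_capacitance_F(double p_watts, double t_hold_s,
                                      double v_start, double v_min, double eta) {
    double c_eff = effective_capacitance_F(p_watts, t_hold_s, v_start, v_min, eta);
    return c_eff < 0.0 ? c_eff : c_eff / (CAP_TOLERANCE * CAP_END_OF_LIFE);
}

/* Hold-up time a given nominal part achieves under the worst-case
 * combination of tolerance and ageing. */
double worst_case_holdup_s(double c_nominal_F, double p_watts,
                           double v_start, double v_min, double eta) {
    double c_wc = c_nominal_F * CAP_TOLERANCE * CAP_END_OF_LIFE;
    double dv2 = v_start * v_start - v_min * v_min;
    if (dv2 <= 0.0 || p_watts <= 0.0) return 0.0;
    return eta * c_wc * dv2 / (2.0 * p_watts);
}

/* True when the storage outlasts the time needed to reach the safe state
 * (t_to_safe_state_s is the figure recorded in the safety documentation). */
bool holdup_adequate(double c_nominal_F, double p_watts, double t_to_safe_state_s,
                     double v_start, double v_min, double eta) {
    return worst_case_holdup_s(c_nominal_F, p_watts, v_start, v_min, eta) >= t_to_safe_state_s;
}

int main(void) {
    /* Constructed case: 10 W load, 20 ms to reach the safe state, bus charged
     * to 20 V worst case, 12 V converter cut-off, 90 % converter efficiency. */
    double c_nom = required_nominal_capacitance_F(10.0, 0.020, 20.0, 12.0, 0.9);
    printf("specify at least %.0f uF nominal\n", c_nom * 1e6);
    printf("3300 uF worst case holds up %.1f ms -> %s\n",
           worst_case_holdup_s(3300e-6, 10.0, 20.0, 12.0, 0.9) * 1e3,
           holdup_adequate(3300e-6, 10.0, 0.020, 20.0, 12.0, 0.9) ? "adequate" : "NOT adequate");
    printf("2200 uF worst case holds up %.1f ms -> %s\n",
           worst_case_holdup_s(2200e-6, 10.0, 20.0, 12.0, 0.9) * 1e3,
           holdup_adequate(2200e-6, 10.0, 0.020, 20.0, 12.0, 0.9) ? "adequate" : "NOT adequate");
    return 0;
}
```

The point of separating the effective and nominal values is that the datasheet figure is never the figure that matters: with the two derating factors applied, the nominal part must be more than half as large again as the energy calculation alone suggests, and a part that looks comfortable at nominal value can fall short of the time to the safe state at end of life.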

A.3.23.3 Detecting excessive radio frequency noise on power supplies

Aim: To detect the presence of excessive noise on power supplies, whether caused by failed/degraded decoupling capacitors, shielding, filtering, etc., or by EMI.

Description: Simple broadband radio frequency (RF) detectors can readily be created using ordinary circuit techniques (for example, a resistor, Schottky diode, capacitor, and operational amplifier) that will reliably detect frequencies up to tens of MHz, if they have sufficient amplitude. Some semiconductor manufacturers make single-chip RF detectors to detect up to many GHz.

It will generally be necessary to set the sensitivity of the detector so that it does not trigger on the normal systematic noises made by the equipment or system itself in any operating mode when operating correctly.

Identification: Excessive levels of RF on AC power lines or DC power rails cause the RF detector to trigger.

Mitigation: Apply an appropriate response as defined in the safety documentation.

For a safety-related system, transition to a safe state as recorded in the safety documentation.

For a sub-system or element, transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

A.3.23.4 Redundant electromagnetically diverse power supplies

Aim: To maintain the required safety integrity level/systematic capability despite any of the problems detected by A.3.23.1, A.3.23.2 and A.3.23.3, by providing alternative power supplies.

Description: Providing alternative power supplies to replace failed ones.

Identification: Problems with power supplies may be detected using the techniques and measures described in A.3.23.1, A.3.23.2 and A.3.23.3 above.


Mitigation: The availability of redundant electromagnetically diverse power supplies (see A.2.3) allows safe operation by switching from a failed power supply to one that is still operating correctly. The switch needs to be very electromagnetically robust as described in the safety documentation.

A.3.24 Monitoring of ventilation, cooling and heating

Aim: To help confirm that ventilation, cooling and heating systems are appropriately monitored to assist in the prevention of malfunctions caused by electromagnetic disturbances.

Description: Failures of the ventilation, cooling or heating might expose the safety-related system to excessive environmental conditions, possibly increasing the rate of dangerous failure to an unacceptable level. Such failures could be caused by electromagnetic disturbances.

Identification: Ventilation, cooling and heating systems are monitored for correct operation.

Mitigation: When a failure is detected, an appropriate response is made as defined in the safety documentation, before the EUC or its safety-related system is adversely affected.

For a safety-related system, transition to a safe state as recorded in the safety documentation.

For a sub-system or element, transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

However, by using redundant electromagnetically diverse ventilation, cooling or heating systems (see A.2.3) it might be practicable to continue safe operation by switching from a failed one to one that is still operating correctly.

A.3.25 Careful use of wireless (radio) data communications

Aim: To help confirm that any wireless malfunction due to unwanted (in-band) and/or co-channel interference will not cause an unsafe failure, and that the introduction of a wireless function does not adversely impact upon other safety related parts of the system.

Description: As many products now include an element of wireless functionality, it is conceivable that they will be required to contribute to the level of safety. A ‘heart-beat’ signal is typically employed in wireless design to confirm that there is continuous communication between the transmitter and receiver.

Identification: Selection of suitable frequencies that support continuous transmission is required since many frequency allocations do not allow for this type of transmission. Reference [B101]^25 provides recommendations on suitable frequencies, power levels and modulation techniques for short-range wireless systems with implications for the safety of human life. The introduction of a wireless function can change the electromagnetic environment, so the other safety-related parts of the system need to be confirmed to have sufficient immunity at the frequencies of wireless operation, plus techniques and measures such as those in this Standard, which help ensure that even if the immunity is insufficient for any reason, safety integrity level/systematic capability is maintained.

As regards wireless coexistence: At this time there are limited consensus standards addressing the risks associated with wireless coexistence. Most current methods of evaluating wireless coexistence use test methods (in-situ or special tests) that vary widely among device manufacturers. Moreover, current electromagnetic compatibility (EMC) standards often do not define requirements or test procedures to assess the performance of systems containing RF receivers in the presence of in-band interference.

^25 For the corresponding reference number in IET 2017 [B8], see Annex G


Mitigation: Where the ‘heart-beat’ signal is lost, a defined signal is generated and fed into the system. If during the time available the heart-beat signal is re-established, log this in the EDR (if one is available) and continue operation as usual.

If during the time available the ‘heart-beat’ signal is not re-established, log in the EDR (if one is available) and apply an appropriate response as defined in the safety documentation. For a safety-related system, transition to a safe state as recorded in the safety documentation. For a sub-system or element, transition to a DS as recorded in the safety manual, which shall provide sufficient detail on it to allow its correct use by a safety system’s designer.

However, by using electromagnetically-diverse redundant channels (see A.2.3) it might be practicable to continue safe operation by switching from the failed wireless link to another data communication link that is still operating correctly.

Successful coexistence among wireless devices is dependent on three main factors: time, frequency and space. In terms of time, the probability of coexistence increases as the overall channel occupancy of the wireless channel decreases. In terms of frequency, the probability of coexistence increases as the frequency separation of channels increases between wireless networks. In terms of space, the probability of coexistence increases as the signal-to-noise ratio (SNR) increases.

To achieve a successful coexistence, it is necessary to control at least one of the three parameters; controlling two is better, and controlling all three is ideal.

The ANSI C63.27 standard [B551]^26 provides an evaluation procedure and supporting test methods for wireless coexistence and evaluation of key performance indicators (KPI). The standard will provide evaluation procedures, test methods and other guidance necessary for performing the evaluation. The AAMI TIR 69-2017 guide [B550]^26 complements C63.27 for risk assessment and management.

Note: Also see A.6

A.3.26 Good electromagnetic engineering at every level of design

Aim: To use accepted, good electromagnetic engineering practices at the time of system implementation so that a first line of defense against electromagnetic disturbances is provided.

Description: Well-proven and widely-accepted good electromagnetic engineering design practices at the time of system implementation are applied at every level of design as appropriate, including (but not limited to) partitioning printed circuit boards (PCBs), units/modules/subassemblies/products, systems, installations, networks, etc. into different electromagnetic zones (see [B28]^26), and also into lightning protection zones (usually the same as the electromagnetic zones, see [B25]^26), segregated from each other and from the ‘outside world’ by physical space and/or other electromagnetic mitigation techniques.

Identification: Design assessment by persons competent in the relevant electromagnetic design issues.

Mitigation: By competent correction of the design, where required. Examples include:

a) electronic/electrical design appropriate for each electromagnetic zone;
b) selection of electronic, electromechanical and electrical components appropriate for each electromagnetic zone;
c) communications design (within and between electromagnetic zones);
d) PCB design and layout (often incorporates several electromagnetic zones);
e) power converter design e.g. AC-DC, DC-DC, DC-AC, AC-AC (generally located at electromagnetic zone boundaries);
f) enclosure design for units/modules/subassemblies and products (could incorporate several electromagnetic zones);
g) mitigation techniques such as filtering, shielding, galvanic isolation, surge and transient suppression, etc. (located at electromagnetic zone boundaries);
h) system design (generally incorporates several electromagnetic zones); and
i) installation and network design (always incorporating several electromagnetic zones).

^26 For the corresponding reference number in IET 2017 [B8], see Annex G

References:
For circuits, units, modules, subassemblies, products, etc., see Annex B.3.

For cabinets, systems, installations, networks, etc., see Annex B.2.

The ‘Electromagnetic Zoning’ technique [B28]^27 and guides based upon it: [B36]^27 to [B38]^27.

A.3.27 Design to comply with EMC test specifications as set out in A.1.3 and A.1.4

Aim: To help ensure that the safety-related system, or sub-systems or elements intended to be used in a safety-related system, will comply with the EMC test specifications as set out in A.1.3 and, if relevant, A.1.4, during verification and validation (see A.5.2) if/when they are tested.

Description: The design of the safety-related system, or of sub-systems or elements intended to be used in a safety-related system, shall aim to comply with the EMC test specifications as set out in A.1.3 and, if relevant, A.1.4, when the verification and validation tests (see A.5.2) are performed.

Identification: Achieved through regular assessment by personnel who are competent in the electromagnetic design of the relevant hardware and/or software, commensurate with the safety integrity level/systematic capability.

Mitigation: Modification of the design, followed by re-assessment, until the appointed assessors are satisfied.

Reference: See Clause 8 of IEC 61508-1 for guidance on the degree of independence required for the assessors.

A.3.28 De-rating of hardware components, where appropriate

Aim: To increase the reliability of hardware components, particularly those used for the suppression of electromagnetic disturbances or protection against their effects.

Description: Hardware components are operated at levels well below their specified maximum ratings or stress levels, so as to help ensure their correct function despite aging/degradation of performance.

EMI suppression/protection components shall be especially conservatively rated to survive repeated stress levels considerably higher than the worst anticipated, taking into account the full range of all reasonably foreseeable physical and climatic environments over the lifecycle (such as vibration, shock, humidity, extremes of ambient temperature (for example, when the air-conditioning has failed), overvoltages, etc.).

^27 For the corresponding reference number in IET 2017 [B8], see Annex G


1 Identification: Achieved through independent assessment of the design by personnel who are competent
2 (as required for the safety integrity level/systematic capability) in the field reliability of the hardware
3 components concerned.

4 Mitigation: By modification of the design, followed by re-assessment, until the appointed assessors are
5 satisfied.

6 References: See Clause 8 of IEC 61508-1 for guidance on the degree of independence required for the
7 assessors.

8 A.3.29 Improve robustness of interrupts

9 Aim: To help reduce the impact of CPU saturation and program execution lock-up caused by EMI coupled
10 into interrupt signals.

11 Description: Interrupts are provided by circuits external to the processor running the software, and as such
12 are liable to suffer sufficient coupling of electromagnetic disturbances to cause a false signal. Where an
13 interrupt is not masked or otherwise disabled, such EMI will have an immediate effect on the software.

14 Because of its immediate effect on software execution, a false signal (e.g. due to EMI) on an interrupt pin of a
15 processor is very much more liable to cause a malfunction than similar false signals on most other types of
16 processor inputs, all outputs and power supply pins.

17 Identification: While most of the advantages of using interrupts are associated with optimization of the
18 hardware resources and achieving consistent response times, some benefits in robustness and reliability
19 can also be attained by effective use of the internal interrupt mechanisms, which are sometimes called
20 exceptions and traps.

21 EMI can potentially increase the input data rate, which can saturate and lock up the CPU, causing loss or
22 corruption of data and inhibiting other parts of the system from executing their failure-mode handling, fallback
23 operation or normal control operations. In effect, EMI can potentially cause a ‘denial of service’ to interrupt
24 servicing.

25 Mitigations:
26 a) Limit the use of interrupts only to what is necessary: reduce external interrupt inputs, reduce levels
27 of interrupts, and reduce the rates of interrupts.
28 b) Provide electronic filtering (analogue and/or digital) to control slew-rate, de-bounce and reduce the
29 bandwidth of potential interrupts.
30 c) Use edge or level triggering in conjunction with a level check at the beginning of the interrupt routine
31 to filter out unwanted / parasitic interrupts.
32 d) Use memory protection and a user / supervisor mechanism; interrupt service routines need to be executed
33 only in privileged supervisor / system / kernel mode.
34 e) Control the use of the Enable and Disable interrupt instructions and use only matched pairs.
35 f) Disable interrupts during power-up initialization.
36 g) Disable and mask-out unused interrupt vectors. Unused vectors should point to an error handling
37 routine or reset, as appropriate.
38 h) Use ‘atomic’ Test-and-Set instructions or signaling mechanisms, such as semaphores, to protect and
39 mark as ‘in-use’ any common resources.
40 i) Confirm that each interrupt, and all interrupts together, will not deadlock the system and inhibit the
41 liveness of the system.
42 j) Use an independent observation technique to detect and react to a lock-up.


1 k) Use a watchdog timer to free lock-up situations: the watchdog should never be ‘kicked’ from an
2 interrupt routine.
3 l) Confirm that calculations of CPU usage level and the specific impact of all the expected worst-case
4 instances of all interrupt servicing can be met, with a safe margin of spare CPU capacity (typically
5 of the order of 30%).
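The following is an added example and is not part of P1848 or of any project it cites. It models, on a host PC, several of the mitigations listed above: the rate limit of (b), the level check at the start of the interrupt routine in (c), matched Enable/Disable pairs in (e), interrupts disabled during initialization in (f), unused vectors routed to an error handler in (g), an atomic Test-and-Set guard on a shared resource in (h), and a watchdog that is kicked only from the background loop in (k). The interrupt controller, the external line and the watchdog are simulated with plain C state; all names, counts and the scenario are constructed for this illustration.

```c
/* Added example, not part of P1848: a host-runnable model of mitigations
 * (b), (c), (e), (f), (g), (h) and (k) from A.3.29. The interrupt controller,
 * the external line and the watchdog are simulated with plain C state so the
 * logic can be exercised on a PC; every name below is hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define NUM_VECTORS        8
#define SENSOR_VECTOR      3
#define MAX_IRQ_PER_WINDOW 4      /* (b): rate limit per background-loop iteration */

typedef void (*isr_t)(void);

/* Simulated hardware and controller state */
static volatile int line_level[NUM_VECTORS];   /* 1 while the external line is asserted */
static isr_t vector_table[NUM_VECTORS];
static int irq_disable_depth;                  /* (e): Disable/Enable used only as matched pairs */

/* Counters inspected by the test and printed by main() */
static unsigned accepted_irqs, rejected_glitches, rate_limited, spurious_vectors, shared_conflicts;
static unsigned irqs_in_window, watchdog_kicks;

/* (h): shared resource guarded by an atomic test-and-set flag */
static atomic_flag sensor_buffer_busy = ATOMIC_FLAG_INIT;
static int sensor_buffer;

/* (g): every unused vector lands here, is counted and returns to a defined state */
static void unused_vector_handler(void) { spurious_vectors++; }

/* Sensor ISR. (c): the line level is re-checked on entry, so an EMI-induced
 * edge that has already disappeared is discarded instead of being serviced. */
static void sensor_isr(void)
{
    if (!line_level[SENSOR_VECTOR]) { rejected_glitches++; return; }        /* (c) */
    if (++irqs_in_window > MAX_IRQ_PER_WINDOW) { rate_limited++; return; }  /* (b) */
    if (atomic_flag_test_and_set(&sensor_buffer_busy)) {                    /* (h) */
        shared_conflicts++;        /* buffer in use by background code: drop, do not corrupt */
        return;
    }
    sensor_buffer++;
    accepted_irqs++;
    atomic_flag_clear(&sensor_buffer_busy);
    /* (k): the watchdog is deliberately never kicked from an ISR */
}

static void irq_disable(void) { irq_disable_depth++; }
static void irq_enable(void)  { if (irq_disable_depth > 0) irq_disable_depth--; }
static bool irqs_enabled(void) { return irq_disable_depth == 0; }

/* One background-loop iteration: opens a new rate-limit window and is the only
 * place the watchdog is kicked, so a lock-up in interrupt handling starves it. */
static void background_loop_iteration(void)
{
    irqs_in_window = 0;
    watchdog_kicks++;
}

static void init_vectors(void)
{
    irq_disable();                                  /* (f): interrupts off while initialising */
    for (int v = 0; v < NUM_VECTORS; v++) vector_table[v] = unused_vector_handler;
    vector_table[SENSOR_VECTOR] = sensor_isr;
    irq_enable();                                   /* (e): matched with the disable above */
}

/* Controller dispatch. `still_asserted` models whether the line is still at its
 * active level when the ISR actually runs (false for a short EMI glitch). */
static void raise_interrupt(int vector, bool still_asserted)
{
    if (!irqs_enabled()) return;                    /* masked: not delivered */
    line_level[vector] = still_asserted ? 1 : 0;
    vector_table[vector]();
    line_level[vector] = 0;
}

/* Constructed scenario: genuine interrupts, EMI glitches, a contended buffer and
 * a burst. Returns the number of interrupts that were actually serviced. */
unsigned run_scenario(void)
{
    init_vectors();
    background_loop_iteration();
    raise_interrupt(SENSOR_VECTOR, true);            /* genuine: serviced */
    raise_interrupt(SENSOR_VECTOR, false);           /* EMI glitch: rejected by the level check */
    raise_interrupt(5, true);                        /* EMI on an unused vector: counted, harmless */
    (void)atomic_flag_test_and_set(&sensor_buffer_busy);  /* background code holds the buffer... */
    raise_interrupt(SENSOR_VECTOR, true);            /* ...so this one is dropped, not corrupted */
    atomic_flag_clear(&sensor_buffer_busy);
    for (int i = 0; i < 6; i++) raise_interrupt(SENSOR_VECTOR, true);  /* burst: 2 more, then rate-limited */
    irq_disable();
    raise_interrupt(SENSOR_VECTOR, true);            /* masked: never reaches the ISR */
    irq_enable();
    return accepted_irqs;
}

int main(void)
{
    unsigned serviced = run_scenario();
    printf("serviced=%u glitches=%u rate_limited=%u spurious=%u conflicts=%u watchdog_kicks=%u\n",
           serviced, rejected_glitches, rate_limited, spurious_vectors, shared_conflicts, watchdog_kicks);
    return 0;
}
```

In the constructed scenario three of the ten raised interrupts are serviced: one glitch is rejected by the level check, one lands on an unused vector, one is dropped because the shared buffer is held, four are rate-limited and one is masked. The counters, rather than the printed line, are what a verification test on a real target would inspect.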

6 A.4 Techniques and measures for implementation, integration, installation and
7 commissioning

8 A.4.1 Providing information on constraints and additional measures

9 Aim: To aid procurement, installation and commissioning in accordance with the relevant design
10 requirements specification for electromagnetic resilience.

11 Description: The design specification for a safety-related system, or subsystems or elements intended for
12 use in safety-related systems, should have been based upon their eventual operation in a specified
13 electromagnetic environment (or one that is less severe). The actual achievement of that specified
14 electromagnetic environment, or one that is less severe, might rely on certain constraints or additional
15 measures being employed during installation. Improvements to the lightning protection system of the site
16 are a common example.

17 Identification: Achieved through the assessment of the intended operational site and its characteristics by
18 personnel who are competent in the relevant site-related issues, commensurate with the safety integrity
19 level/systematic capability.

20 Mitigation: By modification of the design, followed by re-assessment, until the appointed assessors are
21 satisfied.

22 Measures required include, but are not limited to, the provision of information on:
23 a) any constraints on the physical positioning of the items of equipment that comprise the safety-
24 related system;
25 b) any constraints on types, lengths and routing of power, control and signal interconnecting cables;
26 c) the methods to be used when terminating any cable screens (shields);
27 d) the types of connectors to be used and any special assembly requirements;
28 e) the electrical power supply requirements (power quality);
29 f) any additional screening (shielding) required, and how it should be installed;
30 g) any additional filtering required, and how it should be installed;
31 h) any additional overvoltage and/or overcurrent protection required, and how it should be installed
32 (for example, by referencing the appropriate requirements in all applicable parts of IEC 62305);
33 i) any additional power conditioning required (such as a reliable UPS);
34 j) any additional electrostatic discharge protection requirements (such as control of humidity);
35 k) any additional physical protection required (for example, against the possibility of unusual physical
36 and/or climatic conditions);
37 l) the earthing (grounding) and bonding requirements for the installation;
38 m) the procedures and materials to be used;
39 n) any protection that is required against corrosion and its effects over the lifecycle; and
40 o) any operator/maintainer constraints, for example, the use of mobile phones or cellphones while
41 performing commissioning or maintenance.


1 In addition: proper installation and commissioning, having regard to the constraints and additional
2 measures listed above (and any others not listed above), should be competently verified before the system
3 is first operated (see A.5.4) and thereafter checked regularly during its lifecycle, depending on the safety
4 integrity level/systematic capability (see A.6.2).

5 References: See Clause 8 of IEC 61508-1 for guidance on the degree of independence required for the
6 assessors.

7 A.4.2 Procuring materials, components and products

8 Aim: To help confirm that all materials, components and products are procured according to their
9 specifications for achieving electromagnetic resilience, which will help to confirm that the safety-related
10 system will comply with the EMC test specifications from A.1.3 and A.1.4, during verification and
11 validation (see A.5.2).

12 Description: Substandard or counterfeit materials, components and products are increasingly appearing in
13 supply chains, especially when purchased on the ‘grey market’ (an activity that this Standard does not
14 recommend). Such components can threaten the overall electromagnetic resilience of the safety-related
15 system.

16 Identification: By regular quality audits on goods received during the project.

17 Audits shall be carried out by personnel who are competent in the relevant quality control issues for the
18 types of goods concerned in each case, commensurate with the safety integrity level/systematic capability.

19 Appropriate tests (see A.5.2 and, if appropriate, A.5.3) should be applied to verify suppliers’ claims of
20 compliance with specifications, the rate of which depends on the acceptable quality level (AQL) chosen in
21 each case.

22 Such tests are recommended in general to avoid substandard or counterfeit materials, components and
23 products from being incorporated in the safety-related system.
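The paragraph above ties the rate of incoming-goods testing to the acceptable quality level (AQL). As an added example, not part of P1848, the block below shows the acceptance-sampling arithmetic behind that statement: a single-sampling plan tests n items from a delivery and accepts it if at most c fail, and the probability of accepting a delivery with true defective fraction p is binomial when the delivery is much larger than n. The plan parameters, the 5 % defective fraction and the 10 % consumer's risk are constructed for illustration; real plans come from sampling tables such as ISO 2859-1, which this block does not reproduce.

```c
/* Added example, not part of P1848: the acceptance-sampling arithmetic behind
 * A.4.2's statement that the rate of incoming-goods testing depends on the
 * chosen AQL. A single-sampling plan tests n items from a delivery and accepts
 * it if at most c fail. For a delivery much larger than n, the probability of
 * accepting it when its true defective fraction is p is binomial. The plan
 * parameters and numbers below are constructed for illustration; real plans
 * are taken from sampling tables such as ISO 2859-1. No libm is needed. */
#include <stdio.h>

/* x raised to a non-negative integer power, without <math.h> */
static double pow_int(double x, int n)
{
    double r = 1.0;
    for (int i = 0; i < n; i++) r *= x;
    return r;
}

/* P(accept) = sum_{k=0}^{c} C(n,k) p^k (1-p)^(n-k), computed with the
 * recurrence term(k+1) = term(k) * (n-k)/(k+1) * p/(1-p) to avoid factorials. */
double accept_probability(int n, int c, double p)
{
    if (p <= 0.0) return 1.0;                 /* a perfect delivery is always accepted */
    if (p >= 1.0) return c >= n ? 1.0 : 0.0;  /* all-defective delivery fails unless c >= n */
    double prob = 0.0;
    double term = pow_int(1.0 - p, n);        /* k = 0 term */
    for (int k = 0; k <= c; k++) {
        prob += term;
        term *= (double)(n - k) / (double)(k + 1) * p / (1.0 - p);
    }
    return prob;
}

/* Smallest sample size n, with c = 0, such that a delivery with defective
 * fraction p_reject slips through with probability at most beta
 * (the "consumer's risk"). This is how a tighter AQL raises the test rate. */
int min_sample_size_c0(double p_reject, double beta)
{
    int n = 1;
    while (accept_probability(n, 0, p_reject) > beta) n++;
    return n;
}

int main(void)
{
    /* Constructed delivery: 5 % counterfeit parts. With n = 20, c = 0 the
     * delivery is still accepted about 36 % of the time. */
    printf("n=20 c=0 p=0.05 -> P(accept)=%.3f\n", accept_probability(20, 0, 0.05));
    printf("n=20 c=1 p=0.05 -> P(accept)=%.3f\n", accept_probability(20, 1, 0.05));
    printf("n needed to reject 5%% defective with 90%% confidence: %d\n",
           min_sample_size_c0(0.05, 0.10));
    return 0;
}
```

The point for the audit plan is the last figure: rejecting a 5 % defective delivery with 90 % confidence and zero tolerated failures needs 45 tested items, and allowing one failure (c = 1) in a 20-item sample roughly doubles the chance that the same delivery is accepted.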

24 Example 1 In the military avionics industry, it is not unknown to hear claims that suppliers’ build
25 quality slips by enough to cause failure to meet specifications after seven units have been
26 manufactured. Detecting the failure and ensuring that the supplier corrects the problem is
27 claimed to typically result in a further failure to meet specification, another seven units
28 later.

29 Example 2 The US Department of Defense has found counterfeit components in every weapons
30 system; and in response has created a Regulation which all its suppliers are now required
31 to comply with, to try to prevent counterfeits from entering the military supply chain
32 [B2]28.

33 Mitigation: Replacement of the out-of-specification materials, components or products with in-specification
34 materials, components or products that satisfy the appointed inspectors, before they are
35 assembled.

36 References: See Clause 8 of IEC 61508-1 for guidance on the degree of independence required for the
37 assessors.

28 For the corresponding reference number in IET 2017 [B8], see Annex G


1 A.4.3 Assemble/integrate according to the electromagnetic resilience design

2 Aim: To help confirm that the correct materials, components and products are used in the correct ways so
3 that the safety-related system and its sub-systems and elements are assembled and integrated according to
4 their design requirements specifications for achieving electromagnetic resilience.

5 To help confirm that good electromagnetic engineering practices are employed (see A.3.26) as appropriate
6 during assembly and integration.

7 To help confirm that the safety-related system will comply with the EMC test specifications as set out in
8 A.1.3 and A.1.4, during verification and validation (see A.5.2).

9 Identification: By regular quality audits and/or assessments by personnel who are competent in the
10 assembly/integration activities concerned, commensurate with the safety integrity level/systematic
11 capability.

12 Mitigation: Replacement of incorrect materials, components or products, and/or reworking of incorrect
13 assembly or integration, as required, to satisfy the appointed assessors.

14 References: See Clause 8 of IEC 61508-1 for guidance on the degree of independence required for the
15 assessors.

16 A.4.4 Install/commission according to the design for achieving electromagnetic resilience

17 Aim: To help confirm that the correct installation and commissioning methods are used for the safety-
18 related system and its sub-systems and elements, according to their associated design requirements
19 specifications for achieving electromagnetic resilience.

20 To help confirm that good electromagnetic engineering practices are employed (see A.3.25) as appropriate
21 during installation and commissioning.

22 To help confirm that the safety-related system will comply with the EMC test specifications from A.1.3 and
23 A.1.4 during verification and validation (see A.5.2).

24 Description: The design of a safety-related system, or of its subsystems or elements, will have assumed or
25 specified that its installation and commissioning will be performed in a certain way, to help achieve
26 electromagnetic resilience. Consequently, it is important for the achievement of electromagnetic resilience
27 that installation and commissioning are performed as was assumed or specified by its designers.

28 Identification: By regular quality audits and/or assessments by personnel who are competent in the
29 installation/commissioning activities concerned, commensurate with the safety integrity level/systematic
30 capability.

31 Mitigation: Reworking of incorrect installation or commissioning as required to satisfy the appointed
32 assessors.

33 References: See Clause 8 of IEC 61508-1 for guidance on the degree of independence required for the
34 assessors.


1 A.5 Techniques and measures for verification and validation (including testing)

2 A.5.1 Applying verification and/or validation techniques and measures

3 Aim: To verify and/or validate as far as is practicable that the design techniques and measures that have
4 been applied function according to the relevant design requirements specification created as described in
5 A.1.

6 Description: The verification and validation of a safety-related system, or of its subsystems or elements,
7 will have been specified by the designers as described in A.1, to help achieve electromagnetic resilience.
8 Consequently, it is important for the achievement of electromagnetic resilience that all verification and
9 validation activities are performed exactly as was specified in A.1.

10 Identification: By performing a sufficient number of techniques listed below, or equivalent techniques
11 described in the safety documentation, to enable different types of weaknesses or omissions in the design to
12 be discovered.

13 The competency, measurement accuracy and measurement uncertainty required for each verification or
14 validation technique shall be commensurate with the safety integrity level/systematic capability.

15 Verification applies these techniques to all components, sub-assemblies, etc. of the safety-related system.

16 Where the component or sub-assembly is a third-party item, its manufacturer might have performed some
17 or all of these techniques and documented their results in the item’s safety manual.

18 Validation applies these techniques at the highest practicable level of assembly of the safety-related
19 system.

20 Failure prediction techniques can be helpful for quantitative risk assessment, when the risk cannot be
21 shown to be tolerable through other qualitative means.

22 Typical quantitative techniques include:
23 a) failure modes and effects analysis (FMEA);
24 b) failure modes, effects and criticality analysis (FMECA);
25 c) cause-consequence diagrams;
26 d) event tree analysis (ETA);
27 e) fault tree analysis (FTA); and
28 f) fault tree models.

29 Examples of verification and validation techniques include:
30 g) demonstrations, such as demonstrating that the functional safety requirements have been correctly
31 implemented, using any appropriate methods.
32 h) checklists, to help confirm that design techniques and measures have been observed, applied and
33 implemented correctly.
34 i) inspections, to help confirm that the designs for assembly and installation have been correctly
35 followed.
36 j) reviews and assessments, to help confirm compliance with the objectives of each phase of the
37 lifecycle. These are usually performed by competent persons on each phase of the lifecycle and the
38 various stages of the activities within each phase.


1 k) independent reviews and assessments. As for (j), with the degree of independence being related to
2 the safety integrity level/systematic capability (see Clause 8 of IEC 61508-1).
3 l) audits, which include verification processes for specification, design, assembly and installation.
4 m) ‘walk-throughs’ of normal operation and plausibly abnormal operations (sometimes called ‘devil’s
5 advocacy’).
6 n) individual and/or integrated hardware tests. Different parts of the final assembly or system are
7 assembled step by step, with checks and tests applied to help confirm that they function correctly at
8 each step.
9 o) validated computer modelling, simulation, etc.
10 p) the normal EMC tests applied in accordance with A.5.3 can be modified to provide greater
11 coverage of the possible effects of EMI, as described in [B655]29, [B600]29 and [B603]29; also see
12 A.5.4.
13 q) third party safety certification complying with the requirements of this standard, at component,
14 module, product or system level, for example: SIL, Systematic Capability level, integrity of data,
15 wireless standard, encryption, etc.

16 Mitigation: Changes are made to the design or operation to eliminate the weaknesses or omissions, and the
17 relevant verification or validation re-applied.

18 Preceding lifecycle phases should be reviewed if they can be affected by the changes. Consideration should
19 be given as to whether similar weaknesses or omissions might be present in other, similar safety functions.
20 If so, similar changes should be carried out to those safety functions.

21 This process is repeated until the appointed assessors are satisfied. The decisions made and actions taken in
22 this regard should be described in detail in the safety documentation.

23 Note 1: These quantitative techniques were not originally developed to deal with the effects of
24 EMI, so they will need to be competently modified to take into account the issues
25 mentioned in A.1.2.

26 Note 2: Because there can be multiple orthogonal (i.e. independent) effects acting on equipment,
27 Taguchi's ‘Design of Experiments’ approach can help improve tests for robustness by
28 quickly determining the worst cases to be tested.
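As an added example, not part of P1848, the block below is a minimal fault-tree evaluator of the kind used by the quantitative techniques in (e) and (f) above, followed by the modification that Note 1 calls for: EMI is a common cause, so two "redundant" channels exposed to the same disturbance are not the independent events that a plain fault tree assumes. The tree, its event probabilities and the beta-factor treatment of the common cause are constructed for illustration and are not prescribed by the standard.

```c
/* Added example, not part of P1848: a minimal fault-tree evaluator of the kind
 * used by the quantitative techniques in A.5.1 (e) and (f), followed by the
 * modification Note 1 asks for: EMI is a common cause, so two "redundant"
 * channels exposed to the same disturbance are not independent. The tree,
 * the probabilities and the beta-factor treatment of the common cause are
 * constructed for illustration and are not taken from the standard. */
#include <stdio.h>

typedef enum { BASIC, AND_GATE, OR_GATE } node_kind;

typedef struct node {
    node_kind kind;
    double p;                   /* probability of a BASIC event per demand */
    const struct node *in[4];   /* gate inputs, NULL-terminated */
} node;

/* Probability of a node's event, assuming its inputs are independent. */
double eval(const node *n)
{
    if (n->kind == BASIC) return n->p;
    double acc = 1.0;
    for (int i = 0; i < 4 && n->in[i]; i++) {
        double q = eval(n->in[i]);
        acc *= (n->kind == AND_GATE) ? q : (1.0 - q);   /* AND: all occur; OR: none occur */
    }
    return (n->kind == AND_GATE) ? acc : 1.0 - acc;
}

/* Constructed tree. A corrupted sensor value only becomes hazardous if both
 * detection measures miss it; a false trigger on the output stage bypasses
 * detection entirely, so it appears as a second path into the top OR gate. */
static const node crc_check_defeated    = { BASIC, 1e-4, {0} };
static const node plausibility_misses   = { BASIC, 1e-2, {0} };
static const node emi_corrupts_value    = { BASIC, 1e-3, {0} };
static const node emi_false_trigger_out = { BASIC, 1e-6, {0} };
static const node detection_fails  = { AND_GATE, 0, { &crc_check_defeated, &plausibility_misses, 0 } };
static const node sensor_path      = { AND_GATE, 0, { &emi_corrupts_value, &detection_fails, 0 } };
static const node hazardous_output = { OR_GATE,  0, { &sensor_path, &emi_false_trigger_out, 0 } };

double top_event_probability(void) { return eval(&hazardous_output); }

/* Beta-factor common-cause model: a fraction beta of each channel's failure
 * probability is attributed to a cause that hits both channels at once (one
 * EMI event). beta = 0 is the naive independence assumption. */
double dual_channel_failure(double p_channel, double beta)
{
    double p_indep = (1.0 - beta) * p_channel;   /* independent part of each channel */
    double p_ccf   = beta * p_channel;           /* common-cause part, shared by both */
    double p_both_indep = p_indep * p_indep;     /* both fail independently */
    return 1.0 - (1.0 - p_both_indep) * (1.0 - p_ccf);
}

int main(void)
{
    printf("P(hazardous output) = %.3e\n", top_event_probability());
    printf("dual channel, independent: %.3e\n", dual_channel_failure(1e-3, 0.0));
    printf("dual channel, 10%% EMI common cause: %.3e\n", dual_channel_failure(1e-3, 0.1));
    return 0;
}
```

Two things the numbers show that the list alone does not: the unmonitored output path dominates the top event even though its basic probability is tiny, and attributing just 10 % of each channel's failure probability to a shared EMI cause raises the dual-channel failure probability by about two orders of magnitude over the independence assumption, which is the effect Note 1 warns the standard quantitative techniques will miss unless modified.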

29 References: See the list in Annex B.15, especially [B703]29.

30 A.5.2 Verification testing to the EMC test plan from A.1.3 and A.1.4

31 Aim: To help confirm that the safety-related system complies with the EMC test specifications from A.1.3
32 and, if appropriate, A.1.4.

33 Description: An EMC test plan that helps to achieve electromagnetic resilience will have resulted from the
34 activities described in A.1.3, and perhaps A.1.4 too. Consequently, it is important for the achievement of
35 electromagnetic resilience that these test plans are performed exactly as specified.

36 Identification: By performing tests in accordance with the EMC test plan(s) created by applying A.1.3 and
37 (if appropriate) A.1.4, using competent test personnel using calibrated test equipment and facilities.

29 For the corresponding reference number in IET 2017 [B8], see Annex G

1 Manufacturers are not necessarily precluded from doing these tests themselves or constrained from using
2 certain types of third-party test laboratories.

3 Care shall be taken over the order of tests, for example, performing emissions after immunity to reveal
4 whether seals or protection have been ‘softened’ during the immunity test.

5 The degree of accuracy, confidence, test accreditation and independence required for these tests is – like
6 most functional safety issues – generally dependent on the safety integrity level/systematic capability.

7 Mitigation: Modification of the safety-related system, followed by re-verification and/or re-validation of
8 the failed tests.

9 Depending on the tests which were failed, and the modifications required to achieve passes to them, it
10 might be necessary to redo other EMC tests, possibly all of them.

11 This process is repeated until the appointed assessors are satisfied.

12 The decisions made and actions taken in this regard should be described in detail in the safety
13 documentation.

14 Note: Complying with the conventional test standards alone is insufficient for EMI resilience
15 (see Clause 1 and References [B14]30 and [B15]30).

16 A.5.3 Using non-standardized ad hoc checks or tests

17 Aim: To help confirm that the safety-related system or any component part of it has sufficient
18 electromagnetic resilience, for the safety integrity level/systematic capability.

19 Description: Complying with the EMC tests specified by A.1.3 and (if appropriate) A.1.4 is necessary for
20 maintaining sufficiently high levels of EUC availability so that operators or owners are not inclined to
21 modify or degrade the safety-related systems to achieve their productivity targets.

22 Of course this is very important for electromagnetic resilience, but no affordable or practicable EMC test
23 plan can possibly demonstrate that electromagnetic disturbances cannot degrade the safety integrity
24 level/systematic capability, even at level 1.

25 Employing a suitable number of design techniques and measures is what makes it possible for a safety
26 integrity level/systematic capability not to be degraded by electromagnetic disturbances over the lifecycle.
27 A.5.12 lists techniques and measures that may be used to verify or validate this.

28 Non-standardized or ad hoc checks or tests can be used in addition to the list in A.5.2 to help achieve the
29 necessary confidence in the electromagnetic resilience design, according to the safety integrity
30 level/systematic capability.

31 In many situations they can prove very useful in assessing electromagnetic resilience design.

32 Identification: By performing non-standardized or ad hoc checks or tests.

33 Non-standard ad hoc test methods shall be justified by recording the following in the safety documentation:
34 a) Rationale.
35 What needs to be measured? What is the purpose of measuring it? Why is a non-standard ad hoc
36 test being proposed rather than a standards-based method?

30 For the corresponding reference number in IET 2017 [B8], see Annex G


1 b) A detailed explanation of the test method.
2 Including figures or photographs and its theoretical underpinning.
3 c) A demonstration of validity of this non-standard ad hoc test.
4 (If it is not immediately obvious to an engineer competent in testing the issue concerned.)

5 Examples of some non-standard ad hoc checks and tests include:
6 d) significantly increasing the test levels of standard immunity tests;
7 e) modulating continuous wave (CW) disturbances with frequencies, pulse shapes or patterns, or wave
8 shapes to which a design might be especially susceptible (from inspection/investigation of the
9 design);
10 f) applying two or more disturbances at once (for example, multiple frequencies during conducted or
11 radiated tests to cause intermodulation in the tested design);
12 g) applying different wave shapes on transient tests (such as surge, ESD, etc.);
13 h) performing significantly larger numbers of transient tests to cover a greater proportion of the range
14 of possible equipment states;
15 i) checks on earthing, grounding and bonding by, for example, measurement with appropriate DC
16 meters and/or visual inspections;
17 j) checking that temperature and humidity sensors are functioning correctly (to help prevent corrosion
18 of shielding, overheating of filters, etc.);
19 k) checking the behavior of shielding joints and gaskets during physical stress (for example, non-flat
20 mounting surface), mechanical shocks, vibration, temperature changes, temperature extremes,
21 condensation, icing, changes in air pressure (or water pressure for underwater equipment), etc., for
22 example, by using battery-powered ‘comparison noise emitters’ inside an enclosure, and close-field
23 probes outside it, within an environmental test chamber.
24 l) quick checks of emissions and immunity performance for units that have undergone highly-
25 accelerated simulations of their lifecycle exposure to mechanical, climatic, chemical, etc.,
26 environments and/or user interactions (for example, opening/closing doors, hatches, inspection
27 panels, etc.).

28 Mitigation: Modification of the safety-related system, followed by re-verification and/or re-validation of
29 the failed checks or tests.

30 Depending on which checks or tests were failed, and the modifications required to achieve passes to them,
31 it might be necessary to redo other checks or tests, or even standards-based testing.

32 This process is repeated until the appointed assessors are satisfied. The decisions made and actions taken in
33 this regard should be described in detail in the project documentation.

34 References: [B600]31 - [B604]31 in Annex B.13.

35 Note: A manufacturer is not precluded from doing these tests personally or constrained to use
36 certain types of third-party test laboratories.

37 The degree of accuracy, confidence, and independence required for these non-standard ad hoc checks and
38 tests is – like most functional safety issues – generally dependent on the safety integrity level/systematic
39 capability.

31 For the corresponding reference number in IET 2017 [B8], see Annex G

1 A.5.4 Verifying correct installation and commissioning

2 Aim: To help confirm proper installation and commissioning having regard to the constraints and
3 additional measures listed as the result of applying A.4.1 and A.4.2, and any others not listed in those
4 subclauses.

5 This is essential for ‘version control’ of the finished as-built system, listing all the hardware and software
6 parts that have to be used together as a ‘working set’ to fulfil the initial functional safety objectives during
7 the anticipated lifecycle.

8 Description: The designers of a safety-related system, or of its subsystems or elements, will have specified
9 that its correct installation and commissioning will be verified in a certain way, to help confirm the
10 achievement of electromagnetic resilience. Consequently, it is important for the achievement of
11 electromagnetic resilience that the installation and commissioning are verified exactly as specified by its
12 designers.

13 Identification: Inspection by competent personnel before the system is first operated and checked regularly
14 during its lifecycle.

15 Mitigation: Modification of the safety-related system, followed by re-inspection, repeated until the
16 appointed assessors are satisfied.

17 The decisions made and actions taken in this regard should be described in detail in the safety
18 documentation.

19 A.5.5 EMC tests before and after accelerated life tests

20 Aim: To help confirm that EM Resilience is effective during and after accelerated life tests.

21 Description: Testing environments that simulate the reasonably foreseeable locations of use of an EUC are
22 recommended to verify that EM resilience is maintained throughout the anticipated lifecycle.

23 Identification: When these tests are carried out, the EM resilience needs to be evaluated both before and
24 after the life tests; some EMC tests might be able to be combined with the lifetime tests. Following the
25 tests, it is necessary to evaluate whether the EMC performance has been degraded, which might lead to
26 an unacceptable risk in the sense of the risk analysis.

27 Mitigations:
28 a) Link to calculations of reliability on sensitive components whose characteristics can vary over time
29 (e.g. capacitors).
30 b) Selection of components with appropriate electrical and thermal properties.
31 c) The tolerance of the components (e.g. value, voltage) needs to be chosen carefully taking aging into
32 account.
33 d) Particular attention should be paid to the EMC seals of cabinets, racks, doors, connectors and
34 openings; repeated handling can degrade EMC performance over time.
35 e) The fixing points and electrical connection undergoing corrosion need to be adapted and protected.
36 f) The life test profiles need to take into account the environmental constraints of the intended or
37 foreseeable environment(s).

1 A.6 Techniques and measures for operation, maintenance, repair, overhaul,
2 refurbishment and upgrade

3 A.6.1 Assessment of changes in the electromagnetic environment

4 Aim: To discover new electromagnetic environment conditions that were not taken into account in the
5 original design.

6 To modify/upgrade as required so that availability is maintained at a high level (as discussed in A.1.3).

7 Description: The design specification for a safety-related system, or subsystems or elements intended for
8 use in safety-related systems, should have been based upon their eventual operation in a specified
9 electromagnetic environment (or one that is less severe) over its anticipated lifecycle.

10 The achievement of that specified electromagnetic environment, or one that is less severe, throughout the
11 lifecycle is important for availability, and requires the electromagnetic environment to be managed,
12 specifically in this case to identify and assess any changes in it. Ideally, proposed changes would be
13 assessed before they were implemented, and modified if necessary, so as not to degrade the availability.

14 Identification: This is achieved by analyzing the following, at least:
15 a) changes in the EMC test standards used in the specification (see A.1.3 and A.1.4).
16 b) changes in the standards listed in Annex B.14.
17 c) results from independent detection of electromagnetic disturbances as described in A.2.9.
18 d) results recorded as described in A.2.5, and then analyzed.
19 e) the assessment techniques described in A.1.3 and [B651]32.
20 f) proposed changes in the EUC, the safety-related system, or other equipment/systems that could
21 affect inter-system or intra-system electromagnetic energy couplings into the safety-related system.
22 These proposed changes could be upgrades, repairs, overhauls, or any modifications for any
23 reasons.
24 It may be useful to perform a ‘gap analysis’, comparing the electromagnetic environment that was the basis
25 of the original design requirements specification (see A.1), with the current electromagnetic environment.

26 Mitigation: By re-applying the appropriate parts of the process described in this Standard, as appropriate to
27 the changes in the electromagnetic environment, in accordance with the approach taken by the applicable
28 parts of IEC 61508 in such circumstances.

29 This process is repeated until the appointed assessors are satisfied.

30 The decisions made and actions taken in this regard should be described in detail in the safety
31 documentation.

32 For the corresponding reference number in IET 2017 [B8], see Annex G

A.6.2 Assessment of continuing correct installation

Aim: To help confirm the maintenance of proper installation and commissioning, having regard to the constraints and additional measures listed as the result of applying A.4.1, and any others not listed in that subclause.

Description: The design of a safety-related system, or of its subsystems or elements, will have assumed or specified that its installation be performed in a certain way, to help achieve electromagnetic resilience. As electromagnetic resilience is a requirement throughout the anticipated lifecycle, it is important that the installation continues to have the same characteristics, throughout the lifecycle, as were assumed or specified by its designers for its initial installation.

Identification: Regular inspections by competent personnel during the lifecycle.

These inspections may include, for example: grounding/bonding; shielding effectiveness; filter insertion loss; the condition of surge protection components/devices and electromagnetic shielding gaskets; unapproved modifications (including cable/connector replacements and/or additions, software upgrades or other changes); etc.

Examples: A common example is conductive gaskets used to seal apertures in shielding enclosures, and dissimilar-metal bonds (such as earth/ground connections). These are often subject to corrosion that progresses over time until they no longer function as well as required for electromagnetic resilience.

Another example is surge protection components and/or devices, which generally degrade as time progresses due to the surges they experience, until they can no longer provide adequate protection.

Note that these surge protection components/devices and earth/ground bonds might be located remotely from the electronics of the EUC and its safety system – for example, they may be installed as part of a site or vehicle’s lightning and/or EMP protection system, and yet the electromagnetic resilience of the safety-related system and/or its sub-systems or elements might still rely on the protection they provide.

Mitigation: Modification of the safety-related system, followed by re-inspection, until the correct constraints and additional measures are once again satisfied.

Preventative maintenance shall also be employed wherever any aspect of the installation appears to be suffering from degradation of its electromagnetic characteristics at such a rate that they could become unacceptable before the next planned inspection.

Where the periodicity of the planned inspections is found to be inadequate to prevent certain electromagnetic characteristics from degrading by too much, the planning should be changed to inspect at least those characteristics sufficiently often that their degradation is corrected before they have degraded to the point of unacceptability.

Note: This activity is another essential for the ‘version control’ of the as-built system (see A.5.4).


A.6.3 Maintaining electromagnetic resilience despite modifications or changes

Aim: To help ensure that repairs, modifications, overhauls, upgrades, refurbishment, etc. do not unacceptably degrade the electromagnetic resilience of the safety-related system.

Description: Repairs, modifications, overhauls, upgrades, refurbishments, etc. can cause significant degradations to the electromagnetic resilience of a system. For example, even replacing a cable with a different one, even if supposedly of the same type, can cause unacceptable degradation of electromagnetic emissions and/or immunity.

However, such issues should have been foreseen and taken care of in the planning (see A.1.2), so that even if the EUC becomes unavailable as a result, it does not become unsafe.

This activity is another essential for the ‘version control’ of the as-built system (see A.5.4).

Identification: By re-applying the parts of the process described in this Standard that are appropriate to the proposed changes to the safety-related system (this is in accordance with the approach taken by the applicable parts of IEC 61508 in such circumstances).

Mitigation: Implement whatever the above process shows to be necessary – whether in specifications, system design, detailed techniques and measures, verification/validation, etc. – to help ensure that the repairs, modifications, upgrades, refurbishment, etc. do not unacceptably degrade the electromagnetic resilience of the safety-related system.

A.6.4 Batch (lot) traceability

Aim: To help analyze the root cause of problems caused by EMI events, and to contain them by identifying the product at risk.

Description: Critical components for EM resilience should be identified, and their manufacturers/distributors should provide traceability for them; this concerns electronic components, printed circuit boards, power modules, displays, cables, specific electronic modules, etc.

Identification: If a concern does arise in volume production, it is essential to contain the situation by being able to identify the product at risk efficiently.

A requirement of ISO 9000 and other industry quality standards is to be able to trace all materials through the production process.

Mitigation: The manufacturer/distributor of the component should code (barcode, RFID tag, silicon fuses, embedded memory, DNA, etc.) all products such that the component parts can be tracked back to their respective delivery dates. These codes should provide sufficient information for the manufacturer to be able to trace the parts through its system.


A.6.5 Component changes, new supplier, dual/alternate source

Aim: To preserve the electromagnetic resilience design when replacing components due to changes in specifications or process, a reference change, a change of supplier, or obsolescence.

Description: Assess the EMC criticality of the component and, if critical, request samples and perform the following tests at component or assembly level before using it:
a) High temperature and/or humidity functional test
b) Low temperature and/or humidity functional test
c) Ramp between temperature extremes
d) Vibrations
e) High supply voltage
f) Low supply voltage
g) Electromagnetic emission test
h) Electromagnetic immunity test

Combine the tests if necessary.

Identification: These unit characterization tests do not replace tests on the final product; they help to confirm that the new component conforms to equivalent or better specifications, and help to establish a sufficient level of confidence about the complete product before re-test, if necessary.

See also Reference [B745] (footnote 33) on obsolescence management.

Mitigation: If a changed or new component, or the same component from a new supplier or alternate source, fails to comply with all of the test specifications for a component that is critical for achieving electromagnetic resilience, that component shall not be purchased or used, but an alternative sought that does comply with all of the test specifications.

Where an alternative is not available, it might be possible to redesign so that an available component can be used while still achieving the necessary electromagnetic resilience. Such a redesign should go back to the earliest stage in the overall project process, to confirm that all necessary changes to any/all related aspects (design, specifications, test plans, verification and validation methods, maintenance, overhaul and repair techniques, etc.) are made to accommodate the component concerned, so as to achieve the necessary electromagnetic resilience and help confirm that it should be maintained throughout the anticipated lifecycle.

Footnote 33: For the corresponding reference number in IET 2017 [B8], see Annex G.

A.7 Maintaining electromagnetic resilience during decommissioning

Aim: To help ensure the electromagnetic resilience of a product throughout the dismantling/disposal process.

Description: Functional safety, as defined in IEC 61508-1, covers the entire lifecycle including decommissioning (see Figure 3), so it is necessary to help ensure that dismantling and/or disposal does not cause unacceptable functional safety risks due to degradation of the electromagnetic resilience of the relevant safety functions by the dismantling and/or disposal process, even while those functions are still required.

Where it is not practicable to remove all power supplies (of any type: electrical, pneumatic, hydraulic, etc.) from an EUC, or when the EUC itself contains significant amounts of stored energy (electrical, pneumatic, hydraulic, nuclear fissionable or explosive materials, etc.), the relevant safety functions of its safety-related systems might need to be maintained in full operation until safe disposal has been achieved.

Example: Certain types of batteries need controlled rates of charge and discharge if they are not to overheat and rupture, which would cause various kinds of safety hazards. In smaller batteries (such as those in laptop computers) these safety-related systems are built into the battery, but in an electric traction vehicle, for example, they may be external items.

Dismantling of such a vehicle might require that the charge/discharge safety-related system remains in full working order at all times for functional safety reasons, right up to the point of final disposal.

Identification: By re-applying the appropriate parts of the process described in this Standard to the proposed dismantling and/or disposal project. (This is in accordance with the approach taken by IEC 61508 in such circumstances.)

Mitigation: Implement whatever the above process shows to be necessary – whether in specifications, system design, detailed techniques and measures, verification/validation, etc. – to help ensure that the dismantling and/or disposal project does not unacceptably degrade the electromagnetic resilience of each safety-related system concerned.

Note: Dismantling and disposal might mean that the exposure of workers and/or the public to the foreseeable functional safety hazards is different from that during the operational stage of the lifecycle, and this might affect the safety integrity level/systematic capability. The safety integrity level/systematic capability for the decommissioning stage might be higher or lower than during operation, for example.

Example: When a nuclear submarine or electronically-fused munition is removed in its entirety to a breaker’s yard that has special protection measures and is far away from both military personnel and the public.

A changed safety integrity level/systematic capability will (of course) influence the process described in this Standard.


A.8 Integrating third-party items into safety-related systems

A.8.1 The general iterative approach

Figure 4 shows an example of the iterative process by which volume-manufactured, commercially-available standard products, used as elements of a safety-related system, are chosen based upon the electromagnetic resilience specifications of the safety-related system and/or its sub-systems or elements (see A.1).

As Figure 4 shows, it might be necessary for the designer(s) to iterate the design of the electromagnetic mitigation measures, or even add new electromagnetic zones, to create suitable electromagnetic environments for the chosen standard products.

In practice, this means that the detailed design of the safety-related system’s electromagnetic resilience might have to be modified to achieve the specified safety integrity, due to the characteristics of the chosen elements.

It should always be remembered that designing and realizing any safety-related system is usually not a linear progression of steps – iteration (looping back to an earlier project stage) is often required as the real characteristics become apparent during the design, integration, implementation, installation, verification and validation stages.

Figure 4 shows:

Step 1: The electromagnetic resilience specifications for the safety-related system are developed using the techniques and measures in A.1, comprising the list of EMC tests to be complied with plus a non-exhaustive list of appropriate electromagnetic resilience techniques and measures to be used.

Step 2: The electromagnetic resilience specifications for each of the sub-systems or elements to be used in the safety-related system are then developed from the electromagnetic resilience specifications created in Step 1. These comprise a specification for the EMC tests to be complied with, plus a list of electromagnetic resilience techniques and measures, taking into account any electromagnetic mitigation provided by the electromagnetic zone in which the sub-system or element will be located.

Step 3: The electromagnetic resilience specification for an individual sub-system or element is compared with the information provided by commercial suppliers in their products’ safety manuals. These safety manuals should include details of the EMC tests that were complied with, the electromagnetic resilience techniques and measures employed, and (where continual error-free performance is not confirmed) any DSs.

Step 4: The standard volume-manufactured sub-systems and elements to be incorporated into the safety-related system are chosen from the list of commercial products whose safety manuals meet the required specifications and have acceptable DSs.

Note that the required electromagnetic specifications should be included, in full detail, in the purchasing contract.

Also note that no reliance should be placed on CE marking or manufacturers’ certificates/declarations of conformity.

Step 5: Where suitable commercially available products do not comply with the required specifications, electromagnetic mitigation measures and/or electromagnetic resilience techniques and measures may be applied, or existing mitigation, techniques or measures modified, at any level of assembly and in any electromagnetic zone, in order to change the electromagnetic resilience specification for the individual sub-system or element in Step 2.

Step 6: Steps 2-4 are iterated for each sub-system and element until compliance is achieved with the electromagnetic resilience specifications for the safety-related system in Step 1.

Step 7: The same process is repeated for every sub-system or element in the safety-related system.

[Figure 4 is a flowchart; only its box labels are reproduced here:]
STEP 1: Create the EM Resilience specifications for the complete safety-related system
STEP 2: Define the EM Resilience Specifications for a sub-system or element
STEP 3: Compare Step 2’s specification with the specifications of commercial products
STEP 4: Iterate Steps 2-5 until compliance is achieved for the sub-system or element
STEP 5: If necessary, apply or modify mitigation and/or techniques and measures
STEP 6: Select the commercial product to be incorporated into the safety-related system
STEP 7: Repeat Steps 2-6 for all other subsystems and elements; select all the other commercial products to be incorporated into the safety-related system

Figure 4 — Choosing standard volume-manufactured sub-systems and elements for a safety-related system
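The Step 2 to Step 6 loop of A.8.1, run for one sub-system or element, can be modelled as a small program. This is an added example, not part of P1848 or of any supplier's safety manual: the EMC test names, the zone attenuations (dB applied to amplitude quantities such as V/m and kV), the product claims and the flag standing in for "acceptable DSs" are all constructed sample data, and the model assumes that zone mitigation changes only the levels an element must withstand, not the techniques it must contain.

```python
"""Model of A.8.1 Steps 2 to 6 for a single sub-system or element.

Added example, not code from P1848: every test name, level, attenuation and
product claim below is constructed sample data (hypothetical).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProductClaim:
    """What a supplier's safety manual states about a commercial product (Step 3 input)."""
    name: str
    tested_levels: Dict[str, float]    # EMC test -> immunity level the manual says was passed
    techniques: Set[str]               # resilience techniques the manual says are employed
    dangerous_states_acceptable: bool  # stands in for the page's "acceptable DSs" (assumption)


def element_requirements(system_levels: Dict[str, float],
                         zone_db: Dict[str, float]) -> Dict[str, float]:
    """Step 2: the level an element must withstand is the system-level requirement
    reduced by the mitigation of the zone it sits in (dB on amplitude: 20 dB = factor 10)."""
    return {test: level / 10 ** (zone_db.get(test, 0.0) / 20)
            for test, level in system_levels.items()}


def failing_tests(product: ProductClaim, required: Dict[str, float]) -> List[str]:
    """Tests for which the manual's claimed level is below what the element needs."""
    return [test for test, level in required.items()
            if product.tested_levels.get(test, 0.0) < level]


def complies(product: ProductClaim, required: Dict[str, float],
             techniques: Set[str]) -> bool:
    """Steps 3 and 4: levels reached, required techniques present, DSs acceptable."""
    return (not failing_tests(product, required)
            and techniques <= product.techniques
            and product.dangerous_states_acceptable)


def select_element(system_levels: Dict[str, float],
                   system_techniques: Set[str],
                   products: List[ProductClaim],
                   zone_db: Optional[Dict[str, float]] = None,
                   step_db: float = 10.0,
                   max_iterations: int = 5) -> Optional[Tuple[str, Dict[str, float], int]]:
    """Iterate Steps 2 to 6 for one element.

    Returns (chosen product, zone attenuation per test, iterations used), or None
    when no product can be made to comply within max_iterations."""
    zone_db = dict(zone_db or {})
    techniques = set(system_techniques)
    # Zone mitigation only changes levels: a product missing a required technique or
    # with unacceptable DSs can never be chosen by this loop (modelling assumption).
    candidates = [p for p in products
                  if techniques <= p.techniques and p.dangerous_states_acceptable]
    for iteration in range(1, max_iterations + 1):
        required = element_requirements(system_levels, zone_db)      # Step 2
        for product in products:                                      # Steps 3, 4, 6
            if complies(product, required, techniques):
                return product.name, zone_db, iteration
        if not candidates:
            return None
        # Step 5: strengthen the zone only for the tests the closest candidate still fails
        closest = min(candidates, key=lambda p: len(failing_tests(p, required)))
        for test in failing_tests(closest, required):
            zone_db[test] = zone_db.get(test, 0.0) + step_db
    return None


# Constructed sample data (hypothetical): the Step 1 system-level specification ...
SYSTEM_LEVELS = {"radiated_rf_V_per_m": 10.0, "surge_kV": 2.0}
SYSTEM_TECHNIQUES = {"watchdog", "crc_on_links"}

# ... and three fictitious supplier safety manuals.
PRODUCTS = [
    ProductClaim("PLC-A", {"radiated_rf_V_per_m": 3.0, "surge_kV": 1.0},
                 {"watchdog", "crc_on_links"}, True),
    ProductClaim("PLC-B", {"radiated_rf_V_per_m": 10.0, "surge_kV": 0.5},
                 {"watchdog"}, True),                       # lacks a required technique
    ProductClaim("PLC-C", {"radiated_rf_V_per_m": 30.0, "surge_kV": 4.0},
                 {"watchdog", "crc_on_links"}, False),      # DSs not acceptable
]


if __name__ == "__main__":
    result = select_element(SYSTEM_LEVELS, SYSTEM_TECHNIQUES, PRODUCTS)
    print(result)  # ('PLC-A', {'radiated_rf_V_per_m': 20.0, 'surge_kV': 10.0}, 3)
```

With the sample data, PLC-A is only chosen after two rounds of Step 5 (20 dB of zone attenuation for the radiated test, 10 dB for surge), while PLC-B and PLC-C are never eligible, which is the situation in which a custom-manufactured element (A.8.3) or a renegotiated specification would be considered.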

A.8.2 Suppliers’ certifications and electromagnetic performance

Suppliers’ markings, certifications, and declarations (including CE marking with respect to the EMC Directive [B1] (footnote 34)) result from a ‘self-declaration’ process. Accordingly, it is recommended that companies involved with integrating any electronic equipment or system should take reasonable steps to check whether any markings, certificates or declarations issued by suppliers are reliably correct.

There are many independent assessment bodies that will validate and certify customers’ products against their specifications. Using products whose EMC performance specifications are validated by independent assessment bodies is one way of achieving due diligence. Some suppliers are known to forge third-party assessment documents, so it is always a good idea to confirm them with the body purported to be the issuer.

Another way is to investigate suppliers’ claims yourself, for example, by requesting test certificates or test reports; checking that they indicate the desired performance; and checking with the test laboratory to see how independent they are. Alternatively, you could perform simple checks, or even full tests, to verify suppliers’ performance claims.

Footnote 34: For the corresponding reference number in IET 2017 [B8], see Annex G.


The higher the safety integrity level/systematic capability to be achieved, the more work is required to achieve the assurance that purchased or free-issued elements have the electromagnetic characteristics their manufacturers claim.

A.8.3 Custom-manufactured elements

In some cases, it could be a quite reasonable solution to pay a supplier of standard products to produce a custom-engineered version that meets the safety-system designers’ electromagnetic specification and is provided with believable test results.

A product manufacturer might even be persuaded to make a completely new type of product for use as an element in a certain safety-related system.

This is typical of safety-related systems in automobiles (for example, anti-lock braking, engine management, etc.) where product volumes are high, justifying considerable investment in elements that can be incorporated by the safety-related system integrator without having to create special electromagnetic zones for the elements using electromagnetic mitigation.

The same ‘custom-designed element’ approach may also be appropriate where the safety-related systems are individually unique or only made in small quantities, for example, SIL 4 systems for nuclear power generating plant, nuclear fuel rod reprocessing, railway signaling and control, etc., which are not very price-sensitive.


Annex B Bibliography

Bibliographical references are resources that provide additional or helpful material but do not need to be understood or used to implement this standard. Reference to these resources is made for informational use only.

B.1 General references

Note: This is not an exhaustive list, and new standards and other documents (and new versions of existing material) are constantly being created.

[B1] 2014/30/EU, the European Union’s Directive on EMC, the “EMC Directive”, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32014L0030. [Note: this directive specifically does not cover any functional safety issues]

[B2] Defense Acquisition Regulations System, Department of Defense. 48 CFR Parts 202, 231, 244, 246, and 252, RIN 0750–AH88, Defense Federal Acquisition Regulation Supplement: Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012–D055), published in the Federal Register / Vol. 79, No. 87 / Tuesday, May 6, 2014 / Rules and Regulations.

[B3] IEC 61000-6-7:2014 Electromagnetic compatibility (EMC) – Part 6-7: Generic standards – Immunity requirements for systems, equipment and products intended to perform functions in a safety-related system (functional safety) in industrial environments, http://webstore.iec.ch

[B4] IEC 61326 Part 3-1: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) – General industrial applications, http://webstore.iec.ch

[B5] IEC 61326 Part 3-2: Immunity requirements for safety-related systems and for equipment intended to perform safety-related functions (functional safety) – Industrial applications with specified electromagnetic environment, http://webstore.iec.ch

[B6] IEC TR 62366-2, Edition 1.0 2016, Technical Report, Medical devices – Part 2: Guidance on the application of usability engineering to medical devices, http://webstore.iec.ch

[B7] IET, Guides on EMC for functional safety published by the IET in 2008 and 2013, from http://www.theiet.org/factfiles/emc; www.theiet.org/factfiles/emc/emc-overview.cfm, or www.emcstandards.co.uk/additional-resources5.

[B8] IET Code of Practice on Electromagnetic Resilience, The IET, London, UK, 2017, ISBN: 978-1-78516-324-1 (paperback), ISBN: 978-178516-325-8 (electronic), https://shop.theiet.org/code-of-practice-for-electromagnetic-resilience; or https://www.amazon.co.uk/Code-Practice-Electromagnetic-Resilience-Standards/dp/1785163248

[B9] Not used in this Standard

[B10] Not used in this Standard

[B11] ISO 14971 Medical devices - Application of risk management to medical devices


[B12] Testing for immunity to simultaneous disturbances and similar issues for risk managing EMC, Keith Armstrong, IEEE 2012 International Symposium on EMC, Pittsburgh, PA, August 5-10, ISBN: 978-1-4673-2059-7

[B13] UKAS document LAB 34 The expression of measurement uncertainty in EMC testing, 2002: www.ukas.com/download/publications/publications-relating-to-laboratory-accreditation/Lab34.pdf

[B14] Why Do We Need an IEEE EMC Standard on Managing Risks?, Keith Armstrong, 2016 IEEE Electromagnetic Compatibility Magazine – Volume 5 – Quarter 1, pages 81-84, http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7477140

[B15] Why EMC Immunity Testing is Inadequate for Functional Safety, Keith Armstrong, IEEE 2004 International Symposium on EMC, Santa Clara, CA, August 9-13, ISBN: 0-7803-8444-X

[B16] Why increasing immunity test levels is not sufficient for high-reliability and critical equipment, Keith Armstrong, IEEE 2009 International Symposium on EMC, Austin, TX, August 17-21, ISBN: 978-1-4244-4285-0

B.2 Good EMC engineering for systems and installations

Note: This is not an exhaustive list, and new standards and other documents (and new versions of existing material) are constantly being created.

[B20] IEC 364-4-444:1996 Electrical Installations of Buildings – Part 4: Protection for safety – Chapter 44: Protection against overvoltages – Section 444: Protection against electromagnetic interference (EMI) in installations of buildings, http://webstore.iec.ch

[B21] IEC 61000-5-2 ed 1.0, November 1997 Electromagnetic compatibility (EMC) – Part 5: Installation and mitigation guidelines – Section 2: Earthing and cabling, http://webstore.iec.ch

[B22] IEC 61000-5-5 Installation and mitigation guidelines – Specification of protective devices for HEMP conducted disturbance

[B23] IEC 61000-5-8 HEMP protection measures for the distributed infrastructure

[B24] IEC 61000-5-9 Installation and mitigation guidelines – System-level susceptibility assessments for HEMP and HPEM.

[B25] IEC 62305 Protection against lightning;
Part 1: General Principles
Part 2: Risk Management
Part 3: Physical damage to structures and life hazard
Part 4: Electrical and electronic systems within structures connected to telecommunications and signalling networks – Performance requirements and testing methods

[B26] IEC/TR 61000-1-5, High power electromagnetic (HPEM) effects on civil systems

[B27] IEC/TR 61000-5-3 Installation and mitigation guidelines – HEMP protection concepts


[B28] IEC/TR 61000-5-6 Electromagnetic Compatibility (EMC) – Part 5: Installation and mitigation guidelines – Section 6: Mitigation of external influences, http://webstore.iec.ch

[B29] IEC/TS 61000-5-4 Installation and mitigation guidelines – Immunity to HEMP – Specifications for protective devices against HEMP radiated disturbance

[B30] ORNL/Sub/91-SG9131/1:1992 Recommended engineering practice to enhance the EMI/EMP immunity of electric power systems, Oak Ridge National Laboratory, USA.

[B31] Analysis of Electromagnetic Shielding of Cables and Connectors (keeping currents/voltages where they belong), Lothar O. (Bud) Hoeft, PhD, IEEE, 2002, http://simbilder.com/ieee/34/EMag_Shielding_of_Cables_and_Connectors.pdf

[B32] Combined Effects of Several, Simultaneous, EMI Couplings, Michel Mardiguian, 2000 IEEE International Symposium on EMC, Washington D.C., August 21-25, 2000, ISBN 0-7803-5680-2, pp. 181-184

[B33] Complying with IEC 61800-3 – Good EMC Engineering Practices in the Installation of Power Drive Systems, Keith Armstrong, REO (UK) Ltd., www.reo.co.uk/technical_resources

[B34] Design Philosophy for Grounding, M A van Houten and P C T van der Laan (Eindhoven University of Technology), Proc. 5th Int. Conf. on EMC, York, UK, IERE Publication No. 71 (1986) pp. 267-272

[B35] Designing Electronic Systems for EMC, William G Duff, 2001, ISBN: 978-1-891121-42-5, Scitech Publishing, Inc., www.scitechpublishing.com

[B36] EMC for Systems and Installations, Tim Williams and Keith Armstrong, Newnes 2000, ISBN 0-7506-4167-3, www.bh.com/newnes, RS Components Part No. 377-6463

[B37] Good EMC Engineering Practices in the Design and Construction of Industrial Cabinets (relevant for all types of electrical/electronic equipment), Keith Armstrong, REO (UK) Ltd., www.reo.co.uk/technical_resources

[B38] Good EMC Engineering Practices in the Design and Construction of Fixed Installation, Keith Armstrong, REO (UK) Ltd., www.reo.co.uk/technical_resources

[B39] Grounds for Grounding, Elya B Joffe and Kai-Sang Lock, IEEE Press, John Wiley & Sons, Inc., 2010, ISBN 978-04571-66008-8

[B40] Mains Harmonics (problems and solutions), Keith Armstrong, REO (UK) Ltd., www.reo.co.uk/technical_resources

[B41] Power Quality (problems and solutions), Keith Armstrong, REO (UK) Ltd., www.reo.co.uk/technical_resources

[B42] Protection of Electronics in High-Power Installations: Theory, Guidelines and Demonstrations, P C T van der Laan and A P J van Duerson (Eindhoven University of Technology), CIGRÉ Symposium, Lausanne, 1993, paper 600-08

[B43] Protection of Cables by Open-Metal Conduits, S Kapora, E Laermans, A P J van Duerson, IEEE Trans. EMC, Vol. 52, No. 4, Nov. 2010, pp. 1026-1033


[B44] Reliable Protection of Electronics Against Lightning: Some Practical Examples, P C T van der Laan and A P J van Duerson (Eindhoven University), IEEE Trans. EMC, Vol. 40, No. 4, November 1998, pp. 513-520

[B45] The Development of High-Power Electromagnetic (HPEM) Publications in the IEC: History and Current Status, Dr. William A. Radasky, IEEE EMC Society Newsletter, Issue No. 216, Winter 2008, www.ieee.org/organizations/pubs/newsletters/emcs/winter08/hpem.html

B.3 Good EMC engineering for individual items of equipment

Note: This is not an exhaustive list, and new standards and other documents (and new versions of existing material) are constantly being created.

[B60] Ageing of Shielding Joints, Shielding Performance and Corrosion, Lena Sjögren and Mats Bäckström, IEEE EMC Society Newsletter, Summer 2005, www.ieee.org/organizations/pubs/newsletters/emcs/summer05/practical.pdf

[B61] Electromagnetic Compatibility Engineering, Henry W. Ott, John Wiley & Sons, 2009, ISBN: 978-0-470-18930-6

[B62] EMC and the Printed Circuit Board - Design, Theory and Layout Made Simple, M Montrose, IEEE Press 1998, ISBN 0-7803-4703-X, http://www.ieee.org/ieestore

[B63] EMC Design Techniques for Electronic Engineers, Keith Armstrong, Armstrong/Nutwood UK 2010, ISBN: 978-0-9555118-4-4, www.emcacademy.org/books.asp

[B64] EMC for Printed Circuit Boards – Basic and Advanced Design and Layout Techniques, Second Edition, Nutwood UK December 2010, ISBN 978-0-9555118-5-1, (the 2nd Edition is identical to the 1st Edition except for the book’s format), www.emcacademy.org/books.asp

[B65] EMC for Product Designers, 4th Edition, Tim Williams, Newnes, December 2006, ISBN: 0-750-68170-5

[B66] High Speed Digital Design: A Handbook Of Black Magic, Johnson, Howard and Graham, Martin, Prentice Hall, 1993, ISBN 0-13-39-5724-1

[B67] Improving the shielding effectiveness of a board-level shield by bonding it with the waveguide-below-cutoff principle, A Degraeve, D. Pissoort, K. Armstrong, 10th International IEEE Workshop on the Electromagnetic Compatibility of Integrated Circuits (EMC Compo), Edinburgh, UK, 2015

[B68] Robust Electronic Design Reference Book, Volumes I and II, John R Barnes, Kluwer Academic Publishers, 2004, ISBN: 1-4020-7739-4

[B69] Printed Circuit Board Design Techniques for EMC Compliance, Second Edition, A Handbook for Designers, M Montrose, IEEE Press 2000, ISBN 0-7803-5376-5, http://www.ieee.org/ieestore


B.4 Software design techniques and measures

Note: This is not an exhaustive list, and new standards and other documents (and new versions of existing material) are constantly being created.

[B100] 32-Bit Cyclic Redundancy Codes for Internet Applications, Philip Koopman, International Conference on Dependable Systems and Networks, 2002

[B101] CEPT ECC Rec 70-03, ERC Recommendation 70-03 Relating to the use of Short Range Devices (SRD), www.erodocdb.dk/docs/doc98/official/pdf/rec7003e.pdf

[B102] IEC 61508-2 Ed.2:2010 Functional safety of electrical/electronic/programmable electronic safety related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety related systems, IEC Basic Safety Publication (2010), http://webstore.iec.ch

[B103] IEC 61508-3 Ed.2:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements, IEC Basic Safety Publication (2010), http://webstore.iec.ch

[B104] IEC 61784-3 Ed.1 CDV Digital data communications for measurement and control: Part 3: Profiles for functional safety communications in industrial networks

[B105] IEEE Transactions on Dependable and Secure Computing (TDSC), www.computer.org/web/tdsc/about

[B106] IEEE 1149.6, A Boundary-Scan Standard for Advanced Digital Networks

[B107] IEEE Standard 754-2008, Floating-Point Arithmetic, from http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=4610933

[B108] RTCA DO-178C North American Avionics Software, Software Considerations in Airborne Systems and Equipment Certification

[B109] A microprocessor intentionally designed without any interrupts: https://en.wikipedia.org/wiki/VIPER_microprocessor.

[B110] A paper describing the concepts of partitioning operating systems: http://air.di.fc.ul.pt/air-ii/downloads/27th-DASC-Paper.pdf

[B111] An operating system that supports partitioning: www.ghs.com/products/safety_critical/arinc653.html

[B112] Another operating system that supports partitioning: www.windriver.com/products/platforms/safety_critical_arinc_653/

[B113] A Time & Space Partitioned DO-178 Level A Certifiable RTOS, Supports x86, PowerPC, ARM and MIPS processors, www.ddci.com/products_deos.php

[B114] Comparison of the software requirements in safety related cases, according to IEC 61508, by Sigita Andrulyte, Josef Börcsök, www.wseas.us/e-library/conferences/2013/Budapest/CSECS/CSECS-33.pdf

[B115] Cyclic redundancy check (CRC), http://en.wikipedia.org/wiki/Cyclic_redundancy_check


CRC is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data. Blocks of data entering these systems get a short check value attached, based on the remainder of a polynomial division of their contents; on retrieval the calculation is repeated, and corrective action can be taken against presumed data corruption if the check values do not match.

CRCs are so called because the check (data verification) value is a redundancy (it expands the message without adding information) and the algorithm is based on cyclic codes. CRCs are popular because they are simple to implement in binary hardware, easy to analyze mathematically, and particularly good at detecting common errors caused by noise in transmission channels. Because the check value has a fixed length, the function that generates it is occasionally used as a hash function.

The CRC was invented by W. Wesley Peterson in 1961; the 32-bit polynomial used in the CRC function of Ethernet and many other standards is the work of several researchers and was published during 1975.
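As an added illustration of the attach-and-recheck scheme described above (example code written for this annex, not taken from the draft or from [B115]): the 32-bit Ethernet CRC computed by polynomial division, appended to a constructed data block, and recomputed on receipt so that a single flipped bit is rejected. The constant-residue check and the sample payload are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Reflected (bit-reversed) form of the IEEE 802.3 generator polynomial 0x04C11DB7. */
#define CRC32_POLY_REFLECTED 0xEDB88320u
/* Remainder left when a correctly protected block (data + attached CRC) is re-checked;
   a constant of this CRC variant, assumed here as the receiver's acceptance value. */
#define CRC32_RESIDUE 0x2144DF1Cu

/* Bitwise CRC-32: divide the message, viewed as a polynomial over GF(2), by the
   generator and return the remainder, with the usual all-ones preset and final
   inversion used by Ethernet, zlib and many other standards. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++) {
            crc = (crc & 1u) ? (crc >> 1) ^ CRC32_POLY_REFLECTED : (crc >> 1);
        }
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Sender side: copy the data and append the check value, least-significant
   byte first (the order in which the Ethernet FCS is transmitted).
   Returns the protected block length, or 0 if the output buffer is too small. */
size_t crc32_append(const uint8_t *data, size_t len, uint8_t *out, size_t out_cap)
{
    if (out_cap < len + 4) return 0;
    memcpy(out, data, len);
    uint32_t crc = crc32_ieee(data, len);
    out[len + 0] = (uint8_t)(crc);
    out[len + 1] = (uint8_t)(crc >> 8);
    out[len + 2] = (uint8_t)(crc >> 16);
    out[len + 3] = (uint8_t)(crc >> 24);
    return len + 4;
}

/* Receiver side: recompute the CRC over the payload and compare it with the
   attached check value. Returns 1 to accept the block, 0 to treat it as corrupted. */
int crc32_verify(const uint8_t *block, size_t len)
{
    if (len < 4) return 0;
    uint32_t expect = (uint32_t)block[len - 4]
                    | (uint32_t)block[len - 3] << 8
                    | (uint32_t)block[len - 2] << 16
                    | (uint32_t)block[len - 1] << 24;
    return crc32_ieee(block, len - 4) == expect;
}

/* Equivalent single-pass receiver check: running the CRC over data + attached
   check value leaves a fixed residue, so no separate extraction is needed. */
int crc32_verify_residue(const uint8_t *block, size_t len)
{
    return len >= 4 && crc32_ieee(block, len) == CRC32_RESIDUE;
}

/* Demonstration on a constructed payload. One flipped bit stands in for the
   kind of transmission error an electromagnetic disturbance can induce.
   Returns 1 when the intact block is accepted and the corrupted one rejected. */
int crc32_demo(void)
{
    static const uint8_t payload[] = "setpoint=42";   /* constructed sample, 12 bytes incl. NUL */
    uint8_t frame[32];
    size_t n = crc32_append(payload, sizeof payload, frame, sizeof frame);

    int intact_ok = crc32_verify(frame, n) && crc32_verify_residue(frame, n);
    frame[3] ^= 0x10;                                 /* corrupt a single payload bit */
    int corrupted_ok = crc32_verify(frame, n) || crc32_verify_residue(frame, n);

    printf("intact block accepted: %d, corrupted block accepted: %d\n",
           intact_ok, corrupted_ok);
    return intact_ok && !corrupted_ok;
}
```

A CRC detects every single-bit error and all burst errors shorter than its width, but it is not a cryptographic integrity check: [B135] lists the hash functions to use where deliberate modification must be detected.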

[B116] Data caching, see https://en.wikipedia.org/wiki/Cache

[B117] DDR2 Synchronous Dynamic Data Interface, https://en.wikipedia.org/wiki/DDR2_SDRAM

[B118] DDR3 Synchronous Dynamic Data Interface, https://en.wikipedia.org/wiki/DDR3_SDRAM

[B119] Defensive Programming, http://www.princeton.edu/~achaney/tmve/wiki100k/docs/Defensive_programming.html

[B120] Dependability of Computer Systems, EWICS Technical Committee 7, Elsevier Applied Science 1989, ISBN 1851663819

[B121] Error Correction: www.wikipedia.org/wiki/Error_correction

[B122] Error Correction Coding: Mathematical Methods and Algorithms, Todd K Moon, Wiley 2005, ISBN: 0-471-648-00-0.

[B123] Exception handling, https://en.wikipedia.org/wiki/Exception_handling

[B124] Formal Methods in Safety-Critical Standards, Jonathan Bowen, Oxford University Computing Laboratory, 11 Keble Road, Oxford OX1 3QD, UK. http://reference.kfupm.edu.sa/content/f/o/formal_methods_in_safety_critical_standa_100249.pdf

[B125] JTAG101 – IEEE 1149.x and Software Debug, Randy Johnson, Steward Christie (Intel Corp. 2009)

[B126] Liveness, https://en.wikipedia.org/wiki/Liveness

[B127] Microprocessor Based Protection Systems, Churchley, Andrew (1991-11-30), Springer. p.64. ISBN 9781851666119, https://books.google.co.uk/books?id=vNzWLxmzuUsC&pg=PA64&redir_esc=y&hl=en#v=onepage&q&f=false

[B128] NASA Software Safety Guidebook from: www.fmeainfocentre.com/handbooks/nasasoftwareguidbook.doc


[B129] National Conference on Nonlinear Systems & Dynamics, NCNSD-2003, N-Version programming method of Software Fault Tolerance: A Critical Review, Bharathi V, http://ncnsd.org/proceedings/proceeding03/html/pdf/173-176.pdf

[B130] Nonlinear Signal Processing: a Statistical Approach, G. R. Arce, Wiley New Jersey November 2004, Print ISBN: 978-0-471-67624-9, Online ISBN: 978-0-471-69185-3

[B131] ‘Profisafe - Profile for Safety Technology on Profibus DP and PROFINET IO’, version A.6.1, August 2014, www.profibus.com/nc/download/profiles/downloads/profisafe-on-profibus-dp-and-profinet-io/display/

[B132] Reliable/redundant array of independent/inexpensive nodes (RAIN): http://en.wikipedia.org/wiki/Reliable_array_of_independent_nodes

RAIN is an architectural approach to computing and network-attached computer storage (or NAS), that combines commodity or low-cost computing hardware with management software to address the reliability and availability shortcomings of non-redundant NAS systems.

[B133] Safe Program Execution with Diversified Encoding, Martin Susskraut et al, Embedded World 2015, www.embedded-world.eu

[B134] Safety Critical Systems Handbook: A Straightforward Guide to Functional Safety, IEC 61508 (2010 Edition) and Related Standards, Including: Process IEC 61511, Machinery IEC 62061

[B135] Secure Hashing, CSRC.NIST.gov/groups/ST/toolkit/secure_hashing.html

[B136] Software-Based Memory Testing, Barr, Michael, Embedded Systems Programming, July 2000, pp. 28-40. [Note that there are some comments in response to this publication which you can find at the end of it on the website: http://www.barrgroup.com/Embedded-Systems/How-To/Memory-Test-Suite-C]

[B137] Software Engineering for Real Time Systems, J E Cooling, Pearson Education 2003, ISBN 0201596202

[B138] Synthesizing optimal fixed-point arithmetic for embedded signal processing, Hass, K.J., 53rd IEEE International Midwest Symposium on Circuits and Systems (MWSCAS), 1-4 Aug. 2010, Seattle, WA, pp 61 – 64, ISBN: 978-1-4244-7771-5

[B139] System Software Support of Hardware Efficiency, by Thomas Kaegi and Igor Schagaev, an eBook from: www.it-acs.co.uk/book.html

[B140] The Ariane 5 accident, Nancy Leveson, http://sunnyday.mit.edu/accidents/Ariane5accidentreport.html

[B141] The avionics standard based on the concept of partitioning the processor time, memory ranges and I/O access: http://en.wikipedia.org/wiki/ARINC_653, also: ‘ARINC 653 An Avionics Standard for Safe, Partitioned Systems’, www.computersociety.it/wp-content/uploads/2008/08/ieee-cc-arinc653_final.pdf.

[B142] The Embedded Reliable Processing System (TERPS) — A Robust Architecture that Achieves Forward Progress in Near-Continuous Electromagnetic Interference, Cagdas Dirik, Amol Gole, Samuel Rodriguez, Hongxia Wang, and Bruce Jacob, Electrical & Computer Engineering Dept., University of Maryland — College Park, www.ece.umd.edu/~blj • [email protected], Technical Report UMD-SCA-2004-10-01 — November 2004

[B143] The Mars Climate Orbiter failure, https://en.wikipedia.org/wiki/Mars_Climate_Orbiter

[B144] Using Software Protocols to Mask CAN BUS Insecurities, B R Kirk, IEE Colloquium on the Electromagnetic Compatibility of Software, Thursday, Savoy Place, London, WC2R OBL, 12 November 1998, IEE document reference 98/471, available from the IEE Library at Savoy Place, [email protected], or [email protected], telephone 020 7344 8407, fax: 020 7344 846.

[B145] Visit: http://www.qnx.com/content/qnx/en/solutions/industries/defense/index.html

B.5 IEC and CISPR standardized EMC test methods

Note: This is not an exhaustive list, and new standards (and new versions of existing standards) are constantly being created.

[B200] C37.90.1-2002 IEEE Standard for Surge Withstand Capability (SWC) Tests for Relays and Relay Systems Associated with Electric Power Apparatus

[B201] CISPR 11 Industrial, scientific and medical equipment — Radio-frequency disturbance characteristics — Limits and methods of measurement

[B202] CISPR 13 Sound and television broadcast receivers and associated equipment – Radio-frequency disturbance characteristics — Limits and methods of measurement

[B203] CISPR 14-1 Electromagnetic compatibility — Requirements for household appliances, electric tools and similar apparatus — Part 1: Emission

[B204] CISPR 14-2 Electromagnetic compatibility — Requirements for household appliances, electric tools and similar apparatus — Part 2: Immunity — Product family standard

[B205] CISPR 15 Limits and methods of measurement of radio disturbance characteristics of electrical lighting and similar equipment

[B206] CISPR 22 Information technology equipment – Radio disturbance characteristics – Limits and methods of measurement

[B207] CISPR 32 Electromagnetic compatibility of multimedia equipment — Emission requirements

[B208] CISPR 24 Information technology equipment — Immunity characteristics — Limits and methods of measurement

[B209] CISPR 35:2016 Electromagnetic compatibility of multimedia equipment – Immunity requirements

[B210] IEC 61000-4-2 Immunity to personnel electrostatic discharge (ESD)

[B211] IEC 61000-4-3 Immunity to continuous radio-frequency radiation using an anechoic chamber

[B212] IEC 61000-4-4 Immunity to electrical fast transients and bursts (EFT/B)


[B213] IEC 61000-4-5 Immunity to surges

[B214] IEC 61000-4-6 Immunity to continuous conducted radio-frequency currents

[B215] IEC 61000-4-8 Immunity to power-frequency magnetic fields

[B216] IEC 61000-4-9 Immunity to pulsed magnetic fields

[B217] IEC 61000-4-10 Immunity to damped oscillatory magnetic fields

[B218] IEC 61000-4-11 Immunity to voltage dips, dropouts, short interruptions and voltage variations

[B219] IEC 61000-4-12 Immunity to ring wave surges

[B220] IEC 61000-4-13 Immunity to distorted AC supply waveforms up to 2kHz

[B221] IEC 61000-4-14 Immunity to AC supply voltage fluctuations

[B222] IEC 61000-4-16 Immunity to conducted common-mode disturbances DC-150kHz

[B223] IEC 61000-4-17 Immunity to voltage ripple on DC electrical power supplies

[B224] IEC 61000-4-18 Immunity to damped oscillatory surges

[B225] IEC 61000-4-19 (draft) Immunity to conducted differential mode disturbances, 2-150kHz

[B226] IEC 61000-4-20 Immunity to continuous radio-frequency radiation using a TEM Cell

[B227] IEC 61000-4-21 Immunity to continuous RF radiation using a Reverberation Chamber

[B228] IEC 61000-4-23 Test methods for protective devices for HEMP and other radiated disturbances

[B229] IEC 61000-4-24 Test methods for protective devices for HEMP conducted disturbances

[B230] IEC 61000-4-25 Immunity to HEMP for equipment and systems

[B231] IEC 61000-4-27 Immunity to unbalance in three-phase AC power supplies

[B232] IEC 61000-4-28 Immunity to variations in AC power supply frequency

[B233] IEC 61000-4-31 Immunity to conducted broadband noise

[B234] IEC 61000-4-32 HEMP simulator compendium

[B235] IEC 61000-4-33 Testing and measurement techniques – Measurement methods for high-power transient parameters

[B236] IEC 61000-4-34 Immunity to supply voltage dips, dropouts and voltage variations for equipment consuming more than 16A per phase

[B237] IEC 61000-4-35 Testing and measurement techniques – HPEM simulator compendium

[B238] IEC 61000-4-36 Immunity to Intentional EMI


[B239] IEC 61000-4-39 (future) Measuring methods for radiation sources in close proximity, 9kHz to 6GHz. (Note that this standard tests Far-Fields, not Near-Fields, see [B315]).

[B240] IEC 61000-6-1 EMC Generic standards - Immunity for residential, commercial and light-industrial environments

[B241] IEC 61000-6-2 EMC Generic standards – Immunity for industrial environments

[B242] IEC 61000-6-3 EMC Generic standards - Emission standard for residential, commercial and light-industrial environments

[B243] IEC 61000-6-4 EMC Generic standards - Emission standard for industrial environments

[B244] IEC/TS 61000-6-5 EMC Generic standards - Immunity for power station and substation environments

[B245] IEC 61000-6-6 HEMP immunity for indoor equipment

[B246] IEC 62561 Lightning protection system components (LPSC)

B.6 Automotive industry EMC test standards

Note: This is not an exhaustive list, and new standards (and new versions of existing standards) are constantly being created.

[B300] CISPR 12 Vehicle emissions measurements for the protection of off-board radio communications

[B301] CISPR 25 Vehicles, boats and internal combustion engines - Radio disturbance characteristics - Limits and methods of measurement for the protection of on-board receivers

[B302] ISO 10605 Immunity to electrostatic discharge (now mostly replaced by IEC 61000-4-2)

[B303] ISO 11451-1 Road vehicles -- Vehicle test methods for electrical disturbances from narrowband radiated electromagnetic energy -- Part 1: General principles and terminology

[B304] ISO 11451-2 Off-vehicle radiation sources

[B305] ISO 11451-3 On-board radio communications equipment

[B306] ISO 11451-4 Bulk current injection (BCI)

[B307] ISO 11452-1 Road vehicles -- Component test methods for electrical disturbances from narrowband radiated electromagnetic energy -- Part 1: General principles and terminology

[B308] ISO 11452-2 Absorber-Lined Shielded Enclosure (ALSE)

[B309] ISO 11452-3: Transverse Electromagnetic (TEM) cell

[B310] ISO 11452-4 Bulk Current Injection (BCI)

[B311] ISO 11452-5 Stripline


[B312] ISO 11452-6 Parallel plate antenna (withdrawn)

[B313] ISO 11452-7 Direct RF Power Injection (DPI)

[B314] ISO 11452-8 Immunity to magnetic fields

[B315] ISO 11452-9.2 Road vehicles — Component test methods for electrical disturbances from narrowband radiated electromagnetic energy — Part 9: Portable transmitters

[This is a Near-Field radiated immunity test based upon the Ford Motor Company’s test method RI115 ‘RF Immunity to hand portable transmitters’ in their EMC-CS-2009.1, ‘EMC Specification For Electrical/Electronic Components and Subsystems’.

Many EMC test labs around the world are equipped for, and familiar with, this test.]

[B316] ISO 7637-2 Immunity of power lines to conducted transients

[B317] ISO 7637-3 Immunity of signal, data and control lines to conducted transients

[B318] Ford Motor Company: EMC-CS-2009.1, EMC Specification For Electrical/Electronic Components and Subsystems.

B.7 Marine industry EMC test standards

Note: This is not an exhaustive list, and new standards (and new versions of existing standards) are constantly being created.

[B352] IEC 60945 Maritime navigation and radiocommunication equipment and systems – General requirements – Methods of testing and required test results

[B351] IEC 60533 Electrical and electronic installations in ships – Electromagnetic compatibility (EMC) – Ships with a metallic hull

[B350] IEC 60092−201 Electrical installations in ships — Part 201: System design — General

B.8 Undersea industry EMC test standards

Note: This is not an exhaustive list, and new standards (and new versions of existing standards) are constantly being created.

[B360] API 17A Recommended Practice 17A, Design and Operation of Subsea Production Systems

[B361] API 17F Specification for Subsea Production Control Systems - Petroleum and natural gas industries - Design and operation of subsea production systems - Part 6: Subsea production control systems

[B362] ISO 13628-1 Petroleum and natural gas industries -- Design and operation of subsea production systems -- Part 1: General requirements and recommendations

[B363] ISO 13628-6 Petroleum and natural gas industries -- Design and operation of subsea production systems -- Part 6: Subsea production control systems


B.9 Rail industry EMC standards and guidance documents

Note: This is not an exhaustive list, and new standards (and new versions of existing standards) are constantly being created.

[B400] CLC/TS PD 50238-2 Railway applications — Compatibility between rolling stock and train detection systems Part 2: Compatibility with track circuits

[B401] CLC/TS 50238-3 Railway applications – compatibility between rolling stock and train detection systems – Part 3 Compatibility with axle counters

[B402] EN50121-series Railway Applications – Electromagnetic Compatibility

[B403] EN 50121-1 Railway applications – Electromagnetic Compatibility Part 1 General

[B404] EN 50121-2 Railway applications - Electromagnetic Compatibility Part 2 Emissions of the whole railway system to the outside world

[B405] EN 50121-3-1 Railway applications – Electromagnetic Compatibility Part 3-1 Rolling Stock Train & complete vehicle

[B406] EN 50121-3-2 Railway applications – Electromagnetic Compatibility Part 3-2 Rolling Stock Apparatus

[B407] EN 50121-4 Railway applications – Electromagnetic Compatibility Part 4 Emission and Immunity of signalling and telecommunications apparatus

[B408] EN 50121-5 Railway applications – Electromagnetic Compatibility Part 5 Emission and Immunity of fixed power supply installations and apparatus

[B409] EN 50155 Railway applications — Electronic equipment used on rolling stock

[B410] EN 50238-1 Incorporating corrigenda May 2010 and November 2014 Railway applications — Compatibility between rolling stock and train detection systems

[B411] EN 50592 Railway Applications – Testing of rolling stock for electromagnetic compatibility with axle counters

[B412] EN 50617-1 Railway applications — Technical parameters of train detection systems for the interoperability of the trans-European railway system Part 1: Track circuits

[B413] EN 50617-2 Railway Applications — Technical parameters of train detection systems for the interoperability of the trans-European railway system Part 2: Axle counters - CORR: February 29, 2016

[B414] GE/RT8015 Railway Group Standard, Electromagnetic Compatibility Between Railway Infrastructure and Trains, to be replaced by GE/RT8076 Electromagnetic Compatibility of Train Detection Infrastructure with Rail Vehicles

[B415] GE/RT8270 Railway Group Standard, Assessment of Compatibility of Rolling Stock and Infrastructure

[B416] LUL Category 1 Standard S1193 Electromagnetic Compatibility with LU Signalling System Assets


[B417] LUL Category 1 Standard S1222 Electromagnetic Compatibility (EMC)

[B418] LUL Guidance Document G222 EMC best practice

[B420] NR/GN/SIG/50010 Methodology for the demonstration of compatibility with train detection systems on non-electrified railways

[B421] NR/GN/SIG/50014 Methodology for the Demonstration of Compatibility with Lineside Equipment

[B422] NR/GN/SIG/50018 Methodology for the Demonstration of Compatibility with Neighbouring Railways

[B423] NR/L1/SIG/30040 EMC Strategy for Network Rail

[B424] NR/L2/RSE/30041 EMC Assurance Process for Network Rail

[B425] NR/L2/TEL/31107 Limits and Test Method of induced voltages on telecommunications cables due to electrification systems

[B426] NR/SP/SIG/50002, Methodology for the demonstration of compatibility with single rail Reed Track Circuits on the AC railway

[B427] NR/SP/SIG/50004 Methodology for the demonstration of electrical compatibility with DC (AC-immune) Track Circuits

[B428] NR/SP/SIG/50005 Methodology for the demonstration of electrical compatibility with 50 Hz single rail track circuits

[B429] NR/SP/SIG/50006 Methodology for the demonstration of electrical compatibility with 50 Hz double rail track circuits

[B430] NR/SP/SIG/50007 Methodology for the demonstration of compatibility with HVI Track Circuits

[B431] NR/SP/SIG/50008 Methodology for the demonstration of compatibility with TI21 Track Circuits

[B432] NR/SP/SIG/50009 Methodology for the demonstration of compatibility with FS2600 Track Circuits

[B433] NR/SP/SIG/50011 Methodology for the Demonstration of Compatibility with Axle Counters

[B434] NR/SP/SIG/50012 Methodology for the Demonstration of Compatibility with TPWS Track Sub-system

[B435] NR/SP/SIG/50013 Methodology for the Demonstration of Compatibility with Interlockings


B.10 Civilian avionics and aerospace industry EMC test standards

Note: This is not an exhaustive list, and new standards (and new versions of existing standards) are constantly being created.

[B480] ED-130 Guidance for the Use of Portable Electronic Devices (PEDS) On Board Aircraft

[B481] RTCA DO-160 Environmental Conditions and Test Procedures for Airborne Equipment, Section 16: Power Input

[B482] RTCA DO-160 Environmental Conditions and Test Procedures for Airborne Equipment, Section 19: Induced Signal Susceptibility, Section 21: Emission of Radio Frequency Energy, Section 22: Lightning Induced Transient Susceptibility, Section 23: Lightning Direct Effects, Section 25: Electrostatic Discharge (ESD)

[B483] RTCA DO-160 Environmental Conditions and Test Procedures for Airborne Equipment, Section 20: Radio frequency susceptibility (Radiated and Conducted)

[B484] RTCA DO-294C Guidance on Allowing Transmitting Portable Electronic Devices (T-PEDS) on Aircraft

[B485] RTCA DO-307 Aircraft Design and Certification for Portable Electronic Device (PED) Tolerance

B.11 Military industry EMC test standards

Note: This is not an exhaustive list, and new standards (and new versions of existing standards) are constantly being created.

[B500] AECTP-250 Electrical and Electromagnetic Environmental Conditions

[B501] AECTP-500 Electromagnetic Environmental Effects Test and Verification

[B502] Def-Stan 59-411 Part 1: EMC Management and Planning

[B503] Def-Stan 59-411 Part 2: The Electric, Magnetic and Electromagnetic Environment

[B504] Def-Stan 59-411 Part 3: EMC Test Methods and Limits for Equipment and Sub Systems

[B505] Def-Stan 59-411 Part 4: EMC Platform and System Test and Trials

[B506] Def-Stan 59-411 Part 5: EMC Standard for Tri-Service Design and Installation

[B507] MIL-STD-461 Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment

[B508] MIL-STD-464 Electromagnetic Environmental Effects Requirements for Systems


B.12 ITE, Telecommunications and Wireless industry EMC test standards

Note: This is not an exhaustive list, and new standards (and new versions of existing standards) are constantly being created.

[B550] AAMI TIR 69-2017, Risk management of radio-frequency wireless coexistence for medical devices and systems

[B551] ANSI C63.27 – 2017, American National Standard for Evaluation of Wireless Coexistence

[B552] EN 50174-2 Information Technology – Cabling Installation Part 2: Installation planning and practice inside buildings, http://shop.bsigroup.com/en

[B553] EN 50310 Application of equipotential bonding and earthing at premises with information technology equipment, http://shop.bsigroup.com/en

[B554] ETSI EN 300 253 Earthing and bonding of telecommunication equipment in telecommunication centres, www.etsi.org/deliver/etsi_en/300200_300299/300253/02.01.01_60/en_300253v020101p.pdf

[B555] ITU-T Recommendation K.27 Bonding configurations and earthing within a telecommunications building, www.itu.int/rec/T-REC-K.27-199605-I

[B556] ITU Recommendation K.35 Bonding configurations and earthing at remote electronic sites, www.itu.int/rec/T-REC-K.35-199605-I

[B557] ITU-T K.78 High altitude electromagnetic pulse immunity guide for telecommunication centres

[B558] ITU-T Handbook, The Protection of Telecommunication Lines and Equipment Against Lightning Discharges, Chapters 1 to 5, www.itu.int/pub/T-HDB-EMC.3-1974-P1/en; Chapters 6 to 8, www.itu.int/pub/T-HDB-EMC.3-1978-P2/en; Chapters 9 and 10, www.itu.int/pub/T-HDB-EMC.3-1994-P3/ento

[B559] Many EMC standards published by the European Telecommunication Standards Institution (ETSI), especially for wireless and/or radio communications, visit http://www.etsi.org/standards

B.13 Some ‘Ad Hoc’ test methods

Note: This is not an exhaustive list, and new standards and other documents (and new versions of existing material) are constantly being created.

[B600] Developing Immunity Testing to Cover Intermodulation, W. Grommes and K. Armstrong, IEEE 2011 Int’l EMC Symp. Long Beach, CA, August 15-19, ISBN: 978-1-45770810-7

[B601] EMC Testing (in seven parts), ‘Do-It-Yourself’ testing from lowest-cost to fully accredited, Keith Armstrong and Tim Williams, EMC & Compliance Journal, 2001-2002, https://www.emcstandards.co.uk/diy-emc-testing-series-2001


[B602] On-Site (in-situ) EMC Testing, Technical Guidance Note 49 from the EMC Test Laboratories Association, www.emctla.co.uk/technical-guidance-notes.aspx

[B603] Testing for immunity to simultaneous disturbances and similar issues for risk managing EMC, K. Armstrong, IEEE 2012 Int’l EMC Symp. Pittsburgh, PA, USA, August 5-10 2012, ISBN: 978-1-4673-2059-7.

[B604] Using EMC HALT for risk and fault assessment, Per Thaastrup Jensen, Proceedings of the 2013 International Symposium on Electromagnetic Compatibility (EMC Europe 2013), Brugge, Belgium, September 2-6, 2013, ISBN 978-1-4673-4980-2

B.14 Assessing the electromagnetic environment, and detecting threats

Note: This is not an exhaustive list, and new standards and other documents (and new versions of existing material) are constantly being created.

[B650] A Cost-Efficient System for Detecting an Intentional Electromagnetic Interference (IEMI) Attack, J. F. Dawson, I. D. Flintoft, P. Kortoci, L. Dawson, A.C. Marvin, M. P. Robinson, International Symposium on Electromagnetic Compatibility (EMC Europe 2014), Gothenburg, Sweden, September (2014).

[B651] Assessing an Electromagnetic Environment, Technical Guidance Note 47 from the EMC Test Laboratories Association, www.emctla.co.uk/technical-guidance-notes.aspx.

[B652] Autonomous Electromagnetic Attacks Detection considering a COTS Computer as a Multi-Sensor System, C. Kasmi, J. Lopes-Esteves, M. Renard, General Assembly and Scientific Symposium (URSI GASS), 2014 XXXIth URSI, Page(s):1 – 4, 16-23 Aug. (2014).

[B653] CIGRE 535, EMC within Power Plants and Substations, Working Group C4.208 April 2013 [Note: Section 6.3.1 Power system functions and corresponding acceptable degradation due to electromagnetic disturbances.]

[B654] EMC/EMI and Functional Safety: Methodology to characterize effects of interferences on devices, C. Kasmi, J. Lopes-Esteves, K. Armstrong, Asia-Pacific EMC (APEMC) Symposium, Shenzhen, China, May 2016.

[B655] Guides on 17 different electromagnetic phenomena and their EMC tests (including how to extend them to provide better ‘coverage’ of real-life electromagnetic disturbances), Keith Armstrong, REO (UK) Ltd., all free from www.reo.co.uk/technical_resources

[B656] IEC 61000-2-2 EMC: Description of the environment - Compatibility levels for low-frequency conducted disturbances and signalling in public low-voltage power supply systems – An IEC Basic EMC Publication

[B657] IEC 61000-2-4 EMC: Description of the environment - Compatibility levels in industrial plants for low-frequency conducted disturbances - An IEC Basic EMC Publication

[B658] IEC 61000-2-9 EMC: Description of HEMP environment – Radiated disturbance

[B659] IEC 61000-2-10 EMC: Description of HEMP environment – Conducted disturbance

[B660] IEC 61000-2-11 EMC: Classification of HEMP environments


[B661] IEC 61000-2-13 EMC: High power electromagnetic (HPEM) environments – Radiated and conducted

[B662] IEC/TR2 61000-2-5 EMC: Description of the environment – Classification of electromagnetic environments – An IEC Basic EMC publication

[B663] IEC/TR3 61000-2-1 EMC: Description of the environment – Electromagnetic environment for low-frequency conducted disturbances and signalling in public power supply systems

[B664] IEC/TR3 61000-2-3 EMC: Description of the environment – Radiated and non-network-frequency-related conducted phenomena – An IEC Basic EMC Publication

[B665] IEC/TR3 61000-2-6 EMC: Description of the environment – Assessment of the emission levels in the power supply of industrial plants as regards low frequency conducted disturbances

[B666] IEC/TR3 61000-2-7 EMC: Description of the environment – Low frequency magnetic fields in various environments

[B667] Lessons Learnt From IEMI Detector Deployments, D. Herke, L. Chatt, B. Petit and R. Hoad, 2016 European Electromagnetics (EUROEM) Symposium, London, July 11-14 2016.

B.15 Verification/validation and other techniques (not specifically related to electromagnetic disturbances)

Note: This is not an exhaustive list, and new techniques and standards (and new versions of existing techniques and standards) are constantly being created.

[B700] Brainstorming techniques: https://en.wikipedia.org/wiki/Brainstorming; www.yourarticlelibrary.com/management/4-techniques-for-group-decision-making-process-more-effective/3506

[B701] Cause Consequence Diagram Method as a Basis for Quantitative Accident Analysis (The), B. S. Nielsen, Riso-M-1374, 1971.

[B702] Cause Consequence Diagrams, also known as Ishikawa or Fishbone diagrams; The Cause Consequence Diagram Method as a Basis for Quantitative Accident Analysis, B. S. Nielsen, Riso-M-1374, 1971, https://en.wikipedia.org/wiki/Ishikawa_diagram

[B703] Common Cause (sometimes called Common-Mode) failure analysis, some references:
    https://en.wikipedia.org/wiki/Common_cause_and_special_cause_(statistics)#Common_mode_failure_in_engineering;
    Common-Mode Failure Considerations in High-Integrity C&I Systems, Thomson, Jim (February 2012) (PDF). Safety in Engineering;
    Randell, B. Design Fault Tolerance, in: The Evolution of Fault-Tolerant Computing, (Dependable Computing and Fault-Tolerant Systems, Vol. 1), Avizienis, A.; Kopetz, H.; Laprie, J.-C. (eds.), pp. 251-270. Springer-Verlag, 1987. ISBN 3-211-81941-X;


    SEI Framework: Fault Tolerance Mechanisms. Redundancy Management. NIST High Integrity Software Systems Assurance. March 30, 1995.
    A Study of Common-Mode Failures, Edwards, G. T.; Watson, I. A. (July 1979). SRD R146 (UK Atomic Energy Authority: Safety and Reliability Directorate).
    Defences against Common-Mode Failures in Redundancy Systems – A Guide for Management, Designers and Operators, Bourne, A. J.; Edwards, G. T.; Hunns, D. M.; Poulter, D. R.; Watson, I. A. (January 1981). SRD R196 (UK Atomic Energy Authority: Safety and Reliability Directorate).

[B704] Event Tree Analysis, https://en.wikipedia.org/wiki/Event_tree_analysis

[B705] Hazard Identification: Review of Hazard Identification Techniques, Health and Safety Executive, 2009, HSL/2005/58, http://www.hse.gov.uk/research/hsl_pdf/2005/hsl0558.pdf

[B706] IEC 60300-1 Dependability management – Part 1: Dependability management systems

[B707] IEC 60300-2 Dependability management – Part 2: Guidelines for dependability management

[B708] IEC 60300-3-1 Dependability management – Part 3-1: Application guide – Analysis techniques for dependability – Guide on methodology

[B709] IEC 60300-3-2 Dependability management – Part 3-2: Application guide – Collection of dependability data from the field

[B710] IEC 60300-3-3 Dependability management – Part 3-3: Application guide – Life cycle costing

[B711] IEC 60300-3-4 Dependability management – Part 3: Application guide – Section 4: Guide to the specification of dependability requirements

[B712] IEC 60300-3-5 Dependability management – Part 3-5: Application guide – Reliability test conditions and statistical test principles

[B713] IEC 60300-3-7 Dependability management – Part 3-7: Application guide – Reliability stress screening of electronic hardware

[B714] IEC 60300-3-9 Dependability management – Part 3: Application guide – Section 9: Risk analysis of technological systems

[B715] IEC 60300-3-10 Dependability management – Part 3-10: Application guide – Maintainability

[B716] IEC 60300-3-11 Dependability management – Part 3-11: Application guide – Reliability centred maintenance

[B717] IEC 60300-3-12 Dependability management – Part 3-12: Application guide – Integrated logistic support

[B718] IEC 60300-3-14 Dependability management – Part 3-14: Application guide – Maintenance and maintenance support


[B719] IEC 60300-3-15 Dependability management – Part 3-15: Guidance to engineering of system dependability

[B720] IEC 60300-3-16 Dependability management – Part 3-16: Application guide – Guideline for the specification of maintenance support services

[B721] IEC 60410 Sampling plans and procedures for inspection by attributes

[B722] IEC 60605-2 Equipment reliability testing – Part 2: Design of test cycles

[B723] IEC 60605-3-1 Equipment reliability testing – Part 3: Preferred test conditions – Indoor portable equipment – Low degree of simulation

[B724] IEC 60605-3-2 Equipment reliability testing – Part 3: Preferred test conditions – Equipment for stationary use in weatherprotected locations – High degree of simulation

[B725] IEC 60605-3-3 Equipment reliability testing – Part 3: Preferred test conditions – Section 3: Test cycle 3: Equipment for stationary use in partially weatherprotected locations – Low degree of simulation

[B726] IEC 60605-3-4 Equipment reliability testing – Part 3: Preferred test conditions – Section 4: Test cycle 4: Equipment for portable and non-stationary use – Low degree of simulation

[B727] IEC 60605-3-5 Equipment reliability testing – Part 3: Preferred test conditions – Section 5: Test cycle 5: Ground mobile equipment – Low degree of simulation

[B728] IEC 60605-3-6 Equipment reliability testing – Part 3: Preferred test conditions – Section 6: Test cycle 6: Outdoor transportable equipment – Low degree of simulation

[B729] IEC 60605-4 Equipment reliability testing – Part 4: Statistical procedures for exponential distribution – Point estimates, confidence intervals, prediction intervals and tolerance intervals

[B730] IEC 60605-6 Equipment reliability testing – Part 6: Tests for the validity of the constant failure rate or constant failure intensity assumptions

[B731] IEC 60706-2, Guide on maintainability of equipment, Part 2 – Section Five: Maintainability studies during the design phase

[B732] IEC 60706-3 Guide on maintainability of equipment, Part 3 – Sections Six and Seven, Verification and collection, analysis and presentation of data

[B733] IEC 60706-5, Guide on maintainability of equipment – Part 5: Section 4: Diagnostic testing

[B734] IEC 60812 Assessment techniques for system reliability – procedure for failure mode and effects assessment (FMEA)

[B735] IEC 61025 Fault tree assessment (FTA), also https://en.wikipedia.org/wiki/Fault_tree_analysis

[B736] IEC 61069-5 Industrial-process measurement and control – Evaluation of system properties for the purpose of system assessment – Part 5: Assessment of system dependability (for the Fault Insertion Testing method)


[B737] IEC 61078 Analysis techniques for dependability – Reliability block diagram method

[B738] IEC 61160, Design review

[B739] IEC 61165 Application of Markov techniques

[B740] IEC 61703 Mathematical expressions for reliability, availability, maintainability and maintenance support terms

[B741] IEC 61882 Hazard and operability studies (HAZOP studies) – Application guide

[B742] IEC 62198 Project risk management – Application guidelines, Risk assessment methods

[B743] IEC 62308 Reliability assessment methods

[B744] IEC 62347 Guidelines for establishing criteria for system dependability specifications

[B745] IEC 62402 Obsolescence management – Application guide

[B746] Markov Models:
    https://en.wikipedia.org/wiki/Markov_model
    https://en.wikipedia.org/wiki/Markov_chain
    https://en.wikipedia.org/wiki/Markov_process
    https://en.wikipedia.org/wiki/Layered_hidden_Markov_model
    https://en.wikipedia.org/wiki/Maximum-entropy_Markov_model
    https://en.wikipedia.org/wiki/Hierarchical_hidden_Markov_model
    https://en.wikipedia.org/wiki/Hidden_semi-Markov_model

[B747] Monte-Carlo methods, https://en.wikipedia.org/wiki/Monte_Carlo_method

[B748] Preliminary Hazard Analysis, Marvin Rausand, http://frigg.ivt.ntnu.no/ross/slides/pha.pdf

[B749] Quality Engineering Using Robust Design, Madhav S. Phadke, Prentice Hall, 1989, ISBN: 978-0137451678

[B750] Reliability Block Diagrams, https://en.wikipedia.org/wiki/Reliability_block_diagram

[B751] Review of human reliability assessment methods, Health and Safety Executive, 2009, http://www.hse.gov.uk/research/rrpdf/rr679.pdf

[B752] SWIFT, Structured What-If technique, https://en.wikipedia.org/wiki/Structured_What_If_Technique

[B753] Taguchi’s Quality Engineering Handbook, ISBN: 978-0471413349 [This is a very large book, about 1600 pages, but covers both concept and case study. It is truly a reference book, and would not be good for learning.]

[B754] Task Analysis and Hierarchical Task Analysis (HTA), https://en.wikipedia.org/wiki/Task_analysis

[B755] Time and Petri Nets, https://en.wikipedia.org/wiki/Petri_net
    https://en.wikipedia.org/wiki/Coloured_Petri_net
    https://en.wikipedia.org/wiki/Stochastic_Petri_net
    https://en.wikipedia.org/wiki/TAPAAL_Model_Checker (for ‘timed-arc’ Petri nets)
    Time and Timed Petri Nets, Serge Haddad, http://www.lsv.ens-cachan.fr/~haddad/disc11-part1.pdf
    Introduction to Petri Nets, http://neo.dmcs.p.lodz.pl/oom/petri_nets.pdf

[B756] Worst Case Analysis, https://en.wikipedia.org/wiki/Worst-case_circuit_analysis

B.16 References associated with Annex E

[B800] ‘A brilliant feat of pointless engineering? Guilty as charged’, by Jeremy Clarkson, presenter of the Top Gear TV show, in ‘Driving’, Sunday Times, 12 January 2014, page 10, www.thesundaytimes.co.uk/sto/ingear/clarkson/article1360561.ece

An extract from the above:

    ‘If you go to the Museum of Science and Industry in Manchester… …You stand there looking at the rods and the cogs and the flywheels pumping and churning away and you think, ‘That piston will hit that wheel next time round’. But it never does. Everything misses everything else by exactly the same margin every time. For ever.

    Electrical equipment, however, is different. It can do the same thing over and over and over again, but then one day it will just freeze and you have to turn it off and then on again, or tap the viewing card with your teeth, or unplug the system and leave it be for three minutes.’

[B801] ‘A New Accident Model for Engineering Safer Systems’, by Professor Nancy Leveson, Professor of Aeronautics and Astronautics, and Professor of Engineering Systems, Massachusetts Institute of Technology (MIT), USA, in: ‘Safety Science’, Vol. 42, No. 4, April 2004, pp. 237-270: http://sunnyday.mit.edu/accidents/safetyscience-single.pdf

An extract from the above:

    ‘We no longer have the luxury of carefully testing systems and designs to understand all the potential behaviors and risks before commercial or scientific use.’

[B802] ‘Car safety and the digital dashboard’ by Chris Edwards, in E&T, the magazine of the Institution of Engineering & Technology, vol. 9, iss. 10, 13 October 2014, http://eandt.theiet.org/magazine/2014/10/car-safety.cfm

A quote from Michael Bolle, president of Corporate R&D at Robert Bosch, from the above:

    ‘With autonomous driving new questions arise. To do automated braking you need a certain amount of validation. We have looked at what it takes to validate autonomous driving, and the time needed was estimated at 100,000 years. We need breakthrough solutions from the research community.’

[B803] ‘Computer Based Safety-Critical Systems’, The Institution of Engineering and Technology, UK, Sept. 2008: www.theiet.org/factfiles/it/computer-based-scs.cfm?type=pdf

An extract from the above:

    ‘Computer systems lack continuous behavior so that, in general, a successful set of tests provides little or no information about how the system would behave in circumstances that differ, even slightly, from the test conditions.’

[B804] HSE publications on Risk Assessment: visit www.hse.gov.uk/pubns and search by ‘ALARP risk assessment’; the most relevant documents will appear on the first and second pages of results and can be downloaded as PDFs. (ALARP is an acronym for ‘As Low As Reasonably Practicable’.)

[B805] ‘The Quality Attitude’, Watts S. Humphrey (often called ‘The Father of Software Quality’), Senior Member of Technical Staff, Software Engineering Institute, Carnegie Mellon University, USA, in ‘News at SEI’, March 1, 2004: www.sei.cmu.edu/library/abstracts/news-at-sei/wattsnew20043.cfm

An extract from the above:

    ‘Our programs are often used in unanticipated ways and it is impossible to test even fairly small programs in every way that they could possibly be used. With current practices, large software systems are riddled with defects, and many of these defects cannot be found even by the most extensive testing. Unfortunately, it is true that there is no way to prove that a software system is defect free.’


Annex C Some functional safety standards based on applicable parts of IEC 61508

IEC 61511 Safety Instrumented Systems for the Process Industry Sector (in USA: ANSI/ISA S84)

IEC 62061 Safety of Machinery

IEC 62278 / EN 50126 Railways – Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS)

IEC/EN 50128 Software, Railway Control and Protection

IEC/EN 50129 Railway Signalling

IEC 61513 Nuclear Power Plant Control Systems

RTCA DO-178C North American Avionics Software, ‘Software Considerations in Airborne Systems and Equipment Certification’

RTCA DO-254 North American Avionics Hardware

EUROCAE ED-12C European Flight Safety Systems

ISO 25119 Tractors and machinery for agriculture and forestry – Safety-related parts of control systems

ISO 26262 Automobile Functional Safety

ISO 26262-1 Road vehicles – Functional safety – Part 1: Vocabulary

ISO 26262-2 Road vehicles – Functional safety – Part 2: Management of functional safety

ISO 26262-3 Road vehicles – Functional safety – Part 3: Concept phase

ISO 26262-4 Road vehicles – Functional safety – Part 4: Product development at the system level

ISO 26262-5 Road vehicles – Functional safety – Part 5: Product development at the hardware level

ISO 26262-6 Road vehicles – Functional safety – Part 6: Product development at the software level

ISO 26262-7 Road vehicles – Functional safety – Part 7: Production and operation

ISO 26262-8 Road vehicles – Functional safety – Part 8: Supporting processes

ISO 26262-9 Road vehicles – Functional safety – Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses

ISO 26262-10 Guideline on ISO 26262

IEC 62304 Medical Device Software


IEC/EN 50402 Fixed Gas Detection Systems

DEF STAN 00-56 Accident Consequence (UK military)

-------------

IEC 60601-1-2 Edition 4, 2014 Medical devices – Application of risk management to medical devices (based on ISO 14971 instead of IEC 61508, but follows the same general risk management principles as the applicable parts of IEC 61508)


Annex D Glossary

Formal definitions for many of the terms in this document may be found in the IEEE Standards Dictionary Online or in IEEE/ANSI C63.14-2014.

These descriptions are provided as an aid to understanding this Standard, in addition to those in the Definitions section (Clause 3) or in IEEE/ANSI C63.14-2014.

Continuous disturbance
An electromagnetic disturbance that cannot be resolved into a succession of distinct events by measuring equipment. For transient disturbances, this term is typically applied to disturbances that occur more than 30 times a minute on average.

Dip
A momentary reduction in the voltage of an AC or DC electrical power supply, usually for a time period of less than one second.

E/E/PE
Electrical, Electronic or Programmable Electronic (from IEC 61508-4:2010 subclause 3.2.13).

Harmonics
Frequencies that are integer multiples of the fundamental frequency. In AC mains electricity supplies they are caused by the power supplies of equipment drawing current in a non-sinusoidal manner, which distorts the waveform. Any repetitive non-sinusoidal waveform can be represented as the sum of a number of its harmonics, with various amplitudes and phases applied to each harmonic.

High voltage
General electrical power distribution: anything above 1 kV rms AC, or 1.5 kV peak DC. According to IEC standards: anything above 33 kV AC rms or 46 kV DC.

HV
‘High voltage’

Microwave
Typically, the frequency range above 1 GHz.

Radiated transients
Radiated emissions that are transient (short-term) in their nature, such as ‘spikes’. Usually described in time-domain terms (for example, as a waveform) rather than frequency-domain terms (such as a spectrum).

Surge protection component
A component for suppressing surges, typically by switching to a low-resistance state to shunt surge energy away from a protected circuit, such as a varistor, spark gap, transient voltage suppressor, silicon avalanche diode, etc. Sometimes called a surge arrester.

Surge protection device
A device for suppressing surges, typically comprising at least one surge protection component in combination with at least one other electrical, electromechanical or electronic component.


Annex E General concepts and definitions of ‘Risk’

E.1 Different kinds of Risk

Risk is an effect of uncertainty on objectives.

An uncertainty is a deviation – significantly greater or less – from the expected result. Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).

Risk is often characterized by reference to the likelihood of a specified undesirable event occurring, and the severity of its impact (often referred to as its consequence).

Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. (ISO Guide 73, 1.1, page 1)

E.1.1 Functional Safety Risks

The level of functional safety risk depends on combining the severity of the potential hazard with the likelihood or probability of that hazard occurring (its rate of occurrence).

When the severity of the hazard is combined with the rate/probability of the hazard’s occurrence to give the risk level, it is possible for a relatively benign hazard (e.g. a paper cut) that is expected to happen more frequently to have a higher Risk Level than a more severe hazard (e.g. a limb cut off) that is expected to happen less frequently.

Functional safety risk is the part of the overall safety of a system that depends on the correct functioning of electrical and/or electronic equipment. The IEC’s Basic Publication on functional safety is IEC 61508 (including all of its parts), first published in 2000 and, at the time of writing, at Edition 2:2010.

The following is a partial extraction of text from the Introduction in IEC 61508-1 Ed.2:2010:

    Systems comprised of electrical and/or electronic elements have been used for many years to perform safety functions in most application sectors.

    Computer-based systems (generically referred to as programmable electronic systems) are being used in all application sectors to perform non-safety functions and, increasingly, to perform safety functions.

    If computer system technology is to be effectively and safely exploited, it is essential that those responsible for making decisions have sufficient guidance on the safety aspects on which to make these decisions.

    This International Standard sets out a generic approach for all safety lifecycle activities for systems comprised of electrical and/or electronic and/or programmable electronic (E/E/PE) elements that are used to perform safety functions.

    In most situations, safety is achieved by a number of systems which rely on many technologies (for example mechanical, hydraulic, pneumatic, electrical, electronic, programmable electronic). Any safety strategy should therefore consider not only all the elements within an individual system (for example sensors, controlling devices and actuators) but also all the safety-related systems making up the total combination of safety-related systems.

    It is recognized that there is a great variety of applications using E/E/PE safety-related systems in a variety of application sectors and covering a wide range of complexity, hazard and risk potentials. In any particular application, the required safety measures will be dependent on many factors specific to the application.

Clause 3 in this Standard includes definitions for all the functional safety terms used in this Standard and its figures, with references to aid further research.

Functional safety is an increasingly important safety engineering issue that is very different from traditional product safety concerns such as electric shock, fire, heat, etc.

Functional safety compliance is a large topic, and the following provides a very brief overview.

Most electronic systems these days are digital, but for at least the last 20 years it has been impossible to fully test even a modestly powerful microprocessor, or a software program larger than a printer driver [B801]³⁵, [B805]³⁵, because:
• Their complexity creates so many possible states that their system could get into that they can’t all be tested in any reasonable timescale [B801]³⁵, [B802]³⁵ and [B805]³⁵; and,
• Digital systems are discontinuous, non-linear, and have a large number of discrete states, so testing any percentage of the states that a system could be in cannot predict anything about the untested states [B803]³⁵ and [B800]³⁵.

The result of the above two points is that all digital systems can malfunction as the direct result of untested combinations of perfectly valid inputs (i.e., inputs that lie within their specified ranges).

In cases in which an electronic system is used in applications where its incorrect functioning could increase safety risks, we say that it presents functional safety risks.

The problem of not being able to thoroughly test digital systems was first recognized in the 1970s. So, by the 1980s, a huge international effort was underway to try to establish suitable functional safety engineering techniques – in system, hardware and software design, and in its verification and validation – to help ensure that safety risks could be demonstrated to be acceptably low despite the intractable problems associated with testing.

A family of application-oriented functional safety standards has been developed from IEC 61508 (and all of its applicable parts), see Annex C. In cases where a thorough risk analysis shows that imperfect functioning of a digital system could cause unacceptable functional safety risks but there are no relevant product-family standards, all applicable parts of IEC 61508 should be directly applied.

All applicable parts of IEC 61508 and its family of functional safety standards deal with the impossibility of testing a sufficient proportion of a digital system’s states, by:
a) Defining four Safety Integrity Levels, SILs, corresponding to Tables E.1 and E.2.
b) Using the assessment techniques described in IEC 61508-5 to determine the SILs that should be applied to each of the individual safety functions in a safety-related system, then using these SILs as the bases for requirements concerning the product, the development process and the tools to be used therein.
c) The appropriate application of a range of well-proven techniques and measures in all system related activities, such as…

³⁵ For the corresponding reference number in IET 2017 [B8], see Annex G

    1) the project management; specification; design; verification; validation; operation; maintenance; repair; overhaul; refurbishment; upgrade, and dismantling / disposal (see Figure 3.3 for the lifecycle);
    2) the systems, and the hardware and software that comprise them, for each Safety Function in the Safety-Related System.
d) All of the above justified in detail in the safety documentation, which includes an independent assessment of all of the above items;
e) Finally, any iteration necessary for the above, to achieve a satisfactory level of safety, and to satisfy the safety assessor or auditor.

The well-proven techniques and measures that are applied to an individual Safety Function depend on how they are graded according to the SIL. Grading is done as follows:
    Not Recommended = NR
    Recommended = R
    Highly Recommended = HR
    Mandatory = M

Clause 5 in this Standard is an example of a table that grades techniques and measures according to SIL. Broadly speaking, the higher the SIL associated with a safety function, the more work and documentation is required to demonstrate an acceptable amount of risk-reduction to the assessor.
Safety          Average probability of a        Equivalent mean time      Design confidence factor
Integrity       dangerous failure,              to dangerous failure,     required for each “demand”
Level (SIL)     “on demand” or “in a year*”     in years*                 on the safety function

4               10⁻⁵ to 10⁻⁴                    10⁴ to 10⁵                99.99 to 99.999%

3               10⁻⁴ to 10⁻³                    10³ to 10⁴                99.9 to 99.99%

2               10⁻³ to 10⁻²                    10² to 10³                99% to 99.9%

1               10⁻² to 10⁻¹                    10 to 10²                 90 to 99%

* Approximating 1 year = 10,000 hrs of operation

“Failure” includes any error, malfunction or fault that causes a hazard

Figure E.1 — SILs for Safety Functions that operate ‘on demand’ (developed from IEC 61508-1:2010 Table 2)
22


Safety Integrity Level (SIL) | Average probability of a dangerous failure per hour | Equivalent mean time to dangerous failure, in hours | Design confidence factor required for every 10,000 hours continuous operation
4 | 10^-9 to 10^-8 | 10^8 to 10^9 | 99.99 to 99.999%
3 | 10^-8 to 10^-7 | 10^7 to 10^8 | 99.9 to 99.99%
2 | 10^-7 to 10^-6 | 10^6 to 10^7 | 99% to 99.9%
1 | 10^-6 to 10^-5 | 10^5 to 10^6 | 90 to 99%

* Approximating 1 year = 10,000 hrs of operation

“Failure” includes any error, malfunction or fault that causes a hazard

Figure E.2 — SILs for Safety Functions that operate continuously
(developed from IEC 61508-1:2010 Table 3)
Even so, electronic complexity still causes difficulties. So, in cases where a control system is very complex, it is normal to identify the functions that are only concerned with managing the functional safety risks, and then move them into a separate safety-related system (SRS). This is less complex and thus more amenable to using the above process to reduce safety risks to acceptable levels.

In industrial control systems, it is important to note that the discipline of functional safety applies to the entire facility, including the management of its personnel. The acceptable safety risk level is met by the combination of several risk-reduction methods, so the electronic systems do not have to shoulder the whole burden of managing the risk. However, the applicable parts of IEC 61508 only provide requirements for the SRS’s electronic systems.

A powerful technique in functional safety is to determine one or more ‘safe states’ that the equipment can be switched into by the SRS when it detects the potential for harm. For example, opening a machine guard causes the machine’s SRS to stop the machine sufficiently rapidly to avoid injury.

Clearly, there are other applications in which stopping the EUC would not result in a safe state, for example, a medical ventilator, a space-walking astronaut’s space suit, a deep-sea diver’s rebreathing system, a heart pacemaker, etc. Some of these examples count as life-support, and therefore need to keep operating at least well enough to prevent death or injury. IEC 61508 also includes techniques and measures suitable for this type of application.



E.2 Managing Functional Safety (and Other) Risks Due to EMI

All electronics can suffer from errors, malfunctions and/or failures due to electromagnetic interference (EMI), so EMI needs to be taken into account when complying with functional safety. When applying parts of IEC 61508 or its family of functional safety standards (see Annex C), it is understood that it is commonplace to allocate one-tenth of the acceptable risk level to EMI, unless there are special circumstances.

Electromagnetic compatibility (EMC) is traditionally partially assured by laboratory testing. Where safety risks are concerned, it is usual to apply the standardized immunity tests at higher levels or for longer times, while ensuring that the equipment continues to operate according to its specification. This method has been recognized as not being adequate, on its own, for achieving functional safety compliance [B16]³⁶. Yet, it is still often relied upon, exposing people to uncontrolled safety risks and manufacturers to uncontrolled financial risks.

Immunity testing on its own is no longer adequate for modern digital systems because, as previously discussed, it is physically impossible to test all of their possible states thoroughly enough to prove compliance with functional safety. Remember, it is impossible to predict what an untested state of a digital system will actually do, see [B801]³⁶, [B802]³⁶, [B803]³⁶ and [B805]³⁶.

Further, safety risks should be low enough over the whole lifecycle of an SRS. So, trying to prove compliance with functional safety by EMC immunity testing alone needs also to take into account the effects on the equipment’s EM characteristics of the following reasonably foreseeable issues:
a) Corrosion, aging, wear, contamination, etc.
b) Faults (e.g., a broken filter ground wire)
c) Foreseeable use/misuse (e.g., leaving a shielding door open, replacing a shielded cable with a less-well-shielded type)
d) Mechanical stresses and strains, and averaged and extreme environmental conditions such as temperature, humidity, pressure, condensation, vibration, etc., that can alter the impedances of electrical bonds, EMC gaskets, etc., degrading the performance of shielding and filtering
e) The possible range of variations in: transient/surge levels, waveshapes and repetition rates; variations in RF level plus its modulation type, frequency, depth and burst rate, etc.
f) Different types of EMI occurring simultaneously or in some critical time sequence (e.g., RF fields plus ESD, AC power distortion plus a dropout, etc.)
g) Reasonably foreseeable combinations of all of the above independent variables.

Even considering just the items in this non-exhaustive list, it is clear that attempting to prove functional safety compliance over the lifecycle by EMC testing would result in an EMC test plan that explodes to an impractically large size, cost and duration [B15]³⁶.

The traditional way of achieving functional safety despite any EM disturbances that could foreseeably arise over a lifecycle is to use rugged, ‘high-spec’ EM mitigation (i.e., shielding, filtering, surge protection, galvanic isolation, etc.). As long as it is sufficiently ‘rugged’, it will maintain high levels of EM mitigation over its entire lifecycle, despite all that could possibly be foreseen, and so it requires deliberate over-engineering.

The IET’s 2017 Code of Practice on ‘Electromagnetic Resilience’, [B8], employs a different approach to help confirm that hardware and software can be exposed to reasonably foreseeable EM disturbances without affecting functional safety compliance. Figure 3.2 shows the basics of this EM Resilience approach, which builds on the existing expertise in the EMC testing and functional safety communities.

³⁶ For the corresponding reference number in IET 2017 [B8], see Annex G.

The applicable parts of IEC 61508 describe many techniques and measures for use in design, to help reduce risks caused by errors, malfunctions, faults, etc. in hardware and software to the degree required to comply with functional safety. Today, functional safety designers and assessors have become experienced in their use. These techniques and measures operate on the data, signals (analog, digital, etc.) and/or the electrical power supplies (AC, DC, etc.), but were never intended to deal with EMI. However, EMI can only affect data, signals and/or power supplies, so it turns out that many of these design techniques and measures are very effective in dealing with the effects of EMI.

Accordingly, the IET’s 2017 Code of Practice [B8] details which of IEC 61508’s existing techniques and measures are effective for dealing with EM disturbances and EMI, as well as how to improve their benefits for EM Resilience, while adding new techniques and measures to cover newly-apparent needs. None of this requires functional safety designers or independent assessors to know a great deal more than what they do at present.

E.3 Examples of Techniques and Measures for EM Resilience

Most designers find that they have at least a basic familiarity with most of these techniques and measures, and most have been used for decades:

Examples of techniques and measures for Redundancy and Diversity

a) Multiple sensors sense the same parameters
b) Multiple copies of data are stored
c) Multiple communications carry the same data, or one communication message is highly redundant
d) Multiple processors process the same data
e) Comparing one with another out of any multiple can detect the presence of errors
f) Voting, for example any two that agree out of three, can correct errors

All the above benefit from using a wide range of diverse technologies and techniques among their multiple ‘channels’ to improve their effectiveness against the common-cause failures typically caused by EMI. For example, in a system consisting of two identical channels, one of the channels could be inverted, thereby making EMI more likely to be detected by monitoring the difference between their outputs, at no extra cost.

Examples of techniques and measures for Error Detection & Correction Codes

g) Error detection coding (EDC) means adding redundant data to make errors detectable.
h) Error correction coding (ECC) means adding enough redundant data that corruption is not only detected but the data can be restored to an adequate level of accuracy.

Both of the above have been widely used for decades. In fact, it would not be possible for us to have CDs, DVDs, or the Internet without them.

Examples of techniques and measures for Static and Dynamic Self-Testing

i) Static self-testing checks the hardware and software before operation begins and prevents start-up of a defective system if necessary.
j) Dynamic self-testing checks that the operation of the hardware and software is correct during operation, for example by inputting fixed signals/data and checking that the outputs are within the expected boundaries. Critical aspects of data processing might even be checked for correct operation once every second, perhaps even more often.
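As an added example, not code from this Standard or from IEC 61508, the following C program models items e), f) and j) above together with the inverted-channel idea from the paragraph on diversity: it exhaustively applies a constructed common-cause disturbance (the same bus bits pulled high on both channels) to a two-channel 8-bit reading, counts how many corruptions slip past a simple channel comparison with identical channels versus an inverted second channel, then shows a two-out-of-three vote and a dynamic self-test of the comparison logic. The disturbance model and every function name here are assumptions made for the illustration.

```c
/* Added example (not from P1848 or IEC 61508): two-channel redundancy with an
 * inverted second channel under a constructed common-cause EMI model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint8_t ch_a; uint8_t ch_b; } dual_t;

/* Two identical channels: both carry the raw sensor value. */
static dual_t encode_identical(uint8_t v) { dual_t d = { v, v }; return d; }

/* Diverse channels: channel B carries the bitwise complement of the value. */
static dual_t encode_inverted(uint8_t v) { dual_t d = { v, (uint8_t)~v }; return d; }

/* Constructed EMI model (an assumption): a common-cause disturbance, e.g. a
 * transient coupled into a shared cable, pulls the same bus lines high on BOTH
 * channels. pull_high is the set of bits forced to 1. */
static dual_t disturb_common_mode(dual_t d, uint8_t pull_high) {
    d.ch_a |= pull_high;
    d.ch_b |= pull_high;
    return d;
}

/* Item e): compare the channels; return false when a discrepancy is detected. */
static bool decode_identical(dual_t d, uint8_t *out) {
    if (d.ch_a != d.ch_b) return false;
    *out = d.ch_a;
    return true;
}
static bool decode_inverted(dual_t d, uint8_t *out) {
    if (d.ch_a != (uint8_t)~d.ch_b) return false;   /* un-invert B, then compare */
    *out = d.ch_a;
    return true;
}

typedef struct {
    unsigned undetected;   /* value was corrupted but the channels still agreed */
    unsigned detected;     /* a discrepancy was flagged */
} tally_t;

/* Apply every non-zero common-mode mask to every 8-bit value and tally the outcome. */
static tally_t sweep(bool inverted) {
    tally_t t = { 0, 0 };
    for (unsigned v = 0; v < 256; v++) {
        for (unsigned m = 1; m < 256; m++) {
            dual_t d = inverted ? encode_inverted((uint8_t)v) : encode_identical((uint8_t)v);
            d = disturb_common_mode(d, (uint8_t)m);
            uint8_t out = 0;
            bool ok = inverted ? decode_inverted(d, &out) : decode_identical(d, &out);
            if (!ok) t.detected++;
            else if (out != (uint8_t)v) t.undetected++;
        }
    }
    return t;
}

/* Item f): bitwise two-out-of-three majority vote corrects a single bad channel. */
static uint8_t vote_2oo3(uint8_t a, uint8_t b, uint8_t c) {
    return (uint8_t)((a & b) | (a & c) | (b & c));
}

/* Item j): dynamic self-test with a fixed known input. It fails if the comparison
 * logic either rejects a clean reading or stops flagging a disturbed one. */
static bool dynamic_self_test(void) {
    uint8_t out = 0;
    dual_t good = encode_inverted(0xA5);
    dual_t bad  = disturb_common_mode(good, 0x10);
    return decode_inverted(good, &out) && out == 0xA5 && !decode_inverted(bad, &out);
}

int main(void) {
    tally_t same = sweep(false), inv = sweep(true);
    printf("identical channels: %u corruptions undetected, %u detected\n", same.undetected, same.detected);
    printf("inverted channel:   %u corruptions undetected, %u detected\n", inv.undetected, inv.detected);
    printf("2oo3 vote on 0x5A, 0xFA, 0x5A -> 0x%02X\n", vote_2oo3(0x5A, 0xFA, 0x5A));
    printf("dynamic self-test: %s\n", dynamic_self_test() ? "pass" : "FAIL");
    return 0;
}
```

With identical channels the comparison never fires, because the disturbance corrupts both copies the same way; with the inverted channel every non-zero common-mode event is flagged, including the ones that happened not to alter channel A, which is the trade-off between missed faults and spurious trips a designer has to budget for.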


Examples of techniques and measures for Power Supplies

k) Window comparators check that external power supplies are within design limits.
l) Stored energy (e.g., batteries, supercapacitors) is used when external power supplies are outside design limits. This is a very common technique used in modern portable devices, such as cell phones or tablet PCs, and the technology is very well-developed as a result.
m) Multiple power sources (whether external or internal storage) are operated in parallel (e.g., so-called N+1 redundancy) so that the failure of one or more power sources allows normal operation to continue.
n) Before all the available sources of power fail, the system switches to a safe state (if it has one). If it doesn’t have one, more energy storage or more redundancy in external supplies is added until the possibility of dangerous failure is as low as required.

Choosing techniques and measures for sufficient EM Resilience

o) Some EMI resilience techniques and measures will probably have already been chosen for other functional safety reasons, and some of them may be able to be modified to improve their benefits for EMI resilience.
p) Additional EMI resilience techniques and measures may need to be employed to achieve sufficient EMI resilience overall.
q) In a system, some items of equipment may rely on EMI resilience techniques and measures, while others use the rugged, ‘high-spec’ EM mitigation approach.


Annex F Comparisons with IEC standard

Table F.1 shows the relationship between the techniques and measures listed in this Standard and those in IEC 61508-7 Edition 2:2010. Additional techniques or measures that do not occur in IEC 61508-7 Ed.2:2010 are shown by an X in the right-hand column.

Table F.1—Comparisons with IEC standard

Section number in this Standard | Equivalent in IEC 61508-7 Ed.2:2010 Annex A | Equivalent in IEC 61508-7 Ed.2:2010 Annex B | Equivalent in IEC 61508-7 Ed.2:2010 Annex C | X = no equivalent in IEC 61508-7 Ed.2:2010
A.1.1 |  | B.1.1, B.1.2 |  | 
A.1.2 |  | B.2 | C.2 | 
A.1.3 |  | B.3.1 |  | 
A.1.4 |  | B.3.1 |  | 
A.2.1 |  | B.1.3 |  | 
A.2.2 |  |  | C.5.2 | 
A.2.3 | A.11.4 | B.1.4 | C.3.1, C.3.4, C.3.5 | 
A.2.4 |  | B.5 |  | 
A.2.5 |  |  |  | X
A.2.6.1 | A.6.2 |  | C.3.2 | 
A.2.6.2 |  |  | C.3.2 | 
A.2.6.3 |  |  | C.A.5 | 
A.2.7 |  |  |  | X
A.2.8 |  |  |  | 
A.2.9 |  |  |  | X
A.2.10 |  |  |  | X
A.2.11 |  |  |  | X
A.3.1 |  | B.4.1, B.4.2 |  | 
A.3.2 |  | B.4.3 |  | 
A.3.3 |  | B.4.4 |  | 
A.3.4 |  | B.4.6 |  | 
A.3.5 |  | B.4.8 |  | 
A.3.6.1 |  |  | C.2.5 | 
A.3.6.2 |  |  | C.2.5 | 
A.3.6.3 |  |  | C.2.5 | 
A.3.7 |  |  | C.2.6.5 | 
A.3.8 |  |  | C.2.6.6 | 
A.3.9 |  |  | C.2.6.7 | 
A.3.10.1 | A.4.2, A.4.3, A.4.4 |  |  | 
A.3.10.2 | A.4.5 |  |  | 
A.3.10.3 |  |  | C.5.4 | 
A.3.11 | A.2.1, A.2.5, A.4.5, A.5.7, A.6.3, A.7.3, A.11.4 |  |  | 
A.3.12 | A.7.5 |  |  | 
A.3.13.1 | A.5.1, A.5.2, A.5.3, A.5.4 |  |  | 
A.3.13.2 | A.5.5 |  |  | 
A.3.13.3 | A.5.7 |  |  | 
A.3.13.4 |  |  | C.5.4 | 
A.3.14 | A.4.1, A.5.6, A.6.2, A.7.1, A.7.2 |  | C.3.2 | 
A.3.15.1 | A.3.3 |  |  | 
A.3.15.2 | A.3.4 |  |  | 
A.3.15.3 | A.3.5 |  |  | 
A.3.15.4 | A.3.1, A.3.2 |  |  | 
A.3.16 | A.1, A.2 |  |  | 
A.3.17 |  |  |  | X
A.3.18.1 | A.2.1 |  |  | 
A.3.18.2 | A.2.2 |  |  | 
A.3.18.3 | A.2.3 |  |  | 
A.3.18.4 | A.2.5 |  | C.3.4 | 
A.3.18.5 | A.2.6 |  |  | 
A.3.18.6 | A.2.7 |  |  | 
A.3.18.7 |  |  | C.2.5 | 
A.3.19.1 | A.9.1 |  |  | 
A.3.19.2 | A.9.2 |  |  | 
A.3.19.3 | A.9.3 |  |  | 
A.3.19.4 | A.9.4 |  |  | 
A.3.20 | A.6.3, A.6.4, A.6.5 |  |  | 
A.3.21 | A.6.1, A.7.4 |  |  | 
A.3.22 |  |  |  | X
A.3.23.1 | A.8.1, A.8.3 |  |  | 
A.3.23.2 |  |  |  | X
A.3.23.3 |  |  |  | X
A.3.23.4 | A.8.2 |  |  | 
A.3.24 | A.10 |  |  | 
A.3.25 |  |  |  | X
A.3.26 | A.11.1, A.11.2, A.11.3 |  |  | 
A.3.27 |  | B.3.1 |  | 
A.3.28 | A.2.8 |  |  | 
A.4.1 |  | B.4.1 |  | 
A.4.2 |  | B.4.1 |  | 
A.4.3 |  | B.4.1 |  | 
A.4.4 |  | B.4.1 |  | 
A.5.1 |  | B.6 | C.5, C.6 | 
A.5.2 |  | B.5.1, B.5.2, B.6.1, B.6.2 |  | 
A.5.3 |  | B.5.1, B.5.2, B.6.1, B.6.2, B.6.8 |  | 
A.5.4 |  | B.4.1 |  | 
A.6.1 |  | B.1.1 |  | 
A.6.2 |  | B.1.1 |  | 
A.6.3 |  | B.1.1 |  | 
A.7 |  |  |  | X
A.8.1 |  |  |  | X
A.8.2 |  |  |  | X
A.8.3 |  |  |  | X


Annex G Cross-reference between the reference numbering in this IEEE Standard and that in IET 2017 [B8]

It has not been possible to keep the reference numbering – for example: [999] – identical between IET 2017 [B8] and this IEEE Standard, so this Annex G has been added to provide a cross-reference between them.

This new cross-reference should make it easy for anything referenced in this standard to be directly correlated with the same thing in IET 2017 [B8], and vice-versa.

G.1 General references, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
IEC 61000-1-2:2016 (a Normative reference in this IEEE Standard, so it does not have a reference number) | [2]
[B1] | [7]
[B2] | [9]
[B3] | [5]
[B4] | [3]
[B5] | [4]
[B6] | This is a new reference in this IEEE Standard
[B7] | [6]
[B8] | This is a new reference in this IEEE Standard
IEC 61508-1 Ed.2 (a Normative reference in this IEEE Standard, so it does not have a reference number) | [8]
IEC 61508-7 Ed.2 (a Normative reference in this IEEE Standard, so it does not have a reference number) | [1]
[B11] | This is a new reference in this IEEE Standard
[B12] | [13]
[B13] | [10]
[B14] | [14]
[B15] | [11]
[B16] | [12]


G.2 Good EMC engineering for systems and installations, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B20] [35]
[B21] [20]
[B22] [42]
[B23] [43]
[B24] [44]
[B25] [36]
[B26] [38]
[B27] [40]
[B28] [24]
[B29] [41]
[B30] [45]
[B31] [34]
[B32] [37]
[B33] [26]
[B34] [32]
[B35] [25]
[B36] [23]
[B37] [21]
[B38] [22]
[B39] [29]
[B40] [27]
[B41] [28]
[B42] [30]
[B43] [33]
[B44] [31]
[B45] [39]

G.3 Good EMC engineering for individual items of equipment, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B60] [68]
[B61] [67]
[B62] [66]
[B63] [61]
[B64] [60]
[B65] [62]
[B66] [63]
[B67] [69]
[B68] [64]
[B69] [65]


G.4 Software design techniques and measures, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B100] [110]
[B101] [140]
[B102] [119]
[B103] [118]
[B104] [109]
[B105] [142]
[B106] [138]
[B107] [120]
[B108] [123]
[B110] [116]
[B111] [114]
[B112] [115]
[B113] [125]
[B114] [127]
[B115] [111]
[B116] [134]
[B117] [135]
[B118] [136]
[B119] [102]
[B120] [101]
[B121] [112]
[B122] [131]
[B123] [141]
[B124] [106]
[B125] [137]
[B126] [128]
[B127] [144]
[B128] [104]
[B129] [105]
[B130] [139]
[B131] [108]
[B132] [117]
[B133] [124]
[B134] [103]
[B135] [132]
[B136] [133]
[B137] [100]
[B138] [121]
[B139] [122]
[B140] [129]
[B141] [113]
[B142] [143]
[B143] [130]
[B144] [107]
[B145] [126]


G.5 IEC and CISPR standardized EMC test methods, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B200] [225]
[B201] [237]
[B202] [238]
[B203] [239]
[B204] [240]
[B205] [241]
[B206] [242]
[B207] [243]
[B208] [244]
[B209] [255]
[B210] [200]
[B211] [201]
[B212] [202]
[B213] [203]
[B214] [204]
[B215] [205]
[B216] [206]
[B217] [207]
[B218] [208]
[B219] [209]
[B220] [210]
[B221] [211]
[B222] [212]
[B223] [213]
[B224] [214]
[B225] [215]
[B226] [216]
[B227] [217]
[B228] [232]
[B229] [233]
[B230] [218]
[B231] [219]
[B232] [220]
[B233] [221]
[B234] [236]
[B235] [231]
[B236] [222]
[B237] [232]
[B238] [223]
[B239] [224]
[B240] [226]
[B241] [227]
[B242] [228]
[B243] [229]
[B244] [230]
[B245] [234]
[B246] [235]


G.6 Automotive industry EMC test standards, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B300] [300]
[B301] [301]
[B302] [302]
[B303] [305]
[B304] [306]
[B305] [307]
[B306] [308]
[B307] [309]
[B308] [310]
[B309] [311]
[B310] [312]
[B311] [313]
[B312] [314]
[B313] [315]
[B314] [316]
[B315] [317]
[B316] [303]
[B317] [304]

G.7 Marine industry EMC test standards, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B350] [352]
[B351] [351]
[B352] [350]

G.8 Undersea industry EMC test standards, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B360] [362]
[B361] [363]
[B362] [360]
[B363] [361]

G.9 Rail industry EMC standards and guidance documents, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B400] [411]
[B401] [412]
[B402] [400]


[B403] [400] first bullet


[B404] [400] second bullet
[B405] [400] third bullet
[B406] [400] fourth bullet
[B407] [400] fifth bullet
[B408] [400] sixth bullet
[B409] [401]
[B410] [410]
[B411] [409]
[B412] [429]
[B413] [430]
[B414] [405]
[B415] [404]
[B416] [408]
[B417] [406]
[B418] [407]
[B419] [415]
[B420] [422]
[B421] [426]
[B422] [427]
[B423] [402]
[B424] [403]
[B425] [428]
[B426] [414]
[B427] [416]
[B428] [417]
[B429] [418]
[B430] [419]
[B431] [420]
[B432] [421]
[B433] [423]
[B434] [424]
[B435] [425]
[B436] [413]

G.10 Civilian avionics and aerospace industry EMC test standards, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B480] [465]
[B481] [462]
[B482] [460]
[B483] [461]
[B484] [463]
[B485] [464]


G.11 Military industry EMC test standards, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B500] [507]
[B501] [508]
[B502] [500]
[B503] [501]
[B504] [502]
[B505] [503]
[B506] [504]
[B507] [505]
[B508] [506]

G.12 ITE, Telecommunications and Wireless industry EMC test standards, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B550] [559]
[B551] [558]
[B552] [554]
[B553] [550]
[B554] [551]
[B555] [552]
[B556] [553]
[B557] [555]
[B558] [556]
[B559] [557]

G.13 Some ‘Ad Hoc’ test methods, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B600] [601]
[B601] [604]
[B602] [600]
[B603] [602]
[B604] [603]

G.14 Assessing the electromagnetic environment, and detecting threats, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B650] [664]


[B651] [650]
[B652] [666]
[B653] [663]
[B654] [667]
[B655] [651]
[B656] [653]
[B657] [655]
[B658] [659]
[B659] [660]
[B660] [661]
[B661] [662]
[B662] [656]
[B663] [652]
[B664] [654]
[B665] [657]
[B666] [658]
[B667] [665]

G.15 Verification/validation and other techniques (not specifically related to electromagnetic disturbances), cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B700] [741]
[B701] [740]
[B702] [751]
[B703] [746]
[B704] [738]
[B705] [753]
[B706] [700]
[B707] [701]
[B708] [702]
[B709] [703]
[B710] [704]
[B711] [705]
[B712] [706]
[B713] [707]
[B714] [708]
[B715] [709]
[B716] [710]
[B717] [711]
[B718] [712]
[B719] [713]
[B720] [714]
[B721] [715]
[B722] [716]
[B723] [717]
[B724] [718]
[B725] [719]
[B726] [720]
[B727] [721]
[B728] [722]


[B729] [723]
[B730] [724]
[B731] [725]
[B732] [726]
[B733] [727]
[B734] [736]
[B735] [737]
[B736] [739]
[B737] [733]
[B738] [748]
[B739] [734]
[B740] [728]
[B741] [732]
[B742] [729]
[B743] [735]
[B744] [730]
[B745] [731]
[B746] [749]
[B747] [745]
[B748] [753] (Duplicated reference [753] in [B8])
[B749] [755]
[B750] [750]
[B751] [743]
[B752] [742]
[B753] [754]
[B754] [744]
[B755] [747]
[B756] [752]

G.16 References associated with Annex E, cross-reference list

Reference number in this IEEE Standard | Corresponding reference number in the IET 2017 Code of Practice on Electromagnetic Resilience [B8]
[B800] [805]
[B801] [802]
[B802] [803]
[B803] [804]
[B804] [806]
[B805] [801]

