Functional Safety EMI

This document introduces a presentation on the role of EMI/EMC and its impact on functional safety. The presentation will cover what functional safety is, what EMI and EMC are, how EMI can impact systems, examples of EMI-related failures, and precautions that need to be taken to ensure system safety. The presentation will take a problem-solution approach to discussing the impact of EMI on functional safety and safety management lifecycles.

Uploaded by Gaurav Garg

Welcome

To a presentation on the role of EMI/EMC and its impact on functional safety

Bopparaju Surendranath, Mahajin Engineering, Hyderabad
31st July 2018, [email protected], +91 96185 70834
About Me
• Bopparaju Surendranath, Mahajin Engineering India (P) Limited
• M Tech – 1992
• 5 Years in IT education
• 5 Years in Web based application development
• 16 years in Railway Signalling product development
• Product Manager for delivery of 7 products
• EIS, AFTC, HFTC, Data Logger, TAWD, Train Charting, DAC
• Co-patented 5 ideas, one granted as on date
• Currently in consulting mode for 3 major IT companies
• Interests in safety-critical product design, development and management
• Authoring a series of books on temples. First release by Dec 2018
Safety is only as strong as its weakest link
Presentation Scope and Objectives
1. What is functional safety
2. What is EMI
3. What is EMC
4. How can EMI impact a system
5. What are some examples of EMI related failures – critical
6. What precautions need to be taken to ensure safety of a system

Impact of EMI on Functional Safety and Safety Management Life Cycle
Problem – Solution approach
Background
Safety-implicated, safety-related, and safety-critical systems are increasingly using electrical, electronic and programmable electronic devices. All such devices can suffer malfunctions or damage due to electromagnetic interference. Safety systems have safety integrity requirements (defined by IEC 61508), but their EMC aspects are not adequately controlled by either safety or EMC standards. The core of the problem is that the EM environment is not quantifiable, so it is difficult to state the requirements as numeric values.

Functional safety definition

Technically speaking… A safety system is functionally safe if and only if random, systematic and common cause failures do not lead to a loss of the safety system and do not result in injury or death to people. Also
What is EMI
Electro-Magnetic Interference… A range of frequencies that is the equivalent of noise and that can be based on radio, terrestrial, electrical, lightning, power surges, spikes, harmonics, and many others, and is undesirable.

What can EMI do?

EMI does not alter the potential hazards or the severity of their harms, but it can affect their probability of occurrence and therefore their risk levels.

EMI is a cause of errors, malfunctions and failures in all electronic technologies, so it must be taken into account where the risks caused by errors, malfunctions or faults in electronic hardware or software must be controlled over the anticipated lifecycle.
EMI can happen in three ways
1. Conduction
2. Coupling
3. Induction (or radiation)

EMI effect
1. Hardware malfunction
2. Software malfunctions
3. System malfunctions

Note: The technologies to contain the damage for conduction and coupling type of EMI are substantially matured and are available in the form of various shielding techniques or filters that are applied at both the input stage and the output stage.

The main concern is the ability to handle the disturbance created by radiated signals on software or on the data, that is, in general, the transmission and communication within a critical system.
What exactly is the problem?
1. Most of the time, the engineering community expects the subject of functional safety arising out of EMI or EMC to be considered only as a domain of test labs.

2. Yes, these tests (called directive immunity tests) achieve coverage of 80% of the situations.

3. This essentially means low probability situations are generally ignored and not even considered as a test case. But if one needs to qualify the system as SIL 1 to 4, then it is absolutely necessary to deal with the issue at the development life cycle stage.
Absence of evidence is not evidence of absence – Carl Sagan

The problem is that EMI-related or induced failures are difficult to detect, usually leave no trace, and are very difficult to duplicate, and most people aren't trained in EMI.

It is sometimes said that the absence of evidence of EMI is proof that EMI cannot be a significant cause of failure, but such arguments have been known to be logically defective.

Functional safety can be enhanced by using at least one inductive method, plus at least one deductive method, plus at least one brainstorming method.

More on the problem

EMI – what can go wrong
I. Hardware misbehaviour
II. Software misbehaviour
III. System performance
IV. Data corruption

Precautions, or rather provisions, are needed at every stage of the safety life cycle.

At requirements stage – it is imperative to define an exhaustive list of harmful conditions that can be foreseen.

At design stage – tolerance to induction needs to be included; defining the level of tolerance is the key.

At testing stage – worst case scenarios of more than one induced fault are to be created (think Pareto rule, 80:20 – the 20 is the key and not the 80).

At implementation stage – ensure standards are adhered to rigidly.

At validation stage – use of traceability techniques and test case scenarios (robustness).
Safety Definition

Computer based systems are used in transport (especially railways), avionics, chemical process and nuclear power plants. A failure in the system endangers human lives directly or through environmental pollution, with large scale economic influence.

Safety is a property of a system that it will not endanger human life or the environment.

A Safety-Critical System is a system that is intended to achieve, on its own, the necessary level of safety integrity for the implementation of the required safety functions. (Never expected to fail; if it does, it must then transit into an acceptable safe state.)

Some time on this is worth it……
Concepts generally we tend to accept

• Design
• Systemic faults
• Random faults
• Real time / Online
• Hot standby and Warm standby

Challenge: Can someone define design? What then qualifies good and bad designs?
Hazard Analysis
• A Hazard is a situation in which there is actual or potential danger to people or to the environment.
• Analytical techniques:
- Failure modes and effects analysis (FMEA)
- Failure modes, effects and criticality analysis (FMECA)
- Hazard and operability studies (HAZOP)
- Event tree analysis (ETA)
- Fault tree analysis (FTA)
- Failure modes, effects, and diagnostic analysis (FMEDA)
Hazard and Risk management

• Problem Side
• Hazard
• Failure
• Fault
• Detection
• Health
• Diagnostics – Periodic and Need based
• Safety, Reliability
• Consistency
• Tolerance
• Fail Safe / Safety critical
• THR

• Solution Side
• Redundancy
• Diversity
• V&V
• C&C
• Detection and Negation
• Graceful degradation
• ALARP
• Fault tree analysis
• Reverse Trace (F & R)
• Simulation
• Tests and Trials
• Distributed or centralised
• Software or hardware
• Right side failure and wrong side failure
• Standards
Two things are worrisome

Design is always a trade off. So we make an affordable test plan (cost and time budget) and then leave out those cases which are either untenable or considered a rarity.
1. Extreme conditions – that might rarely occur but certainly can
2. Simultaneous occurrence of multiple conditions

Example: Use case situations – walkie talkie + mobile phone + remote for a device + X ray machine, in a critical operating theatre.
Design verification and design validation for extreme conditions.

1. Immunity capability of the IC chips could go bad within a few years of operation.
2. Even best of the breed IEC-compliant capacitors lose 10% value every 1000 hours operation, e.g. 100nF can be 9nF after 3 years continuous use, completely altering the performance of filters or transient suppression…
3. Shielding can degrade by 60dB in less than a year, due to corrosion in a harsh climatic environment.

Solution: Accelerated life cycle test. Test plan must contain use of aged components or of components over-used a number of times.
What must each of the personnel involved in safe systems do for seeking EMC?
1. Planner
2. Analyst
3. Designer
4. Programmer
5. Tester
6. Validator
7. Maintainer
8. Installation engineer
9. Approving Authority
10. Documentation specialists
11. Other stakeholders

For a debate on this………
Possible solutions

Problems List:
1. Common cause errors mainly by EMI
2. EMI risk assessment is not a matured subject as yet
3. We have to rely on the old wine such as FTA, FMEA, SWIFT
4. EMI can cause infinite varieties of distortions, create false signals, over voltage etc., so FMEA is an incomplete approach, because multiple points or ports that are not protected can be affected at a time
5. Unpredictable time or sequence is the biggest worry

Solutions:
1. Redundancy
2. Diversity
3. Standards
4. Hazard analysis
5. Design techniques
6. Validation techniques
Worst case Scenarios
Example: Two or more strong radio transmitter signals… one or more radio signals plus an ESD, transient or surge event… ESD and/or transients and/or surges… any/all of the above plus intermittent, and finally when an EMI protection has degraded.
Solutions

Under normal circumstances during the testing we cover few angles of incidence, few angles of polarisation, a single test frequency, and an anechoic environment, whereas real life is almost always reverberant.

But to plan and execute such test cases is nearly impracticable and not feasible. So what to do? Trade off.

Special modulations have been developed. Example: A radio field is 'chirp modulated' (e.g. from 10 Hz to 30 kHz), and also pulsed OFF for 1 s, then ON again (unmodulated) for 1 s.

Use a reverberation chamber rather than anechoic chambers.

There are two well-proven methods for achieving any SIL for all EMI issues: the "EMI Shelter" approach or the error detection/correction approach.
EMI tolerance methods; Solution

Error detection is possible through use of:
- Hardware built-in self-testing techniques, static and dynamic
- Data coding techniques, e.g. checksums, Hamming codes, CRC
- Monitoring the correct operation of software and hardware processes
- Comparison techniques employing redundancy/replication; one of a pair of duplicated data or processes should be inverted, to help prevent common-cause failures…
- Employ diversity in channels (tech point of view) when using 3 or more "parallel channels" to eliminate common cause failures

The error detection and correction approach is achieved through hardware and software techniques that can be mathematically proven to detect and/or correct a certain % of the errors that can occur in signals, data, processing, and power rails, chosen to give a % "fault coverage" that is appropriate for the SIL.

On detection of an error, either activate an alarm, switch the equipment into a safe state (if it has one), or correct the errors so that normal (low-enough risk) operation continues.

Use of Standards: MIL STD 461 and RTCA DO160, IEC 61508

References: IET Working Group has a guidebook on techniques
Problem: Inadequate protection can cause semiconductors to "latch-up", when all of their pins assume uncontrolled static values at the same time. That is possible to reset only through a power-on. Some EMI can cause permanent damage, through electrostatic discharge, from lightning, etc.

Solution: Duplication of data in two diverse physical locations that are unconnected.

Problem: Degradation of the protection provisions for EMI.

Solution: Ageing to be considered as a design factor while analysing the system performance.
Problem: Bit failure in memory
Solution: Maintain redundant and physically separate memory and store data in inverse form.

Problem: EMI can induce single bit errors in memory.
Solution: Extend the data word by one bit, called the parity bit.

Problem: The flip side of error detection and "failing-safe" is that the systems can suffer from too much downtime. Trade off – availability against safety – so a design issue.

Problem: EMI can induce transient failures in the data.
Solution: Provide for transmission redundancy – periodically.
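The parity bit above, the Hamming codes listed under data coding techniques on the EMI tolerance slide, and the redundant memory held in inverse form are small enough to show in working code. The following Python is an added example and is not part of the presentation: it implements even parity, a Hamming SECDED code (single-error correction, double-error detection) and a two-bank inverse-form store, with a fault-injection hook (`inject_fault`, a constructed test aid) to show what each technique catches. All names and the 8-bit word width are assumptions of the example.

```python
"""Single-bit memory error detection and correction: parity bit, Hamming SECDED
and duplicated storage in inverse form. Added example; names and the 8-bit
word width are assumptions, not the presentation's own material."""
from typing import Dict, List, Optional, Tuple


def _popcount(x: int) -> int:
    return bin(x).count("1")


def parity_bit(word: int, width: int = 8) -> int:
    """Even-parity bit for a `width`-bit word (the 'extend the word by one bit'
    provision). One flipped bit is detected; an even number of flips is not."""
    return _popcount(word & ((1 << width) - 1)) & 1


def parity_ok(word: int, stored_parity: int, width: int = 8) -> bool:
    return parity_bit(word, width) == stored_parity


def _data_positions(width: int) -> Tuple[List[int], int]:
    """Hamming layout: parity bits sit at power-of-two positions (1, 2, 4, ...),
    data bits fill the rest. Returns (data positions, highest position)."""
    positions, pos = [], 1
    while len(positions) < width:
        if pos & (pos - 1):              # not a power of two -> data bit
            positions.append(pos)
        pos += 1
    return positions, pos - 1


def hamming_encode(data: int, width: int = 8) -> int:
    """Hamming code plus one overall parity bit (SECDED). Codeword bit 0 holds
    the overall parity; Hamming position i is stored in codeword bit i."""
    positions, n = _data_positions(width)
    bits: Dict[int, int] = {pos: (data >> d) & 1 for d, pos in enumerate(positions)}
    p = 1
    while p <= n:                        # parity bit p covers positions with bit p set
        bits[p] = 0
        for i in range(1, n + 1):
            if i & p and i != p:
                bits[p] ^= bits.get(i, 0)
        p <<= 1
    code = sum(bits[i] << (i - 1) for i in range(1, n + 1))
    return (code << 1) | (_popcount(code) & 1)


def hamming_decode(codeword: int, width: int = 8) -> Tuple[Optional[int], str]:
    """Returns (data, status): 'ok', 'corrected' (single-bit error repaired) or
    'uncorrectable' (double-bit error detected; data is None)."""
    positions, n = _data_positions(width)
    overall, code = codeword & 1, codeword >> 1
    syndrome = 0
    for i in range(1, n + 1):
        if (code >> (i - 1)) & 1:
            syndrome ^= i                # XOR of set positions = position in error
    odd_total = (_popcount(code) + overall) & 1
    if syndrome == 0 and not odd_total:
        status = "ok"
    elif odd_total:                      # single flip (syndrome 0 => the overall bit itself)
        if syndrome:
            code ^= 1 << (syndrome - 1)
        status = "corrected"
    else:                                # even number of flips but non-zero syndrome
        return None, "uncorrectable"
    data = sum(((code >> (pos - 1)) & 1) << d for d, pos in enumerate(positions))
    return data, status


class InverseRedundantMemory:
    """Two physically separate banks: bank A holds the word, bank B its bitwise
    complement. A read checks that A XOR B is all ones, so corruption in either
    bank, and a common-cause fault that forces both banks to the same value,
    is detected. Banks are dicts here; in hardware they are separate devices."""

    def __init__(self, width: int = 8) -> None:
        self.mask = (1 << width) - 1
        self.bank_a: Dict[int, int] = {}
        self.bank_b: Dict[int, int] = {}

    def write(self, addr: int, word: int) -> None:
        self.bank_a[addr] = word & self.mask
        self.bank_b[addr] = (~word) & self.mask

    def read(self, addr: int) -> Tuple[Optional[int], bool]:
        """(word, True) when both copies agree, (None, False) otherwise."""
        a, b = self.bank_a[addr], self.bank_b[addr]
        return (a, True) if (a ^ b) == self.mask else (None, False)

    def inject_fault(self, bank: str, addr: int, flip_mask: int) -> None:
        """Simulate an EMI-induced bit flip in one bank (constructed test hook)."""
        target = self.bank_a if bank == "A" else self.bank_b
        target[addr] ^= flip_mask & self.mask


if __name__ == "__main__":
    cw = hamming_encode(0xA5)
    print(hamming_decode(cw ^ (1 << 5)))     # single flip -> (165, 'corrected')
    mem = InverseRedundantMemory()
    mem.write(0x10, 0x3C)
    mem.inject_fault("B", 0x10, 0b100)
    print(mem.read(0x10))                    # (None, False)
```

Run as a script, the module shows a single flipped bit in a Hamming codeword being corrected and a flipped bit in one memory bank being caught at read time. The inverse-form store also catches a common-cause fault that drives both banks to the same value (a latch-up forcing all outputs low, for instance), which plain duplication would not. A parity bit alone detects one flip but cannot say which bit, and misses an even number of flips, which is why the slide pairs it with redundancy.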
Problem: Correctness and completeness of design
Solution: Elaboration of design choices in more than one way so that it is verifiable, and trace the requirements forward and backward.

Problem: Systematic common cause failures
Solution: Diversity in almost every aspect of the product – hardware design, software design, implementation etc.

Problem: Transient hardware failures caused by sudden surges
Solution: Two processing units to exchange data, intermediate results and final results, and compare them before every decision.

Problem: Non safety functions interlaced with safety related functions can degenerate the system functionality
Solution: Define and separate the safety and non safety related features in separate hardware routes, so errors out of EMI stand isolated.
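For the two-processing-unit provision above (exchange data, intermediate results and final results, and compare before every decision), here is an added Python example, not taken from the presentation, of a two-out-of-two decision in which the second channel works on inverted data, as the earlier comparison-technique slide recommends. The braking-distance check, the 16-bit data path, the `inject` hook used to simulate EMI-induced bit flips, and all names are constructed for the example.

```python
"""Two-out-of-two decision with a diverse (inverted) second channel and
compare-before-decide. Added example; the braking-distance check, 16-bit data
path and fault-injection hook are constructed, not the presentation's own."""
from typing import Callable, Optional, Tuple

MASK = 0xFFFF                  # 16-bit data path (constructed assumption)
SAFE_STATE = "SAFE_STOP"       # acceptable safe state entered on any disagreement
PROCEED, STOP = "PROCEED", "STOP"

# Fault hook: (a_mid, a_final, b_mid, b_final) -> same tuple, possibly corrupted.
Inject = Callable[[int, int, int, int], Tuple[int, int, int, int]]


def braking_distance_m(speed_kmh: int, decel_mps2: int = 1) -> int:
    """Stopping distance v^2 / (2a) in metres, integer arithmetic only."""
    v = speed_kmh * 1000 // 3600           # km/h -> m/s, truncated
    return (v * v) // (2 * decel_mps2)


def channel_a(speed_kmh: int, distance_m: int) -> Tuple[int, int]:
    """Channel A computes on true values. Returns (intermediate, decision)
    with decision 1 = proceed, 0 = stop."""
    d = braking_distance_m(speed_kmh)
    return d, (1 if d <= distance_m else 0)


def channel_b(inv_speed: int, inv_distance: int) -> Tuple[int, int]:
    """Diverse channel B consumes one's-complement inputs and produces
    one's-complement results, so a fault that forces both channels to the
    same raw output value shows up as a disagreement, not a false agreement."""
    speed = (~inv_speed) & MASK
    distance = (~inv_distance) & MASK
    d = braking_distance_m(speed)
    decision = 1 if d <= distance else 0
    return (~d) & MASK, decision ^ 1


def decide(speed_kmh: int, distance_m: int, inject: Optional[Inject] = None) -> str:
    """Run both channels, exchange intermediate and final results, and compare
    each before acting. Any mismatch drives the system to SAFE_STATE.
    `inject` optionally corrupts the exchanged values to simulate EMI."""
    a_mid, a_final = channel_a(speed_kmh, distance_m)
    b_mid, b_final = channel_b((~speed_kmh) & MASK, (~distance_m) & MASK)
    if inject is not None:
        a_mid, a_final, b_mid, b_final = inject(a_mid, a_final, b_mid, b_final)
    # Compare intermediate results first (B's copy is un-inverted for the check).
    if a_mid != ((~b_mid) & MASK):
        return SAFE_STATE
    # Then compare the final decisions.
    if a_final != (b_final ^ 1):
        return SAFE_STATE
    return PROCEED if a_final else STOP


if __name__ == "__main__":
    print(decide(40, 100))                                               # PROCEED
    print(decide(60, 100))                                               # STOP
    # EMI flips one bit of channel A's intermediate result: caught on exchange.
    print(decide(40, 100, lambda am, af, bm, bf: (am ^ 0x8, af, bm, bf)))  # SAFE_STOP
    # Common-cause fault forces both final outputs high: caught by the inversion.
    print(decide(60, 100, lambda am, af, bm, bf: (am, 1, bm, 1)))        # SAFE_STOP
```

The last case is the one the inverted channel is there for: if both units held their result on the same raw value, two identical channels would agree and a stuck-high output would become a wrong-side PROCEED; with channel B inverted, the same stuck value is read as opposite decisions and the system falls to its safe state instead.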
An EMI proof system
1. Shall have redundant hardware
2. Redundant software
3. Data communication has parity checks
4. Has extended word length
5. Diverse implementation of critical software
6. Voting
7. Duplication of data at two physical locations
8. Implements validation through additional test cases
9. Separation of critical and non critical software elements
10. Ingress protection
11. Implements standards
12. Designed to tolerate unexpected contexts
13. Modelling of software using multiple techniques – such as UML…
14. Necessarily implements health monitoring of every sub system
15. Considers degradation of components as possible reduction in tolerance whilst designing
16. Data recording by differentiating data health and system health
Hazard and Risk management

• Problem Side
• Hazard
• Failure
• Fault Detection
• Health Diagnostics – Periodic and Need based
• Safety, Reliability, Consistency
• Tolerance
• Fail Safe / Safety critical
• THR

• Solution Side
• Redundancy
• Diversity
• V&V
• C&C
• Standards
• Detection and Negation
• Graceful degradation
• ALARP
• Fault tree analysis
• Reverse Trace (F & R)
• Simulation
• Tests and Trials
• Distributed or centralised
• Software or hardware
• Right side failure and wrong side failure
Risk Analysis
• Risk is a combination of the severity (class) and frequency (probability) of the hazardous event.
• Risk Analysis is a process of evaluating the probability of hazardous events.
• Quantifying the value of life??
Value of life is estimated between 0.75M – 2M GBP.
Developing safety-related systems

• To achieve safety:
- Safety requirements (avoiding hazards, risks)
- Quality management (follow up process)
- Design / system architecture (reliability)
- Defined design/manufacture processes
- Certification and approval processes
- Known behaviour of the system in all conditions
Standards – International standards framework

IEC 61508
- IEC 61511 – Process Industry
- IEC 61800-5-2 – Electrical Drives
- IEC 62061 – Machinery
- IEC 61513 – Nuclear Sector
- IEC 50156 – Furnaces
- EN 50128 – Railway applications
Ten tips for an EMI proof system
1. Keep loops small (winding coils)
2. Provide for bypass capacitors
3. Minimise EMI through impedance matching
4. Shielding to provide immunity
5. Short ground connections
6. Balance the speed – as high speed logic produces sharp edges and is susceptible to EMI
7. Provide inline inductors
8. Reduce peak emissions through use of spread spectrum
9. Reduce dv/dt and/or di/dt wherever possible (rate of change in voltage or current)
10. A resistor in parallel to the inductor to absorb the energy of the oscillation is a good idea to handle resonances

Source: Ten tips for successfully designing with automotive EMC/EMI requirements, by Mark Sauerwald, Applications Engineer, Automotive Connectivity and Ethernet
Thank you for the time spent
