Particular considerations for IEC 61000-1-2
The aim of this international standard with regard to EMC and functional safety is to address the possible effects of electromagnetic disturbance
Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050-161 as well as the following apply.
3.1.1 degradation (of performance)
undesired departure in the operational performance of any device, equipment or system from its intended performance
Note 1 to entry: The term "degradation" can apply to temporary or permanent failure
3.1.2 electrical/electronic/programmable electronic, E/E/PE
based on electrical and/or electronic and/or programmable electronic technology
Note 1 to entry: The term is intended to cover any and all devices or systems operating on electrical principles
EXAMPLE Electrical/electronic/programmable electronic devices include
– solid-state non-programmable electronic devices (electronic);
– electronic devices based on computer technology (programmable electronic)
3.1.3 electromagnetic compatibility, EMC
ability of an equipment or system to function satisfactorily in its electromagnetic environment without introducing intolerable electromagnetic disturbances to anything in that environment
[SOURCE: IEC 60050-161:1990, 161-01-07]
3.1.4 EMC planning
engineering method by which EMC aspects of a project are systematically considered and investigated in order to achieve EMC
Note 1 to entry: All activities connected to EMC planning are described in an EMC plan
3.1.5 E/E/PE safety-related system
An E/E/PE safety-related system is a system for control, protection or monitoring that uses one or more programmable electronic devices. It encompasses all of its components, including power supplies, sensors, input devices, data highways, communication paths, actuators and output devices.
3.1.6 E/E/PE system safety integrity requirements specification
specification containing the safety integrity requirements of the safety functions that have to be performed by the safety-related systems
Note 1 to entry: This specification is one part (the safety integrity part) of the E/E/PE system safety requirements specification (see 7.10 and 7.10.2.7 of IEC 61508-1:2010).
3.1.7 E/E/PE system safety requirements specification, SSRS
The SSRS specifies, for each safety function, both the requirements on the operation of the function and the safety integrity requirements, which indicate the probability that the safety function is performed satisfactorily by the safety-related systems.
Note 1 to entry: This note applies to the French language only
3.1.8 (electromagnetic) compatibility level
specified electromagnetic disturbance level used as a reference level for co-ordination in the setting of emission and immunity limits
Note 1 to entry: The compatibility level is typically set so that there is only a small probability of its being exceeded by the actual disturbance level. Electromagnetic compatibility is achieved when both emission and immunity levels are controlled so that the resulting disturbance level at any location stays below the immunity level of every device, equipment and system present.
Note 2 to entry: The compatibility level may be phenomenon, time or location dependent
3.1.9 electromagnetic disturbance
any electromagnetic phenomenon which may degrade the performance of a device, equipment or system
Note 1 to entry: An electromagnetic disturbance may be an electromagnetic noise, an unwanted signal or a change in the propagation medium itself
[SOURCE: IEC 60050-161:1990, 161-01-05, modified – the words "or adversely affect living or inert matter" have been deleted]
3.1.10 electromagnetic environment
totality of electromagnetic phenomena existing at a given location
3.1.11 electromagnetic interference, EMI
degradation of the performance of an equipment, transmission channel or system caused by an electromagnetic disturbance
Note 1 to entry: Disturbance and interference are respectively cause and effect
Note 2 to entry: This note applies to the French language only
3.1.12 element
part of a system comprising a single component or any group of components that performs one or more element safety functions
Note 1 to entry: An element may comprise hardware and/or software
Note 2 to entry: A typical element is a sensor, programmable controller or final element
[SOURCE: IEC 61508-4:2010, 3.4.5, modified – the word "subsystem" has been replaced by
3.1.13 element safety function
that part of a safety function which is implemented by an element
3.1.14 equipment
general term that refers to a wide variety of possible elements, modules, devices and assemblies of products
3.1.15 equipment under control, EUC
equipment, machinery, apparatus or plant used for manufacturing, process, transportation, medical or other activities
Note 1 to entry: The EUC control system is separate and distinct from the EUC
Note 2 to entry: This note applies to the French language only
3.1.16 equipment requirements specification, ERS
equipment specification covering safety-related requirements only with regard to electromagnetic phenomena
Note 1 to entry: An ERS is developed for each item of equipment in the safety-related system; it specifies the electromagnetic characteristics with regard to the maximum electromagnetic environment expected over the equipment's lifetime.
Note 2 to entry: This note applies to the French language only
3.1.17 failure
termination of the ability of a functional unit to provide a required function or operation of a functional unit in any way other than as required
Note 1 to entry: This is based on IEC 60050-191:1990, 191-04-01, with changes to include systematic failures due to, for example, deficiencies in specification or software.
Note 2 to entry: See IEC 61508-4 for the relationship between faults and failures, both in the IEC 61508 series and IEC 60050-191.
Note 3 to entry: Performance of required functions necessarily excludes certain behaviour, and some functions may be specified in terms of behaviour to be avoided. The occurrence of such behaviour is a failure.
Note 4 to entry: Failures are either random (in hardware) or systematic (in hardware or software), see IEC 61508-
[SOURCE: IEC 61508-4:2010, 3.6.4, modified – in Notes 2 and 4 to entry, the figure and subclause numbers have been replaced by IEC 61508-4.]
3.1.18 fault
abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function
Note 1 to entry: IEC 60050:1990 defines "fault" as a state characterised by the inability to perform a required function, excluding the inability during scheduled maintenance or other planned actions, or due to lack of external resources.
3.1.19 functional safety
Functional safety is the part of the overall safety relating to the equipment under control (EUC) and the EUC control system that depends on the correct functioning of the electrical, electronic and programmable electronic (E/E/PE) safety-related systems and other risk reduction measures.
Note 1 to entry: In this (EMC) document, functional safety refers to the part of overall safety that relates to the electromagnetic environment of the safety-related system.
[SOURCE: IEC 61508-4:2010, 3.1.12, modified – a note has been added.]
3.1.20 installation
combination of equipment, components and systems assembled and/or erected (individually) in a given area
3.1.21 safety function
A safety function is a function implemented by an E/E/PE safety-related system or other risk reduction measure, intended to achieve or maintain a safe state for the equipment under control (EUC) in respect of a specific hazardous event.
EXAMPLE Safety functions include:
• functions that are required to be carried out as positive actions to avoid hazardous situations (for example switching off a motor); and
• functions that prevent actions being taken (for example preventing a motor starting)
3.1.22 safety integrity level, SIL
A safety integrity level is one of four discrete levels, each corresponding to a range of safety integrity values; SIL 4 is the highest level of safety integrity and SIL 1 the lowest.
Note 1 to entry: The target failure measures for the four safety integrity levels are specified in Tables 2 and 3 of IEC 61508-1:2010.
Note 2 to entry: Safety integrity levels are used for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE safety-related systems
Note 3 to entry: A safety integrity level is not a property of a system, element or component. The term "SIL n safety-related system" (where n is 1, 2, 3 or 4) means that the system is potentially capable of supporting safety functions with a safety integrity level up to n.
Note 4 to entry: This note applies to the French language only
3.1.23 safety manual for compliant items
The safety manual for compliant items is the document that provides all the information relating to the functional safety of an element, in respect of its specified safety functions, that is necessary to ensure the system meets the requirements of the IEC 61508 series.
3.1.24 safety-related system
designated system that both
– implements the required safety functions necessary to achieve or maintain a safe state for the EUC; and
– is intended to achieve, on its own or with other E/E/PE safety-related systems and other risk reduction measures, the necessary safety integrity for the required safety functions
Note 1 to entry: A safety-related system includes all the hardware, software and supporting services (for example power supplies) necessary to carry out the specified safety function; sensors, other input devices, actuators and other output devices are therefore part of the safety-related system.
Note 2 to entry: For further information, see IEC 61508-4.
[SOURCE: IEC 61508-4:2010, 3.4.1, modified – the original note 2 has been modified.]
3.1.25 systematic capability, SC
Systematic capability is a measure, on a scale from SC 1 to SC 4, of the confidence that the systematic safety integrity of an element meets the requirements of the specified safety integrity level (SIL), in respect of the specified element safety function, when the element is applied in accordance with the instructions in its safety manual for compliant items.
Note 1 to entry: Systematic capability is determined with reference to the requirements for the avoidance and control of systematic faults (see IEC 61508-2 and IEC 61508-3).
Note 2 to entry: The relevant systematic failure mechanisms depend on the nature of the element. For an element consisting solely of software, only software failure mechanisms are relevant; for an element comprising both hardware and software, both systematic hardware and software failure mechanisms have to be considered.
Abbreviations
DS (performance criterion) “defined state”, see 8.4.2
FMEA Failure modes and effect analysis
FMECA Failure modes effects and criticality analysis
HEMP High altitude electromagnetic pulse
ISM Industrial, scientific and medical
SSRS System safety requirement specification
General
Electrical and electronic safety-related systems must not be affected by external influences in a way that creates unacceptable risk to persons or the environment. Acceptable performance in the presence of electromagnetic disturbances is therefore essential, and a thorough safety analysis has to cover the effects of these disturbances.
IEC 61508 is a basic safety publication under IEC Guide 104 dealing with the functional safety of electrical, electronic and programmable electronic safety-related systems. It sets out the essential requirements for achieving functional safety but gives no specific guidance on electromagnetic disturbances. This document, IEC 61000-1-2, provides that guidance for managing the effects of electromagnetic disturbances on safety-related systems and on equipment intended for such applications.
IEC 61508 is based on a safety lifecycle model covering the activities of the application-specific phases: design, implementation, operation, maintenance and decommissioning of safety-related systems. A central element of this model is the E/E/PE system safety requirements specification (SSRS), which forms the interface between the application-specific phases and the design phase. The SSRS must set out all requirements relevant to the intended applications so that the necessary functional safety can be achieved.
The safety-related system that carries out the specified safety functions must satisfy the requirements of the SSRS. In addition, the equipment or elements intended for use in that system must meet the relevant SSRS requirements as passed down in the ERS (see Table 1).
Table 1 – E/E/PE system safety requirements specification, interfaces and responsibilities according to IEC 61508
Specification of E/E/PE system safety requirements at the application level involves several steps. First, the safety-related functions are defined through a risk assessment of the intended application, as described in IEC 61508, identifying the functions whose failure could be dangerous. Next, the appropriate safety integrity level (SIL) is selected on the basis of that risk assessment. Finally, the operational environment of the system is defined in accordance with IEC 61508 and IEC 61000-2-5, so that reliable performance under the specified conditions can be ensured.
E/E/PE equipment intended for use in a safety-related system: the equipment manufacturer shall fulfil the relevant requirements of the ERS.
Sufficient confidence must be established that electromagnetic disturbances will not lead to dangerous systematic failures, i.e. systematic capability in this respect has to be demonstrated. Evidence must also be provided that suitable methods and techniques have been applied.
NOTE 1 Figure 1 shows the relationship between IEC 61508 and IEC 61000-1-2 and where electromagnetic disturbances have to be addressed in the safety lifecycle. Maintenance activities relating to the electromagnetic characteristics have to be considered during the "use of equipment" phase so that the safety-related system keeps performing as required.
NOTE 2 Verification and management of functional safety are not shown in the diagram but it is relevant to all lifecycle phases
Figure 1 – Relationship between IEC 61000-1-2 and the simplified safety lifecycle as per IEC 61508
(Figure 1 label recovered from extraction: system/equipment/element design phase)
Considerations with regard to electromagnetic phenomena
The correct functioning of safety-related systems depends on many factors, which IEC 61508 covers comprehensively. This document deals specifically with the impact of electromagnetic disturbances on safety-related systems, namely:
– the electromagnetic environment (see Clause 6):
  • deriving test levels and methods,
  • considerations on electromagnetic phenomena and safety integrity levels (SILs);
– the electromagnetic aspects of the design and integration processes (see Clause 7);
– verification/validation for functional safety with respect to electromagnetic phenomena (see Clause 8):
  • performance criteria and test philosophy;
– immunity testing with regard to functional safety (see Clause 9):
  • considerations on test methods and levels,
  • considerations on immunity testing with regard to systematic capability.
Figure 2 shows how the various aspects covered by IEC 61508 are related. The E/E/PE system safety requirements specification is a key part of IEC 61508, but it must also take into account the results of an evaluation of the electromagnetic environment in which the safety-related system will operate.
NOTE (Reference no.) refers to related clauses/subclauses in this document
Figure 2 – Basic approach to achieve functional safety only with regard to electromagnetic phenomena
General
The achievement of functional safety requires an understanding of some basic terms and concepts within the area of functional safety, these being:
– safety lifecycle: the activities required for the implementation of safety-related systems, from the concept phase until the system is no longer available for use;
– safety integrity: the probability of a safety-related system satisfactorily performing the required safety functions under all stated conditions within a stated period of time (see 5.3).
NOTE IEC 61000-1-2 does not deal with all phases of the whole lifecycle (see also Figure 1).
(Figure 2 box labels, displaced here by extraction: items of electrical and electronic equipment designed and tested by their manufacturers; assess suitability of manufactured equipment (D.2.3, D.2.4); overall verification or validation against the electromagnetic requirements (8.1 to 8.3, Clause 9); design aspects of system integration and installation of equipment to achieve the required electromagnetic characteristics; system safety requirements specification (SSRS) (D.2.1); overall hazard analysis and risk assessment.)
Safety lifecycle
The overall lifecycle relevant for the functional safety of safety-related E/E/PE systems is defined in IEC 61508, and Figure 1 shows a simplified version.
The safety requirements specification for safety-related E/E/PE systems is governed by IEC 61508; in part it is also covered by IEC 61000-1-2, which specifies the electromagnetic environmental conditions.
The design process and the essential features needed to achieve functional safety in safety-related E/E/PE systems are set out in IEC 61508. This document specifies the requirements for those design features that make the system resilient to electromagnetic disturbances.
The design, implementation, validation, commissioning and modification phases of safety-related E/E/PE systems are covered by both IEC 61508 and IEC 61000-1-2: IEC 61508 addresses all aspects of functional safety, IEC 61000-1-2 only those related to electromagnetic phenomena.
Operation, maintenance and decommissioning of safety-related E/E/PE systems are within the scope of the IEC 61508 series.
In safety-related systems governed by IEC 61508, the handling of electromagnetic phenomena for E/E/PE equipment differs significantly from the methods applied in other safety-related systems.
The state that the equipment shall reach or maintain when a fault occurs must be clearly defined. For instance, it could be specified that the equipment shall deliver a particular output signal upon detection of a fault.
The specified behaviour of the equipment must be considered throughout the lifecycle phases of concept, planning, design, development, integration, operation, maintenance, validation and modification. The phases of hazard and risk analysis, overall safety requirements and safety requirements allocation, however, do not apply at the equipment level.
Safety integrity
Electromagnetic disturbances of a given strength can cause systematic failures of safety-related systems. To control EMC-related dangerous failures, control measures are required; these measures form part of the system's systematic capability and are to be integrated into the IEC 61508 lifecycle as appropriate.
An element that meets the requirements of the IEC 61508 series for systematic safety integrity with respect to a specified safety function is credited with systematic capability (SC). This credit is valid only when the element is used in accordance with the instructions in its safety manual for compliant items.
The EMC information necessary to integrate elements into the intended application shall be included in their safety manuals for compliant items
Specific steps for the achievement of functional safety with regard to
To achieve functional safety in safety-related systems with regard to electromagnetic influences, the following actions are necessary:
– assess the structure, design and intended functions of the system;
– describe the electromagnetic environment in which the system will operate throughout its lifecycle;
– evaluate the physical and climatic conditions, as well as potential degradation through normal use and foreseeable misuse, as far as they relate to electromagnetic factors;
– incorporate electromagnetic compatibility (EMC) considerations into the design process;
– carry out verification and validation against electromagnetic disturbances;
– if necessary, modify the design or the installation measures;
– produce specific operation and maintenance instructions for maintaining functional safety over time, to be included in the safety manual for compliant items.
Management of EMC for functional safety
General
The requirements of 5.5 set out the activities necessary for managing the functional safety performance of safety-related systems with respect to electromagnetic phenomena. These management activities are described primarily at the system level; element-level activities are addressed where necessary.
Management of functional safety performance with respect to
An organization responsible for demonstrating the electromagnetic compatibility (EMC) of safety-related systems or equipment must appoint one or more persons to take overall responsibility for:
• the system or element, or for all relevant activities;
• coordinating activities for performance with respect to electromagnetic disturbances;
• the interfaces between those activities and other activities carried out by other organizations;
• carrying out all the requirements of 5.5; and
• ensuring that EMC is sufficient and demonstrated in accordance with the objectives and requirements of this document
Coordination and overall responsibility for EMC for functional safety should rest with one or a few persons with adequate management authority. Responsibility for specific sub-aspects can be delegated to others, in particular to those with the relevant expertise.
The organization must establish a detailed plan setting out its policy and strategy for achieving functional safety with respect to electromagnetic phenomena. The plan should include the means of evaluating its success and the communication channels within the organization.
All persons, departments and subcontractors involved in safety-related activities with respect to electromagnetic phenomena must be identified. Their responsibilities must be clearly communicated, and other parties whose actions could affect the safety performance of the system must also be informed of these responsibilities.
Those responsible for the activities described in this document must define all management and technical activities needed to achieve and demonstrate the functional safety performance of safety-related systems with respect to electromagnetic phenomena, including the chosen measures, techniques and tests required to meet the requirements of this document.
Procedures must be established to ensure that all persons involved have the training, technical knowledge, experience and qualifications relevant to their specific duties. These procedures should define the information to be exchanged across interfaces and the form of that communication. They must also require that reported electromagnetic disturbances affecting safety-related systems are analysed and documented, with recommendations to reduce the likelihood of recurrence. Prompt follow-up and satisfactory resolution of safety-related recommendations, including those arising from verification, validation and incident reporting, are likewise part of these procedures.
Organizations must establish a system for implementing changes made necessary by detected defects relating to electromagnetic phenomena in safety-related systems or equipment. Where they cannot implement the changes themselves, they must notify users of the modifications needed to maintain safety.
NOTE More information on management of functional safety is given in IEC 61508-1.
Management of functional safety performance with respect to electromagnetic phenomena at element supplier level
A safety-related system consists of integrated elements that deliver its safety functions and, possibly, non-safety-related functions. The functional and performance requirements of each element can be met by a bespoke design or by a commercial off-the-shelf product. Suppliers must deliver products or services according to the specifications set by the organization responsible for the relevant activities.
Where the element is bespoke, the overall responsibility for management of performance with respect to electromagnetic phenomena of the element safety function is that defined in 5.5.2.
For non-bespoke elements, the supplier must evaluate and specify the performance according to the applicable standards. The organization must establish procedures to ensure that the performance data obtained through validation is documented in a safety manual and made available to all prospective users of the product.
General
The electromagnetic environment comprises all electromagnetic phenomena present at a given location, and it can change over time. It is described in the E/E/PE system safety requirements specification. Among the influences on the electromagnetic environment are:
• fixed and moving sources of electromagnetic energy,
• low, medium and high voltage equipment,
• control, signalling, communication and power systems,
• physical processes (e.g. atmospheric discharges, switching actions),
• random or infrequent transients, which can all produce disturbances that adversely affect the safety-related system or element under consideration.
Table 2 lists the main electromagnetic phenomena relevant to achieving functional safety in safety-related systems. The list is not necessarily exhaustive, but it is the starting point for evaluating electromagnetic environments that could affect functional safety.
When considering electromagnetic phenomena, simultaneous occurrences such as harmonics together with unidirectional transients, or radiated fields together with electrostatic discharge (ESD), have to be taken into account. Simultaneous testing, however, is not always necessary; other techniques and measures may be more effective (see Annex B).
Table 2 – Overview of electromagnetic phenomena
Electromagnetic phenomena | Sources and characteristics
Signalling voltage | 0,1 kHz to 3 kHz
Radiated CW (AM and PM) | (not recovered)
High altitude electromagnetic pulse (HEMP) b | (not recovered)
(Table 2 only partially survived extraction; the remaining rows could not be recovered.)
For intentional electromagnetic interference (EMI), the specific conditions set out in IEC 61000-2-1 and IEC 61000-2-9 have to be considered; these standards give guidance for evaluating EMI in such particular scenarios.
Electromagnetic environment information
Many publications give basic descriptions of electromagnetic environments, in terms of the electromagnetic phenomena to be expected and their disturbance levels. General information on these disturbances at different locations is found in the IEC 61000-2 series of standards and technical reports. Specific examples of various environments are given in IEC 61000-2-5, although these descriptions are expressed in terms of compatibility levels.
IEC 61000-4-1 gives guidance on selecting the appropriate tests from the IEC 61000-4 series. It points out that standards aimed at ensuring electromagnetic compatibility (EMC), which are based mainly on technical and economic considerations, may not adequately describe the electromagnetic environment relevant to achieving functional safety in safety-related systems.
Table A.1 illustrates the selection of electromagnetic phenomena relevant for specifying requirements. The electromagnetic environment is the same regardless of the safety integrity level (SIL) of the systems in an installation, so the most severe electromagnetic environment has to be taken into account for all aspects of functional safety with respect to electromagnetic phenomena.
For the safety-related system to operate as required, the most severe electromagnetic environment must be identified through measurements and assessments carried out by the designer, manufacturer, installer or user. All electromagnetic phenomena listed in Table 2 have to be considered. Table A.1 draws on IEC 61000-2-5 for guidance, but it does not address the higher disturbance levels that may be present at particular locations. Once the maximum electromagnetic environment has been established, the designer must select equipment that its manufacturer has specified for an environment equal to or more severe than the identified one. Manufacturers typically confirm that their equipment meets the applicable EMC standards at designated levels. Where the application environment exceeds those specifications, additional measures such as shielding enclosures have to be implemented to ensure adequate performance (see Annex B).
The disturbance levels given in the various EMC standards and technical specifications have to be treated with caution when functional safety is at stake. Disturbance levels follow statistical distributions, and although the examples in Table A.1 can serve as a reference, they can be exceeded under specific, if infrequent, circumstances. The disturbance levels relevant to functional safety must therefore be established accurately. In addition, the standardised immunity test methods and performance criteria are designed for operational requirements rather than for functional safety, so safety-related test levels have to be defined for each electromagnetic phenomenon, as is done in standards such as IEC 61000-6-7.
The electromagnetic characteristics of components and systems can deteriorate over time, for example through physical degradation of protective measures. This lifecycle aspect has to be considered when evaluating electromagnetic influences.
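The selection rule described above (take the most severe electromagnetic environment over all locations of the installation, compare it with the immunity the manufacturer has demonstrated, allow for the uncertainty of the immunity test, and resort to additional installation measures where the environment exceeds the equipment's specification) can be made mechanical. The following Python script is an added example written for this edition; it is not code from IEC 61000-1-2 or from any IEC project. The phenomenon names, units, survey levels, immunity levels and the 20 % margin threshold are constructed sample data and an assumed policy, not figures from the standard.

```python
"""Compare a surveyed electromagnetic environment with tested immunity levels.

Added illustrative example; not part of IEC 61000-1-2 or any IEC text.
All phenomenon names, units, levels and the margin policy are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One surveyed level of one phenomenon at one location (constructed data)."""
    location: str
    phenomenon: str
    level: float
    unit: str


@dataclass(frozen=True)
class TestedImmunity:
    """Immunity level as a manufacturer might state it in an ERS (constructed data).

    `uncertainty` is the absolute uncertainty of the immunity test set-up in the
    same unit; the effective demonstrated level is `level - uncertainty`.
    """
    phenomenon: str
    level: float
    unit: str
    uncertainty: float


@dataclass(frozen=True)
class Verdict:
    phenomenon: str
    unit: str
    environment: float      # most severe surveyed level
    effective_test: float   # tested level minus test uncertainty (nan if untested)
    margin: float           # effective_test - environment (nan if untested)
    status: str             # "covered" | "insufficient margin" | "not covered" | "untested"


def worst_case_environment(observations):
    """Most severe observation per phenomenon over every surveyed location.

    The environment does not depend on the SIL of the systems in the
    installation, so the worst location governs the requirement for all of them.
    """
    worst = {}
    for obs in observations:
        current = worst.get(obs.phenomenon)
        if current is None or obs.level > current.level:
            worst[obs.phenomenon] = obs
    return worst


def assess(observations, tested, min_margin_ratio=0.2):
    """Classify each phenomenon of the worst-case environment against the ERS.

    min_margin_ratio (fraction of the environment level that the margin must
    reach) is an assumed policy value, not a figure from the standard.
    """
    env = worst_case_environment(observations)
    by_phenomenon = {t.phenomenon: t for t in tested}
    verdicts = {}
    for phenomenon, obs in env.items():
        t = by_phenomenon.get(phenomenon)
        if t is None:
            # No immunity evidence at all for a phenomenon that is present.
            verdicts[phenomenon] = Verdict(phenomenon, obs.unit, obs.level,
                                           float("nan"), float("nan"), "untested")
            continue
        effective = t.level - t.uncertainty
        margin = effective - obs.level
        if margin < 0:
            status = "not covered"
        elif margin < min_margin_ratio * obs.level:
            status = "insufficient margin"
        else:
            status = "covered"
        verdicts[phenomenon] = Verdict(phenomenon, t.unit, obs.level, effective, margin, status)
    return verdicts


def needs_additional_measures(verdicts):
    """Phenomena the equipment alone does not cover: candidates for more robust
    equipment or for installation measures such as shielding or filtering."""
    return sorted(p for p, v in verdicts.items() if v.status != "covered")


# Constructed survey of two locations in one installation.
SURVEY = [
    Observation("switchgear room", "radiated RF 80 MHz-1 GHz", 30.0, "V/m"),
    Observation("control room", "radiated RF 80 MHz-1 GHz", 3.0, "V/m"),
    Observation("switchgear room", "fast transients (burst)", 1.5, "kV"),
    Observation("control room", "fast transients (burst)", 0.5, "kV"),
    Observation("control room", "ESD, contact", 6.0, "kV"),
    Observation("switchgear room", "conducted RF 150 kHz-80 MHz", 8.0, "V"),
    Observation("switchgear room", "power-frequency magnetic field", 30.0, "A/m"),
    Observation("switchgear room", "surge, line-to-earth", 1.0, "kV"),
]

# Constructed immunity statement for one candidate item of equipment.
ERS = [
    TestedImmunity("radiated RF 80 MHz-1 GHz", 10.0, "V/m", 1.5),
    TestedImmunity("fast transients (burst)", 2.0, "kV", 0.1),
    TestedImmunity("ESD, contact", 6.0, "kV", 0.3),
    TestedImmunity("conducted RF 150 kHz-80 MHz", 10.0, "V", 1.0),
    TestedImmunity("power-frequency magnetic field", 100.0, "A/m", 5.0),
]

if __name__ == "__main__":
    result = assess(SURVEY, ERS)
    for v in result.values():
        print(f"{v.phenomenon:32s} env {v.environment:6.1f} {v.unit:4s} "
              f"effective test {v.effective_test:6.1f}  margin {v.margin:+6.1f}  -> {v.status}")
    print("needs additional measures:", needs_additional_measures(result))
```

Run stand-alone, the block prints one line per phenomenon. The phenomena returned by needs_additional_measures() are those for which the equipment's own immunity, reduced by the test uncertainty, does not cover the worst-case environment with the chosen margin; for them either more robust equipment or installation measures have to close the gap, and the margin column is the kind of figure the SSRS or ERS would carry as the margin to failure. Note that an untested phenomenon is flagged even when the equipment is strong elsewhere: absence of evidence is treated as a gap, not as coverage.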
Methodology to assess the electromagnetic environment
Relevant and significant information exists within the EMC body of publications regarding the electromagnetic environment in which most electrical or electronic equipment operates.
Where the EMC publications do not provide sufficient information, other activities must be undertaken to gain the relevant knowledge of the electromagnetic environment at the locations of interest. These may include:
• a literature review of other EMC resources to ascertain the electromagnetic characteristics of similar locations of interest,
• an electromagnetic survey at the location of interest, i.e. a measurement campaign to identify the characteristics of the electromagnetic phenomena present,
• an electromagnetic analysis to evaluate the data, i.e. the characteristics generated by known emitters.
The information obtained about the electromagnetic environment shall be assessed such that data can be derived regarding:
• the electromagnetic phenomena that could possibly occur at the locations of interest,
• the characteristics of those electromagnetic phenomena, for example their levels, frequency, modulation, rise time, etc.
For automotive and aerospace applications, ISO working groups have developed useful EMC information that can serve as a basis for defining the electromagnetic environments relevant to functional safety.
Surveys are inherently limited in time and place. Long-term monitoring and data logging are therefore needed to give confidence that the most severe electromagnetic environment has been captured.
Deriving test levels and methods
Once the electromagnetic characteristics of a specific environment have been determined, they guide the design of the safety-related system. Good design is essential, but realistic tests are equally necessary to verify that the system meets its E/E/PE system safety requirements specification (SSRS). The IEC EMC community has developed numerous immunity tests for equipment and systems, and these should be the starting point for assessing the electromagnetic characteristics necessary for functional safety.
The safety-related system specifier must incorporate each electromagnetic phenomenon relevant to a specific environment into the E/E/PE system safety requirements specification It is essential to evaluate the existing IEC immunity test methods, starting with IEC 61 000-4-1, to assess their suitability Additionally, the system specifier should verify that the parameters necessary for testing the electromagnetic characteristics of the environment fall within the recommended ranges outlined in the basic immunity test standards, specifically the IEC 61 000-4 series.
Immunity requirements, as outlined in the IEC 61 000-6-2 standard, are designed to ensure reliable operation under normal conditions by establishing immunity test levels based on common electromagnetic phenomena and a technical/economic perspective While this framework acknowledges that equipment may experience disturbances occasionally, it is insufficient for safety-related functions Therefore, functional safety aspects are not adequately addressed by standard immunity requirements without specific consideration of the electromagnetic environment in which the equipment or system operates.
To justify the test method and parameters, safety-related system designers must recognize the inherent uncertainty in immunity testing, as outlined in IEC 61 000-1 -6 This uncertainty can be quantified using data from the test equipment, while also considering environmental conditions not specified by standards After assessing the uncertainty, various approaches can be employed to mitigate it If the immunity test equipment is adequate and testing exceeds the electromagnetic disturbance level, the SSRS (or ERS) should identify the margin to failure and describe the safety-related system's response to electromagnetic-induced failures Conversely, if the test equipment is inadequate due to missing required parameters such as amplitude, frequency, modulation, or repetition rate, alternative strategies must be considered.
1 ) the safety-related system designer shall request the appropriate test equipment be obtained and used; and/or
The safety-related system designer must ensure the implementation of electromagnetic mitigation methods at the system level, allowing for a reduced electromagnetic specification for safety-related equipment that can be tested with available equipment Techniques such as shielded racks, surge protection devices for wire and cable entries, fiber optic data lines, and power line isolation are recommended, as outlined in IEC 61 000-5-6 These mitigation methods, including shields and isolation techniques, should be integrated into the system design and subjected to separate testing to confirm their effectiveness in reducing external electromagnetic environments to the specified test levels.
7 EMC aspects of the design and integration process
General
EMC safety planning shall be performed taking into account functional safety considerations
EMC safety planning ensures the electromagnetic compatibility of the safety-related system with neighbouring systems and with the external electromagnetic environment. Its goal is to achieve EMC at reasonable cost while meeting the target requirements at every stage of the project, by systematically considering, investigating and assessing the EMC issues that can arise during the project. All activities and steps shall be recorded in an EMC safety plan, whose depth is adapted to the complexity of the system and to the SIL required by the E/E/PE system safety requirements specification.
EMC planning usually addresses needs beyond safety; it can be extended to cover functional safety aspects. Annex F gives further details of the EMC safety planning process.
Electromagnetic design management: designated persons are responsible for developing and implementing the EMC safety plan, which shall ensure that the electromagnetic characteristics of the equipment or system are maintained throughout its lifecycle, including decommissioning. Compliance with the EMC requirements shall be documented in the safety manual, which shall give users the information needed to maintain, repair and refurbish the system where this is not done by the manufacturer. The safety manual shall also state any restrictions on future modifications of the electromagnetic environment.
EMC aspects on system level
The electromagnetic environment must not adversely affect the functional safety of a safety-related system To ensure this, the system's performance must meet the required safety integrity and withstand the electromagnetic conditions throughout its lifetime Additionally, the design of the system should clearly document its expected lifespan and the anticipated environmental factors.
All electromagnetic disturbances generated within the safety-related system shall not unacceptably impact the functional safety of the other parts of the safety-related system
Electromagnetic disturbances can lead to systematic or "common cause" faults, impacting multiple pieces of equipment within a safety-related system This susceptibility is linked to the system's design and must be mitigated through the measures and techniques outlined in this document and Annex B.
All EMC measures must be effectively designed and implemented to ensure their efficacy throughout the system's lifetime, considering various physical environmental factors such as mechanical, climatic, chemical, and biological stresses These environmental exposures can impact both the electromagnetic emissions and the system's response to electromagnetic disturbances Therefore, the design of safety-related systems should ensure the maintenance of their required electromagnetic characteristics over their entire operational lifespan.
The electromagnetic characteristics of a safety-related system depend on, but are not determined solely by, the electromagnetic characteristics of each item of equipment. They are assessed by the following procedure:
• the whole system is formally divided into items of equipment;
• the EMC characteristics of every item of equipment are specified; an item may comprise several components, such as power supplies, printed circuit boards and displays, together with a particular cabling scheme;
• the interaction between the various combinations of equipment is analysed, taking into account the effects of both the external and the internal electromagnetic environment; this can result in an assessment of the electromagnetic characteristics of all combinations of equipment, as illustrated in Figure 3;
• the functional performance criteria of the various items are analysed with regard to their overall effect on the safety-related system when interference occurs; a degradation of performance that is acceptable for an item in isolation, or in a different system, may not be permissible in the particular safety-related context.
Figure 3 – EMC between equipment M and equipment P
Table 3 gives further guidance on design and design management techniques, graded by safety integrity level (SIL) on the basis of expert judgement; it also refers to the technical design measures in Annex B.
Table 3 – Design, design management techniques and other measures
No. | Design, design management technique or other measure | SIL 1 | SIL 2 | SIL 3 | SIL 4
2 | Provide the end user with information on restrictions on the application of the system or equipment, including those relating to the electromagnetic environment | R | HR | M | M
3 | Consider lifecycle and technical design measures (see for example | | | |
4 | Consider the EMC requirements stated in the product safety manual for all purchased products and equipment | M | M | M | M
5 | Procedures for maintaining the lifetime electromagnetic characteristics during operation, maintenance, repair and refurbishment, modifications and upgrades | HR | HR | M | M
6 | Consider the effects of reasonably foreseeable faults and misuse on the electromagnetic characteristics and on the mitigation measures | M | M | M | M
M The technique or measure is mandatory and shall be carried out for this safety integrity level (or systematic capability).
HR The technique or measure is highly recommended for this safety integrity level (or systematic capability) and should be used unless there is a valid technical justification for not doing so; if it is not used, the rationale shall be documented during safety planning and agreed with the assessor.
R The technique or measure is recommended for this safety integrity level (or systematic capability), as a lower recommendation than HR.
Recommended techniques or measures are generally more effective than the alternatives; where a technique or measure is neither mandatory nor highly recommended, use of an alternative may be justified.
EMC aspects on equipment level
The electromagnetic performance of a safety-related system is influenced by the equipment's characteristics, the surrounding electromagnetic environment, and the mitigation measures in place It is essential that the system's performance meets the safety requirements specification throughout its expected lifespan Additionally, any electromagnetic disturbances produced by the equipment within the safety-related system must not adversely impact other components of the system.
All EMC measures must be effectively designed and implemented to ensure their efficacy throughout the equipment's lifetime, considering various physical environmental factors such as mechanical, climatic, chemical, and biological stresses This is crucial as emissions and immunity can change over time due to environmental exposure Therefore, the equipment's design should ensure that it retains its essential electromagnetic characteristics for its entire operational life.
Immunity against electromagnetic disturbances shall therefore be considered at the equipment level. Equipment immunity requirements shall be derived taking into account:
• the external electromagnetic environment for which the equipment is specified;
• the local electromagnetic environment to which the equipment may be exposed because of other equipment in close proximity;
• requirements derived from system/equipment aspects, taking into account any system mitigation measures; and
• any requirements identified during EMC safety planning.
This results in an ERS, which shall include:
• the electromagnetic disturbances which the equipment design may have to withstand while maintaining its required electromagnetic characteristics;
• the immunity requirements (see IEC 61000-6-7 for examples);
• any particular test parameter requirements (according to the intended use in the system or systems); and
• the performance criteria, which define the required behaviour of the EUT under test, in particular with regard to the functional safety aspects of the overall system (see 8.4.1 and 8.4.2).
The ERS evaluates the conditions at a specific installation, which may differ from the product specifications that manufacturers must meet for their market offerings While some specifications may align, additional measures may be required for compliance with the ERS For further details on this process, refer to Annex D and particularly Figure D.2.
Meeting the ERS requires design management techniques such as assessing the electromagnetic susceptibilities, designing the electromagnetic characteristics with possible faults and misuse in mind, using several layers of protection, avoiding components with inadequate electromagnetic properties, and verifying each electromagnetic design element individually. Annex B gives a more comprehensive list of possible measures and techniques.
Electromagnetic disturbances and the physical environment typically cause common-cause or systematic effects on equipment of the same design, impacting all items simultaneously.
8 Verification and validation of functional safety performance in respect of electromagnetic disturbances
Verification and validation processes
Verifying the electromagnetic characteristics of a safety-related system with respect to other systems and to the external electromagnetic environment is often complex and impractical, because not all combinations of operating conditions, modes and electromagnetic phenomena can be tested in a reasonable time. Well-defined processes at system or equipment level are therefore needed to demonstrate compliance with the electromagnetic characteristics specified in the E/E/PE system safety requirements specification or in the ERS.
To ensure compliance with the E/E/PE system safety requirements specification, it is essential to conduct verification and validation activities Proper planning for these activities is crucial, and the electromagnetic compatibility (EMC) aspects can be integrated into the EMC planning or addressed separately within the system validation and verification planning, as needed.
The diagram in Figure 4 illustrates the connection between verification and validation processes and their role in the safety lifecycle, focusing specifically on EMC-related aspects It presents a detailed V representation of the lifecycle, contrasting with the sequential model depicted in Figure 1.
A V representation illustrates the lifecycle by integrating a methodology that progresses from the system level to the equipment level and ultimately to the component level of the system.
NOTE 1 Depending on the complexity of the system, more or fewer levels can be employed
The top-down approach focuses on the design and development of safety-related systems, starting from the overall system and refining down to its individual components In contrast, the bottom-up approach pertains to the assembly, manufacturing, and installation of the complete system.
The V representation illustrates the intrinsic connection between acceptance activities and design and development processes, emphasizing that the final design must be verified against the requirements This model effectively highlights the verification and validation tasks throughout the lifecycle and clarifies the levels at which these tasks are assigned.
The electromagnetic characteristics essential for a safety-related system are influenced by the properties of its individual components Therefore, during the verification process, it is crucial to assess the electromagnetic characteristics of each element to ensure they collectively meet the system's required standards.
Safety-related systems are usually unique, application-specific installations, so concrete EMC requirements cannot be defined in a standard; they depend on the electromagnetic environment of each installation. At the element level, on the other hand, series products are commonly used, and these cannot be tested against every individual installation requirement.
Element level tests shall follow the relevant functional safety standards, such as IEC 61326-3-1 and IEC 61000-6-7. The gap between the system-level requirements and the element test requirements may be bridged by additional measures such as filtering, shielded racks and shielded cables. The user and maintenance instructions shall clearly state the safety hazards that can result from improper installation, operation or maintenance of these mitigation measures.
Figure 4 – Example V representation of the lifecycles demonstrating the role of validation and verification for functional safety performance in respect of electromagnetic disturbances
[Figure 4: labels recovered from the diagram: E/E/PE system safety requirements specification; element tests and other verification activities; equipment tests and other verification activities]
Verification
The purpose of verification is to ensure that the deliverables of each phase fully meet the specific requirements of that phase This process occurs within each individual phase and focuses on the levels beneath the overall system level, such as the equipment or component levels.
The verification process must consider all pertinent electromagnetic disturbances and the necessary electromagnetic characteristics It should establish clear pass/fail criteria, including specific performance standards related to functional safety Additionally, a deliberate selection of verification methods and activities is essential, along with the implementation of specific EMC provisions.
Verification can be a single activity or a combination of activities; typically it involves testing with standardized methods and with performance criteria that take functional safety into account. Compliance with the test requirements is shown by meeting technical, quantitatively defined requirements, such as those of the IEC 61000-4 series, and is documented in test reports, test certificates or similar documents.
On the element level, any relevant generic, product family or product standard related to functional safety shall be applied
Further verification activities can include:
• reviews on completion of each lifecycle phase to ensure compliance with the objectives and requirements of that phase, taking into account the specific inputs to the phase;
• appropriate non-standardized tests on the designed products to ensure that they perform according to their specification;
• individual and integrated hardware tests, in which the parts of the system are assembled step by step and tested, including environmental tests, to confirm that they work together as intended.
The results of verification shall be described in a verification report (which could be for example a test report) or in a technical construction file.
Validation
The goal of validation is to ensure that the safety-related system meets all necessary objectives through a combination of predictions, reviews, and tests To effectively demonstrate compliance with safety requirements, it is essential to strategically plan the structure of these reviews and tests This validation plan, which may be integrated into the EMC plan or exist as a standalone document, is crucial for confirming that all safety criteria have been thoroughly addressed.
Validation shall cover all lifecycle phases and identify the audit points. It shall include specific pass/fail criteria, a deliberate selection of validation methods and activities, and a transparent way of handling non-conformances. Validation activities can include:
• demonstration that the safety requirements are fully addressed and correctly implemented;
• checklists (e.g to ensure that EMC measures are adequately observed, applied and implemented);
• inspections (e.g concerning observance of the installation guidelines);
• reviews and audits (e.g close-out audit at the completion of the project);
• testing (e.g factory acceptance test or on-site testing)
The validation plan outlines the validation process, detailing the structure and schedule of activities while providing the technical rationale for how these activities ensure compliance with safety requirements.
When there are alterations in the system, its application, or the electromagnetic environment, it is essential to review the relevant phases of the lifecycle and conduct revalidation as needed.
The results of the validation process are described in a validation report.
Test philosophy for equipment intended for use in safety-related systems
General
Equipment intended for safety-related systems shall behave in a defined way so that the equipment and the system it belongs to reach or remain in a safe condition; it is the behaviour of the safety-related system that achieves and maintains safety.
The behaviour of the equipment under all specified conditions shall therefore be known. The E/E/PE system safety requirements specification shall define the safety functions and the required behaviour when a failure or a fault occurs.
Performance criterion DS for safety applications
A specific performance criterion designated as DS and applicable to functions contributing to or intended for safety applications taking into account functional safety aspects is defined as follows:
The functions of the equipment under test (EUT) intended for safety applications shall remain within their specified limits, or the EUT shall respond to the disturbance by changing its function(s) temporarily or permanently while maintaining or achieving a detectable, defined state within a specified time. Destruction of components is permissible provided that a defined state of the EUT is maintained or achieved within the stated time.
NOTE 1 In consequence it will be possible for the defined state to be outside normal operating limits or otherwise detectable
NOTE 2 Some EMC publications related to functional safety use the abbreviation FS for this performance criterion
The functions not intended for safety applications may be disturbed temporarily or permanently
NOTE 3 Generalized performance criteria A, B and C as defined in generic EMC standards and also more precise performance criteria as defined in EMC product or product family standards were not specifically created for use in functional safety applications However, performance criterion A is always acceptable.
Application of the performance criterion DS
The performance criterion DS applies exclusively to functions related to safety applications and encompasses all electromagnetic phenomena, without distinguishing between continuous and transient types.
Where a device or system performs both safety and non-safety functions the requirements for functional safety apply in context with the safety functions only
Relationship to “normal” EMC standards
Functional safety necessitates the proper operation of the entire system, which includes sensors, logic solvers, and actuators; however, individual devices can be tested separately To facilitate this, each device intended for a safety-related system must be clearly specified, detailing its intended function and behavior in the event of a failure The purpose of immunity tests is to verify that these specifications are met in the presence of electromagnetic disturbances.
The safety manual of a safety-related system shall include a specification of its intended functions. The effect of a disturbed function is often hard to quantify because it depends on the application, so the designer shall consider all foreseeable uses when drawing up the E/E/PE system safety requirements specification (SSRS). Testing shall demonstrate the behaviour of the equipment, and any deviation from the undisturbed function shall be detectable and documented in the test report.
The performance criteria for functional safety establish essential requirements for equipment used in safety-related applications, encompassing both standard and specific functional safety requirements Normal immunity tests and EMC safety tests are evaluated separately, which may lead to distinct testing procedures.
Normal immunity tests are conducted based on specifications outlined in generic or product standards, which do not take into account functional safety aspects.
The general approach is shown in Table 4.
Figure C.1 illustrates the application of the relevant performance criteria for equipment in more detail by showing which effects due to specific electromagnetic disturbances are allowed.
Table 4 – Applicable performance criteria and observed behaviour during test of equipment intended for use in safety-related systems
Normal EMC tests | EMC safety tests
B | B + pre-defined behaviour, detectable and documented + recovery time to be documented
C | C + pre-defined behaviour, detectable and documented
Performance criterion A is always acceptable. The potential of performance criteria B and C to result in misuse of the safety function (for example disablement of the safety function) should be assessed.
NOTE 1 The performance criteria A, B and C are described in generic standards such as IEC 61000-6-1 and adapted accordingly in product standards.
NOTE 2 For more detailed information about the allowed effects during immunity testing, see Figures C.1 and C.2.
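The following added example (not part of IEC 61000-1-2 and not a test laboratory's tooling) applies criterion DS and the Table 4 rules to a set of constructed test observations: a safety function that stays within its limits passes as criterion A; one that leaves its limits passes only if the EUT reaches its pre-defined, detectable state within the specified time, with component destruction permitted on the same condition, a documented recovery time required where the behaviour is criterion B, and the disablement question flagged for assessment; functions not intended for safety are not assessed. The record layout, the function names and the sample observations are assumptions made for illustration.

```python
"""Evaluate immunity-test observations against performance criterion DS.

Added example; it is not part of IEC 61000-1-2 and not a test laboratory's
tooling.  The record layout, the function names and the sample observations
are assumptions made for illustration; the pass/fail rules follow the
definition of criterion DS, its application notes and Table 4 above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Observation:
    """One function of the EUT under one disturbance (constructed format)."""
    function: str
    disturbance: str
    safety_related: bool
    within_limits: bool                                # stayed inside its specified limits
    reached_defined_state: bool = True                 # maintained or achieved a detectable, defined state
    time_to_defined_state_s: Optional[float] = None    # after onset of the disturbance; None if never reached
    state_as_predefined: bool = True                   # the observed state is the one pre-defined in the ERS
    component_destroyed: bool = False
    self_recovered: bool = False                       # resumed normal operation without operator action
    recovery_time_s: Optional[float] = None            # to be documented for criterion B


def normal_criterion(obs: Observation) -> str:
    """Generic criterion as used in 'normal' EMC tests: A, B or C."""
    if obs.within_limits:
        return "A"
    return "B" if obs.self_recovered else "C"


def evaluate_ds(obs: Observation, max_time_s: float) -> Tuple[bool, str, List[str]]:
    """Apply criterion DS; returns (verdict, normal criterion, findings).

    Findings are the items Table 4 requires to be documented or assessed;
    they are not failures by themselves.
    """
    crit = normal_criterion(obs)
    findings: List[str] = []

    if not obs.safety_related:
        # Functions not intended for safety may be disturbed temporarily or permanently.
        return True, crit, ["not a safety function: DS not applied"]
    if crit == "A":
        return True, crit, findings                     # criterion A is always acceptable

    # The function left its limits: acceptable only if the EUT maintained or
    # achieved a detectable, defined state within the specified time ...
    if not obs.reached_defined_state or obs.time_to_defined_state_s is None:
        return False, crit, ["no defined state reached"]
    if obs.time_to_defined_state_s > max_time_s:
        return False, crit, [f"defined state after {obs.time_to_defined_state_s} s, limit {max_time_s} s"]
    # ... and that state is the pre-defined behaviour (Table 4).
    if not obs.state_as_predefined:
        return False, crit, ["observed state is not the pre-defined behaviour"]
    # Component destruction is permissible on the same condition; it is recorded.
    if obs.component_destroyed:
        findings.append("component destroyed: record in test report")
    if crit == "B":
        if obs.recovery_time_s is None:
            return False, crit, ["criterion B: recovery time not documented"]
        findings.append(f"recovery time {obs.recovery_time_s} s documented")
    # Table 4: the potential for B/C behaviour to disable the safety function shall be assessed.
    findings.append("assess whether this behaviour could disable the safety function")
    return True, crit, findings


def assess_report(observations: List[Observation], max_time_s: float) -> Dict[str, Tuple[bool, str, List[str]]]:
    """Verdict per function and disturbance, keyed 'function@disturbance'."""
    return {f"{o.function}@{o.disturbance}": evaluate_ds(o, max_time_s) for o in observations}


# Constructed observations from a hypothetical test campaign; not real data.
SAMPLE_OBSERVATIONS = [
    Observation("trip output", "ESD 8 kV", True, within_limits=True),
    Observation("trip output", "surge 2 kV", True, within_limits=False,
                time_to_defined_state_s=0.2, self_recovered=True, recovery_time_s=1.5),
    Observation("trip output", "EFT 4 kV", True, within_limits=False,
                time_to_defined_state_s=0.1, self_recovered=True),        # recovery time not documented
    Observation("speed monitor", "RF 10 V/m", True, within_limits=False,
                time_to_defined_state_s=0.9),                             # defined state reached too late
    Observation("comms watchdog", "surge 4 kV", True, within_limits=False,
                time_to_defined_state_s=0.1, component_destroyed=True),
    Observation("HMI display", "RF 10 V/m", False, within_limits=False,
                reached_defined_state=False),                             # not a safety function
]

if __name__ == "__main__":
    for key, (ok, crit, notes) in assess_report(SAMPLE_OBSERVATIONS, max_time_s=0.5).items():
        print(f"{key:28s} {'PASS' if ok else 'FAIL'}  ({crit})  {'; '.join(notes)}")
```

The time limit passed to `assess_report` is the "specified time" of the DS definition and comes from the ERS; the example uses 0.5 s only because the constructed observations were written against that value.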
Test philosophy for safety-related systems
The safety-related system is designed with specific intended functions and potential safe states Immunity tests are conducted to verify that the system operates in accordance with the specified requirements outlined in the E/E/PE system safety requirements specification.
Functional safety performance criteria establish extra requirements for safety-related systems Normal EMC tests are evaluated within their specified limits, while EMC safety tests are assessed independently.
Figure C.1 illustrates the application of the relevant performance criteria for functions of safety-related systems in more detail by showing which effects due to specific electromagnetic disturbances are allowed
System testing should be performed at the highest practicable level of assembly, if necessary using appropriate on-site or in-situ test methods
Assessing safety-related functions and normal functions of a system can be challenging When it is impractical to conduct separate EMC tests for these functions, combining the tests for both types is an acceptable solution.
9 EMC testing with regard to functional safety
Electromagnetic test types and electromagnetic test levels with regard to functional safety
Verification of the specified electromagnetic characteristics by testing alone is often not practicable. EMC testing with regard to functional safety therefore needs the following specific considerations.
The functional immunity tests in product or generic standards do not cover all electromagnetic phenomena (see Table A.1). In addition, high-level electromagnetic disturbances that were not taken into account may create a safety risk.
Disturbances not addressed in the applicable product or generic standards shall therefore be assessed. If they are found to be relevant, their effects shall be analysed and appropriate tests carried out.
The immunity test levels specified in EMC product or generic standards relate to the disturbance levels of normal environments.
For functional safety, the system designer shall define the test levels from the maximum electromagnetic disturbance levels expected in the intended operational environment. Product committees or manufacturers shall define tests and levels on the basis of the highest disturbances likely to occur in the most probable installation settings, as described in IEC 61000-6-7.
Where possible, that is, where experience or knowledge of the environment is sufficient, it is recommended to take the statistical distribution of the disturbance levels into consideration.
The functional immunity test levels may have to be adjusted on the basis of the electromagnetic environment assessment. General recommendations for such adjustment are difficult to give because many factors, including uncertainty, have an influence; the test levels shall therefore be determined case by case, and may differ depending on the electromagnetic phenomenon and on how often it occurs. In some cases a higher test level has to be specified.
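The following added example (not part of IEC 61000-1-2 and not any laboratory's tooling) works through the steps above together with the equipment-adequacy decision of clause 6: the environment level is taken from the statistical distribution of constructed survey readings, raised by the combined test uncertainty and a safety margin, mapped onto the next standard test level, and then checked against what the available generator can provide, so that the outcome is either a test with a stated margin over the environment, a request for suitable equipment, or the attenuation that system-level mitigation must supply before the equipment can be tested with what is available. The survey readings, emitter and laboratory data are constructed; the 99th percentile, the root-sum-square combination of uncertainties and the 3 dB margin are choices made here; the 1/3/10/30 V/m ladder is the commonly published IEC 61000-4-3 level set and should be checked against the edition in force.

```python
"""Plan a radiated-immunity test from an environment assessment.

Added example; it is not part of IEC 61000-1-2 and not any laboratory's
tooling.  Assumptions made here: the survey samples, emitter and laboratory
data are constructed; the 99th percentile, the root-sum-square combination
of uncertainties and the 3 dB safety margin are illustrative choices; the
1/3/10/30 V/m ladder is the commonly published IEC 61000-4-3 level set.
"""
import math
from typing import Dict, List, Sequence

# IEC 61000-4-3 test levels 1..4 in V/m; anything above is level X.
STANDARD_LEVELS_V_PER_M = [1.0, 3.0, 10.0, 30.0]

# Constructed 24 hourly field-strength readings (V/m) from a survey at the
# location of interest.  Not measured data.
SURVEY_V_PER_M = [0.8, 0.9, 1.1, 1.0, 1.3, 2.4, 2.9, 3.1, 2.2, 1.6, 1.2, 0.9,
                  0.7, 0.8, 1.0, 1.5, 2.8, 3.3, 3.6, 2.5, 1.9, 1.4, 1.0, 0.9]

# Dominant emitter identified by the electromagnetic analysis (constructed).
EMITTER = {"f_hz": 900e6, "modulation": "AM 1 kHz 80 %"}


def percentile(values: Sequence[float], p: float) -> float:
    """Linear-interpolated p-th percentile (0..100), no numpy needed."""
    s = sorted(values)
    if not s:
        raise ValueError("no samples")
    k = (len(s) - 1) * p / 100.0
    lo, hi = math.floor(k), math.ceil(k)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def to_db(ratio: float) -> float:
    return 20.0 * math.log10(ratio)


def from_db(x_db: float) -> float:
    return 10.0 ** (x_db / 20.0)


def required_level(samples, p=99.0, survey_u_db=2.0, test_u_db=2.0, margin_db=3.0):
    """Environment level at the p-th percentile, raised by the combined
    uncertainty (root-sum-square, an assumption) plus a safety margin."""
    env = percentile(samples, p)
    combined_u_db = math.hypot(survey_u_db, test_u_db)
    return env, env * from_db(combined_u_db + margin_db)


def plan_radiated_test(samples, emitter, equipment, **kw) -> Dict[str, object]:
    """Choose the test level and decide how the test can be carried out."""
    env, required = required_level(samples, **kw)
    standard = next((lvl for lvl in STANDARD_LEVELS_V_PER_M if lvl >= required), None)
    applied = standard if standard is not None else float(math.ceil(required))  # level X

    # Parameters the available generator cannot provide.  Repetition rate
    # would be checked the same way for transient tests.
    missing: List[str] = []
    if equipment["max_v_per_m"] < applied:
        missing.append("amplitude")
    if not equipment["f_min_hz"] <= emitter["f_hz"] <= equipment["f_max_hz"]:
        missing.append("frequency")
    if emitter["modulation"] not in equipment["modulations"]:
        missing.append("modulation")

    plan = {"environment_v_per_m": round(env, 2), "required_v_per_m": round(required, 2),
            "applied_v_per_m": applied, "missing_parameters": missing}
    if not missing:
        plan["action"] = "test"
        # Margin of the applied level over the assessed environment.  The
        # margin to failure itself is found by stepping the level up until
        # the EUT leaves its defined state; the SSRS/ERS records that figure.
        plan["margin_over_environment_db"] = round(to_db(applied / env), 1)
    elif missing == ["amplitude"]:
        # Only the level is short: system-level mitigation (shielded rack,
        # filters) can bring the equipment's required level within range.
        plan["action"] = "mitigate_or_obtain_equipment"
        plan["mitigation_needed_db"] = math.ceil(to_db(applied / equipment["max_v_per_m"]))
    else:
        plan["action"] = "obtain_equipment"
    return plan


if __name__ == "__main__":
    lab = {"max_v_per_m": 10.0, "f_min_hz": 80e6, "f_max_hz": 1e9, "modulations": {"AM 1 kHz 80 %"}}
    print(plan_radiated_test(SURVEY_V_PER_M, EMITTER, lab))
```

With the constructed readings the 99th percentile is about 3.5 V/m, the uncertainty and margin raise the requirement to about 6.9 V/m, and the next standard level is 10 V/m; a generator limited to 3 V/m at the emitter's frequency therefore needs about 11 dB of system-level attenuation before the equipment can be tested with it, whereas a generator that does not reach 900 MHz cannot be helped by shielding and must be replaced.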
For equipment or systems with specific safety-related parts, three series of tests may be considered:
• a series of tests for system parts not relevant for safety;
• a series of tests for system parts relevant for safety;
• a series of tests for complete safety-related systems where practical.
Determination of test methods with regard to functional safety
Selecting tests for safety-related systems is challenging due to the diverse equipment and environmental conditions involved It is essential to consider all identified electromagnetic phenomena in the surrounding environment, including both external factors and internal processes within the installation The chosen tests must accurately reflect and simulate the impact of these electromagnetic phenomena on the system and its components.
In certain situations, it may not be feasible to test an entire safety-related system, leading to the necessity of conducting tests on individual components separately These tests are designed to ensure that the effects of electromagnetic phenomena on the individual equipment accurately reflect their impact on the overall safety-related system.
When selecting a test method for an immunity test, it is essential to evaluate and consider the test uncertainty in relation to both the performance of the test and the relevant immunity test parameters.
To determine the appropriate test methods, one can utilize standardized test methods, such as the basic immunity test standards outlined in the IEC 61000-4 series, or consider other relevant standards.
Electromagnetic phenomena such as electrical fast transients and electrostatic discharges occur in typical installations and shall be considered. Particular conditions at an installation, such as strong power-frequency magnetic fields or an unstable power supply, may introduce further phenomena. These phenomena have been studied extensively, and standardized test methods to assess their effects on equipment have been developed in the IEC 61000-4 series, together with experience on test performance and on the parameters needed to represent the disturbances realistically.
Standardized test methods such as those of the IEC 61000-4 series cover a broad range of electromagnetic phenomena. Where the phenomena encountered in a particular installation differ from those covered by the standardized tests, the differences between the actual phenomena and the standardized test definitions should be evaluated; an appropriately adapted standardized test method can still be relevant.
For immunity to power-frequency magnetic fields, for example, the test methods of IEC 61000-4-8 apply and address mainly 50 Hz and 60 Hz fields. If the assessment of the electromagnetic environment shows significant harmonics, the basic test method of that standard can also be used to assess immunity to magnetic fields at the harmonic frequencies. There may also be electromagnetic phenomena that are not addressed by existing standards or by variants of them.
In some particular installations electromagnetic phenomena occur which are neither covered by standardized test methods, such as the basic immunity test standards of the