Risk-Based EMC and EM Resilience: Necessities for Safe and Reliable

Electronic Systems!Prof. D. Pissoort, M-Group, KU Leuven

Before we start…

Clear definitions make good friends…

Electromagnetic environment = totality of electromagnetic phenomena

existing at a given location

Electromagnetic disturbance = electromagnetic phenomenon that can degrade

the performance of a device, equipment or system, or adversely affect living or inert

matter

Electromagnetic interference = degradation in the performance of equipment or transmission channel or a system caused by

an electromagnetic disturbance

Cause

Effect

“The reason why something happens”

“What happens because of the cause”

EM Disturbance

EM Interference

How do we often deal with EMC?

(Harmonized) standards And a lot of testing…

But does it really solve all problems in practice?

Medical Devices Failures due to EMI

Medical Devices Failures due to EMI

Dream vs Reality

The Exploding Testplan

Risk-Based EMC

Risk-Based EMC• Follows a thorough systems-engineering approach

• Assessment of:

• the expected actual EM environment

• immunity and emission characteristics of equipment

• Then: Implement necessary measures (incl. non-technical)

• Some parts/equipment will be hardened more, some others less compared to the “rule-based EMC-approach”

Risk-Based EMC

• EMC Management (what, when, who)

• EMC Control (risk management)

• EMC Implementation (how)

• EMC Verification (check)

Risk-Based EMC

The electronic applications of the very near future

Autonomous Vehicles

Vehicle-to-X Communication

• Car-to-car

• Car-to-infrastructure

• Car-to-pedestrian

• Etc.

• Robust wireless communication (5G) is key element!

Industry 4.0 - Smart Manufacturing

Industry 4.0 - Smart Manufacturing

Medical & Healthcare

A short introduction to Functional Safety

Functional Safety = the part of the overall safety that depends on an (electronic/electrical)

system or equipment operating correctly in response to its inputs.

Functional Safety ensures that errors, malfunctions or faults do not cause unacceptable

safety risks to people or the environment

!This includes errors, malfunction or faults

caused by EM disturbances, i.e. EMI

!

Functional Safety ensures that errors, malfunctions or faults do not cause unacceptable

safety risks to people or the environment

Functional Safety Standards

IEC 61508 Fundamental

Safety Standard

ISO 26262

ISO 61511

ISO 62061

ISO 5012x

ISO 61513

ISO 10128

ISO 15998

ISO 25119ISO 60601

From Cradle to Grave

VSafety Requirements Released Product

Risk Reduction Techniques & Measures

Risk & Hazard

Identification and

Analysis

Verifi

catio

n &

Valid

atio

n

Risk Reduction Techniques & Measures

The Hazards

!

Equipment under control

Safety-Related Systems

External Safety Measures

Emergency Responses

Safety-Related Systemsmust comply with IEC 61508

Nothing Can Be Made “100% Safe”Unacceptable risk

Probability of death: 10-3 (worker), 10-4 (public)

Broadly acceptable risk

Probability of death: 10-6 (all) 1 in a million, per person, per year

Risk

Risk reduction until cost of further reduction is grossly disproportionate (10x) to the value of the lives saved

Tolerable region

Original risk

Risk Reduction A

Risk Reduction B

Risk Reduction C

Residual risk

Safety Integrity = probability of a safety-related system satisfactorily performing the

specified safety functions under all the stated conditions within a stated period of time

Safety Integrity Level (SIL) = discrete level (one out of a possible four), corresponding to a range of safety integrity values, where safety integrity level 4 has the highest level of safety integrity

and safety integrity level 1 has the lowest

Safety Integrity Level (SIL)

Safety Integrity Level (SIL)

Safety Integrity

Level (SIL)

Average probability of a

dangerous failure, “on demand”

or “in a year*”

Equivalent mean time to

dangerous failure,

in years*

Equivalent confidence factor required for each “demand” on the

function

4 ³10-5 to <10-4 >104 to £105 99.99 to 99.999%

3 ³10-4 to <10-3 >103 to £104 99.9 to 99.99%

2 ³10-3 to <10-2 >102 to £103 99% to 99.9%

1 ³10-2 to <10-1 >10 to £102 90 to 99%

* Approximating 1 year = 104 hrs of operation

Safety Integrity Levels (SIL)

Safety Integrity

Level (SIL)

Average dangerous

failure rate, per hour

Equivalent mean time to

dangerous failure, in hours

Equivalent confidence factor required for every

10,000 hours of continuous operation

4 ³10-9 to <10-8 >108 to £109 99.99 to 99.999%

3 ³10-8 to <10-7 >107 to £108 99.9 to 99.99%

2 ³10-7 to <10-6 >106 to £107 99% to 99.9%

1 ³10-6 to <10-5 >104 to £105 90 to 99%

What does IEC 61508 mention about EMI?

Unfortunately, often safety practitioners and safety assessors misinterpret this as:

“if it is CE marked, it has been tested for EMC and, hence, no EMI can happen”

But Remember…

But Remember…

But Remember…

But Remember…

But Remember…

Approved for publication as a full

IEEE Standard in 2020: ‘IEEE Std

1848:2020’

Electromagnetic resilience?

Electromagnetic resilience?

–Erik Hollnagel, author of the book “Resilience Engineering”

“A system is resilient if it can adjust its functioning prior to, during, or following events (changes, disturbances, and opportunities), and

thereby sustain required operations under both expected and unexpected conditions.”

Resilience of a safety-related system = the ability of the system to remain acceptably

safe despite unforeseeable events

Electromagnetic resilience is the term given to the new functional safety risk-management

discipline that describes how to use techniques and measures to manage functional safety risks

as regards of electromagnetic disturbances

IEEE 1848’s EM Resilience Approach

EM ResilienceRisk-Based EMC

So for me…

Think of EM Resilience like this• Application of Risk-Based EMC ensures (in a cost-effective way) that most EM

disturbances don’t cause actual EMI

• But extreme, unusual, unforeseen EM disturbances and/or degradations in EM mitigations mean that EMI can still occur during the full lifetime

• EM Resilience means additional techniques & measures to:

• Detect EMI-induced errors, malfunctions, or faults in signals, data, control,…

• Correct these errors so that operation continues safely-enough, perhaps with some functional degradation

• Or switch the system into a safe / minimum risk state

IEEE 1848 lists EM Resilience T&Ms for …• Project management, planning and specification

• System design

• Operational design

• Implementation, integration, installation and commissioning

• Verification and validation (including testing)

• Operation, maintenance, repair, overhaul, refurbishment, upgrade

• Maintaining EM resilience during decommissioning

• Integrating third-party items (e.g. COTS) into safety-related systems

Example: Diverse Redundancy• A commonly used technique in a safety-related system is hardware

redundancy

• This means using different parallel channels to send the same data or perform the same operation

• At the end, a majority voter will decide on the final outcome

• However, EMI will likely affect all redundant channels in the same way and, hence, the majority voter will make the “wrong” decision

• So, we need electromagnetically diverse redundant systems…

Thank you! Comments or Questions?