Risk-Based EMC and EM Resilience: Necessities for Safe and Reliable Electronic Systems
Prof. D. Pissoort, M-Group, KU Leuven
Before we start…
Clear definitions make good friends…
Electromagnetic environment = totality of electromagnetic phenomena existing at a given location
Electromagnetic disturbance = electromagnetic phenomenon that can degrade the performance of a device, equipment or system, or adversely affect living or inert matter
Electromagnetic interference = degradation in the performance of equipment or transmission channel or a system caused by an electromagnetic disturbance
Cause: EM Disturbance (“the reason why something happens”)
Effect: EM Interference (“what happens because of the cause”)
How do we often deal with EMC?
(Harmonized) standards and a lot of testing…
But does it really solve all problems in practice?
Medical Devices Failures due to EMI
Dream vs Reality
The Exploding Testplan
Risk-Based EMC
Risk-Based EMC
• Follows a thorough systems-engineering approach
• Assessment of:
• the expected actual EM environment
• immunity and emission characteristics of equipment
• Then: Implement necessary measures (incl. non-technical)
• Some parts/equipment will be hardened more, others less, compared to the “rule-based” EMC approach
Risk-Based EMC
• EMC Management (what, when, who)
• EMC Control (risk management)
• EMC Implementation (how)
• EMC Verification (check)
Risk-Based EMC
The electronic applications of the very near future
Autonomous Vehicles
Vehicle-to-X Communication
• Car-to-car
• Car-to-infrastructure
• Car-to-pedestrian
• Etc.
• Robust wireless communication (5G) is key element!
Industry 4.0 - Smart Manufacturing
Medical & Healthcare
A short introduction to Functional Safety
Functional Safety = the part of the overall safety that depends on an (electronic/electrical) system or equipment operating correctly in response to its inputs.
Functional Safety ensures that errors, malfunctions or faults do not cause unacceptable safety risks to people or the environment.
! This includes errors, malfunctions or faults caused by EM disturbances, i.e. EMI !
Functional Safety Standards
IEC 61508: Fundamental Safety Standard
• ISO 26262
• ISO 61511
• ISO 62061
• ISO 5012x
• ISO 61513
• ISO 10128
• ISO 15998
• ISO 25119
• ISO 60601
From Cradle to Grave
(Figure: safety lifecycle V-model: Risk & Hazard Identification and Analysis, Safety Requirements, Risk Reduction Techniques & Measures, Verification & Validation, Released Product)
The Hazards
• Equipment under control
• Safety-Related Systems (must comply with IEC 61508)
• External Safety Measures
• Emergency Responses
Nothing Can Be Made “100% Safe”
• Unacceptable risk: probability of death 10^-3 (worker), 10^-4 (public)
• Broadly acceptable risk: probability of death 10^-6 (all), i.e. 1 in a million, per person, per year
• Tolerable region: risk reduction until the cost of further reduction is grossly disproportionate (10x) to the value of the lives saved
(Figure: original risk reduced in steps A, B and C down to the residual risk)
Safety Integrity = probability of a safety-related system satisfactorily performing the specified safety functions under all the stated conditions within a stated period of time
Safety Integrity Level (SIL) = discrete level (one out of a possible four), corresponding to a range of safety integrity values, where safety integrity level 4 has the highest level of safety integrity and safety integrity level 1 has the lowest
Safety Integrity Level (SIL)
SIL | Average probability of a dangerous failure, “on demand” or “in a year*” | Equivalent mean time to dangerous failure, in years* | Equivalent confidence factor required for each “demand” on the function
4 | ≥10^-5 to <10^-4 | >10^4 to ≤10^5 | 99.99 to 99.999%
3 | ≥10^-4 to <10^-3 | >10^3 to ≤10^4 | 99.9 to 99.99%
2 | ≥10^-3 to <10^-2 | >10^2 to ≤10^3 | 99% to 99.9%
1 | ≥10^-2 to <10^-1 | >10 to ≤10^2 | 90 to 99%
* Approximating 1 year = 10^4 hrs of operation
Safety Integrity Levels (SIL)
SIL | Average dangerous failure rate, per hour | Equivalent mean time to dangerous failure, in hours | Equivalent confidence factor required for every 10,000 hours of continuous operation
4 | ≥10^-9 to <10^-8 | >10^8 to ≤10^9 | 99.99 to 99.999%
3 | ≥10^-8 to <10^-7 | >10^7 to ≤10^8 | 99.9 to 99.99%
2 | ≥10^-7 to <10^-6 | >10^6 to ≤10^7 | 99% to 99.9%
1 | ≥10^-6 to <10^-5 | >10^4 to ≤10^5 | 90 to 99%
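Added example (not code from the talk, and not from IEC 61508 itself): the two SIL tables above written out as a small Python classifier. To give the tables something to classify, it also uses the single-channel (1oo1) low-demand approximation PFDavg ≈ λ_DU · T_proof / 2 from IEC 61508, which is assumed here and does not appear on the slides; the names `lambda_du_per_hour`, `proof_test_interval_hours`, `assess` and the sample failure rate are constructed for this illustration. The point it demonstrates is that one and the same dangerous failure rate can land in different SIL bands depending on whether the safety function is judged on demand or in continuous operation, and that the proof-test interval moves the low-demand result.

```python
HOURS_PER_YEAR = 1e4   # the slides' approximation: 1 year ~ 10^4 hours of operation

# SIL bands taken from the two tables: (SIL, lower bound inclusive, upper bound exclusive)
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]   # "on demand"
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]   # per hour


def _band(value, bands):
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    return None   # worse than SIL 1 or beyond SIL 4: outside the IEC 61508 bands


def sil_low_demand(pfd_avg):
    """SIL from the average probability of dangerous failure on demand (first table)."""
    return _band(pfd_avg, PFD_BANDS)


def sil_continuous(pfh):
    """SIL from the average dangerous failure rate per hour (second table)."""
    return _band(pfh, PFH_BANDS)


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours):
    """Assumed single-channel approximation (IEC 61508 simplified equation,
    not shown on the slides): PFDavg ~ lambda_DU * T_proof / 2."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


def mttf_years(lambda_du_per_hour):
    """Equivalent mean time to dangerous failure in years (the tables' MTTF column)."""
    return 1.0 / (lambda_du_per_hour * HOURS_PER_YEAR)


def confidence(probability_of_dangerous_failure):
    """The tables' 'equivalent confidence factor' column: 1 - probability of dangerous failure."""
    return 1.0 - probability_of_dangerous_failure


def assess(lambda_du_per_hour, proof_test_interval_hours):
    """Classify one piece of hardware in both modes of operation."""
    pfd = pfd_avg_1oo1(lambda_du_per_hour, proof_test_interval_hours)
    return {
        "pfd_avg": pfd,
        "sil_low_demand": sil_low_demand(pfd),
        "sil_continuous": sil_continuous(lambda_du_per_hour),
        "mttf_years": mttf_years(lambda_du_per_hour),
        "confidence_per_demand": confidence(pfd),
    }


if __name__ == "__main__":
    # Constructed sample: lambda_DU = 1e-8 per hour, proof-tested yearly and every five years
    for interval in (1 * HOURS_PER_YEAR, 5 * HOURS_PER_YEAR):
        print(interval, assess(1e-8, interval))
```

With the constructed rate of 1e-8 dangerous failures per hour, the continuous-mode table gives SIL 3, while the same channel proof-tested yearly reaches SIL 4 on demand and drops back to SIL 3 when the proof-test interval is stretched to five years. Values below the SIL 1 band or beyond SIL 4 return `None` rather than being rounded into a neighbouring level.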
What does IEC 61508 mention about EMI?
Unfortunately, safety practitioners and safety assessors often misinterpret this as:
“if it is CE marked, it has been tested for EMC and, hence, no EMI can happen”
But Remember…
Approved for publication as a full IEEE Standard in 2020: ‘IEEE Std 1848:2020’
Electromagnetic resilience?
“A system is resilient if it can adjust its functioning prior to, during, or following events (changes, disturbances, and opportunities), and thereby sustain required operations under both expected and unexpected conditions.”
– Erik Hollnagel, author of the book “Resilience Engineering”
Resilience of a safety-related system = the ability of the system to remain acceptably safe despite unforeseeable events
Electromagnetic resilience is the term given to the new functional-safety risk-management discipline that describes how to use techniques and measures to manage functional-safety risks with regard to electromagnetic disturbances
IEEE 1848’s EM Resilience Approach
(Figure: EM Resilience and Risk-Based EMC)
So for me…
Think of EM Resilience like this
• Application of Risk-Based EMC ensures (in a cost-effective way) that most EM disturbances don’t cause actual EMI
• But extreme, unusual, unforeseen EM disturbances and/or degradations in EM mitigations mean that EMI can still occur during the full lifetime
• EM Resilience means additional techniques & measures to:
• Detect EMI-induced errors, malfunctions, or faults in signals, data, control,…
• Correct these errors so that operation continues safely-enough, perhaps with some functional degradation
• Or switch the system into a safe / minimum risk state
IEEE 1848 lists EM Resilience T&Ms for …
• Project management, planning and specification
• System design
• Operational design
• Implementation, integration, installation and commissioning
• Verification and validation (including testing)
• Operation, maintenance, repair, overhaul, refurbishment, upgrade
• Maintaining EM resilience during decommissioning
• Integrating third-party items (e.g. COTS) into safety-related systems
Example: Diverse Redundancy
• A commonly used technique in a safety-related system is hardware redundancy
• This means using different parallel channels to send the same data or perform the same operation
• At the end, a majority voter will decide on the final outcome
• However, EMI will likely affect all redundant channels in the same way and, hence, the majority voter will make the “wrong” decision
• So, we need electromagnetically diverse redundant systems…
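To make the last point concrete, here is an added Python illustration (not code from the talk or from IEEE 1848) of a 2-out-of-3 majority voter. Three channels carry the same 16-bit value; a common-mode disturbance is modelled as the same XOR bit-flip mask applied to every channel’s transmitted word. With identical channels the voter sees three agreeing but wrong readings and passes them on as valid. With channels that are diverse in how they encode the value (the plain, bit-rotated and Gray-coded encodings used here are constructed for the demo, as are the value 0x1234 and the mask 0x0400), the same physical disturbance decodes to three different logical values, so the voter finds no majority and can switch the system to its safe state instead of acting on corrupted data.

```python
WIDTH = 16
MASK = (1 << WIDTH) - 1


def identity(x):
    return x


def rotl(x, n):
    return ((x << n) | (x >> (WIDTH - n))) & MASK


def rotr(x, n):
    return ((x >> n) | (x << (WIDTH - n))) & MASK


def gray_encode(v):
    return v ^ (v >> 1)


def gray_decode(g):
    # Prefix-XOR inverse of the reflected Gray code for WIDTH bits.
    v = g
    shift = 1
    while shift < WIDTH:
        v ^= v >> shift
        shift <<= 1
    return v & MASK


# Each channel is an (encode, decode) pair applied before/after the "wire".
IDENTICAL_CHANNELS = [(identity, identity)] * 3
DIVERSE_CHANNELS = [
    (identity, identity),                              # plain binary
    (lambda v: rotl(v, 5), lambda r: rotr(r, 5)),      # bit-rotated (constructed diversity)
    (gray_encode, gray_decode),                        # Gray-coded (constructed diversity)
]


def receive(value, channels, masks):
    """Decoded readings after each channel's wire is hit by its XOR mask."""
    return [dec((enc(value) ^ m) & MASK) for (enc, dec), m in zip(channels, masks)]


def vote_2oo3(readings):
    """Majority voter: (value, status). No majority means go to the safe state."""
    a, b, c = readings
    if a == b == c:
        return a, "agreed"
    if a == b or a == c:
        return a, "outvoted"
    if b == c:
        return b, "outvoted"
    return None, "no_majority"


def run(value, channels, masks):
    return vote_2oo3(receive(value, channels, masks))


# Constructed disturbances: one bit flipped on every wire (common mode), or on one wire only.
COMMON_MODE = [0x0400] * 3
SINGLE_CHANNEL = [0x0400, 0, 0]

if __name__ == "__main__":
    for name, channels in (("identical", IDENTICAL_CHANNELS), ("diverse", DIVERSE_CHANNELS)):
        print(name, "common-mode EMI:   ", run(0x1234, channels, COMMON_MODE))
        print(name, "single-channel EMI:", run(0x1234, channels, SINGLE_CHANNEL))
```

Note what diversity buys here: detection, not correction. After a common-mode hit none of the three diverse channels still holds the true value, so the “no majority” outcome only helps if the system has a safe or minimum-risk state to fall into, which is exactly why the slides pair detection with a safe-state reaction. Independent single-channel faults are still out-voted as usual in both configurations.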
Thank you! Comments or Questions?