Drive-by-Wire and Functional Safety Considerations
Dr. William Radasky, Metatech Corporation, Goleta, CA
Introduction
Over the past few months there have been hearings in the U.S. Congress concerning the safety of automobiles, with emphasis on mechanical failures and repairs. Questions have also been raised more generally about the rapid replacement of mechanical subsystems in automobiles with electronic ones (drive by wire). While this author does not wish to predict whether the current discussion regarding one car manufacturer involves an electronics failure or not, it is clear that automobiles and other types of consumer equipment will continually see more computer additions in the future. One major question has arisen: whether these new computerized systems are safe, and whether they are safer than the mechanical subsystems they are replacing. A further question of interest to this author, and hopefully to the readers of this magazine, is whether there are any electromagnetic disturbance aspects to this problem.

In the recent past there have been examples of electronic controls malfunctioning due to electromagnetic influences:
1) Early automobile computer ignition systems were disabled by fast transients produced near high voltage power lines;
2) Slot machines in gambling casinos occasionally paid off due to the use of walkie-talkies by security personnel;
3) Security access systems opened doors without a key-card due to electrostatic discharge near the opening relay;
4) Some of the early pacemakers malfunctioned when the patient put their cell phone in their pocket and a call was received;
5) A gas stove in New York City turned on due to a cellular phone placed on the top of the stove that received an incoming call.
The gas stove malfunction was repeatable and well documented: the effect occurred for one stove manufacturer, but with several different cellular phones. The phone effect was tested and replicated for other owners of this gas stove in the New York apartment building. This is a clear case where mechanical buttons and switches have been replaced by a computer system that sends a signal down a wire to turn on the broiler. Clearly the transmitting cellular phone was able to couple EM fields to the “computer” that either generated a turn-on order, or possibly a voltage was coupled to a wire that created a false turn-on signal. According to the New York Times, the manufacturer had never heard of this problem before, although the repair technician was quoted as saying that a suppressor would possibly eliminate the problem.
While it is hoped that these types of problems are not widespread, there is a danger that impacts due to electromagnetics are very difficult for the general public, and even for engineers not trained in electromagnetics, to recognize. Typically there is no sign of the effect in the diagnostics of the equipment, so forensics is nearly impossible. In the case of the gas stove in New York City, this effect was discovered because it happened while someone was present. If the cellular phone had been laid down and the person had left the room when the call came in, this malfunction might not have been discovered at all.

This brings us to the purpose of this article and the question at hand. How can we achieve functional safety and, in particular, what should be done concerning electromagnetic influences?
History of Functional Safety and Electromagnetic Influences
The International Electrotechnical Commission (IEC) began its development of standards dealing with functional safety in the 1990s, due to the increased involvement of computers in our daily lives and their potential impact on safety. The early work was difficult due to the rapid changes in electronics and how safety aspects of equipment and systems were evaluated in a technical sense at that time. The latest versions of the IEC 61508 series of functional safety standards were published in 2007.

In the late 1990s, the then Chairman of TC 77 (EMC), Georges Goldberg of Switzerland, started an effort within TC 77 to examine the issue of functional safety with regard to EM influences. In fact, he was the convenor of the working group that developed the first edition of IEC 61000-1-2. This writer had the privilege of being a member of the working group which developed the document; this effort was very difficult as we were trying to work in parallel with the update to IEC 61508, to ensure that we were fully compatible with their terminology and their overall approach. In the end, we were not completely successful, so the first edition became a technical report instead of a standard.

In 2003, it was decided by IEC TC 77 that IEC 61000-1-2 should be updated due to the completion of the major changes in IEC 61508 and in recognition that the EM environment was changing. This work began in early 2004 under the convenorship of Dr. Bernd Jaekel of Germany, and this writer has represented the U.S. as one of two members on TC 77/MT 15 (with Dr. Ray Turk).

Since IEC 61000-1-2 Ed. 2 has been published, there has been an effort to publicize this document through articles such as this one and through workshops at technical conferences throughout the world. Over the last two years, Keith Armstrong of England, Jacques Delaballe of France and this author have presented workshops and tutorials at two annual IEEE PSES Conferences and at EMV in Germany in 2010. A workshop is also planned for the Asia-Pacific EMC Conference in April in Beijing, China.
Features of 61000-1-2 Ed. 2
IEC/TS 61000-1-2, Edition 2 was published in November 2008 and titled, “Electromagnetic Compatibility (EMC) – Part 1-2: General – Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena.” This publication is a “Basic Safety Publication,” which is a new designation due to a recent change of the rules in the IEC regarding basic publications. Publications can only be designated as a basic safety or a basic EMC publication, but not both.

There were several big changes from Edition 1 of this publication. For example, the reliance on higher-level (compared to EMC levels) electromagnetic testing to assure functional safety was reduced, with more emphasis on variations in testing and on life-cycle design aspects; this will be discussed a bit more later in this article. The second big change was to completely align the publication with the newly published series of functional safety standards in the IEC. These are published as IEC 61508 (all parts), “Functional safety of electrical/electronic/programmable electronic safety-related systems.” The next significant change was to expand the discussion of how to survey the electromagnetic environments that would be present during the operation of the equipment, and lastly to eliminate specific examples involving fault tree analysis in favor of referencing the appropriate publications dealing with these types of evaluations.
Scope of IEC 61000-1-2, Ed. 2
In the introduction of the publication, the main problem is identified. “The function of electrical or electronic systems should not be affected by external influences in a way that could lead to an unacceptable risk of harm to the users, other persons, animals or property. A comprehensive safety analysis should consider various factors of climatic, mechanical, electrical nature and reasonably foreseeable misuse. Electromagnetic disturbances are present in most environments and should therefore be considered during such an analysis. The purpose of this document is to provide guidance relating to the achievement of functional safety of electrical or electronics systems exposed to electromagnetic disturbances.”

It is important to note that IEC 61000-1-2 is fully coordinated with the IEC 61508 series of publications, and those publications are based on a lifecycle model. In the simplest of terms, the equipment or system must remain safe through its intended lifecycle. From an electromagnetics point of view, this means that the developers of a safety-related product must be sure that no safety impacts are created during the entire lifecycle. While those who design products for EMC purposes intend that their product continue to operate over the intended lifetime, conformance testing is generally performed only before the product is placed on the market. In addition, the EMC test levels developed for various products are not expected to cover the highest possible levels of EM environments. It is for this reason that a different approach is required for functional safety and EM influences.

As IEC 61508 does not deal in detail with all types of initiating events, including electromagnetic disturbances, IEC 61000-1-2, Ed. 2 was designed to be complementary. Figure 1 illustrates how this was done in a general way [1].
Figure 1. Relationship between IEC 61000-1-2 and the simplified lifecycle as per IEC 61508 [1]
Topics Covered in IEC 61000-1-2, Ed. 2
This document covers mainly the electromagnetic aspects of functional safety for safety-related systems and equipment, although there is some discussion of the general topic of functional safety as it is a complex subject itself. The main topic areas include:
- Basic concepts of functional safety
- EM steps to achieve and manage functional safety
- How to assess the EM environment
- EM safety planning at the system and equipment level (including design and integration)
- Validation and verification processes to establish EM immunity
- Performance criteria and test philosophy considerations
- Special aspects for testing the immunity of safety-related systems and equipment against EM disturbances
In the rest of this article a few major points will be discussed in more detail. It is strongly suggested that those interested in this subject obtain and read IEC 61000-1-2, Edition 2.
The Electromagnetic Environment
It is important to recognize that the EMC tests and levels designed for the immunity of electronic products have been developed on a technical/economic basis. This means that the electromagnetic environments used to develop compatibility and immunity levels are not in any way the maximum expected EM environments. While this may be reasonable to ensure that equipment works most of the time without malfunction, a different level of performance is required for safety-related systems. Another way to say this is that it is more acceptable for your PC to freeze and lose the updates of a working document than it is for a heart pacemaker to stop working due to a strong electromagnetic signal. For this reason, those responsible for safety-related systems should determine the EM environment that could occur (for each EM phenomenon) and then develop a means to ensure the product can work safely in that environment.

Many readers may be familiar with IEC 61000-2-5, Ed. 1, “Classification of electromagnetic environments,” which was published in 1995. Since this document is more than 15 years old, and the number of mobile transmitters has expanded significantly in the intervening years, this document is under extensive revision. The revision is developing a series of tables that indicate the usual and maximum levels of EM disturbances. It is hoped that this revision will help product committees in their efforts to understand the EM environment for EMC and for EM functional safety. This author is a member of this working group and considers this to be a very high priority within IEC TC 77 for the near future.

Since the IEC 61000-2-5 update will not be completed until 2013, IEC 61000-1-2, Ed. 2 provides a table in an informative annex which estimates the maximum electromagnetic disturbance levels for residential and heavy industry locations.
EMC Testing for Immunity against EM Disturbances for Functional Safety?
There is a very important statement in clause 8.1 of IEC 61000-1-2: “In most cases there is no simple or practicable way to check and to verify by means of testing or measuring that immunity is achieved for the safety-related system in its entirety with respect to other systems, equipment or the external electromagnetic environment for all operating conditions and operating modes.” This is because, for modern electronic equipment and its software, every combination of operating conditions, operational modes and EM phenomena cannot be replicated in a reasonable way and within a reasonable period of time. For example, we know today that with many mobile transmitters operating in the gigahertz range of frequencies, the coupling of EM fields to a circuit board inside a product is so sensitive to geometry that, if one is interested in the maximum coupling for a given field level, the angle of incidence during a test may need to be varied in steps of approximately 1 degree. Normal EMC testing in an anechoic chamber (IEC 61000-4-3) only requires that each side of an EUT be exposed (up to 6 illuminations, if possible).

This is clearly not sufficient if human safety is a consideration. For these reasons and others, normal EMC testing is not sufficient for functional safety applications. It should be noted that this situation does not necessarily lead to more complicated testing for functional safety, but rather to a stronger reliance on the design and management of a series of well-defined processes that demonstrate that immunity has been achieved in accordance with the safety requirements specification (SRS). The details of this approach are too extensive to discuss in this article and can be found in IEC 61000-1-2, Ed. 2.
Considerations on Test Levels, Methods and Performance for Functional Safety
With regard to test levels, it is clear that the testing should be performed up to the maximum level of each phenomenon expected at the location of the safety-related equipment. It is also possible that tests cannot be conducted at the system level, in which case a set of equipment-level tests needs to be performed and the results must be properly “translated” to the system level to determine the overall impact on the system.

When performing immunity tests at the maximum level, it is important that measurement uncertainty be properly considered to ensure that the test levels are actually achieved at the EUT.

While the EMC immunity test methods (IEC 61000-4 series) defined by TC 77 and its subcommittees are available for use, it is important to consider all phenomena for functional safety and not just those that are typically covered by EMC testing. In addition, variants of the EMC test methods should be considered, especially with regard to modulation aspects for radiated fields, burst frequencies of conducted transients, charge voltages for ESD, etc. Table 1 provides some examples that indicate the approach required [1].
Table 1 – Examples of methods to increase the level of confidence for EM functional safety testing [1]

Type of electromagnetic phenomena | Example of standards | Method to increase test severity compared to the requirements in the basic standard
Continuous audio frequency (AF) / radio frequency (RF) | IEC 61000-4-3, IEC 61000-4-6, IEC 61000-4-16, IEC 61000-4-8, IEC 61000-4-13 | Frequency of modulation (e.g. 2 Hz, 400 Hz, 1 kHz); different test set-ups (testing of different combinations of equipment / versions / cabling); type of modulation (for example amplitude-modulated AM, frequency-modulated FM, pulse-modulated PM); different carrier frequencies at the same time
Transient phenomena | IEC 61000-4-4 | Increasing test time (no change in normative parameters); changing repetition frequency of pulses; changing packet length / repetition time of pulses; different test set-ups (testing of different combinations of equipment / versions)
Transient phenomena | IEC 61000-4-12, IEC 61000-4-18 | Different test set-ups (testing of different combinations of equipment / versions); different carrier frequencies at the same time
Transient phenomena | IEC 61000-4-2, IEC 61000-4-5 | Number of pulses; changing repetition rate / time between pulses / phase angle; different test set-ups (testing of different combinations of equipment / versions)

NOTE 1 Some methods may not be applicable to some of the test methods given in the basic standards.
NOTE 2 The parameters mentioned under the methods should only be applied if these parameters of electromagnetic phenomena could really occur in the electromagnetic environment under consideration.
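To put numbers on the clause 8.1 argument above (a 1-degree angular sweep versus six-face exposure) and on the point that measurement uncertainty must be covered when testing at the maximum level, here is an added worked example. It is not code from IEC 61000-1-2, IEC 61000-4-3 or the author; the 1 % frequency step, the 3 s dwell time, the sphere-sampling scheme, the two polarisations per position and the practice of adding the expanded uncertainty U to the set level are all assumptions made for the illustration.

```python
"""
Rough sizing of a radiated-immunity campaign for a safety-related EUT.

Added example; not code from IEC 61000-1-2, IEC 61000-4-3 or the article.
Assumptions, labelled here and below: a logarithmic sweep with 1 % steps
and a fixed dwell time per frequency; illumination positions counted on a
sphere around the EUT at one angular step in azimuth and elevation, two
polarisations each; the expanded measurement uncertainty U (in dB) handled
by raising the applied field so that its lower uncertainty bound still
meets the target. A real test plan uses the laboratory's own values.
"""
import math


def frequency_points(f_start_hz: float, f_stop_hz: float,
                     step_fraction: float = 0.01) -> int:
    """Count the discrete frequencies of a stepped sweep in which each step
    is `step_fraction` of the preceding frequency (1 % assumed here)."""
    n = 0
    f = f_start_hz
    while f <= f_stop_hz:
        n += 1
        f *= 1.0 + step_fraction
    return n


def illumination_positions(angle_step_deg: float) -> int:
    """Number of (azimuth, elevation, polarisation) illuminations needed to
    cover the sphere around the EUT at `angle_step_deg`: azimuth 0..360
    exclusive, elevation -90..+90 inclusive, two polarisations (assumed)."""
    azimuth = math.ceil(360.0 / angle_step_deg)
    elevation = math.floor(180.0 / angle_step_deg) + 1
    return azimuth * elevation * 2


# The article's "each side of the EUT" exposure: six faces, and (assumed
# here) two polarisations per face, as in conventional EMC practice.
SIX_FACE_ILLUMINATIONS = 6 * 2


def campaign_hours(n_frequencies: int, n_positions: int,
                   dwell_s: float, n_modes: int = 1) -> float:
    """Total chamber time if every frequency is held for `dwell_s` at every
    position and the sweep is repeated for each operating mode of the EUT."""
    return n_frequencies * n_positions * n_modes * dwell_s / 3600.0


def applied_level(target_v_per_m: float, expanded_uncertainty_db: float) -> float:
    """Field level to set so that the target is met even at the lower bound
    of the expanded uncertainty. The document only says uncertainty must be
    'properly considered'; adding U to the set level is one assumed way."""
    return target_v_per_m * 10 ** (expanded_uncertainty_db / 20.0)


if __name__ == "__main__":
    n_f = frequency_points(80e6, 6e9)          # 80 MHz to 6 GHz, 1 % steps
    for step in (90.0, 10.0, 1.0):
        pos = illumination_positions(step)
        print(f"{step:>4.0f} deg step: {pos:>7d} positions, "
              f"{campaign_hours(n_f, pos, 3.0):>10.0f} h at 3 s dwell")
    print(f"six-face exposure: {SIX_FACE_ILLUMINATIONS} positions, "
          f"{campaign_hours(n_f, SIX_FACE_ILLUMINATIONS, 3.0):.1f} h")
    print(f"10 V/m target with U = 3 dB -> set {applied_level(10.0, 3.0):.2f} V/m")
```

With these assumptions the six-face exposure over 80 MHz to 6 GHz takes a few hours, while a 1-degree sweep of the sphere takes on the order of 47,000 hours for a single operating mode; that is the gap the document closes with design and process evidence rather than with exhaustive testing. The uncertainty function shows why a 3 dB expanded uncertainty turns a 10 V/m requirement into roughly a 14 V/m set level if the lower bound is to meet the target.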
As some of the electromagnetic phenomena may occur on an irregular basis and may not often coincide with “important” states of equipment operation, it may be necessary to consider statistical aspects during EM testing for functional safety. This is especially true when dealing with systems with a higher safety integrity level (SIL), such as the safety-related systems at a nuclear power plant. One may choose, for example, to inject a larger number of EFT pulses than normally required for EMC testing.

Another aspect of functional testing for safety applications involves the performance criteria, which are considerably different from EMC performance criteria. These safety-related criteria must be defined in the SRS. Generally, safety-related equipment is not permitted to operate outside of its safety specification; it may, however, be permitted to be affected temporarily or permanently if the impact is detectable and defined states can be maintained or achieved within a particular time. For example, it may be acceptable for components of the equipment to be destroyed if the EUT is able to shut down safely within a defined time window.

In Annex C of IEC 61000-1-2, Ed. 2 there are two tables that provide some guidance concerning performance criteria relating to safety and to “normal” EMC (one for equipment and one for systems). Each table considers continuous EM phenomena and transient EM phenomena separately. These tables inform the reader when effects are allowed or not under EMC testing or EM safety testing. This information needs to be considered when developing a product standard dealing with functional safety due to EM influences.
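The two points above, sizing a transient test statistically and judging results against safety-related rather than EMC performance criteria, can be made concrete with a short added example. This is not code or wording from IEC 61000-1-2, IEC 61508 or the author: the "vulnerable window" model of the equipment's operating cycle, the zero-failure bound, the SRS-style criterion applied by `judge()`, the 2 s safe-state limit and the `SAMPLE_RESULTS` records are all constructed for illustration.

```python
"""
Statistical sizing of transient-immunity tests and an SRS-style pass/fail
check for safety-related performance criteria.

Added example; not from IEC 61000-1-2 or IEC 61508. The vulnerable-window
model, the criterion wording, the safe-state time limit and the result
records are constructed assumptions for illustration.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def pulses_for_confidence(window_fraction: float, confidence: float) -> int:
    """Minimum number of independent, randomly timed pulses such that, with
    probability >= `confidence`, at least one lands in a vulnerable state
    occupying `window_fraction` of the equipment's operating cycle:
        (1 - w)^N <= 1 - C   =>   N >= ln(1 - C) / ln(1 - w)."""
    if not (0.0 < window_fraction < 1.0 and 0.0 < confidence < 1.0):
        raise ValueError("window_fraction and confidence must lie in (0, 1)")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - window_fraction))


def failure_probability_bound(n_pulses: int, confidence: float) -> float:
    """Upper bound on the per-pulse failure probability consistent with zero
    failures observed in `n_pulses` independent pulses:
        (1 - p)^N >= 1 - C   =>   p <= 1 - (1 - C)^(1/N)."""
    if n_pulses <= 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need n_pulses > 0 and confidence in (0, 1)")
    return 1.0 - (1.0 - confidence) ** (1.0 / n_pulses)


@dataclass
class TestResult:
    test_id: str
    phenomenon: str
    affected: bool                  # any deviation observed during/after the test
    detected: bool                  # the equipment's own diagnostics flagged it
    safe_state_s: Optional[float]   # time to reach the defined safe state; None if never
    outside_safety_spec: bool       # operated outside its safety specification at any time


def judge(result: TestResult, max_safe_state_s: float) -> Tuple[bool, str]:
    """Apply an assumed SRS criterion: no operation outside the safety
    specification; an effect (temporary or permanent, even destructive) is
    acceptable only if it is detected and the defined safe state is reached
    within `max_safe_state_s`."""
    if result.outside_safety_spec:
        return False, "operated outside safety specification"
    if not result.affected:
        return True, "no effect"
    if not result.detected:
        return False, "effect not detected by diagnostics"
    if result.safe_state_s is None or result.safe_state_s > max_safe_state_s:
        return False, "safe state not reached within limit"
    return True, "effect detected, safe state reached in time"


def evaluate(results: List[TestResult],
             max_safe_state_s: float) -> Dict[str, Tuple[bool, str]]:
    """Judge every record and key the verdicts by test identifier."""
    return {r.test_id: judge(r, max_safe_state_s) for r in results}


# Constructed results; not measurements from any real EUT.
SAMPLE_RESULTS = [
    TestResult("EFT-01", "IEC 61000-4-4 burst", False, False, None, False),
    TestResult("EFT-02", "IEC 61000-4-4 burst", True, True, 0.8, False),
    TestResult("ESD-01", "IEC 61000-4-2 discharge", True, False, None, False),
    TestResult("SRG-01", "IEC 61000-4-5 surge", True, True, 5.0, False),
    TestResult("RF-01", "IEC 61000-4-3 field", True, True, 0.2, True),
]

if __name__ == "__main__":
    n = pulses_for_confidence(window_fraction=0.001, confidence=0.95)
    print(f"{n} pulses to hit a 0.1 % window with 95 % confidence")
    print(f"zero failures in 5000 pulses -> p <= "
          f"{failure_probability_bound(5000, 0.95):.2e} per pulse (95 %)")
    for test_id, (ok, why) in evaluate(SAMPLE_RESULTS, max_safe_state_s=2.0).items():
        print(f"{test_id}: {'PASS' if ok else 'FAIL'} ({why})")
```

The sizing functions make the "larger number of EFT pulses" concrete: a state that is vulnerable for 0.1 % of the cycle needs about 3,000 randomly timed pulses before a single hit is 95 % likely, and a clean run of 5,000 pulses only bounds the per-pulse failure probability at about 6e-4. The judge shows the SRS-style criterion: ESD-01 fails not because the equipment was affected but because the effect went undetected, SRG-01 fails on the safe-state time limit, and RF-01 fails outright because it operated outside its safety specification.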
Summary
This article has summarized the second edition of IEC 61000-1-2, which deals with the subject of functional safety and EM influences. As most EMC engineers are familiar with EMC design and testing, the IEC publication and this article try to inform the reader that there are significant differences between achieving EMC and achieving functional safety with respect to EM influences. The emphasis in this article has been first on informing the reader of the new publication and its coverage, and secondly on a more in-depth discussion of the life-cycle aspects of functional safety. In addition, emphasis has been placed on determining the EM environment for the safety-related product and on how the test methods and performance criteria need to be significantly modified to achieve a reasonable functional safety test program.

Space did not permit a detailed discussion of the development of the SRS and the strong reliance on EM design to avoid failures of safety-related systems. The reader is encouraged to obtain the document, especially if working in the safety field.

Given the discussions that have occurred in the U.S. Congress and in published articles over the past month, it is clear that while companies are producing products that have replaced mechanical subsystems with computerized subsystems, more effort is required to deal with functional safety in a comprehensive fashion. It is critical that those working in fields where safety is important consult both the IEC 61508 series of functional safety standards and IEC 61000-1-2 Ed. 2 dealing with functional safety and EM phenomena.
Reference
[1] IEC/TS 61000-1-2 Edition 2 (2008-11), Electromagnetic Compatibility (EMC) – Part 1-2: General – Methodology for the achievement of functional safety of electrical and electronic systems including equipment with regard to electromagnetic phenomena.
William A. Radasky, PhD, PE, received his Ph.D. in Electrical Engineering from the University of California at Santa Barbara in 1981. He has worked on high power electromagnetics applications for more than 41 years. In 1984 he founded Metatech Corporation in California, which performs work for customers in government and industry. He has published over 400 reports, papers and articles dealing with transient electromagnetic environments, effects and protection during his career. He is Chairman of IEC SC 77C and IEEE EMC Society TC-5. He is an EMP Fellow and an IEEE Fellow.

Dr. Radasky is very active in the field of EM standardization, and he received the Lord Kelvin Award from the IEC in 2004 for outstanding contributions to international standardization. He was the Chairman of the IEC Advisory Committee on EMC (ACEC) from 1997 to 2008.