What is Functional Safety?
The safety of products, systems and installations can be split into two parts:
i) ‘Basic’ safety: electric shock, excessive temperatures, excessive radiation, fire, explosion, implosion, bruising, pinching, crushing, cutting, emissions of toxic fumes, etc.
ii) ‘Functional’ safety: when things being controlled don’t function correctly and this can cause increased risks to health.
Functional Safety has always existed in mechanical, pneumatic and hydraulic control systems, and also in electro-mechanical, electro-pneumatic, and electro-hydraulic control systems. But it only became a topic worthy of its own IEC and ISO standards when microprocessors started to be used to control things.
This is because there is no way of testing all possible ways that a microprocessor (or microcontroller, FPGA, etc.) and/or its software can fail. There simply isn’t enough time available. For example, some modern ‘computerized’ control systems, e.g. for self-driving cars, would require longer than the age of the universe (about 15 billion years) to perform a single test on each of their possible digital states, even at 1 microsecond per test!
This is a problem because digital systems are inherently non-linear – which means that even if we could test 99% of their possible states (which we can’t), the results we got would tell us nothing whatsoever about the 1% of states that had not been tested.
This was realized in the early 1970s, after which a large international effort on how to ensure that ‘programmable electronic systems’ could be proven to be safe enough resulted in IEC 61508 in 2000, the IEC’s Basic Safety Standard on the Functional Safety of programmable electronic systems.
IEC Basic Safety standards are created by experts and can be used on their own, but are mainly intended to guide standards teams creating generic or product-family standards.
Standards that have been developed from IEC 61508 include:
- IEC 61511, Safety Instrumented Systems for the Process Industry Sector (in USA: ANSI/ISA S84)
- IEC 62061, Safety of Machinery
- IEC 62278 / EN 50126, Railways – Specification and Demonstration of Reliability, Availability, Maintainability and Safety
- IEC/EN 50128, Software, Railway Control and Protection
- IEC/EN 50129, Railway Signalling
- IEC 61513, Nuclear Power Plant Control Systems
- RTCA DO-178B, North American Avionics Software
- RTCA DO-254, North American Avionics Hardware
- EUROCAE ED-12B, European Flight Safety Systems
- ISO 26262, Automobile Functional Safety
- IEC 62304, Medical Device Software
- IEC/EN 50402, Fixed Gas Detection Systems
- DEF STAN 00-56, Accident Consequence (UK military)
How does Risk Management fit in?
IEC 61508 employs a Risk Management approach.
Risk Management is a general methodology based on statistical analysis, quite unlike any standards for dealing with basic safety. It can be used for controlling exposure to any kinds of risks that can be quantified, e.g. financial risks, mission risks, security risks, etc., and of course in IEC 61508 it is used to control functional safety risks.
And what does all this have to do with EMC or EMI?
All electronics, without exception, can be affected by electromagnetic interference (EMI).
The engineering discipline of controlling both electromagnetic emissions and immunity to avoid EMI, is called electromagnetic compatibility (EMC).
Where errors, malfunctions or failures in electronic circuits or systems can increase functional safety risks, EMC testing cannot be sufficient to prove that functional safety risks are low enough. After all, since it is impossible to test all possible states of a modern digital system just once, it is even more impossible to test all of its states when the system is exposed to a variety of frequencies or transients in turn, during EMC immunity testing.
The European EMC Directive covers functionality but does not cover functional safety (it says so right there in its text). We might expect that properly complying with the EMC Directive would somewhat reduce the functional safety risks that can be caused by EMI, but we can’t say by how much, and it can’t reduce them by enough.
So how can we apply Risk Management to electronic systems to prove that EMI will not cause unacceptable levels of Functional Safety risks?
Keith Armstrong has been heavily involved with this issue for 20 years (since 1998), chairing a number of IEE, IET and IEEE Working Groups on it, and being the UK’s representative on two different IEC standards teams on it (covering IEC 61000-1-2, IEC 61000-6-7, and IEC 60601-1-2).
We did not develop a practical, usable approach to the problem until 2010, and it was first published anywhere in the world by the IET in 2013.
The 2013 publication was improved and updated as the IET’s “Code of Practice for Electromagnetic Resilience”, published in 2017 and available from: https://www.theiet.org/publishing/iet-standards/?utm_source=redirect&utm_medium=legacyredirects&utm_campaign=2019relaunch