Standardization in the field of functional safety

Leonid Kechiev
BASIC RESEARCH PROGRAM
WORKING PAPERS
SERIES: Science, Technology, Innovation Economy
This Working Paper is an output of a research project implemented within NRU HSE's Annual Thematic Plan
for Basic and Applied Research. Any opinions or claims contained in this Working Paper do not necessarily
reflect the views of HSE
Leonid Kechiev (1)
STANDARDIZATION IN THE FIELD OF FUNCTIONAL SAFETY (2)
The problem of standardization in the field of functional safety of electronic equipment is considered.
The subject is introduced, and the risks and hazards arising from the operation of electronic
equipment are described. Data on the directions of standardization in the field of functional safety
are provided, and the base standards in the field are reviewed. Recommendations for improving the
system of standardization so that it takes account of functional safety requirements are given.
JEL Classification: L63
Keywords: functional safety, electronic means, electromagnetic interference, standardization,
hazard, risk
(1) National Research University Higher School of Economics (Moscow, Russia), Department of
Electronic Engineering. [email protected]
(2) This study (research grant 14-01-0072) was supported by the National Research University Higher School of
Economics Academic Fund Program in 2014/2015.
Introduction
Information technologies are used more and more widely in safety applications. Operating errors
and failures of electronic equipment caused by violations of electromagnetic compatibility (EMC)
requirements lead to hazardous situations and pose a threat to people's health, to equipment and to
the environment.
Historically, the divisions responsible for EMC and for safety within an organization have
operated independently of each other. As a result, the safety aspects that depend on EMC (EMC-SAFETY)
have been overlooked. No functional safety requirements have been defined for civil applications that,
for example, conform to the EU EMC Directive [1]. The CE mark of conformity with the requirements of
the EMC Directive (or with its harmonised standards) cannot guarantee that EMC-SAFETY issues have been
correctly identified and resolved. Functional safety is, moreover, vital for military
applications [2].
Different electronic technologies differ in the degree to which they preserve their quality
indicators when exposed to electromagnetic interference (EMI). Many traditional information
technologies that were not susceptible to EMI at an earlier stage of their development have become
sensitive to it as electromagnetic conditions have grown more complex and interference levels have
risen. In addition, the modern component base tends to be increasingly susceptible to EMI.
Hazard evaluation and risk assessment are necessary to manage EMC-SAFETY correctly,
taking into consideration the following [3]:
• the parameters of the electromagnetic environment (EME);
• the effects of electromagnetic interference;
• the effects of one device on another;
• the foreseeable safety parameters (severity and scale of the risk, level of safety integrity) that can be
affected by EMI;
• the requirements that must be fulfilled in order to provide the desired level of EMC-SAFETY.
Functional safety is a term describing the hazards and risks arising from errors or failures in the
operation of systems, equipment or devices. It differs from safety defined as the ability of a device
to resist such dangers as ignition, electric shock and the formation of toxic gases. The
standards [4–11] are considered the key documents in the field of functional safety, and they are
harmonized with the international standard IEC 61508. That standard addresses civil systems and does not
explicitly consider the interrelated issues of EMC and functional safety.
It is also necessary to include the analysis of hazards and risks in the design of safety systems,
taking into account the following areas:
• application errors, whether random (such as errors in the installation of the equipment or manual errors
of the operator) or deliberate (overload or use for unintended purposes);
• foreseeable design errors;
• application in extreme environments, including, among others, electromagnetic effects, heat and
vibration;
• the consequences of hazards, with their probabilities, caused by the factors noted above.
All personnel responsible for EMC and safety management in the organization should
understand their importance and be familiar with the corresponding standards, so as to be
competent to execute their requirements and to apply the governing principles correctly in practice.
Terminology
The basic terminology in the field of functional safety is summarized in [7, 11–14]; however, the
terms are defined within a probabilistic framework. When the issue at hand is the design of safe
equipment, it is obvious that the basic terms should carry a more explicit meaning.
The term «safe system» is generally used to describe systems that require special functions to
reduce risk to an acceptable level. A system that requires safety issues to be resolved can be
implemented in any technology, but within the EMC framework electrotechnical and electronic systems
(including programmable electronics) are of the greatest concern. Some examples of safety violations
in such systems are:
• burnout or damage of components, antennas, etc.;
• reduced performance of special-purpose signal-processing computing networks;
• erroneous operation of electromechanical equipment, electronic circuits, components, etc.;
• premature explosion or ignition of ammunition and flammable materials;
• failures and disruptions in telecommunication systems;
• radar control and tracking failures;
• errors in measurement readings, etc.;
• personnel injury.
A safety function should be defined in terms of its functionality and its safety integrity (the
probability that the safety function performs satisfactorily when it is required). Technical requirements
for safety integrity can be obtained by analyzing hazards and risks and by evaluating the degree of risk
reduction provided by a specific safety function. The general principle is as follows: the higher the
required level of safety integrity, the more stringent the system-engineering requirements imposed, in
order to achieve the lower rate of failures and breakdowns needed to attain the acceptable risk level.
Safety requirements for electrical or electronic equipment used in safe systems should be
specified and defined within the framework of the system hazard and risk assessment at the earliest
possible stage of its life cycle. The safety aspect should also be taken into account during
maintenance and operation; therefore the dominant electromagnetic effects are to be considered at these
stages as well. Software modifications and updates can compromise the EMC and functional safety of
systems and equipment, so they must be treated in the same way as the hardware components of the system.
Equipment can radiate electromagnetic fields that considerably worsen the local electromagnetic
conditions and may cause functional failures of other equipment. For example, audio or radio
communication systems can be very susceptible to EMI, and this can lead to safety risks when those
systems are used to transfer emergency information and commands. Thus, when new equipment is
introduced, steps should be taken to ensure simultaneous operation of the new equipment and the
equipment installed before it, so that EMI does not cause even marginal faults in functional
parameters. Standard tests for conformity with EMC requirements do not always provide complete
functional safety for equipment working in a real electromagnetic environment. Therefore, within the
framework of functional safety, ensuring EMC requires special testing programs.
It is especially important to address EMC at the early stages of equipment design, when the
most effective measures can be taken (they are likely to be the most feasible tools for ensuring EMC).
Where protective devices are used (for example, varistors to limit surge peaks) to achieve the
required immunity level, failure of such a device can lower the immunity and lead to an EMC-SAFETY
violation. In this case the failure of a protective device should be detected automatically (for
example, by diagnostic subsystems) or by regular inspections that identify faults. The frequency of
these inspections should be defined on the basis of the acceptable failure probability of the
protective element in each specific application.
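How the inspection interval follows from the acceptable failure probability, as an added example that is not from the paper. It assumes a single protective element with a constant dangerous failure rate, periodic manual inspection and optional automatic diagnostics, and uses the standard IEC 61508 low-demand approximation PFD_avg ≈ λ_DU·T_I/2 + λ_DD·MTTR; the failure rate, coverage, repair time and target figures in the usage section are constructed, not measured values.

```python
"""Added example (not from the paper): choosing the inspection interval for a
protective element such as a surge-limiting varistor.

Assumed model: a single protective element with a constant dangerous failure
rate, periodic manual inspection and optional automatic diagnostics. With the
IEC 61508 low-demand approximation (valid while lambda_DU * T_I << 1):

    PFD_avg ~= lambda_DU * T_I / 2 + lambda_DD * MTTR

lambda_DU : dangerous failures per hour that no diagnostic detects
lambda_DD : dangerous failures per hour that diagnostics detect (repaired within MTTR)
T_I       : interval between manual inspections, hours
All numeric inputs in the usage section are constructed, not measured values.
"""
import math
from typing import Optional, Tuple

HOURS_PER_YEAR = 8760.0


def split_dangerous_rate(lambda_d: float, diagnostic_coverage: float) -> Tuple[float, float]:
    """Split a dangerous failure rate into (detected, undetected) parts.

    diagnostic_coverage is the fraction (0..1) of dangerous failures that the
    automatic diagnostics reveal; the remainder is only found by inspection.
    """
    if not 0.0 <= diagnostic_coverage <= 1.0:
        raise ValueError("diagnostic coverage must be within 0..1")
    detected = lambda_d * diagnostic_coverage
    return detected, lambda_d - detected


def pfd_avg(lambda_du: float, lambda_dd: float, mttr_h: float, interval_h: float) -> float:
    """Average probability of failure on demand for the assumed model."""
    return lambda_du * interval_h / 2.0 + lambda_dd * mttr_h


def max_inspection_interval(lambda_d: float, diagnostic_coverage: float,
                            mttr_h: float, pfd_target: float) -> Optional[float]:
    """Longest inspection interval (hours) that keeps PFD_avg <= pfd_target.

    Returns None when the target cannot be met by inspection alone, i.e. the
    detected-but-not-yet-repaired contribution already exceeds the target.
    """
    lambda_dd, lambda_du = split_dangerous_rate(lambda_d, diagnostic_coverage)
    residual = pfd_target - lambda_dd * mttr_h
    if residual <= 0.0:
        return None
    if lambda_du == 0.0:
        return math.inf          # every dangerous failure is caught automatically
    interval = 2.0 * residual / lambda_du
    # Guard the approximation: beyond lambda_DU * T_I ~ 0.1 the linear formula
    # underestimates PFD and an exponential model should be used instead.
    if lambda_du * interval > 0.1:
        raise ValueError("lambda_DU * T_I too large for the linear approximation")
    return interval


def sil_band(pfd: float) -> int:
    """Low-demand SIL band for a PFD_avg value (IEC 61508-1 Table 2); 0 = below SIL 1."""
    if 1e-5 <= pfd < 1e-4:
        return 4
    if 1e-4 <= pfd < 1e-3:
        return 3
    if 1e-3 <= pfd < 1e-2:
        return 2
    if 1e-2 <= pfd < 1e-1:
        return 1
    return 0


if __name__ == "__main__":
    # Constructed figures: varistor with 2 dangerous failures per 1e6 hours,
    # target PFD_avg of 1e-3 (the SIL 2 / SIL 3 boundary), 8 h repair time.
    lambda_d, target, mttr = 2e-6, 1e-3, 8.0
    for coverage in (0.0, 0.9):
        t = max_inspection_interval(lambda_d, coverage, mttr, target)
        dd, du = split_dangerous_rate(lambda_d, coverage)
        pfd = pfd_avg(du, dd, mttr, t)
        print(f"coverage {coverage:.0%}: inspect every {t:8.0f} h "
              f"({t / HOURS_PER_YEAR:.2f} years), PFD_avg = {pfd:.2e}, SIL {sil_band(pfd)}")
```

With no automatic diagnostics the constructed element must be inspected roughly every 1000 hours to hold the target; with 90 % diagnostic coverage and an 8 h repair time the same target allows an interval of about 9856 hours, which is the trade-off between the diagnostic subsystem and the regular examinations the paragraph describes.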
Information on the methods and means of ensuring EMC must be made available to designers,
manufacturers, service engineers, operators and installation engineers, so that the measures adopted
in the project are implemented and maintained. This is necessary to keep surge levels and equipment
susceptibility within the limits established by the project.
In addition, the following features of safe-system design can be specified:
• It is not always recognized that a control system is safety-related. Microprocessor diagnostic
systems should take into account the critical situations that lead to safety violations, and
should be supported by hardware and software methods of system design;
• Interlock functions for safety provision should be executed by circuits of proven integrity.
Interlock functions for safety provision should not be implemented by microcontrollers,
microprocessors, etc. until the integrity of these circuits has been formally confirmed against the
risks run by the application;
• Immunity to electromagnetic interference can be attained using both hardware and software.
It is essential to carry out a risk and hazard assessment when upgrading equipment, and to carry
out technical work to maintain safety integrity after modifications are implemented.
Evaluation of the electromagnetic environment
One of the main objectives of safe-system design is to specify its electromagnetic
environment (EME) in order to avoid the impact of electromagnetic effects (EE) on the equipment
during all phases of its life cycle. The impact can lead to system operational failures unless its
level is reduced to an acceptable one.
The impact of exposing a receptor to a certain electromagnetic environment depends on the
receptor's susceptibility, the EMI amplitude and frequency, environmental aspects, etc. To prevent
these problems, potential environmental electromagnetic effects have to be taken into account when
designing a new system. EME requirements should be included in the equipment specification to ensure
satisfactory performance in the given environment.
The following basic aspects are considered when equipment availability and safety
requirements are developed for the electromagnetic environment [15–17]:
• environment profile,
• system configuration,
• survivability requirements,
• susceptibility,
• application prospects.
Environment profile. Any equipment, subsystem or system is exposed to several different
electromagnetic environments during its life cycle, and every EME must be defined. For example, a
rocket may be in different electromagnetic environments during shipment, storage, testing, launch and
aiming at the target.
System configuration. The configuration of equipment, a subsystem or a system can change
depending on its location and the stage of its life cycle, and as a result its susceptibility to the
electromagnetic environment can also change. Therefore, when developing performance requirements,
it is important to define the operating modes, shielding, etc. for each particular environment.
Survivability requirements. It is important to distinguish availability conditions from
survivability conditions. There is usually an essential distinction between the environment levels that
compromise operability and the levels that lead to permanent failures. It is necessary to be aware of
the means and tools that can be used to protect the equipment from damage when it is not operating
but that cannot be applied when it is in operation.
Susceptibility. The susceptibility of equipment, a subsystem or a system may differ
depending on design features. These features, such as the integrity of shielding, the selection of
components and filtering, must be taken into consideration when assessing the effects of the
electromagnetic environment on the equipment. Moreover, non-metallic materials have promising
applications on new platforms. Because they provide weak or no shielding, a system, subsystem or
equipment may experience more intense EE exposure than on a platform built of conventional metallic
materials.
Application prospects. Identifying the EE that can affect equipment, subsystems or systems
should also take into account potential applications and changes in the environment. Equipment that
was designed for operation in one environment may in due course be installed in another, or be used
for tasks that were not provided for by the original design. EE intensity increases even at a fixed
location, and this must be taken into consideration when designing long-life systems. For example [18],
the field-strength levels that avionics (USA) must withstand rose from 1 V/m (1968) to 200 V/m (1986),
and the frequency range extended from 10 GHz to 40 GHz over the same period. Intentional
electromagnetic effects and directed-energy weapons produce even higher electromagnetic levels.
Therefore, when extreme EE are forecast within the framework of potential applications, it is important
to understand that the cost of the equipment, subsystems or systems will increase, but that this
increase will be recovered in future applications.
When defining the electromagnetic environment in which the system operates during its life
cycle, it is necessary to take into consideration any conditions that can affect vulnerability to
EE, and any additional information about the environment that helps assess the effects correctly
both at present and in the long term.
The environments prescribed by the standards used for testing military equipment are difficult to
reproduce; they also require a thorough examination of the suitability of the test equipment and methods.
Numerous alternatives are available for performance assessment, including laboratory research, EE
reproduction in an anechoic chamber and full-scale tests under field conditions.
EE parameters should be included in the procurement documentation to confirm that the
electromagnetic environment is considered in every case in accordance with the contract. The test
methods and the equipment to be used for testing should be described, and the results should be
recorded and analyzed.
Electromagnetic environment
The electromagnetic environment (EME) is the resulting product of the power and time
distribution, over various frequency ranges, of the radiated or conducted electromagnetic interference
that may be encountered by a military force when performing its assigned task in the intended
operational environment.
Electromagnetic environmental effects (E3) define the impact of the EME on the functionality of arms,
equipment, systems and platforms. The term covers all electromagnetic factors, including:
• electromagnetic compatibility (EMC),
• electromagnetic disturbance (electromagnetic noise; electromagnetic interference, EMI),
• electromagnetic vulnerability (EMV),
• electromagnetic pulse (EMP),
• electrostatic discharge (ESD),
• lightning,
• accumulation of static electricity (precipitation static, p-static),
and also the hazardous effects of electromagnetic radiation on:
• personnel (hazards of electromagnetic radiation to personnel, HERP),
• ordnance (hazards of electromagnetic radiation to ordnance, HERO),
• volatile fuels (hazards of electromagnetic radiation to fuel, HERF).
The EME results from the power and time distribution, over various frequency ranges, of the
radiated and conducted electromagnetic emission levels that are likely to be encountered. It is the total
electromagnetic energy from man-made and natural sources in which a platform, system, subsystem or
equipment (the objects) operates within any spatial domain (land, air, space, sea) while
performing its assigned task during its life cycle. The electromagnetic environment
corresponds to a specific time and location. Certain features of the equipment (such as transmitter
power, operating frequencies and receptor sensitivity), operating factors (such as the distance
between platforms, systems, etc.) and the frequency allocation are involved in EME evaluation.
Furthermore, the conditions are determined by transient processes and their rise and fall times
(for example, electromagnetic pulse, EMP, lightning and p-static).
The effects of electromagnetic energy on objects operating in a given environment depend on
element susceptibility (or immunity), amplitude, frequency and EME features. To prevent the
negative impact of E3, the potentially troublesome consequences of electromagnetic energy acting on
every element operating in the designed conditions must be considered. These estimates should be
carried out for EME conditions that present potential hazards to personnel, arms and fuel handling.
The electromagnetic environment in which military objects operate comprises various natural
and man-made sources. Natural sources include galactic, atmospheric and solar noise,
accumulation of static electricity, lightning and ESD.
Man-made sources produce intentional, unintentional and spurious emissions in the
environment. Intentional emitters include, for example, the following types of subsystems and
equipment: communication, meteorology, radar, armaments, electronic warfare (EW) equipment and
electromagnetic weapons.
Unintentional emitters include subsystems and equipment that use, transform or generate
undesirable electromagnetic energy as a by-product of their operation. Therefore any electrical,
electronic, electromechanical or electro-optical device can be an unintentional emitter.
The power and the location relative to the object are the two key parameters used to define
the dominant sources of the electromagnetic environment. For example, under normal conditions
non-combat primary sources of electromagnetic energy define the environment, whereas in combat
conditions special sources of interference may be the dominant factor of the electromagnetic
environment. Hence the EME within which the object operates depends on the function performed and
the scenario of operations.
The EME in which the element is likely to operate should be defined at the earliest possible stage of
the design process. The initial step identifies the main geographical areas in which the system will
operate. The next step specifies the countries in each area in which the system is likely to be
deployed. Once that is done, the theater of military operations and the system missions are defined.
This procedure determines the structure of the system and its environment at deployment. The
next step is to identify the types and features of any existing or planned spectrum-dependent object
that will probably inter-operate with the system. This identification covers the sources and
receptors of both military and commercial disturbances. The information about inter-operating objects
is used as the starting point for E3 frequency allocation and research.
Although the EME is defined at an early stage, continuous EME updates during the whole life
cycle must be considered, because the environment is not static. New objects emerge, and existing
ones that will operate within the same EME are modernized. Data on these "new" objects are
identified and added to the defined EME. Moreover, the initial mission of an operating object can
change, and additional geographical areas and countries can be covered. New data should be used to
update E3 research and frequency allocation. The absence of quantitative data about the operational
EME is one of the main difficulties faced when system parameter requirements are determined.
Every object is likely to operate at several different EME levels during its life cycle. If
the EME level is specified too stringently, it may increase the cost of the system in ways that are
unlikely to be justified. Each of the various EMEs in which the object will operate during its life
cycle should be specified before the features of the object are defined. It is necessary to ensure that
none of the EME levels in which the object will operate negatively affects the indicators of the
system and its functional safety.
The system should be electromagnetically compatible with all subsystems and equipment within it and
with the external environments formed by electromagnetic effects. Testing is carried out on
production-representative systems. Safety-critical functions are tested for EMC within the system and
with the conditions of its operation before the system is put into use. Testing should cover all
aspects of the system life cycle, including normal operation, control, storage, transportation,
handling, packing, loading, unloading and launch.
Margin requirements for objects should be based on the system functional requirements, the
tolerances of the system hardware and the uncertainties that arise when verifying the system design
requirements. Important safety and continuous-operation functions of the system should have a margin
of at least 6 dB [12, 14, 17]. The margin for ordnance (electrically initiated devices) is no less
than 16.5 dB.
Electromagnetic effects (E3)
The electromagnetic pulse (EMP) [19, 20] is the non-ionizing electromagnetic radiation (EMR) from a
nuclear explosion (NE). The electric and magnetic fields of an NE may interact with electrical or
electronic systems and the interfaces connected to them, generating destructive currents and voltages.
The resulting EMP field is characterized by a high amplitude, short duration and short rise time. In
any case the effects of EMP exposure can be destructive for many electrical and electronic systems.
At present, the EME levels generated during the normal operation of systems, subsystems or equipment
(such as electromagnetic launchers or electromagnetic guns) have not been specified in the US military
standards.
Emission control (EMCON). The US Army and Navy set the following limit for unintentional
electromagnetic radiation: it should not exceed −105 dBm/m² at a distance of one kilometer from the
source over the 500 kHz to 40 GHz frequency range [14].
Hazardous electromagnetic radiation (RADHAZ) may harm personnel and damage fuel and
armament if it is not controlled. These effects are discussed below.
HERP [11, 14] is the potential hazard to personnel exposed to an electromagnetic field intense
enough to heat the human body. If the heat load exceeds the body's ability to dissipate the excess
heat, body temperature rises. Therefore, if sufficient power is absorbed, body temperature increases
and affects metabolic processes, with potentially harmful consequences. Radars and electromagnetic
weapon systems represent the greatest potential threat to personnel because of the high power of
their transmitters and the special features of their antennas. Repair and service personnel have a
high probability of being exposed to dangerous radiation levels because they work close to radiating
elements and must perform their work quickly.
HERF [11, 14, 16] is the potential hazard that arises when volatile fuel is exposed to electromagnetic
fields with enough energy to cause ignition. Fuel vapours ignite when they mix with air to form a
flammable mixture that is exposed to an intense electromagnetic field. The hazard criteria here are
based on the assumption that an ideal receiving antenna with a sufficient spark gap may arise by
accident. The presence and degree of a fuel hazard are determined by comparing the actual power flux
density with the established safety criterion.
HERO [12] is the potential hazard that occurs when ammunition containing electrically initiated
devices (EIDs) is exposed to an adverse electromagnetic environment. Ammunition includes rockets,
explosives (i.e. the EIDs themselves), squibs, igniters, pyrotechnic bolts, electrically fired
cartridges, demolition devices, etc. Modern transmitters radiate high EME levels that can be dangerous
to arms; these levels may cause premature actuation of explosives. Ammunition subsystems should not be
initiated by an electrostatic discharge of 25 kV delivered by personnel. Testing is conducted by direct
discharge onto the subsystem (electrical interfaces, cases, points of operational handling) through a
500 pF capacitor and a 500 Ohm resistor.
EMV [14], electromagnetic vulnerability, is the characteristic of an object that causes its
performance to degrade and corresponds to its inability to complete the required task in the
operational EME. The element is vulnerable if its parameters fall below an acceptable level when
exposed to the operational EME or to transients. During its life cycle an object operates in various
electromagnetic environments. Many threats are rather rare. However, if the object encounters an EME
beyond what its specification assumed and its laboratory trials covered, it will either suffer degraded
performance or be unable to perform the required task at all in the operational environment. EMV
analysis usually requires establishing the correspondence between the susceptibility observed in the
laboratory and actual performance data. The results of EMV analysis indicate possible directions for
hardware updating, additional research and testing.
Lightning [21, 22] is an electrical discharge that occurs in the atmosphere between clouds or
between clouds and the Earth. The electromagnetic radiation from the lightning discharge creates
electric and magnetic fields that may act on electrical or electronic elements and thus produce
destructive currents and voltage surges. The effects of lightning can be divided into direct and
indirect.
Direct effects of a lightning discharge can cause physical damage to the system structure or
equipment through the direct impact of the lightning channel. These effects include ruptures,
bending, burning, evaporation or explosion of hardware, as well as high-pressure shock waves and
magnetic forces caused by the high discharge current.
Indirect effects are caused by electrical transients in circuits due to the electromagnetic fields
associated with the lightning and the interaction of these fields with the system equipment.
Surface charging (p-static) [23, 24] is the electromagnetic disturbance caused by the accidental
build-up of static electricity as air, vapour or dust particles flow over the structure or
components of vehicles moving in the atmosphere, such as an aircraft or spacecraft. When systems
move through dust, rain, snow or ice, the electrostatic charge on their surfaces grows. The
build-up of static electricity results in significant voltages that can affect equipment and
pose a shock hazard to personnel. An aircraft crew can be exposed to ESD during flight, and the
ground maintenance staff can be exposed to ESD after landing. P-static requires special attention
because of the increased sensitivity of electronic equipment, the wider frequency range of new
communication systems and the growing use of composite materials.
The system should control and dissipate electrostatic charges to avoid fuel ignition and hazards
to arms, protect personnel from shock and prevent performance degradation and damage to electronic
equipment.
Fuel flow in tanks and pipelines can contribute to charge build-up, which can lead to a
potential ignition hazard. Likewise any other liquid flowing in a system (for example,
coolant) can produce a charge with potentially dangerous consequences.
Arms are potentially susceptible to accidental initiation by ESD, especially through the
bridgewire EID detonators used to initiate explosives.
During equipment maintenance, contact between personnel and various devices and materials
can produce an electrostatic charge on personnel and equipment (especially on non-conductive
surfaces), and this poses safety problems for personnel and hazards to fuel and electronics.
Designing and testing
Electromagnetic effects should be considered throughout the whole life cycle of a system.
Technical decisions should be verified by test, analysis, inspection or a combination of these.
A program for controlling EMC parameters should be comprehensive, based on the system-level
architecture and consistent with hardening requirements that are allocated among the system,
subsystem and equipment levels.
Control of electromagnetic effects can be carried out in the following sequence:
1. Establish the external electromagnetic environment in which the system operates
normally.
2. Identify the electrical and electronic equipment exposed to the external threat and the set of
operations it performs. All functions essential to the mission should be protected from external
electromagnetic effects.
3. Evaluate the internal electromagnetic environment caused by external electromagnetic
effects for each kind of equipment. Every environment external to the system should be related to the
internal environment of the system. If the induced signals exceed the standard requirements,
additional protection measures are to be developed, for example: shielding, filtering, terminations,
cable routing, zoning and improved quality of electrical bonding [25].
4. Design the protection methods and means for the equipment and the system. The system-level
measures are developed to bring the parameters of the internal environment down to the levels specified
by the corresponding limits imposed on the electrical and electronic equipment.
5. Validate the adequacy of the protection. The system and the equipment protection design should be
examined for conformity with the contract requirements. Validation of the adequacy of the protection
design includes a demonstration that the actual levels of the internal environments appearing at
equipment interfaces and ports do not exceed the qualification test limits of the equipment for every
environment. These examinations should be recorded in detail in test procedures and reports.
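A pass through the five steps above for a radiated-field threat, as an added example that is not from the paper or from any standard. It assumes the external environment is given as field strength per frequency band for each life-cycle phase, that equipment sits in zones whose shielding effectiveness (SE, dB) attenuates the external field, and a plain attenuation model internal_dB = external_dB − SE_dB (ignoring resonances and cable coupling); every phase, band, level, zone and SE value is constructed.

```python
"""Added example (not from the paper): the five-step E3 protection sequence
applied to a radiated-field threat, with constructed numbers.

Assumptions: external environment = field strength per band per life-cycle
phase; each equipment item sits in a zone with a shielding effectiveness SE
(dB); internal field = external field attenuated by SE (no resonances, no
cable coupling). All phases, bands, levels, zones and SE values are invented.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


def vm_to_db(e_vm: float) -> float:
    """Field strength in V/m -> dBV/m (amplitude quantity, hence 20*log10)."""
    return 20.0 * math.log10(e_vm)


def db_to_vm(e_db: float) -> float:
    return 10.0 ** (e_db / 20.0)


# Step 1: external environment per life-cycle phase (constructed, V/m)
EXTERNAL_ENV: Dict[str, Dict[str, float]] = {
    "transport": {"HF 2-30 MHz": 10.0, "UHF 0.3-1 GHz": 20.0,  "radar 1-18 GHz": 50.0},
    "storage":   {"HF 2-30 MHz": 5.0,  "UHF 0.3-1 GHz": 10.0,  "radar 1-18 GHz": 300.0},
    "flight":    {"HF 2-30 MHz": 50.0, "UHF 0.3-1 GHz": 100.0, "radar 1-18 GHz": 200.0},
}


def external_envelope(env: Dict[str, Dict[str, float]]) -> Dict[str, Tuple[float, str]]:
    """Worst case per band over all phases, remembering which phase sets it.
    Knowing the driving phase matters: an over-stringent level raises cost."""
    envelope: Dict[str, Tuple[float, str]] = {}
    for phase, bands in env.items():
        for band, level in bands.items():
            if band not in envelope or level > envelope[band][0]:
                envelope[band] = (level, phase)
    return envelope


# Step 2: exposed equipment, its zone and its qualification test levels (V/m)
@dataclass
class Equipment:
    name: str
    safety_related: bool
    zone: str
    qualification_vm: Dict[str, float]


ZONE_SE_DB = {"open platform": 0.0, "equipment bay": 20.0, "shielded rack": 40.0}

EQUIPMENT: List[Equipment] = [
    Equipment("flight control computer", True, "shielded rack",
              {"HF 2-30 MHz": 10.0, "UHF 0.3-1 GHz": 10.0, "radar 1-18 GHz": 20.0}),
    Equipment("emergency radio", True, "equipment bay",
              {"HF 2-30 MHz": 20.0, "UHF 0.3-1 GHz": 20.0, "radar 1-18 GHz": 20.0}),
]


# Step 3: internal environment seen inside a zone
def internal_level_vm(external_vm: float, se_db: float) -> float:
    return db_to_vm(vm_to_db(external_vm) - se_db)


# Step 4: extra attenuation each item needs per band (0 if the zone already suffices)
def shortfall_db(internal_vm: float, qualification_vm: float) -> float:
    return max(0.0, vm_to_db(internal_vm) - vm_to_db(qualification_vm))


def plan_protection(equipment: List[Equipment], envelope: Dict[str, Tuple[float, str]],
                    zone_se: Dict[str, float]) -> Dict[Tuple[str, str], float]:
    """Map (equipment, band) -> additional attenuation required in dB."""
    plan: Dict[Tuple[str, str], float] = {}
    for item in equipment:
        for band, (ext, _phase) in envelope.items():
            internal = internal_level_vm(ext, zone_se[item.zone])
            plan[(item.name, band)] = shortfall_db(internal, item.qualification_vm[band])
    return plan


# Step 5: validation against levels measured at the equipment ports
def validate(measured_vm: Dict[Tuple[str, str], float],
             equipment: List[Equipment]) -> List[Tuple[str, str, float]]:
    """Return (equipment, band, excess dB) wherever the measured internal level
    exceeds the qualification test level; an empty list means the protection passes."""
    by_name = {e.name: e for e in equipment}
    failures = []
    for (name, band), level in measured_vm.items():
        excess = shortfall_db(level, by_name[name].qualification_vm[band])
        if excess > 0.0:
            failures.append((name, band, excess))
    return failures


if __name__ == "__main__":
    env = external_envelope(EXTERNAL_ENV)
    for band, (level, phase) in env.items():
        print(f"{band:15s} envelope {level:6.1f} V/m (set by {phase})")
    for key, db in plan_protection(EQUIPMENT, env, ZONE_SE_DB).items():
        if db > 0.0:
            print(f"{key}: add {db:.1f} dB of attenuation")
    # Constructed validation measurement: 25 V/m at the radio's radar-band port
    print(validate({("emergency radio", "radar 1-18 GHz"): 25.0}, EQUIPMENT))
```

With these numbers the storage phase, not flight, sets the radar-band envelope; the radio in the 20 dB bay sees 30 V/m against a 20 V/m qualification level and needs about 3.5 dB more attenuation, while the computer in the 40 dB rack needs none. The validation step then compares measured port levels with the same qualification limits, which is the demonstration step 5 calls for.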
Early implementation of protection requirements against electromagnetic effects helps prevent
problems at subsequent stages.
The choice of test, analysis, field trials or some combination of these to demonstrate specific
requirements depends on the required confidence in the results, technical capabilities, cost, etc.
Analysis and testing often complement each other.
E3 requirements should be verified by an incremental testing process. The term "incremental" means
that verification of conformity with E3 requirements is an ongoing process during all stages of
system design, i.e. it proceeds from every component up to the whole system.
EMC Management to Achieve Functional Safety
In order to manage EMC correctly and achieve functional safety, it is necessary to take into
consideration hazard and risk assessment, the parameters of the electromagnetic conditions, and
the emission levels and immunity characteristics, namely:
• electromagnetic effects to which the equipment can be exposed, even if the frequency of their
occurrence is insignificant;
• foreseeable effects of similar disturbances while the equipment is functioning;
• evaluation of the emission effects of the equipment on other equipment which is installed or is
going to be installed;
• foreseeable safety parameters which can be altered by the above disturbances (severity of the
danger, hazard magnitude and the corresponding safety integrity level);
• certain confidence that all the necessary aspects of the problem have been considered and that
the planned actions will allow the desired safety level to be achieved.
What functional safety values could be reasonably predicted? This analysis should take into
consideration the severity of any potential danger or risk.
Electromagnetic environment. When conducting EME analysis it is necessary to evaluate
and define the amount of electromagnetic exposure and its parameters in the environment intended
for operation, taking into consideration probable (or possible) changes in the future. This should
include all reasonably foreseeable electromagnetic disturbances of any kind.
It is also necessary to define the parameters of electromagnetic emission from the equipment and
the consequences of its foreseeable effects on any other equipment whose operation can affect safety.
Technical requirements. It is necessary to define acceptable immunity and emission criteria
for each function of the device contributing to safety. It is necessary to identify the desired safety
level for each of the disturbances identified above, so that a safety integrity level can be specified
for each function.
Results are conveniently expressed as a table (matrix) of "function versus electromagnetic
phenomenon" with the criteria noted in the cells [26]. Assessment of hazards and risks
can result in functional criteria which differ from the requirements of the EMC Directive.
Development-production-verification-support. It is necessary to ensure that all the necessary
steps are taken at all stages of the full life cycle of the device (including maintenance service,
upgrading or repair) to satisfy the defined functional criteria. This should be checked before
delivery and after maintenance service, upgrading, modification and repair.
Verification confirms that the requirements for the functional parameters of the equipment
conform to its operational environment, and that its safety conforms to the requirements of the
current legislation and to the reasonable expectations of its users and other stakeholders. Some clients or
users may have their own requirements for approving the correctness of the technical solutions.
Testing. Testing issues are described above.
Informing and prevention. It is necessary to inform prospective and actual buyers and users
about the EMC parameters of the equipment, any restrictions in operation, the qualification requirements
for operators and service personnel, and the potential performance decrease while in operation. It
is also necessary to warn about any potential risks resulting from unusual or especially powerful
emissions. These warnings, restrictions and technical requirements are to be included in all
proposals and contracts.
A danger warning should not be considered a replacement for protection measures against
potential safety violations. In turn, protection should not replace design solutions for ensuring
functional safety, since they are of primary importance.
User’s instructions. At all stages of installation, use and service the relevant instructions
should define the EME which ensures the specified functional quality.
It is necessary to determine how the EME can affect the user and which methods and tools
are available to reduce the negative impact of the EME.
Marketing and delivery. It is necessary to have guarantees that the equipment advertised and
delivered is intended for operation in the specified EME, and that the requirements for personnel
qualifications, restrictions and information on performance decrease are not concealed or distorted.
Procedures, documentation and verification. System safety planning. Before formally
documenting the system approach to safety, the program manager, together with the system
design engineers and other experts involved in safety provision, should define what system safety
effort is necessary to execute the program and meet the regulatory requirements. This effort
is built around the requirements, which involve a project layout that ensures safety provisions,
competence of the personnel engaged in this process, requirements to execute safety tasks through
all levels of management, and resource distribution that guarantees completion of the safety missions.
Provision of functional safety should be planned taking into account the technical tasks needed to
establish:
1. Specific safety requirements based on the requirements for system operation in the specified
conditions.
2. System requirements, functions and interaction procedures with the governmental and contract
organizations involved in the project.
3. A safety assurance plan specifying its integration with the system strategic program for
development and production.
4. Control and reporting of the program execution.
5. An acceptable level of failure, probability of failure and severity thresholds.
6. Approaches and methodology to provide safety in critical applications, requirements for service
and modernization, and management of the acquisition of hazardous materials.
7. Requirements for the final documentation regarding the value of the residual risk and for informing
end users about it.
Safety requirements. Safety is defined by the risk levels which are acceptable for the system.
Acceptable risk levels can be specified as categories. Quantitative requirements are usually
described as the frequency of an event causing the damage. A quantitative method to define
overall safety is described in [9, 26].
Requirements management. The team of developers, including system designers, design
engineers and experts on EMC and safety, establishes the specific requirements for the overall safety of
the system project. The purpose of the safety requirements of the project is to achieve an acceptable risk
of damage through regular use of design guidelines, standard documentation, specifications, instructions,
checklists and other documents of technical norms and references. Thus it is considered reasonable
to undertake the following actions:
• To eliminate technical solutions leading to potential danger and reduce the risks arising from them.
When applying potentially hazardous materials, it is necessary to select the materials which pose
the least threat throughout their life cycle;
• To isolate hazardous substances, components and operations from the personnel and from
incompatible materials;
• To install the equipment in such a way that access to it during operation, service, repair or
adjustment does not reduce the protection of personnel from hazards (for example, dangerous
substances, high voltage, electromagnetic radiation, etc.);
• To install power supplies, control facilities and critical components separated from each other, or
to shield them;
• To consider safety devices which minimize the risk of damage (for example, interlocks,
redundancy, system protection, etc.) for hazards that cannot be eliminated. These
devices should be examined at regular intervals;
• To provide warning signals which minimize the probability of a wrong reaction by the personnel;
they are standardized to conform to the requirements of systems of the same type;
• To provide warnings and cautionary notes in the guidelines for installation, operation and service
commands, including distinctive marks on hazardous components, equipment and devices, to
ensure personnel and equipment protection when no additional measures can eliminate a hazard.
However, these warnings, cautions or other written information should not be considered the
only tool for minimizing the risk of catastrophic or critical threats;
• To establish and apply qualification tests for the personnel, as safety requires high professional
skills in critical situations;
• To consider all modifications of the project, system or operating conditions within the safety
framework.
Unacceptable conditions. The following critical safety conditions are considered unacceptable
in system engineering. Positive actions are necessary to reduce the risks arising from these situations
and bring them to an acceptable level.
1. A single failure, a personnel error or a certain feature of the design can cause catastrophic or
critical damage.
2. Two independent failures, two independent personnel errors, or a combination of a failure
and a human error related to the critical command and control functions can cause
catastrophic or critical damage.
3. Hazardous electromagnetic effects or energy are present while adequate protection measures for systems,
subsystems, equipment and personnel have not been taken.
4. Categories of hazards which are defined as unacceptable in the project technical documentation.
Acceptable conditions. The following system design approaches are considered able to
prevent the occurrence of unacceptable conditions:
1. The critical command and control functions of safety provision require two or more
independent failures, two or more independent human errors, or a combination of an
independent failure and a human error before a hazardous state is reached.
2. The critical command and control functions of safety provision require at least three
independent failures, or three independent human errors, or a combination of three independent
failures and human errors before a hazardous state is reached.
3. It is necessary to foresee measures to prevent errors in assembly, installation or connection which
can lead to safety violations.
4. It is important to apply measures which prevent the propagation of damage from one component to
another, or prevent the propagation of energy sufficient to cause failure.
5. Safety factors and limits minimizing the probability of failure are to be maintained.
6. Systems controlling the build-up of energy that could cause damage are provided (for example, fuses,
auxiliary valves, etc.).
7. Designing systems which permit temporary failures, after which operation can be resumed
with reduced, but acceptable, safety integrity.
8. Designing systems which enable the personnel to respond to an emergency in case of a
hazard; the design should take into account the operators’ reaction.
9. Designing systems in which the use of hazardous materials is either limited or controlled.
Elements of the effective system approach. Elements of the effective system safety approach
include the following:
1. The developer is always aware of the risks related to the system, and officially records his
awareness. System-related hazards are identified, evaluated, tracked, examined and the related
risks are either eliminated or minimized to an acceptable level throughout the full life cycle. It is
necessary to identify and record the actions undertaken to eliminate and reduce risks, so the
records can be reviewed and examined subsequently.
2. It is necessary to study best practices in safety system design.
3. Environmental protection, safety and occupational health conforming to the technical requirements
are addressed in the design in the most efficient way. Special safety features are included at
certain stages of the system life cycle.
4. Risks arising from exposure to a hazardous environment (for example, electromagnetic effects,
temperature, pressure, toxicity, acceleration and vibration) and from human errors are minimized.
5. The systems’ users are involved in system safety assurance.
The documentation should provide for the execution of guidelines and procedures, the instructions
for actions and their clear results. If an action is not properly recorded, its execution cannot be
demonstrated in court. This may pose a serious problem for any organization which is subject to control in the sphere of
safety assurance.
Hazards Identification
Today numerous approaches have been developed and applied for identification of system
hazards. The key aspect of many of these approaches is to identify hazards for the further
management of development and support of safety maintenance programs related to the project [11].
Risk assessment. It is necessary to evaluate the severity and the probability of the
damage related to every identified threat, i.e. to define the potential impact on the personnel, technical
facilities, equipment, fuel, executed operations or environment. In order to assess risk, other factors,
for example, the number of people exposed to a health hazard, can be analyzed.
Categories of consequences. Categories of damage consequences are defined to
evaluate the quantitative measure of the most reasonable potential damage which arises from
personnel errors, exposure to the environment, design errors, procedural discrepancies and
operational system and subsystem errors. The accepted categories are given in Table 1. The cost
shown in this table should be established depending on the size of the system and should reflect the
aspect of tangible damage.
Adaptation of the described categories to the specific program is provided by the interaction
between the developers regarding the definition of the terms used for the categories. Other methods
of risk evaluation can be applied provided that the user approves them.
Probability of a dangerous event. The probability of a dangerous event is the probability that
the event will occur during the system’s projected service life. A quantitative evaluation of the
probability of an event for the project is unavailable at early project stages. A qualitative evaluation
of the probability of a dangerous event can be obtained from research findings, analysis and
evaluation of the historical safety data of similar systems. Qualitative levels of the probability of a
dangerous event are presented in Table 2.
Table 1. Categories of consequences of damage

Description of consequences | Category | Damage to personnel and environment
Catastrophic | I | Causes death or permanent full disablement, loss exceeding $1M, or irreversible severe environmental damage which violates legislation
Critical | II | Causes permanent partial disablement, injury or occupational illness with hospitalization of at least three people, loss from $200K to $1M, or reversible environmental damage which violates legislation
Boundary | III | Causes injury or occupational illness with 1 or more days on sick leave, loss from $10K to $200K, or insignificant reversible environmental damage without violation of legislation
Insignificant | IV | Causes injury or illness without disability, loss of $2K-$10K, or minor environmental damage without violation of legislation

Note: M = one million, K = one thousand.
Table 2. Levels of hazard probability

Description | Level | Characteristics | Frequency of occurrence
Frequent | A | Occurs often in an element life, with a probability of more than 10^-1 during a life | Continuously
Probable | B | Occurs several times during an element life, with a probability lower than 10^-1 and higher than 10^-2 | Frequently
Casual | C | Occurs several times during an element life, with a probability lower than 10^-2 and higher than 10^-3 | Sometimes
Rare | D | Improbable, but may occur during an element life, with a probability lower than 10^-3 and higher than 10^-6 | Hardly ever, but may occur
Improbable | E | So improbable that it can be assumed not to occur at all, with a probability lower than 10^-6 during a life | Unlikely to occur, with the slightest possibility
Hazard risk assessment. Classification of hazards, their consequences and probabilities can
be carried out with a risk estimation matrix. This matrix assigns a risk estimation value depending
on the degree of hazard, based on its consequences and probability. This value is often used for
ranking various hazards with regard to the related risks. An example of a risk estimation matrix is
shown in Table 3.
Table 3. Example of risk classification by frequency of accidents (rows: frequency; columns: consequences)

Frequency | Catastrophic | Important | Boundary | Insignificant
Frequent | 1 | 3 | 7 | 13
Probable | 2 | 5 | 9 | 16
Occasional | 4 | 6 | 11 | 18
Remote | 8 | 10 | 14 | 19
Improbable | 12 | 15 | 17 | 20
Categories of hazards. Values of estimated risks are often used for grouping single hazards
into categories which are used for generating specific actions, such as preventive measures or formal
acceptance of risks. Table 4 shows examples of risk categories and the related estimated values. The
values 1-5 correspond to "high" risks, and the values 6-9 correspond to "serious" risks.
Table 4. Risk categories

Class of risks | Risk estimation | Risk category | Interpretation
Class I | 1-5 | High | Unacceptable risk
Class II | 6-9 | Serious | Undesirable risk; can be acceptable only if the risk cannot be minimized or if the minimization costs are essentially disproportionate to the achievable result
Class III | 10-17 | Average | Risk can be acceptable if the minimization costs exceed the achievable benefit
Class IV | 18-20 | Low | Insignificant risk
The risk assessment can be executed as required, using other factors to distinguish the
hazards with identical risk estimation values. It would be possible to distinguish hazards with the
same value of risk estimation in terms of the system availability or factors of social, economic and
political consequences. In this case it is necessary to consult with experts concerning prioritizing
solutions when developing and maintaining safety programs.
Hazards should be prioritized so that corrective efforts are first focused on the most severe
ones. Classification of hazards can be carried out according to their potential risk.
The final goal of the safety program is to design hazard-free systems. However, the nature of
the majority of complex systems either does not allow their hazard-free design or makes it
economically unacceptable. Nevertheless, a successful safety assurance program makes it possible to
develop systems free from hazards posing an unacceptable risk level.
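The classification and prioritization procedure described above (Table 2 probability levels, the Table 3 matrix and the Table 4 classes, followed by ranking) is implemented below as an added example; it is not code from the paper or from any standard. It assumes that a per-life probability estimate is available for each hazard, that an exact threshold value (for example 10^-1) is assigned to the more likely level, and that the sample hazard register is constructed for illustration only.

```python
from dataclasses import dataclass

SEVERITY_CATEGORIES = ("I", "II", "III", "IV")   # Table 1: Catastrophic .. Insignificant
PROBABILITY_LEVELS = ("A", "B", "C", "D", "E")   # Table 2: Frequent .. Improbable

# Table 3: risk estimation value, indexed by probability level (row) and
# severity category (column). A lower value means a higher risk.
RISK_MATRIX = {
    "A": (1, 3, 7, 13),
    "B": (2, 5, 9, 16),
    "C": (4, 6, 11, 18),
    "D": (8, 10, 14, 19),
    "E": (12, 15, 17, 20),
}

# Table 4: (lowest value, highest value, class, category, interpretation).
RISK_CLASSES = (
    (1, 5, "Class I", "High", "Unacceptable risk"),
    (6, 9, "Class II", "Serious",
     "Undesirable; acceptable only if the risk cannot be minimized or the costs are disproportionate"),
    (10, 17, "Class III", "Average", "Acceptable if minimization costs exceed the achievable benefit"),
    (18, 20, "Class IV", "Low", "Insignificant risk"),
)


def probability_level(p_per_life: float) -> str:
    """Map a per-life probability of the hazardous event to its Table 2 level.

    Table 2 uses open intervals; putting an exact boundary value (e.g. 0.1) into
    the more likely level is an assumption made here (the conservative choice).
    """
    if not 0.0 <= p_per_life <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {p_per_life!r}")
    if p_per_life >= 1e-1:
        return "A"
    if p_per_life >= 1e-2:
        return "B"
    if p_per_life >= 1e-3:
        return "C"
    if p_per_life >= 1e-6:
        return "D"
    return "E"


def risk_value(level: str, severity: str) -> int:
    """Table 3 lookup: the ranking value (1 = worst) for a level/severity pair."""
    if level not in RISK_MATRIX:
        raise ValueError(f"unknown probability level {level!r}")
    if severity not in SEVERITY_CATEGORIES:
        raise ValueError(f"unknown severity category {severity!r}")
    return RISK_MATRIX[level][SEVERITY_CATEGORIES.index(severity)]


def risk_class(value: int) -> tuple:
    """Table 4 lookup: (class, category, interpretation) for a risk estimation value."""
    for low, high, cls, category, interpretation in RISK_CLASSES:
        if low <= value <= high:
            return cls, category, interpretation
    raise ValueError(f"risk value {value} is outside 1..20")


@dataclass
class Hazard:
    name: str
    severity: str        # Table 1 category
    p_per_life: float    # estimated probability over the projected service life


@dataclass
class Assessment:
    hazard: Hazard
    level: str
    value: int
    risk_class: str
    category: str


def assess_hazards(hazards: list) -> list:
    """Classify every hazard and order the register so the most severe risks come first."""
    results = []
    for h in hazards:
        level = probability_level(h.p_per_life)
        value = risk_value(level, h.severity)
        cls, category, _ = risk_class(value)
        results.append(Assessment(h, level, value, cls, category))
    results.sort(key=lambda a: a.value)   # ascending value = descending risk
    return results


# Constructed sample hazard register (illustrative values, not from the paper).
SAMPLE_HAZARDS = [
    Hazard("Spurious trip of a safety relay under conducted RF interference", "II", 0.03),
    Hazard("Latch-up of the control MCU after an ESD event on the console port", "I", 5e-4),
    Hazard("HMI display flicker near the inverter cabinet", "IV", 0.5),
    Hazard("Loss of telemetry during a lightning surge on the field bus", "III", 1e-7),
]

if __name__ == "__main__":
    for a in assess_hazards(SAMPLE_HAZARDS):
        print(f"{a.value:2d}  {a.risk_class:9s} {a.category:8s} "
              f"sev {a.hazard.severity:3s} lvl {a.level}  {a.hazard.name}")
```

Running the block prints the register worst-first: the relay trip (level B, category II) receives value 5 and lands in Class I, so by Table 4 it must be treated before the MCU latch-up (value 8, Class II), even though the latter has the more severe consequence category.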
Functional Safety and EMC Standards
It is widely believed that the application of equipment marked with a sign of conformity, for
example the «CE» sign of conformity to the European Directive on EMC 2004/108/EC [1],
ensures reliable functioning in the presence of electromagnetic interference. However, there are
reasons why this is not always correct, namely:
• EMC standards do not use the term "safety" in their text;
• EMC standards cover only average situations and do not mention reasonably foreseeable
maximum deviations of environmental parameters, operator errors, unpredictable operational
situations or inappropriate use, i.e. a number of essential functional safety factors are omitted;
• Almost all EMC standards, including those harmonized with the EMC Directive, either explicitly
or implicitly exclude consideration of safety aspects;
• The mentioned standards cover a limited number of possible electromagnetic interferences,
and this finite number also leaves a finite probability of incompatibility;
• Specifications, as a rule, give minimal requirements for EMC assurance and do not mention
safety issues; the institutions responsible for certification usually do not take
safety issues into consideration.
The Directive is mostly concerned with eliminating technical trade barriers within the EU
market, and cannot, due to its own limitations, deal appropriately with EMC-related functional safety
issues. It takes into consideration only normal operation and a typical electromagnetic environment. In
contrast, safety requirements consider reasonably foreseeable events of low probability, human
errors and misuse, overloads and extreme environmental conditions, including critical
electromagnetic effects.
Thus, conformity to the EMC Directive does not ensure the EMC of the equipment in real
life, nor risk-free operation without EMC violations.
The list of the US basic functional safety military standards is shown below.
• MIL-STD-882E, DEPARTMENT OF DEFENSE STANDARD PRACTICE: SYSTEM
SAFETY (11-MAY-2012).
• MIL-STD-1316E, DEPARTMENT OF DEFENSE DESIGN CRITERIA STANDARD: FUZE
DESIGN, SAFETY CRITERIA FOR (10 JUL 1998).
• MIL-STD-1466, MILITARY SPECIFICATION: SAFETY CRITERIA AND
QUALIFICATION REQUIREMENTS FOR PYROTECHNIC INITIATED EXPLOSIVE (PIE)
AMMUNITION (25 MAR 1983).
• MIL-HDBK-504, DEPARTMENT OF DEFENSE HANDBOOK: GUIDANCE ON SAFETY
CRITERIA FOR INITIATION SYSTEMS (10 FEB 2004).
• MIL-HDBK-764, MILITARY HANDBOOK: SYSTEM SAFETY ENGINEERING DESIGN
GUIDE FOR ARMY MATERIEL (12 JAN 1990).
The personnel involved in maintaining EMC and functional safety should have the relevant
qualifications and possess a set of competencies and skills which cannot be divided between
separate workers. These experts should tackle the problem as a whole and coordinate their solutions
at every stage, starting from the design concept and finishing with the withdrawal of the equipment from
operation.
Conclusion
1. EMC-related functional safety is a complex interdisciplinary area of technical expertise and
practice for complex radio engineering and electronic systems which requires attention and
the development of methods and means of integrity assurance.
2. The electromagnetic environment and its electromagnetic effects are continuously becoming more
complex: the intensity of electromagnetic fields is rising and the frequency range is extending, thus
increasing the number of hazards caused by malfunctioning systems and equipment.
3. More advanced theoretical and practical methods of radio and electronic engineering are required
to provide functional safety integrity through the full system life cycle.
4. Testing methods, measurements and the experimental research base should correspond to the
actual electromagnetic effects which are reproduced in the research and certification of products
complying with the functional safety requirements.
5. Technical staff engaged in system and equipment engineering and operation should be aware of
functional safety and have expertise in all issues concerning the electromagnetic environment
and its impact on system operation. Competence of the personnel working with equipment
and systems during their full life cycle is the major factor in ensuring integral functional
safety.
References
1. Directive 2004/108/EC of the European Parliament and of the Council. 2004. 14 p.
2. Byrytin A., Balyk N., Kechiev L. Electomagnitnye effecty sredy i funcionalyinay bezopasnost
radielectronnykh system voorujenia. Technologii electromagnitnoi sovmestimosti. 2010. No. 1.
pp. 3-27.
3. Armstrong Keith. EMC-Related Functional Safety of Electronically Controlled Equipment.
Compliance Engineering, 2001. [Electronic resource]. www.ce-mag.com.
4. GOST R MJeK 61508-1-2007. Funkcional'naja bezopasnost' sistem jelektricheskih, jelektronnyh,
programmiruemyh jelektronnyh, svjazannyh s bezopasnost'ju. Chast' 1. Obshhie trebovanija. M.:
Standartinform, 2008. 50 p.
5. GOST R MJeK 61508-2-2007. Funkcional'naja bezopasnost' sistem jelektricheskih, jelektronnyh,
programmiruemyh jelektronnyh, svjazannyh s bezopasnost'ju. Chast' 2. Trebovanija k sistemam.
M.: Standartinform, 2008. 22 p.
6. GOST R MJeK 61508-3-2007. Funkcional'naja bezopasnost' sistem jelektricheskih, jelektronnyh,
programmiruemyh jelektronnyh, svjazannyh s bezopasnost'ju. Chast' 3. Trebovanija k
programmnomu obespecheniju. M.: Standartinform, 2008. 42 p.
7. GOST R MJeK 61508-4-2007. Funkcional'naja bezopasnost' sistem jelektricheskih, jelektronnyh,
programmiruemyh jelektronnyh, svjazannyh s bezopasnost'ju. Chast' 4. Terminy i opredelenija. M.:
Standartinform, 2008. 22 p.
8. GOST R MJeK 61508-5-2007. Funkcional'naja bezopasnost' sistem jelektricheskih, jelektronnyh,
programmiruemyh jelektronnyh, svjazannyh s bezopasnost'ju. Chast' 5. Rekomendacii po
primeneniju metodov opredelenija urovnej polnoty bezopasnosti. M.: Standartinform, 2008. 27 p.
9. GOST R MJeK 61508-6-2007. Funkcional'naja bezopasnost' sistem jelektricheskih, jelektronnyh,
programmiruemyh jelektronnyh, svjazannyh s bezopasnost'ju. Chast' 6. Rekomendacii po
primeneniju GOST R MJeK 61508-2 i GOST R MJeK 61508-3. M.: Standartinform, 2008. 22 p.
10. GOST R MJeK 61508-7-2007. Funkcional'naja bezopasnost' sistem jelektricheskih, jelektronnyh,
programmiruemyh jelektronnyh, svjazannyh s bezopasnost'ju. Chast' 7. Metody i sredstva. M.:
Standartinform, 2008. 73 p.
11. MIL-STD-882D, DoD Standard Practice for System Safety. 2000. 31 p.
12. MIL-HDBK-240, DoD Handbook. Hazards of Electromagnetic Radiation to Ordnance (HERO)
Test Guide. 2002. 121 p.
13. MIL-HDBK-764(MI), Military Handbook. System Safety Engineering Design Guide
for Army Materiel. 1990. 346 p.
14. MIL-HDBK-237D, DoD Handbook. Electromagnetic Environmental Effects and Spectrum
Supportability Guidance for the Acquisition Process. 2005. 172 p.
15. Electromagnetic Compatibility & Functional Safety. A Factfile provided by The Institution of
Engineering and Technology, 2006. 69 p.
16. E3 and SM Assessment Guide for Operational Testing. Director, Operational Test & Evaluation,
2001. 86 p.
17. MIL-HDBK-235-1B, Military Handbook. Electromagnetic (Radiated) Environment Considerations
for Design and Procurement of Electrical and Electronic Equipment, Subsystems and Systems.
General Guidance. 1993. 36 p.
18. Gazizov T.R. Prednamerennye jelektromagnitnye pomehi i avionika. Uspehi sovremennoj
radiojelektroniki. 2004. No. 2. pp. 37-51.
19. Baljuk N.V., Kechiev L.N., Stepanov P.V. Moshhnyj jelektromagnitnyj impul's: vozdejstvie na
jelektronnye sredstva i metody zashhity. M.: OOO «Gruppa IDT», 2008. 478 p.
20. MJeK 61000-5-3. Jelektromagnitnaja sovmestimost' (JeMS). "Ustojchivost' k jelektromagnitnomu
impul'su vysotnogo jadernogo vzryva (JeMI VJaV). Koncepcija (klassy) zashhity oborudovanija",
1999.
21. Kravchenko V.I., Bolotov E.A., Latunova N.I. Radiojelektronnye sredstva i moshhnye
jelektromagnitnye pomehi. M.: Radio i svjaz', 1987. 256 p.
22. Kravchenko V.I. Grozozashhita radiojelektronnyh sredstv. Spravochnik. M.: Radio i svjaz', 1991.
264 p.
23. MIL-STD-461F, Department of Defense Interface Standard. Requirements for the Control of
Electromagnetic Interference Characteristics of Subsystems and Equipment (10 Dec 2007). 269 p.
24. MIL-STD-464A, Military Standard. Electromagnetic Environmental Effects. Requirements for
Systems (19 Dec 2002). 116 p.
25. Uil'jams T. JeMS dlja razrabotchikov produkcii. M.: Izdatel'skij Dom «Tehnologii», 2003. 540 p.
26. Smit D.Dzh., Simpson K.Dzh.L. Funkcional'naja bezopasnost'. Prostoe rukovodstvo po primeneniju
standarta MJeK 61508 i svjazannyh s nim standartov. M.: Izdatel'skij Dom «Tehnologii», 2004. 208 p.
Author:
Kechiev Leonid, Higher School of Economics (Moscow, Russia). Department of electronic
engineering, professor, [email protected]
Any opinions or claims contained in this Working Paper do not necessarily reflect the
views of National Research University Higher School of Economics.
Kechiev, 2015