Published on February 14, 2014
Controlling Automobile Safety Risks Caused by EMI: a case study to introduce “EMC for Functional Safety”, by Harshit Srivastava and Rahul Sinha
EMC for functional safety is rapidly becoming very important indeed, as electronic control spreads throughout all applications
• So it is the focus of several new and modified IEC safety standards:
• IEC TS 61000-1-2 (basic standard, EMC for functional safety)
• Draft IEC 61000-6-7 (generic standard, EMC for functional safety)
• IEC 60601-1-2 draft ed. 4 (medical EMC)
Why can no-one prove SUA by testing?
• Example: NHTSA has had up to 3,000 SUA complaints in one year.
• Assuming 30 million vehicles on the road, that is a rate of 1 in 10,000 per vehicle per year...
• Assuming an average drive of 1 hr/day, 6 days/week, gives us one SUA per 3,120,000 hours of driving.
• To detect one SUA in just one model would require testing 36 vehicles, 24/7, for 10 years, or driving a single vehicle about 200 million miles!
Background
• Sudden unintended acceleration (SUA) has been a problem for all automakers since the early 1980s...
• Starting with the first vehicles with automatic gearboxes that were also fitted with electronic cruise control...
• A malfunctioning cruise control can take over throttle control from the driver, possibly creating “WOT” (wide open throttle).
• But automakers and NHTSA have always blamed SUA on driver “pedal error”...
• Or sticky pedals.
Background continued...
• Electronic malfunctions...
• A major part of the development time of a new product can be ensuring that it doesn’t do what it shouldn’t!
• Since SUA only afflicts vehicles with auto boxes and cruise control (or electronic throttle control)...
• And incidence has increased 400% on a given model when its manual throttle was replaced by “e-throttle”...
• The cause of most SUAs is electronic malfunctions, and EMI can be a factor.
What in the electronics could cause SUA?
• Misoperation or faults in electronics, specifically...
• Sensors (gas pedal position, throttle valve position)...
• Microprocessors and their memories (in the ECC)...
• Software (in the ECC)...
• Data communications (CAN bus, LIN bus, etc.)... e.g. even though e-throttle systems don’t use data buses for their throttle control signals, the CAN bus connects to the ECC, and errors on it can cause software protocol failures that ‘ripple through’, affecting everything in the ECC...
• Actuators and their drivers (the throttle valve motor and its drive circuits)
What can cause electronics to suffer errors or malfunctions?
• Unwanted electrical noise, known as EMI (electromagnetic interference)
• Mistakes (“bugs”) in the software program
• Intermittent electrical connections
• Incorrect interaction between system components
• Incorrect assembly, bad components, faults, ionizing radiation, etc.
Balance of probabilities continued...
• The likely cause(s) has (have) to be decided on the balance of probabilities, which requires a comprehensive risk assessment that takes everything into account...
• But of course there are other possibilities, including:
- incorrect assembly,
- “bad batches” of components,
- faults (including intermittents),
- software glitches,
- tin whiskers,
- ionizing radiation,
- and chance combinations of any/all of the above
Safety standards and independent assessments
• Aviation and rail vehicles must comply with tough, peer-reviewed, public functional safety standards derived from IEC 61508, e.g. ... and no vehicle is supplied to an end-user until “signed off” by an ISA (independent safety assessor).
• Although cars expose many more people to risks of injury and death each year, automakers do not meet public functional safety standards, or have vehicles independently assessed.
Software “bugs”
• A software program is a series of written instructions (lines of “code”) for a digital computer (e.g. a microprocessor) to follow... The lines of code tell the computer how to read the input signals from sensors (e.g. pedal position sensor, throttle valve position sensor)... and how to respond by sending control signals to actuators (e.g. the throttle valve motor)...
• The software program must be designed to ensure the safe behaviour of the complete vehicle as a system. A typical modern car has 20+ million lines of lower-quality code than the space shuttle, so we should expect at least two thousand latent bugs in every car!!!
• Many auto recalls are now for software reprogramming.
Case study on Toyota
• According to the NHTSA, the initial problem resulted when the accelerator pedal was depressed to, or almost to, the floor during sudden acceleration.
• It can become trapped in the fully open position by an out-of-position floor mat.
• The problem was later identified as a possible mechanical sticking of the accelerator pedal.
• As of February 2011, approximately 14 million cars worldwide have been involved in these recalls.
Electronic throttle control, “e-throttle”
• Cables carry signals between modules (diagram labels: engine control computer, “ECC”; throttle valve motor and position sensors; gas pedal sensors)
Example of an e-throttle gas pedal (photo labels: plug for the single unshielded wire bundle that carries both sensor signals to the ECC; plain plastic body, unshielded against EMI; the dual sensor assembly is inside here)
The sensor PCB in the gas pedal (photo labels: the single unshielded wire bundle that carries both sensor signals to the ECC plugs in here; Hall-effect sensors in one package)
Recommendations by NHTSA
• Brake override systems
• Standardized operation of keyless ignition systems
• Data recorders in all passenger vehicles
• Research on reliability & security of electronic control systems
• Research on placement & design of accelerator & brake pedals and driver usage of these pedals
Solution they tried to provide
• Toyota’s remedies:
• Accelerator pedal reconfigured by the dealers to shorten it
• Development of replacement pedals for the vehicles (available for some models in April 2010)
• Owners who chose to have their pedals reconfigured would be offered the replacement pedal when it became available
• Providing all-weather floor mats
• Installation of a brake override system on certain models – enabling the car to stop if both the brake and the accelerator were pushed simultaneously
Electromagnetic interference (EMI)
• The physical laws that govern all electrical/electronic power, signals, radio-wave propagation, infra-red and light are Maxwell’s equations, the same laws that govern EMI!
• So all applications of electricity and electronic power and signals create and suffer from EMI...
• EMI is inherent, inevitable and unavoidable in all electronics, including software, which runs on hardware...
• No exceptions are possible in this universe, ever.
One of GM’s EMC test chambers, in 2008
EMI continued...
• EMC tests aren’t done with foreseeable faults simulated (e.g. failed EMI filter, failed surge protector) to verify the safety back-up or failsafe measures... and tests do not simulate real-world conditions, e.g. anechoic test chambers only test with radio waves coming from a few fixed directions...
• But in real life they will come from any/all directions, some of which will most probably have a worse effect...
• And no practical amount of testing can ever be sufficient anyway, given the huge number of possible test combinations required...
SILs (“Safety Integrity Level”, from IEC 61508) and EMC testing
• If we assume that an affordable EMC immunity test plan covers up to 90% of real-life exposure to EMI over the anticipated lifetime... it surely can’t be more than this!
• Then the EMC testing barely reaches the minimum level to achieve SIL (90 to 99%)... So we need to do 10 times more testing to reduce the risks from EMI for SIL...
• And 10,000 times more testing work for SIL level 4...
• Clearly unaffordable, impractical.
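The “one SUA per 3,120,000 hours” arithmetic and the SIL coverage argument above, carried through as an added example (this is not code from the slides or their authors). It goes one step beyond the slide by asking how many hours are needed to see an event with a chosen confidence rather than just “one expected event”; the Poisson model, the 95% confidence level and the inclusive reading of the IEC 61508 PFD band edges are this example’s assumptions.

```python
import math

# Figures quoted on the SUA slide (taken from the slide text, not measured here).
COMPLAINTS_PER_YEAR = 3_000
FLEET_SIZE = 30_000_000
HOURS_PER_VEHICLE_YEAR = 1 * 6 * 52  # 1 h/day, 6 days/week

# IEC 61508 low-demand SIL bands as (lowest, highest) probability of failure on
# demand; as on the slide, the untested share of EMI exposure is treated like it.
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

def sua_rate_per_hour(complaints=COMPLAINTS_PER_YEAR, fleet=FLEET_SIZE,
                      hours_per_year=HOURS_PER_VEHICLE_YEAR):
    """SUA events per vehicle-hour of driving (1 per 3,120,000 h on the slide)."""
    return (complaints / fleet) / hours_per_year

def mean_hours_between_events(rate_per_hour):
    return 1.0 / rate_per_hour

def hours_to_observe(rate_per_hour, confidence=0.95):
    """Driving hours needed before at least one event is seen with probability
    `confidence`, modelling events as a Poisson process (assumption):
    P(none in T) = exp(-rate*T), so T = -ln(1-confidence)/rate.
    The slide's 'one expected event' corresponds to confidence 1-1/e, ~63%."""
    return -math.log(1.0 - confidence) / rate_per_hour

def fleet_years_24x7(hours, vehicles):
    """Calendar years needed to accumulate `hours` with `vehicles` running 24/7."""
    return hours / (vehicles * 24 * 365)

def sil_for_coverage(coverage):
    """Highest SIL band whose PFD range contains the untested share 1-coverage
    (band edges taken inclusively, matching the slide's 'barely reaches');
    0 when even SIL 1 is missed."""
    residual = round(1.0 - coverage, 12)  # round away float noise like 0.0999...
    for sil in (4, 3, 2, 1):
        low, high = SIL_BANDS[sil]
        if low <= residual <= high:
            return sil
    return 0

def extra_test_factor(coverage, target_sil):
    """How many times more exposure the test plan must cover to bring the
    untested share down to the safe (lowest-PFD) end of the target SIL band;
    from 90% coverage this gives the slide's 10,000x for SIL 4."""
    residual = round(1.0 - coverage, 12)
    return round(residual / SIL_BANDS[target_sil][0], 6)
```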
What should be done?
• This ‘reliability-proving’ problem faced the software industry, who solved it during the 1990s (resulting in IEC 61508-3).
• We need to use the same basic methods...
• The use of proven EMC design techniques...
• Plus a range of verification/validation methods, e.g. checklists, reviews, assessments, audits, validated computer modeling, etc...
• Plus EMC immunity testing designed case-by-case to improve confidence for certain issues... (The EMC aspects are all described in the IET’s 2008 guide.)
Thank you. “Electromagnetic interference leaves no trace; it goes away just as it came.”