A t bil S ddAutomobile Sudden Acceleration:...

A t bil S ddAutomobile Sudden Acceleration:Acceleration:

Controlling the FunctionalControlling the Functional Safety Risks caused by EMISafety Risks caused by EMI

Eur Ing Keith Armstrong CEng FIET SMIEEE ACGI

© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

g g gphone & fax: +44 (0)1785 660 247

[email protected] www.cherryclough.com

Acknowledgements

Dr Brian Kirk and Dr Antony Anderson helped y pcreate the part of the following material...

that was presented at a Press Conference held in the– that was presented at a Press Conference held in the National Press Centre, Washington DC on March 23, 20102010...

and also used to brief NHTSA and various congressional committees on nearby datescommittees on nearby dates

NOTE: NOTE: I am not going to mention any specific N EN E g g y pautomakers in this presentation...

d l I t b d d i© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

– and any examples I use must be regarded as generic, and not specific to any automaker

What do we mean by “Sudden UnintendedSudden Unintended Acceleration” (SUA) ?

When the motor car’s engine begins to roar at high revsrevs…– without the driver’s command

(e.g. without pressing that hard on the gas pedal)...

– taking the driver by surprise– taking the driver by surprise…

– and making it more difficult to control the vehicle

We have to be careful with definitions…


– because some define this (or similar) terms differently

BackgroundBackgroundSUA has been a problem for all automakers since the early 1980s...

starting with the first vehicles with automatic gearboxes– starting with the first vehicles with automatic gearboxes that were also fitted with electronic cruise control...

lf ti i i t l t k th ttla malfunctioning cruise control can take over throttle control from the driver, possibly creating “WOT” (Wide Open Throttle)(Wide Open Throttle)

But automakers and the US Government's National Highway Transportation Agency (NHTSA) have always blamed SUA on driver "pedal error“...

© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010– or on “floormat entrapment”, or “sticky pedals”

Background continuedBackground continued...

As an electronic engineer with 40 years experienceAs an electronic engineer with 40 years experience, I am used to dealing with electronic malfunctions....– a major part of the development time of a new product

can be insuring that it doesn’t do what it shouldn’t!

Since SUA only afflicts vehicles with auto boxes and cruise control (or electronic throttle control)and cruise control (or electronic throttle control)....– and incidence has increased 400% on a given model

when its manual throttle was replaced by “e-throttle”...

– it seems very obvious to me that the cause of most SUAs


– it seems very obvious to me that the cause of most SUAs is electronic malfunctions, and that EMI can be a factor

Throttle valve motorElectronic throttle Throttle valve motor and position sensors

Engine control

control “e-throttle”(graphics: courtesy of USA Today) Engine control

computer, “ECC”

Cables carry signals

(graphics: courtesy of USA Today)

Gas pedal sensorsCables carry signals

between modules


Stephen Stock’s* graph of NHTSA’s SUA complaints versus automaker: March 17, 2010 p ,

* Stephen is an investigative reporter for CBS TV, Miami, Florida, [email protected]

The apparent “tailing off” of complaints poutside this range

is an artefact caused by how NHTSA collect

and record the dataand record the data


Background continuedBackground continued...

I will compare the claims for “electronic safety”I will compare the claims for electronic safety made by NHTSA and automakers...

ith h t d i d f f t– with what we as designers and assessors of safety-related systems would consider necessary...

when electronic malfunctions could increase safety risks

I will include reasons why we can’t rely upon motorI will include reasons why we can’t rely upon motor vehicle event data recorders (so-called 'black boxes')...

– why EMC testing alone cannot prove safe design...

and include recent test data showing that EMI can cause© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

– and include recent test data showing that EMI can cause a car engine to race, without triggering any fault codes

Balance of probabilitiesAutomakers/NHTSA say that nobody has been able to prove that an SUA was caused by electronicsto prove that an SUA was caused by electronics...– using the “absence of proof = proof of absence” g p p

argument that is in fact a logical fallacy [1]this argument is only used by people who are poorlythis argument is only used by people who are poorly educated – or are hoping that their audience is

BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:– automakers can’t prove SUAs are caused by ‘pedal error’automakers can t prove SUAs are caused by pedal error

either, because it leaves no trace...

d th l i t t f i id t h SUA© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

– and they can only point to a few incidents where SUA was clearly caused by the floormat or a sticky pedal

Balance of probabilities continuedBalance of probabilities continued...

The likely cause(s) has (have) to be decided y ( ) ( )on the balance of probabilities...

which requires a comprehensive risk assessment– which requires a comprehensive risk assessment that takes everything into account...

i lit i EMI I’ll i l f th tmy speciality is EMI so I’ll mainly focus on that, but of course there are other possibilities, including: - incorrect assembly- incorrect assembly, - “bad batches” of components, - faults (including intermittents), - software glitches, - tin whiskers,

i i i di ti


- ionizing radiation, - and chance combinations of any/all of the above

Why electronics is the most ylikely cause of SUA

The experiences of the drivers and passengers who suffer an SUA...

those who live to tell, that is...

– and the witnesses to the accidents...

– is consistent with what the entire electronics industryis consistent with what the entire electronics industry worldwide has known for decades...

b t h l t i i b h d lf ti– about how electronics can misbehave and malfunction


What in the electronics could cause SUA?Misoperation or faults in electronics, specifically...– Sensors (gas pedal position, throttle valve position)...

Microprocessors and their memories (in the ECC)– Microprocessors and their memories (in the ECC)...

– Software (in the ECC)...( )

– Data communications (CANbus, LINbus, etc.)...e.g. even though e-throttle systems don’t use data buses for their throttle control signals, CANbus connects to the ECC and errors in it can cause software protocol failuresECC and errors in it can cause software protocol failures that can ‘ripple through’, affecting everything in the ECC...


– Actuators and their drivers (the throttle valve motor and its drive circuits)

What can cause electronics to ff lf i ?suffer errors or malfunctions?

Unwanted electrical noise– known as EMI (ElectroMagnetic Interference)– known as EMI (ElectroMagnetic Interference)

Mistakes (“bugs”) in the software programMistakes ( bugs ) in the software program

Intermittent electrical connections

Incorrect interaction between system components

Incorrect assembly, bad components, faults, ionizing radiation etc


ionizing radiation, etc.

Redundant Systemsy

Automakers claim that with their “redundant systems”, no dangerous malfunctions can occur...

BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:– most (all?) of these systems are only partiallymost (all?) of these systems are only partially

redundant, because they use identical technologies...

th h l t t i t d h d f lt– so they help protect against random hardware faults...

– but not against systematic errors or malfunctions in but ot aga st syste at c e o s o a u ct o shardware or software (see IEC 61508 [2])...

sometimes called “common-cause”


sometimes called common cause or “common-mode” failures

Example of an e throttle gas pedalExample of an e-throttle gas pedal

Plug for the single unshielded wire

bundle that carries Plain plastic bodybundle that carries both sensor

signals to the ECC

Plain plastic body (unshielded against EMI)

© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010The dual sensor assembly is inside here

The sensor PCB in the gas pedalTwo identical

Hall-effectThe single unshielded wire bundle Hall-effect sensors

in one packagethat carries both sensor signals

to the ECC plugs in here


Each Hall sensor is a complex electronic d i ith di it l t l f ll tdevice, with digital control of all parameters


This example is the MLX90277 Dual Programmable Linear Hall Effect Sensor

But we have known since the early 1990s that “diverse technology”1990s that “diverse technology”

is required in redundant systems...– for them to be effective in reducing safety risks...

for the hardware (e.g. sensors, microprocessors), and for the software...

– otherwise errors, misoperations or malfunctions caused for example by EMI can have the same effect on each system [2]...

– in which case the functional safety risks are identical to– in which case the functional safety risks are identical to having just one system...

the redundancy has not controlled the functional safety


the redundancy has not controlled the functional safety risks caused, for example, by EMI

Software “Bugs”g

Some automakers have recently claimed that their ysoftware is “bug-free”

BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:

Carnegie Mellon University says the highest qualityCarnegie Mellon University says the highest-quality code (e.g. Space Shuttle) has about 1 latent bug per ten thousand lines of code [3]per ten thousand lines of code [3]...– a typical modern car has 20+ million lines, of lower y

quality code than the Space Shuttle, so we should expect at least two thousand latent bugs in every car !!!


many auto recalls are now for software reprogramming

Software “bugs” continued...

A software program is a series of written p ginstructions (lines of “code”) for a digital computer (e.g. a microprocessor) to follow...– the lines of code tell the computer how to read

the input signals from sensors (e g pedal positionthe input signals from sensors (e.g. pedal position sensor, throttle valve position sensor)...

– and how to respond by sending control signals to actuators (e.g. the throttle valve motor)...

– the software program must be designed to ensure the safe behaviour of the complete vehicle as a system


p y


A modern vehicle can have more than 100 million lines of code [4]...

running on 70+ microprocessors around the vehicle– running on 70+ microprocessors around the vehicle, e.g. for the A/C, windows, seats, ABS, engine, etc.

The F-35 Joint Strike Fighter has 15.7 million lines...ll d i d i t i t f t d– all designed using a stringent safety process governed

by public standards...

– and rigorously and independently verified to deal with normal and abnormal operational situations



Specifying/writing software are very complex tasks p y g g y p(especially to ensure safety)...

But every software program contains bugs when it is first written...– so has to go through multiple stages of correction...

– but we can never be sure that all bugs have been found...

– and functional testing can never be sufficient to proveand functional testing can never be sufficient to prove software is safe enough (e.g. 1 in a million chance of death per year) – see later


(e g a o c a ce o deat pe yea ) see ate

Some quotations on software testingon software testing

“Computer systems lack continuous behaviour – Computer systems lack continuous behaviour so that, in general, a successful set of tests provides little or no information about how the system would little or no information about how the system would behave in circumstances that differ, even slightly, f th t t diti ” [5]from the test conditions.” [5]

– “Systems that contain software will usually be far too Systems that contain software will usually be far too complex for it to be practical to test them exhaustively ” [5]exhaustively. [5]

– “Testing shows the presence, not the absence of bugs”


g p g[6]

Some quotations on ft t tisoftware testing continued...

– “Our programs are often used in unanticipated ways and it is impossible to test even fairly small programs and it is impossible to test even fairly small programs in every way that they could possibly be used.” [7]

“Wi h i l f – “With current practices, large software systems are riddled with defects, and many of these defects c nn t b f und n b th m st xt nsi t stin ”cannot be found even by the most extensive testing.” [7]

– “Unfortunately, it is true that there is no way to prove that a software system is defect free.” [7]


Some quotations on software testing continuedsoftware testing continued...

– “The difficulty in software testing stems from the y gcomplexity of software: we can not completely test a program with moderate complexity.” [8]

– “Correctness testing and reliability testing are two major areas of testing.” [8]major areas of testing. [8]

– “Software testing is a trade-off between budget, time d lit ” [8]and quality.” [8]

– “The critical problem with testing is to exercise the p m gconditions under which the system will actually be used” [9]

© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010– “Software essentially requires infinite testing” [10]

Some quotations on software testing continuedsoftware testing continued...

– “Many failures result from unforeseen input / environment conditions (e.g. Patriot)” [9]

– “Incentives matter hugely: commercial developers often Incentives matter hugely: commercial developers often look for friendly certifiers while military arrange hostile review (ditto manned spaceflight, nuclear)” [9]( p f g , ) [ ]

– “Software failures are rarely preceded by warnings while hardware failures are usually preceded by while hardware failures are usually preceded by warnings” [10]

– “We no longer have the luxury of carefully testing systems and designs to understand ll h l h d k f l


all the potential behaviors and risks before commercial or scientific use.” [11]

Fault Codes and Event Data Recorders (EDRs)Event Data Recorders (EDRs)

Automakers/NHTSA claim these prove that vehicle pelectronics are working correctly throughout a SUA

BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:– automobile fault codes and EDRs rely on the outputs ofautomobile fault codes and EDRs rely on the outputs of

the vehicle’s electronics...

th l d h t th l t i thi k th– so they can only record what the electronics thinks the driver is doing with his gas and brake pedals...

And a “no fault” record could be caused by the fault not being detected in the first place


fault not being detected in the first place...due to inadequate software system specification

Fault Codes and EDRs continued...To detect electronic misbehaviour, an EDR needs independent sensors on the gas and brake pedals,independent sensors on the gas and brake pedals, and on the throttle valve...– to record their positions completely independently

of any other electronic system...

– as is done with aircraft “black boxes”

EDRs should also comply with a public standard and be independently calibrated and sealed...– their data read by a standard device that anyone can buy

d f th EDR f t h h d th t th© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

a read of the EDR from a recent crash showed that the vehicle slowed down by 177mph, from a speed of 75mph

Safety Standards and I d d t A tIndependent Assessments

Aviation and rail vehicles must complyAviation and rail vehicles must comply with tough, peer-reviewed, public functional safety standards, derived from IEC 61508, e.g. [12]...standards, derived from IEC 61508, e.g. [12]...– and no vehicle is supplied to an end-user until “signed

ff” b ISA (I d d t S f t A ) [13]off” by an ISA (Independent Safety Assessor) [13]

Although cars expose many more people to risksAlthough cars expose many more people to risks of injury and death each year...– automakers do not meet public functional safety

standards, or have vehicles independently assessed...


– automotive functional safety is totally unregulated [24]

Why can no-one prove SUA by testing?by testing?

Example: NHTSA has had up to 3 000 SUAExample: NHTSA has had up to 3,000 SUA complaints in one year (1989-90)....– assuming 30 million vehicles on the road, that’s a rate of

1 in 10,000 per vehicle per year...y

– assuming an average drive of 1 hr/day, 6 days/week, gives us one SUA per 3 120 000 hours of drivinggives us one SUA per 3,120,000 hours of driving

To detect one SUA in just one model would requireTo detect one SUA in just one model would require testing 36 vehicles, 24/7, for 10 years !!!!

d i i i l hi l b t 200 illi il© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

– or driving a single vehicle about 200 million miles

Why can no one prove SUA by testing continuedby testing continued...

Basic reliability theory shows that to have a >50% chance of detecting one SUA in 3 million hours of driving requires testing for at least 3 million hours...– but this is for each type of test!

so if there are 10 tests to do each test will needso if there are 10 tests to do, each test will need the equivalent of 36 vehicles full-time for 10 years

This exact problem was faced by the software industry in the 1990s, who discovered they could y , ynever do enough testing for safety...

and e ent all sol ed b the design and erification© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

– and eventually solved by the design and verification procedures described in IEC 61508-3 [2]

Quotation on reliability testing of complex electronic systemsof complex electronic systems

“It is generally impractical to rely on test based – It is generally impractical to rely on test-based evidence in advance of putting a system into widespread service that the overall failure probability widespread service that the overall failure probability will be less than 10-5 per hour with 99% confidence, equivalent to a mean time between failures of equivalent to a mean time between failures of approximately one year.” [5]

10-5 per hour = 1 failure in 100 000 per hour equivalent to10 per hour = 1 failure in 100,000 per hour, equivalent to 1 failure in 320 per year (if you drive 1 hr/day, 6 days/week)obviously we require much greater protection from SUAobviously we require much greater protection from SUA than 1 in 320 per year, yet the above quote shows that testing to prove even that high level of safety risk


g p g yis “generally impractical”

Electromagnetic Interference (EMI)Electromagnetic Interference (EMI)The physical laws that govern all p y gelectrical/electronic power, signals, radiowavepropagation, infra-red and light...are Maxwell’s Equations Maxwell’s Equations

th l th t EMI !– the same laws that govern EMI !

So all applications of electricity and electronicSo all applications of electricity and electronic power and signals, create and suffer from EMI...– EMI is inherent, inevitable, unavoidable in all electronics

including software, which runs on hardware...


g ,

– no exceptions are possible, ever (in this universe)

O f GM’ EMC t tO f GM’ EMC t tOne of GM’s EMC test chambers, in 2008


Example of a stripline test at M d B T h lMercedes-Benz Technology


EMI continued...

Automakers claim they do comprehensive EMI testing...g– typical quote: “We bombard them with EMI at levels well ab ve any that can ccur in the envir nment”well above any that can occur in the environment”

BUT IN FACT:BUT IN FACT:BUT IN FACT:BUT IN FACT:– EMI testing at increased levels does not provide a

“safety margin” [14]...

– their tests don’t cover foreseeable real-life EMI [15] [16]their tests don t cover foreseeable real life EMI [15] [16](e.g. different modulations, simultaneous phenomena, etc.)...

d d ’t bi EMI ith f bl h i l© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

– and don’t combine EMI with foreseeable physical or climatic conditions that can affect EMC [15] [16]

EMI continued...

– they don’t test with foreseeable faults simulated (e.g. a failed EMI filter or transient protector) to verify the backfailed EMI filter or transient protector) to verify the back-up or fail-safe measures [15] [16]...

– they do not simulate real-world conditions [15] [16]..e.g. anechoic test chambers only test with radio waves g ycoming from a few fixed directions...but in real life they will come from any/all directions,but in real life they will come from any/all directions, some of which will most probably have a worse effect...

and no practical amount of testing can ever be sufficient– and no practical amount of testing can ever be sufficient anyway – given the huge number of possible test combinations required


combinations required.... see earlier discussions on reliability testing

SILs and EMC Testing

If we assume that an affordable EMC immunity test yplan covers up to 90% of real-life exposure to EMI over the anticipated lifetime...over the anticipated lifetime...

it surely can’t be more than this!

– then the EMC testing barely reaches the minimum level to achieve SIL1 (90 to 99%)...

– so we need to do 10 times more testing to reduce the risks from EMI for SIL1....risks from EMI for SIL1....

– and 10,000 times more testing work for SIL4...


– clearly unaffordable, impractical

EMI Shielding

Some automakers have claimed that their electronics are “totally shielded against EMI”

BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:– this is impossible anywaythis is impossible, anyway...

– they use unshielded wires to carry electronic signals...

– some manufacturers use unshielded plastic connectors for their ECC connections...o t e CC co ect o s

– most (all?) gas pedal and throttle valve position sensors se nshielded plastic ho sings


use unshielded plastic housings

Some quotations on EMI and EMI testingSome quotations on EMI, and EMI testing– “Electromagnetic interference leaves no trace, git goes away just as it came.” [17]

– “An automaker who declares bluntly that uncontrolled – An automaker who declares bluntly that uncontrolled acceleration cannot be caused by electromagnetic interference because they have fully tested their interference because they have fully tested their vehicle is a liar, or naive.” [17]

“ th i b t ti t d li t ll th – “…there is no way by testing to duplicate all the possible combinations of frequencies, amplitudes, modulation waveforms spatial distributions and modulation waveforms, spatial distributions, and relative timing of the many simultaneous interfering signals that an operating system may encounter


signals that an operating system may encounter. As a result, it’s going to fail.” [18]

Some quotations on EMI and EMI testing continuedand EMI testing continued...

“Alth h l t i t t t f – “Although electronic components must pass a set of EMC tests to (help) ensure safe operations, the evolution of EMC over time is not characterized and evolution of EMC over time is not characterized and cannot be accurately forecast.” [19]

– “As indicated in [2] narrow-band threat fields with simple modulations are no longer necessarily

f h E h h h f l representative of the EMI which causes the failure in digital systems.” [20]

NOTE: “narrow-band threat fields with simple modulations” is how automotive radiated EMI tests are done


From Professor Todd Hubing’s presentation to the NAS committee on SUA , July 01, 2010 [21]to the NAS committee on SUA , July 01, 2010 [21]


Prof. Todd Hubing’s presentation to the NAS SUA committee [21] continued...NAS SUA committee [21] continued...


Prof. Todd Hubing’s presentation to the NAS SUA committee [21] continued...



“Open Throttle”

“Error Detected”


What should be done? (very briefly)What should be done? (very briefly)

This ‘reliability-proving’ problem faced the software y p g pindustry...

who solved it during the 1990s resulting in IEC 61508 3– who solved it during the 1990s, resulting in IEC 61508-3

We need to use the same basic methods....– the use of proven EMC design techniques...

– plus a range of verification/validation methods...

e g checklists reviews assessments audits validatede.g. checklists, reviews, assessments, audits, validated computer modeling, etc...

l EM i it t ti d i d b© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010

plus EM immunity testing designed case-by-case to improve confidence for certain issues

ConclusionEMC immunity testing can never be sufficient, on its own...

t d t t ffi i t fid i l lif– to demonstrate sufficient confidence in real-life reliability...

– for high-reliability and critical equipment...

– regardless of the test level that is applied during the test...

We need to use appropriate EMC design engineering and a variety of verification and


engineering, and a variety of verification and validation techniques (including testing) [22] [23]

Conclusion continued...

And the automotive industry should be brought i t th d ldinto the modern world...

– required to comply with peer-reviewed public functionalrequired to comply with peer-reviewed public functional safety standards that include a comprehensive assessment of risks due to EMI...assessment of risks due to EMI...

not just a bunch of standard tests...

– and subject each new vehicle to independent safety assessmentassessment...

by already-established safety assessment bodies,


with the safety assessor having to “sign-off” before a vehicle can be sold [24]

Automobile Sudden Acceleration:Automobile Sudden Acceleration:Controlling the FunctionalControlling the Functional

Safety Risks caused by EMI

the endthe endthe endthe endthe endthe endthe endthe end

Eur Ing Keith Armstrong CEng FIET SMIEEE ACGI


Eur Ing Keith Armstrong CEng FIET SMIEEE ACGIphone & fax: +44 (0)1785 660 247

[email protected] www.cherryclough.com

References[1] “Absence of evidence is not evidence of absence”, Dr. Antony

Anderson, 20th Conference of the Society of Expert Witnesses, Alexander House Wroughton UK May 16 2008 www sew org ukAlexander House, Wroughton, UK, May 16, 2008, www.sew.org.uk, www.antony-anderson.com

[2] IEC 61508: 2000 “Functional Safety of[2] IEC 61508: 2000 “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems”, IEC basic safety publication, from http://webstore.iec.ch (Th f t i di t h l i d d t t(The references to using diverse technology in redundant systems are in IEC 61508-7 clause B.1.4 “Diverse hardware” and clause C.3.5 “Software diversity (diverse programming)”)

[3] “Dependability for Embedded Systems”, Philip Koopman, Distributed Embedded Systems Course, Carnegie Mellon University, March 25, 2009. Prof Koopman is Assistant Professor Carnegie Mellon University, Department of Electrical and Computer Engineering (ECE), faculty member Institute for Complex Engineered Systems (ICES) and


y p g y ( )Institute for Software Research, International (ISRI), affiliated with the General Motors Collaborative Research Laboratory at Carnegie Mellon

References continued...[4] “This car runs on code”, Robert N. Charette, IEEE Spectrum, Feb.

2009, http://spectrum.ieee.org/green-tech/advanced-cars/this-car-runs-on-code

[5] “Computer Based Safety-Critical Systems”, [ ] p y yThe Institution of Engineering and Technology, London, U.K., Sept. 2008, www.theiet.org/factfiles/it/computer-based-scs.cfm?type=pdf

[6] “The Modest Software Engineer”, Martyn Thomas, Visiting Professor of Software Engineering, Oxford University Computing Laboratory, Keynote speech, ISADS, Pisa, April 2003, Proc ISADS 2003, pp 169-Keynote speech, ISADS, Pisa, April 2003, Proc ISADS 2003, pp 169174, IEEE Press. He attributes the quote to E. W. Dijkstra, “The Humble Programmer”, CACM 15, 10 October 1972 pp859-866.

[7] “The Quality Attitude”, Watts S. Humphrey (often called “The Father of Software Quality”), Senior Member of Technical Staff, Software Engineering Institute (SEI) Carnegie Mellon University in News at SEI


Engineering Institute (SEI), Carnegie Mellon University, in News at SEI, originally published March 1, 2004, www.sei.cmu.edu/library/abstracts/news-at-sei/wattsnew20043.cfm

References continued...

[8] “Software Testing”, Jiantao Pan, Carnegie Mellon University, 18-849b Dependable Embedded Systems, Spring 1999, p y , p g ,www.ece.cmu.edu/~koopman/des_s99/sw_testing

[9] Software Engineering, CST 1b, Ross Anderson, Professor of Security [ ] g g, , , yEngineering at the Computer Laboratory, Cambridge University, UK, www.cl.cam.ac.uk/teaching/0910/SWEng/cst-1b-sweng.ppt

[10] “Software Reliability”, NASA, Goddard Space Flight Center, http://sw-assurance.gsfc.nasa.gov/disciplines/reliability/index.php

[11] “A New Accident Model for Engineering Safer Systems”, Prof. Nancy Leveson, Professor of Aeronautics and Astronautics, also Professor of Engineering Systems Massachusetts Institute ofProfessor of Engineering Systems, Massachusetts Institute of Technology (MIT), in Safety Science, Vol. 42, No. 4, April 2004, pp. 237-270, http://sunnyday.mit.edu/accidents/safetyscience-single.pdf


[12] Rail safety standards EN50126, 50128 and 50129

References continued...[13] “Open IEC 61508 Certification of Products”, Rainer Faller and Dr.

William M. Goble, id / ti l /IE %2061508%20C ftifi ti dfwww.exida.com/articles/IEc%2061508%20Cerftification.pdf

[14] “Why Increasing Immunity Test Levels is Not Sufficient for High-R li bilit d C iti l E i t” K ith A t 2009 IEEEReliability and Critical Equipment”, Keith Armstrong, 2009 IEEE International EMC Symposium, Austin, TX, August 17-21, ISBN: 978-1-4244-4285-0

[15] “EMC for the Functional Safety of Automobiles — Why EMC Testing is Insufficient, and What is Necessary”, Keith Armstrong, 2008 IEEE y gInt’l EMC Symposium, Detroit, August 18-22, ISBN 978-1-4244-1699-8. Also: www.conformity.com/PDFs/0902/0902_F1.pdf

[16] “Why EMC Immunity Testing is Inadequate for Functional Safety”, Keith Armstrong, 2004 IEEE International EMC Symposium, Santa Clara, August 9-13, ISBN 0-7803-8443-1, pp 145-149.


Clara, August 9 13, ISBN 0 7803 8443 1, pp 145 149. Also: Conformity, March 2005: www.conformity.com/artman/publish/printer_227.shtml.


[17] Michel Mardiguian, of Paris, France, a renowned EMC expert who often works for the auto industry, reported in “Toyota's Crisis Puts y, p ySpotlight on Auto Electronics” by Tom Krisher, AP Detroit, 25 February 2010 http://abcnews.go.com/Technology/wirestory?id=9950797&page=4http://abcnews.go.com/Technology/wirestory?id 9950797&page 4

[18] “EMC Failures Happen”, Ron Brewer, NARTE Certified EMC Engineer IEEE EMC Society Distinguished Lecturer; in EvaluationEngineer, IEEE EMC Society Distinguished Lecturer; in Evaluation Engineering magazine, Dec. 2007, www.evaluationengineering.com/features/2007_december/1207_emc_test aspxest.aspx

[19] Alexandre Boyer et al, “Characterization of the Evolution of IC Emissions After Accelerated Aging” IEEE Transactions on EMC VolEmissions After Accelerated Aging , IEEE Transactions on EMC, Vol. 51, No. 4, November 2009, pages 892-900



[20] “Preliminary Investigation into a Methodology for Assessing the Direct RF Susceptibility of Digital Hardware, Final Report for p y g , pRadiocommunications Agency, Document No. R/99/042, Project No. 0921”, Dr I D Flintoff, May 1999, www.ofcom.org/uk/static/archive/ra/topics/research/topics/emc/r99042/r99042.pdf/ra/topics/research/topics/emc/r99042/r99042.pdf

[21] “Analyzing Unintended Acceleration and Electronic Controls”, Professor Todd Hubing presented to the NAS Committee onProfessor Todd Hubing, presented to the NAS Committee on Unintended Acceleration, July 1, 2010, http://onlinepubs.trb.org/onlinepubs/ua/100701hubing.pdf Prof Hubing is Michelin Professor of Vehicle Electronic SystemsProf. Hubing is Michelin Professor of Vehicle Electronic Systems Integration, Clemson University International Center for Automotive Research.



[22] IEC TS 61000-1-2, Ed2.0, 2008 “Electromagnetic Compatibility (EMC) – Part 1-2: General – Methodology for the achievement of the gyfunctional safety of electrical and electronic equipment with regard to electromagnetic phenomena”, an IEC basic safety publication, Santa Clara, California, August 9-13, ISBN 0-7803-8443-1, pp 145-149Santa Clara, California, August 9 13, ISBN 0 7803 8443 1, pp 145 149

[23] “Guide on EMC for Functional Safety”, Edition 1, The Institution of Engineering and Technology (The IET) London UK August 2008Engineering and Technology (The IET), London, UK, August 2008, www.theiet.org/factfiles/emc/index.cfm or: www.emcacademy.org/books.asp

[24] “The Poor Quality of Functional Safety Engineering in the Automobile Industry”, an Open Letter to the NAS team working on the project: Electronic Vehicle Controls and Unintended Accelerationproject: Electronic Vehicle Controls and Unintended Acceleration (TRB-SASP-10-03), by Dr Antony Anderson, Dr Brian Kirk and EurIng Keith Armstrong, August 30, 2010


A t bil S ddAutomobile Sudden Acceleration:...

Documents

Transcript of A t bil S ddAutomobile Sudden Acceleration:...