A t bil S ddAutomobile Sudden Acceleration:...
Transcript of A t bil S ddAutomobile Sudden Acceleration:...
A t bil S ddAutomobile Sudden Acceleration:Acceleration:
Controlling the FunctionalControlling the Functional Safety Risks caused by EMISafety Risks caused by EMI
Eur Ing Keith Armstrong CEng FIET SMIEEE ACGI
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
g g gphone & fax: +44 (0)1785 660 247
[email protected] www.cherryclough.com
Acknowledgements
Dr Brian Kirk and Dr Antony Anderson helped y pcreate the part of the following material...
that was presented at a Press Conference held in the– that was presented at a Press Conference held in the National Press Centre, Washington DC on March 23, 20102010...
and also used to brief NHTSA and various congressional committees on nearby datescommittees on nearby dates
NOTE: NOTE: I am not going to mention any specific N EN E g g y pautomakers in this presentation...
d l I t b d d i© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– and any examples I use must be regarded as generic, and not specific to any automaker
What do we mean by “Sudden UnintendedSudden Unintended Acceleration” (SUA) ?
When the motor car’s engine begins to roar at high revsrevs…– without the driver’s command
(e.g. without pressing that hard on the gas pedal)...
– taking the driver by surprise– taking the driver by surprise…
– and making it more difficult to control the vehicle
We have to be careful with definitions…
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– because some define this (or similar) terms differently
BackgroundBackgroundSUA has been a problem for all automakers since the early 1980s...
starting with the first vehicles with automatic gearboxes– starting with the first vehicles with automatic gearboxes that were also fitted with electronic cruise control...
lf ti i i t l t k th ttla malfunctioning cruise control can take over throttle control from the driver, possibly creating “WOT” (Wide Open Throttle)(Wide Open Throttle)
But automakers and the US Government's National Highway Transportation Agency (NHTSA) have always blamed SUA on driver "pedal error“...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010– or on “floormat entrapment”, or “sticky pedals”
Background continuedBackground continued...
As an electronic engineer with 40 years experienceAs an electronic engineer with 40 years experience, I am used to dealing with electronic malfunctions....– a major part of the development time of a new product
can be insuring that it doesn’t do what it shouldn’t!
Since SUA only afflicts vehicles with auto boxes and cruise control (or electronic throttle control)and cruise control (or electronic throttle control)....– and incidence has increased 400% on a given model
when its manual throttle was replaced by “e-throttle”...
– it seems very obvious to me that the cause of most SUAs
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– it seems very obvious to me that the cause of most SUAs is electronic malfunctions, and that EMI can be a factor
Throttle valve motorElectronic throttle Throttle valve motor and position sensors
Engine control
control “e-throttle”(graphics: courtesy of USA Today) Engine control
computer, “ECC”
Cables carry signals
(graphics: courtesy of USA Today)
Gas pedal sensorsCables carry signals
between modules
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Stephen Stock’s* graph of NHTSA’s SUA complaints versus automaker: March 17, 2010 p ,
* Stephen is an investigative reporter for CBS TV, Miami, Florida, [email protected]
The apparent “tailing off” of complaints poutside this range
is an artefact caused by how NHTSA collect
and record the dataand record the data
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Background continuedBackground continued...
I will compare the claims for “electronic safety”I will compare the claims for electronic safety made by NHTSA and automakers...
ith h t d i d f f t– with what we as designers and assessors of safety-related systems would consider necessary...
when electronic malfunctions could increase safety risks
I will include reasons why we can’t rely upon motorI will include reasons why we can’t rely upon motor vehicle event data recorders (so-called 'black boxes')...
– why EMC testing alone cannot prove safe design...
and include recent test data showing that EMI can cause© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– and include recent test data showing that EMI can cause a car engine to race, without triggering any fault codes
Balance of probabilitiesAutomakers/NHTSA say that nobody has been able to prove that an SUA was caused by electronicsto prove that an SUA was caused by electronics...– using the “absence of proof = proof of absence” g p p
argument that is in fact a logical fallacy [1]this argument is only used by people who are poorlythis argument is only used by people who are poorly educated – or are hoping that their audience is
BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:– automakers can’t prove SUAs are caused by ‘pedal error’automakers can t prove SUAs are caused by pedal error
either, because it leaves no trace...
d th l i t t f i id t h SUA© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– and they can only point to a few incidents where SUA was clearly caused by the floormat or a sticky pedal
Balance of probabilities continuedBalance of probabilities continued...
The likely cause(s) has (have) to be decided y ( ) ( )on the balance of probabilities...
which requires a comprehensive risk assessment– which requires a comprehensive risk assessment that takes everything into account...
i lit i EMI I’ll i l f th tmy speciality is EMI so I’ll mainly focus on that, but of course there are other possibilities, including: - incorrect assembly- incorrect assembly, - “bad batches” of components, - faults (including intermittents), - software glitches, - tin whiskers,
i i i di ti
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
- ionizing radiation, - and chance combinations of any/all of the above
Why electronics is the most ylikely cause of SUA
The experiences of the drivers and passengers who suffer an SUA...
those who live to tell, that is...
– and the witnesses to the accidents...
– is consistent with what the entire electronics industryis consistent with what the entire electronics industry worldwide has known for decades...
b t h l t i i b h d lf ti– about how electronics can misbehave and malfunction
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
What in the electronics could cause SUA?Misoperation or faults in electronics, specifically...– Sensors (gas pedal position, throttle valve position)...
Microprocessors and their memories (in the ECC)– Microprocessors and their memories (in the ECC)...
– Software (in the ECC)...( )
– Data communications (CANbus, LINbus, etc.)...e.g. even though e-throttle systems don’t use data buses for their throttle control signals, CANbus connects to the ECC and errors in it can cause software protocol failuresECC and errors in it can cause software protocol failures that can ‘ripple through’, affecting everything in the ECC...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– Actuators and their drivers (the throttle valve motor and its drive circuits)
What can cause electronics to ff lf i ?suffer errors or malfunctions?
Unwanted electrical noise– known as EMI (ElectroMagnetic Interference)– known as EMI (ElectroMagnetic Interference)
Mistakes (“bugs”) in the software programMistakes ( bugs ) in the software program
Intermittent electrical connections
Incorrect interaction between system components
Incorrect assembly, bad components, faults, ionizing radiation etc
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
ionizing radiation, etc.
Redundant Systemsy
Automakers claim that with their “redundant systems”, no dangerous malfunctions can occur...
BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:– most (all?) of these systems are only partiallymost (all?) of these systems are only partially
redundant, because they use identical technologies...
th h l t t i t d h d f lt– so they help protect against random hardware faults...
– but not against systematic errors or malfunctions in but ot aga st syste at c e o s o a u ct o shardware or software (see IEC 61508 [2])...
sometimes called “common-cause”
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
sometimes called common cause or “common-mode” failures
Example of an e throttle gas pedalExample of an e-throttle gas pedal
Plug for the single unshielded wire
bundle that carries Plain plastic bodybundle that carries both sensor
signals to the ECC
Plain plastic body (unshielded against EMI)
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010The dual sensor assembly is inside here
The sensor PCB in the gas pedalTwo identical
Hall-effectThe single unshielded wire bundle Hall-effect sensors
in one packagethat carries both sensor signals
to the ECC plugs in here
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Each Hall sensor is a complex electronic d i ith di it l t l f ll tdevice, with digital control of all parameters
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
This example is the MLX90277 Dual Programmable Linear Hall Effect Sensor
But we have known since the early 1990s that “diverse technology”1990s that “diverse technology”
is required in redundant systems...– for them to be effective in reducing safety risks...
for the hardware (e.g. sensors, microprocessors), and for the software...
– otherwise errors, misoperations or malfunctions caused for example by EMI can have the same effect on each system [2]...
– in which case the functional safety risks are identical to– in which case the functional safety risks are identical to having just one system...
the redundancy has not controlled the functional safety
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
the redundancy has not controlled the functional safety risks caused, for example, by EMI
Software “Bugs”g
Some automakers have recently claimed that their ysoftware is “bug-free”
BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:
Carnegie Mellon University says the highest qualityCarnegie Mellon University says the highest-quality code (e.g. Space Shuttle) has about 1 latent bug per ten thousand lines of code [3]per ten thousand lines of code [3]...– a typical modern car has 20+ million lines, of lower y
quality code than the Space Shuttle, so we should expect at least two thousand latent bugs in every car !!!
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
many auto recalls are now for software reprogramming
Software “bugs” continued...
A software program is a series of written p ginstructions (lines of “code”) for a digital computer (e.g. a microprocessor) to follow...– the lines of code tell the computer how to read
the input signals from sensors (e g pedal positionthe input signals from sensors (e.g. pedal position sensor, throttle valve position sensor)...
– and how to respond by sending control signals to actuators (e.g. the throttle valve motor)...
– the software program must be designed to ensure the safe behaviour of the complete vehicle as a system
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
p y
Software “bugs” continued...
A modern vehicle can have more than 100 million lines of code [4]...
running on 70+ microprocessors around the vehicle– running on 70+ microprocessors around the vehicle, e.g. for the A/C, windows, seats, ABS, engine, etc.
The F-35 Joint Strike Fighter has 15.7 million lines...ll d i d i t i t f t d– all designed using a stringent safety process governed
by public standards...
– and rigorously and independently verified to deal with normal and abnormal operational situations
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Software “bugs” continued...
Specifying/writing software are very complex tasks p y g g y p(especially to ensure safety)...
But every software program contains bugs when it is first written...– so has to go through multiple stages of correction...
– but we can never be sure that all bugs have been found...
– and functional testing can never be sufficient to proveand functional testing can never be sufficient to prove software is safe enough (e.g. 1 in a million chance of death per year) – see later
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
(e g a o c a ce o deat pe yea ) see ate
Some quotations on software testingon software testing
“Computer systems lack continuous behaviour – Computer systems lack continuous behaviour so that, in general, a successful set of tests provides little or no information about how the system would little or no information about how the system would behave in circumstances that differ, even slightly, f th t t diti ” [5]from the test conditions.” [5]
– “Systems that contain software will usually be far too Systems that contain software will usually be far too complex for it to be practical to test them exhaustively ” [5]exhaustively. [5]
– “Testing shows the presence, not the absence of bugs”
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
g p g[6]
Some quotations on ft t tisoftware testing continued...
– “Our programs are often used in unanticipated ways and it is impossible to test even fairly small programs and it is impossible to test even fairly small programs in every way that they could possibly be used.” [7]
“Wi h i l f – “With current practices, large software systems are riddled with defects, and many of these defects c nn t b f und n b th m st xt nsi t stin ”cannot be found even by the most extensive testing.” [7]
– “Unfortunately, it is true that there is no way to prove that a software system is defect free.” [7]
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Some quotations on software testing continuedsoftware testing continued...
– “The difficulty in software testing stems from the y gcomplexity of software: we can not completely test a program with moderate complexity.” [8]
– “Correctness testing and reliability testing are two major areas of testing.” [8]major areas of testing. [8]
– “Software testing is a trade-off between budget, time d lit ” [8]and quality.” [8]
– “The critical problem with testing is to exercise the p m gconditions under which the system will actually be used” [9]
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010– “Software essentially requires infinite testing” [10]
Some quotations on software testing continuedsoftware testing continued...
– “Many failures result from unforeseen input / environment conditions (e.g. Patriot)” [9]
– “Incentives matter hugely: commercial developers often Incentives matter hugely: commercial developers often look for friendly certifiers while military arrange hostile review (ditto manned spaceflight, nuclear)” [9]( p f g , ) [ ]
– “Software failures are rarely preceded by warnings while hardware failures are usually preceded by while hardware failures are usually preceded by warnings” [10]
– “We no longer have the luxury of carefully testing systems and designs to understand ll h l h d k f l
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
all the potential behaviors and risks before commercial or scientific use.” [11]
Fault Codes and Event Data Recorders (EDRs)Event Data Recorders (EDRs)
Automakers/NHTSA claim these prove that vehicle pelectronics are working correctly throughout a SUA
BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:– automobile fault codes and EDRs rely on the outputs ofautomobile fault codes and EDRs rely on the outputs of
the vehicle’s electronics...
th l d h t th l t i thi k th– so they can only record what the electronics thinks the driver is doing with his gas and brake pedals...
And a “no fault” record could be caused by the fault not being detected in the first place
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
fault not being detected in the first place...due to inadequate software system specification
Fault Codes and EDRs continued...To detect electronic misbehaviour, an EDR needs independent sensors on the gas and brake pedals,independent sensors on the gas and brake pedals, and on the throttle valve...– to record their positions completely independently
of any other electronic system...
– as is done with aircraft “black boxes”
EDRs should also comply with a public standard and be independently calibrated and sealed...– their data read by a standard device that anyone can buy
d f th EDR f t h h d th t th© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
a read of the EDR from a recent crash showed that the vehicle slowed down by 177mph, from a speed of 75mph
Safety Standards and I d d t A tIndependent Assessments
Aviation and rail vehicles must complyAviation and rail vehicles must comply with tough, peer-reviewed, public functional safety standards, derived from IEC 61508, e.g. [12]...standards, derived from IEC 61508, e.g. [12]...– and no vehicle is supplied to an end-user until “signed
ff” b ISA (I d d t S f t A ) [13]off” by an ISA (Independent Safety Assessor) [13]
Although cars expose many more people to risksAlthough cars expose many more people to risks of injury and death each year...– automakers do not meet public functional safety
standards, or have vehicles independently assessed...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– automotive functional safety is totally unregulated [24]
Why can no-one prove SUA by testing?by testing?
Example: NHTSA has had up to 3 000 SUAExample: NHTSA has had up to 3,000 SUA complaints in one year (1989-90)....– assuming 30 million vehicles on the road, that’s a rate of
1 in 10,000 per vehicle per year...y
– assuming an average drive of 1 hr/day, 6 days/week, gives us one SUA per 3 120 000 hours of drivinggives us one SUA per 3,120,000 hours of driving
To detect one SUA in just one model would requireTo detect one SUA in just one model would require testing 36 vehicles, 24/7, for 10 years !!!!
d i i i l hi l b t 200 illi il© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– or driving a single vehicle about 200 million miles
Why can no one prove SUA by testing continuedby testing continued...
Basic reliability theory shows that to have a >50% chance of detecting one SUA in 3 million hours of driving requires testing for at least 3 million hours...– but this is for each type of test!
so if there are 10 tests to do each test will needso if there are 10 tests to do, each test will need the equivalent of 36 vehicles full-time for 10 years
This exact problem was faced by the software industry in the 1990s, who discovered they could y , ynever do enough testing for safety...
and e ent all sol ed b the design and erification© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– and eventually solved by the design and verification procedures described in IEC 61508-3 [2]
Quotation on reliability testing of complex electronic systemsof complex electronic systems
“It is generally impractical to rely on test based – It is generally impractical to rely on test-based evidence in advance of putting a system into widespread service that the overall failure probability widespread service that the overall failure probability will be less than 10-5 per hour with 99% confidence, equivalent to a mean time between failures of equivalent to a mean time between failures of approximately one year.” [5]
10-5 per hour = 1 failure in 100 000 per hour equivalent to10 per hour = 1 failure in 100,000 per hour, equivalent to 1 failure in 320 per year (if you drive 1 hr/day, 6 days/week)obviously we require much greater protection from SUAobviously we require much greater protection from SUA than 1 in 320 per year, yet the above quote shows that testing to prove even that high level of safety risk
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
g p g yis “generally impractical”
Electromagnetic Interference (EMI)Electromagnetic Interference (EMI)The physical laws that govern all p y gelectrical/electronic power, signals, radiowavepropagation, infra-red and light...are Maxwell’s Equations Maxwell’s Equations
th l th t EMI !– the same laws that govern EMI !
So all applications of electricity and electronicSo all applications of electricity and electronic power and signals, create and suffer from EMI...– EMI is inherent, inevitable, unavoidable in all electronics
including software, which runs on hardware...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
g ,
– no exceptions are possible, ever (in this universe)
O f GM’ EMC t tO f GM’ EMC t tOne of GM’s EMC test chambers, in 2008
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Example of a stripline test at M d B T h lMercedes-Benz Technology
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
EMI continued...
Automakers claim they do comprehensive EMI testing...g– typical quote: “We bombard them with EMI at levels well ab ve any that can ccur in the envir nment”well above any that can occur in the environment”
BUT IN FACT:BUT IN FACT:BUT IN FACT:BUT IN FACT:– EMI testing at increased levels does not provide a
“safety margin” [14]...
– their tests don’t cover foreseeable real-life EMI [15] [16]their tests don t cover foreseeable real life EMI [15] [16](e.g. different modulations, simultaneous phenomena, etc.)...
d d ’t bi EMI ith f bl h i l© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– and don’t combine EMI with foreseeable physical or climatic conditions that can affect EMC [15] [16]
EMI continued...
– they don’t test with foreseeable faults simulated (e.g. a failed EMI filter or transient protector) to verify the backfailed EMI filter or transient protector) to verify the back-up or fail-safe measures [15] [16]...
– they do not simulate real-world conditions [15] [16]..e.g. anechoic test chambers only test with radio waves g ycoming from a few fixed directions...but in real life they will come from any/all directions,but in real life they will come from any/all directions, some of which will most probably have a worse effect...
and no practical amount of testing can ever be sufficient– and no practical amount of testing can ever be sufficient anyway – given the huge number of possible test combinations required
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
combinations required.... see earlier discussions on reliability testing
SILs and EMC Testing
If we assume that an affordable EMC immunity test yplan covers up to 90% of real-life exposure to EMI over the anticipated lifetime...over the anticipated lifetime...
it surely can’t be more than this!
– then the EMC testing barely reaches the minimum level to achieve SIL1 (90 to 99%)...
– so we need to do 10 times more testing to reduce the risks from EMI for SIL1....risks from EMI for SIL1....
– and 10,000 times more testing work for SIL4...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
– clearly unaffordable, impractical
EMI Shielding
Some automakers have claimed that their electronics are “totally shielded against EMI”
BUT IN FACTBUT IN FACTBUT IN FACT:BUT IN FACT:– this is impossible anywaythis is impossible, anyway...
– they use unshielded wires to carry electronic signals...
– some manufacturers use unshielded plastic connectors for their ECC connections...o t e CC co ect o s
– most (all?) gas pedal and throttle valve position sensors se nshielded plastic ho sings
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
use unshielded plastic housings
Some quotations on EMI and EMI testingSome quotations on EMI, and EMI testing– “Electromagnetic interference leaves no trace, git goes away just as it came.” [17]
– “An automaker who declares bluntly that uncontrolled – An automaker who declares bluntly that uncontrolled acceleration cannot be caused by electromagnetic interference because they have fully tested their interference because they have fully tested their vehicle is a liar, or naive.” [17]
“ th i b t ti t d li t ll th – “…there is no way by testing to duplicate all the possible combinations of frequencies, amplitudes, modulation waveforms spatial distributions and modulation waveforms, spatial distributions, and relative timing of the many simultaneous interfering signals that an operating system may encounter
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
signals that an operating system may encounter. As a result, it’s going to fail.” [18]
Some quotations on EMI and EMI testing continuedand EMI testing continued...
“Alth h l t i t t t f – “Although electronic components must pass a set of EMC tests to (help) ensure safe operations, the evolution of EMC over time is not characterized and evolution of EMC over time is not characterized and cannot be accurately forecast.” [19]
– “As indicated in [2] narrow-band threat fields with simple modulations are no longer necessarily
f h E h h h f l representative of the EMI which causes the failure in digital systems.” [20]
NOTE: “narrow-band threat fields with simple modulations” is how automotive radiated EMI tests are done
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
From Professor Todd Hubing’s presentation to the NAS committee on SUA , July 01, 2010 [21]to the NAS committee on SUA , July 01, 2010 [21]
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Prof. Todd Hubing’s presentation to the NAS SUA committee [21] continued...NAS SUA committee [21] continued...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Prof. Todd Hubing’s presentation to the NAS SUA committee [21] continued...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Prof. Todd Hubing’s presentation to the NAS SUA committee [21] continued...
“Open Throttle”
“Error Detected”
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Prof. Todd Hubing’s presentation to the NAS SUA committee [21] continued...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Prof. Todd Hubing’s presentation to the NAS SUA committee [21] continued...
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
What should be done? (very briefly)What should be done? (very briefly)
This ‘reliability-proving’ problem faced the software y p g pindustry...
who solved it during the 1990s resulting in IEC 61508 3– who solved it during the 1990s, resulting in IEC 61508-3
We need to use the same basic methods....– the use of proven EMC design techniques...
– plus a range of verification/validation methods...
e g checklists reviews assessments audits validatede.g. checklists, reviews, assessments, audits, validated computer modeling, etc...
l EM i it t ti d i d b© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
plus EM immunity testing designed case-by-case to improve confidence for certain issues
ConclusionEMC immunity testing can never be sufficient, on its own...
t d t t ffi i t fid i l lif– to demonstrate sufficient confidence in real-life reliability...
– for high-reliability and critical equipment...
– regardless of the test level that is applied during the test...
We need to use appropriate EMC design engineering and a variety of verification and
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
engineering, and a variety of verification and validation techniques (including testing) [22] [23]
Conclusion continued...
And the automotive industry should be brought i t th d ldinto the modern world...
– required to comply with peer-reviewed public functionalrequired to comply with peer-reviewed public functional safety standards that include a comprehensive assessment of risks due to EMI...assessment of risks due to EMI...
not just a bunch of standard tests...
– and subject each new vehicle to independent safety assessmentassessment...
by already-established safety assessment bodies,
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
with the safety assessor having to “sign-off” before a vehicle can be sold [24]
Automobile Sudden Acceleration:Automobile Sudden Acceleration:Controlling the FunctionalControlling the Functional
Safety Risks caused by EMI
the endthe endthe endthe endthe endthe endthe endthe end
Eur Ing Keith Armstrong CEng FIET SMIEEE ACGI
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Eur Ing Keith Armstrong CEng FIET SMIEEE ACGIphone & fax: +44 (0)1785 660 247
[email protected] www.cherryclough.com
References[1] “Absence of evidence is not evidence of absence”, Dr. Antony
Anderson, 20th Conference of the Society of Expert Witnesses, Alexander House Wroughton UK May 16 2008 www sew org ukAlexander House, Wroughton, UK, May 16, 2008, www.sew.org.uk, www.antony-anderson.com
[2] IEC 61508: 2000 “Functional Safety of[2] IEC 61508: 2000 “Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems”, IEC basic safety publication, from http://webstore.iec.ch (Th f t i di t h l i d d t t(The references to using diverse technology in redundant systems are in IEC 61508-7 clause B.1.4 “Diverse hardware” and clause C.3.5 “Software diversity (diverse programming)”)
[3] “Dependability for Embedded Systems”, Philip Koopman, Distributed Embedded Systems Course, Carnegie Mellon University, March 25, 2009. Prof Koopman is Assistant Professor Carnegie Mellon University, Department of Electrical and Computer Engineering (ECE), faculty member Institute for Complex Engineered Systems (ICES) and
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
y p g y ( )Institute for Software Research, International (ISRI), affiliated with the General Motors Collaborative Research Laboratory at Carnegie Mellon
References continued...[4] “This car runs on code”, Robert N. Charette, IEEE Spectrum, Feb.
2009, http://spectrum.ieee.org/green-tech/advanced-cars/this-car-runs-on-code
[5] “Computer Based Safety-Critical Systems”, [ ] p y yThe Institution of Engineering and Technology, London, U.K., Sept. 2008, www.theiet.org/factfiles/it/computer-based-scs.cfm?type=pdf
[6] “The Modest Software Engineer”, Martyn Thomas, Visiting Professor of Software Engineering, Oxford University Computing Laboratory, Keynote speech, ISADS, Pisa, April 2003, Proc ISADS 2003, pp 169-Keynote speech, ISADS, Pisa, April 2003, Proc ISADS 2003, pp 169174, IEEE Press. He attributes the quote to E. W. Dijkstra, “The Humble Programmer”, CACM 15, 10 October 1972 pp859-866.
[7] “The Quality Attitude”, Watts S. Humphrey (often called “The Father of Software Quality”), Senior Member of Technical Staff, Software Engineering Institute (SEI) Carnegie Mellon University in News at SEI
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Engineering Institute (SEI), Carnegie Mellon University, in News at SEI, originally published March 1, 2004, www.sei.cmu.edu/library/abstracts/news-at-sei/wattsnew20043.cfm
References continued...
[8] “Software Testing”, Jiantao Pan, Carnegie Mellon University, 18-849b Dependable Embedded Systems, Spring 1999, p y , p g ,www.ece.cmu.edu/~koopman/des_s99/sw_testing
[9] Software Engineering, CST 1b, Ross Anderson, Professor of Security [ ] g g, , , yEngineering at the Computer Laboratory, Cambridge University, UK, www.cl.cam.ac.uk/teaching/0910/SWEng/cst-1b-sweng.ppt
[10] “Software Reliability”, NASA, Goddard Space Flight Center, http://sw-assurance.gsfc.nasa.gov/disciplines/reliability/index.php
[11] “A New Accident Model for Engineering Safer Systems”, Prof. Nancy Leveson, Professor of Aeronautics and Astronautics, also Professor of Engineering Systems Massachusetts Institute ofProfessor of Engineering Systems, Massachusetts Institute of Technology (MIT), in Safety Science, Vol. 42, No. 4, April 2004, pp. 237-270, http://sunnyday.mit.edu/accidents/safetyscience-single.pdf
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
[12] Rail safety standards EN50126, 50128 and 50129
References continued...[13] “Open IEC 61508 Certification of Products”, Rainer Faller and Dr.
William M. Goble, id / ti l /IE %2061508%20C ftifi ti dfwww.exida.com/articles/IEc%2061508%20Cerftification.pdf
[14] “Why Increasing Immunity Test Levels is Not Sufficient for High-R li bilit d C iti l E i t” K ith A t 2009 IEEEReliability and Critical Equipment”, Keith Armstrong, 2009 IEEE International EMC Symposium, Austin, TX, August 17-21, ISBN: 978-1-4244-4285-0
[15] “EMC for the Functional Safety of Automobiles — Why EMC Testing is Insufficient, and What is Necessary”, Keith Armstrong, 2008 IEEE y gInt’l EMC Symposium, Detroit, August 18-22, ISBN 978-1-4244-1699-8. Also: www.conformity.com/PDFs/0902/0902_F1.pdf
[16] “Why EMC Immunity Testing is Inadequate for Functional Safety”, Keith Armstrong, 2004 IEEE International EMC Symposium, Santa Clara, August 9-13, ISBN 0-7803-8443-1, pp 145-149.
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
Clara, August 9 13, ISBN 0 7803 8443 1, pp 145 149. Also: Conformity, March 2005: www.conformity.com/artman/publish/printer_227.shtml.
References continued...
[17] Michel Mardiguian, of Paris, France, a renowned EMC expert who often works for the auto industry, reported in “Toyota's Crisis Puts y, p ySpotlight on Auto Electronics” by Tom Krisher, AP Detroit, 25 February 2010 http://abcnews.go.com/Technology/wirestory?id=9950797&page=4http://abcnews.go.com/Technology/wirestory?id 9950797&page 4
[18] “EMC Failures Happen”, Ron Brewer, NARTE Certified EMC Engineer IEEE EMC Society Distinguished Lecturer; in EvaluationEngineer, IEEE EMC Society Distinguished Lecturer; in Evaluation Engineering magazine, Dec. 2007, www.evaluationengineering.com/features/2007_december/1207_emc_test aspxest.aspx
[19] Alexandre Boyer et al, “Characterization of the Evolution of IC Emissions After Accelerated Aging” IEEE Transactions on EMC VolEmissions After Accelerated Aging , IEEE Transactions on EMC, Vol. 51, No. 4, November 2009, pages 892-900
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
References continued...
[20] “Preliminary Investigation into a Methodology for Assessing the Direct RF Susceptibility of Digital Hardware, Final Report for p y g , pRadiocommunications Agency, Document No. R/99/042, Project No. 0921”, Dr I D Flintoff, May 1999, www.ofcom.org/uk/static/archive/ra/topics/research/topics/emc/r99042/r99042.pdf/ra/topics/research/topics/emc/r99042/r99042.pdf
[21] “Analyzing Unintended Acceleration and Electronic Controls”, Professor Todd Hubing presented to the NAS Committee onProfessor Todd Hubing, presented to the NAS Committee on Unintended Acceleration, July 1, 2010, http://onlinepubs.trb.org/onlinepubs/ua/100701hubing.pdf Prof Hubing is Michelin Professor of Vehicle Electronic SystemsProf. Hubing is Michelin Professor of Vehicle Electronic Systems Integration, Clemson University International Center for Automotive Research.
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010
References continued...
[22] IEC TS 61000-1-2, Ed2.0, 2008 “Electromagnetic Compatibility (EMC) – Part 1-2: General – Methodology for the achievement of the gyfunctional safety of electrical and electronic equipment with regard to electromagnetic phenomena”, an IEC basic safety publication, Santa Clara, California, August 9-13, ISBN 0-7803-8443-1, pp 145-149Santa Clara, California, August 9 13, ISBN 0 7803 8443 1, pp 145 149
[23] “Guide on EMC for Functional Safety”, Edition 1, The Institution of Engineering and Technology (The IET) London UK August 2008Engineering and Technology (The IET), London, UK, August 2008, www.theiet.org/factfiles/emc/index.cfm or: www.emcacademy.org/books.asp
[24] “The Poor Quality of Functional Safety Engineering in the Automobile Industry”, an Open Letter to the NAS team working on the project: Electronic Vehicle Controls and Unintended Accelerationproject: Electronic Vehicle Controls and Unintended Acceleration (TRB-SASP-10-03), by Dr Antony Anderson, Dr Brian Kirk and EurIng Keith Armstrong, August 30, 2010
© 2010 M K ArmstrongBoston, MA Oct. 18-20, 2010