Controlling Automobile Safety
Risks caused by EMI: a case study to introduce
“EMC for Functional Safety”
Harshit Srivastava
Rahul Sinha
EMC For Functional Safety Is Rapidly Becoming Very Important Indeed, As Electronic Control Spreads Throughout All Applications
• So it is the focus of several new and modified IEC safety standards:
• IEC TS 61000-1-2 (basic standard, EMC for functional safety)
• Draft IEC 61000-6-7 (generic standard, EMC for functional safety)
• IEC 60601-1-2 draft ed. 4 (medical EMC)
Why can no-one prove SUA by testing?
• Example: NHTSA has had up to 3,000 SUA complaints in one year
• Assuming 30 million vehicles on the road, that’s a rate of 1 in 10,000 per vehicle per year...
• Assuming an average drive of 1 hr/day, 6 days/week, gives us one SUA per 3,120,000 hours of driving
• To detect one SUA in just one model would require testing 36 vehicles, 24/7, for 10 years!!!! or driving a single vehicle about 200 million miles
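The arithmetic behind the slide, carried through as an added example (not from the original deck): each step of the 3,000-complaints calculation is a small function, with the slide's figures as inputs. The 200-million-mile figure is reproduced by assuming an average speed of about 64 mph, which is this example's own inference, not a number from the slide. The last function adds the caveat a test planner needs: accumulating "one expected event" of exposure only gives about a 63% chance of actually seeing one.

```c
#include <stdio.h>

/* Inputs are parameters so other fleets and rates can be tried; the values in
 * main() are the slide's figures. A year is taken as 52 weeks. */

/* Per-vehicle annual rate of SUA complaints */
double sua_rate_per_vehicle_year(double complaints_per_year, double vehicles_on_road)
{
    return complaints_per_year / vehicles_on_road;          /* 3000 / 30e6 = 1e-4 */
}

/* Driving hours per vehicle per year at the assumed usage */
double driving_hours_per_vehicle_year(double hours_per_day, double days_per_week)
{
    return hours_per_day * days_per_week * 52.0;            /* 1 * 6 * 52 = 312 h */
}

/* Mean driving hours between SUA events */
double hours_per_sua(double rate_per_vehicle_year, double driving_hours_year)
{
    return driving_hours_year / rate_per_vehicle_year;      /* 312 / 1e-4 = 3,120,000 h */
}

/* Vehicles needed, running 24/7 for `years`, to accumulate ONE expected event (rounded up) */
long vehicles_for_one_expected_event(double hours_per_event, double years)
{
    double needed = hours_per_event / (24.0 * 365.0 * years); /* 3.12e6 / 87,600 = 35.6 */
    long n = (long)needed;
    return (needed > (double)n) ? n + 1 : n;                   /* -> 36 vehicles */
}

/* Miles a single vehicle must cover at `avg_mph` to accumulate one expected event */
double miles_for_one_expected_event(double hours_per_event, double avg_mph)
{
    return hours_per_event * avg_mph;   /* assumed 64 mph average -> ~200 million miles */
}

/* Caveat: one expected event is not a detection guarantee. Treating events as
 * Poisson, the chance of observing at least one when `expected` are expected is
 * 1 - exp(-expected); the series below computes exp(-x) without linking libm. */
double probability_of_at_least_one(double expected)
{
    double term = 1.0, sum = 0.0;
    for (int k = 1; k <= 40; k++) {
        sum += term;                   /* sum of (-x)^j / j! for j = 0..39 */
        term *= -expected / k;
    }
    return 1.0 - sum;                  /* expected = 1 -> about 0.632 */
}

int main(void)
{
    double rate  = sua_rate_per_vehicle_year(3000.0, 30e6);
    double hours = driving_hours_per_vehicle_year(1.0, 6.0);
    double mtbe  = hours_per_sua(rate, hours);
    printf("rate per vehicle-year: %g\n", rate);
    printf("driving hours per SUA: %.0f\n", mtbe);
    printf("vehicles for one expected event, 24/7 for 10 years: %ld\n",
           vehicles_for_one_expected_event(mtbe, 10.0));
    printf("miles for one expected event at 64 mph: %.0f\n",
           miles_for_one_expected_event(mtbe, 64.0));
    printf("P(at least one event observed | 1 expected): %.3f\n",
           probability_of_at_least_one(1.0));
    return 0;
}
```

The Poisson step is why the slide's conclusion is conservative rather than pessimistic: to be 95% sure of seeing at least one event, the test exposure has to be about three times the mean time between events, so roughly 108 vehicles for 10 years rather than 36.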
Background
• Sudden Unintended Acceleration (SUA) has been a problem for all automakers since the early 1980s...
• Starting with the first vehicles with automatic gearboxes that were also fitted with electronic cruise control...
• A malfunctioning cruise control can take over throttle control from the driver, possibly creating “WOT” (Wide Open Throttle)
• But automakers and NHTSA have always blamed SUA on driver "pedal error"... or sticky pedals.
Background continued...
• Electronic malfunctions...
• A major part of the development time of a new product can be ensuring that it doesn’t do what it shouldn’t!
• Since SUA only afflicts vehicles with auto boxes and cruise control (or electronic throttle control)...
• And incidence has increased 400% on a given model when its manual throttle was replaced by “e-throttle”...
• The cause of most SUAs is electronic malfunctions, and EMI can be a factor
What in the electronics could cause SUA?
• Misoperation or faults in electronics, specifically...
• Sensors (gas pedal position, throttle valve position)...
• Microprocessors and their memories (in the ECC)...
• Software (in the ECC)...
• Data communications (CAN bus, LIN bus, etc.)... e.g. even though e-throttle systems don’t use data buses for their throttle control signals, CAN bus connects to the ECC and errors in it can cause software protocol failures that can ‘ripple through’, affecting everything in the ECC...
• Actuators and their drivers (the throttle valve motor and its drive circuits)
What can cause electronics to suffer errors or malfunctions?
• Unwanted electrical noise known as EMI (ElectroMagnetic Interference)
• Mistakes (“bugs”) in the software program
• Intermittent electrical connections
• Incorrect interaction between system components
• Incorrect assembly, bad components, faults, ionizing radiation, etc.
Balance of probabilities continued...
• The likely cause(s) has (have) to be decided on the balance of probabilities... which requires a comprehensive risk assessment that takes everything into account...
• But of course there are other possibilities, including:
  - incorrect assembly,
  - “bad batches” of components,
  - faults (including intermittents),
  - software glitches,
  - tin whiskers,
  - ionizing radiation,
  - and chance combinations of any/all of the above
Safety Standards and Independent Assessments
• Aviation and rail vehicles must comply with tough, peer-reviewed, public functional safety standards, derived from IEC 61508, e.g.... and no vehicle is supplied to an end-user until “signed off” by an ISA (Independent Safety Assessor)
• Although cars expose many more people to risks of injury and death each year... automakers do not meet public functional safety standards, or have vehicles independently assessed.
Software “Bugs”
• A software program is a series of written instructions (lines of “code”) for a digital computer (e.g. a microprocessor) to follow... The lines of code tell the computer how to read the input signals from sensors (e.g. pedal position sensor, throttle valve position sensor)... and how to respond by sending control signals to actuators (e.g. the throttle valve motor)...
• The software program must be designed to ensure the safe behaviour of the complete vehicle as a system
• A typical modern car has 20+ million lines of code, of lower quality than the Space Shuttle’s, so we should expect at least two thousand latent bugs in every car!!!
• Many auto recalls are now for software reprogramming
Case Study On Toyota
• According to the NHTSA, the initial problem resulted when the accelerator pedal was depressed to, or almost to, the floor during sudden acceleration.
• It can become trapped in the fully open position by an out-of-position floor mat.
• The problem was later identified as a possible mechanical sticking of the accelerator pedal.
• As of February 2011, approximately 14 million cars worldwide have been involved in these recalls.
Electronic throttle control, “e-throttle” (diagram labels)
• Throttle valve motor and position sensors
• Engine control computer, “ECC”
• Cables carry signals between modules
• Gas pedal sensors
Example of an e-throttle gas pedal (photo labels)
• Plain plastic body (unshielded against EMI)
• Plug for the single unshielded wire bundle that carries both sensor signals to the ECC
• The dual sensor assembly is inside here
The sensor PCB in the gas pedal (photo labels)
• Hall-effect sensors in one package
• The single unshielded wire bundle that carries both sensor signals to the ECC plugs in here
Recommendations By NHTSA
• Brake override systems
• Standardized operation of keyless ignition systems
• Data recorders in all passenger vehicles
• Research on reliability & security of electronic control systems
• Research on placement & design of accelerator & brake pedals and driver usage of these pedals
Solution They Tried To Provide
• Toyota’s remedies: accelerator pedal reconfigured by the dealers to shorten it
• Development of replacement pedals for the vehicles (available for some models in April 2010)
• Owners who chose to have their pedals reconfigured would be offered the replacement pedal when it became available
• Providing all-weather floor mats
• Installation of a brake override system on certain models – enabling the car to stop if both the brake and the accelerator were pushed simultaneously
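How a brake override interacts with the dual pedal sensors shown on the earlier pedal photos, as an added example written for this page (it is not Toyota's or any automaker's code, and the thresholds, type names and field names are this example's own assumptions): the ECC only trusts a pedal request when both Hall-effect channels are in range and agree within a plausibility window, falls back to a limp-home cap when they do not, and closes the throttle whenever the brake is applied while the accelerator is clearly applied. The design goal is the one the slides argue for: a single EMI-corrupted signal must not be able to open the throttle on its own.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed ECC input snapshot for this example: two independent pedal-position
 * channels (the "dual sensor assembly" in the pedal), scaled 0..100 %, plus the
 * brake-light switch. Type and field names are this example's own. */
typedef struct {
    uint8_t pedal_a_pct;     /* Hall-effect channel A, 0..100; values > 100 indicate a fault */
    uint8_t pedal_b_pct;     /* Hall-effect channel B, 0..100; values > 100 indicate a fault */
    bool    brake_pressed;   /* brake-light switch */
} ecc_inputs_t;

typedef enum {
    THROTTLE_NORMAL,         /* both channels plausible, no override */
    THROTTLE_BRAKE_OVERRIDE, /* brake and accelerator applied together: throttle closed */
    THROTTLE_LIMP,           /* channels disagree or one is faulty: reduced power */
    THROTTLE_IDLE            /* no trustworthy pedal signal at all: throttle closed */
} throttle_state_t;

typedef struct {
    uint8_t          throttle_cmd_pct;  /* demand passed on toward the throttle valve motor */
    throttle_state_t state;
} throttle_decision_t;

/* Assumed calibration values for the example; real ones are vehicle-specific. */
#define PEDAL_MAX_PCT              100
#define PEDAL_MAX_DISAGREE_PCT      10  /* plausibility window between channels A and B */
#define LIMP_HOME_MAX_PCT           15  /* cap applied whenever the pedal signal is suspect */
#define BRAKE_OVERRIDE_PEDAL_PCT    20  /* override only when the accelerator is clearly applied */

static uint8_t min_u8(uint8_t x, uint8_t y) { return x < y ? x : y; }

throttle_decision_t arbitrate_throttle(const ecc_inputs_t *in)
{
    throttle_decision_t d = { 0, THROTTLE_IDLE };
    bool a_ok = in->pedal_a_pct <= PEDAL_MAX_PCT;
    bool b_ok = in->pedal_b_pct <= PEDAL_MAX_PCT;
    uint8_t request;           /* conservative pedal request before any cap */
    bool limp;

    /* 1. Range check: neither channel trustworthy -> fail safe to idle. */
    if (!a_ok && !b_ok)
        return d;

    if (!a_ok || !b_ok) {
        /* 2. Single-channel fault: run on the surviving channel, but only in limp mode. */
        request = a_ok ? in->pedal_a_pct : in->pedal_b_pct;
        limp = true;
    } else {
        /* 3. Plausibility: both in range, so they must agree within the window.
         *    Always use the lower reading, so one corrupted channel can only
         *    reduce the request, never raise it. */
        int diff = (int)in->pedal_a_pct - (int)in->pedal_b_pct;
        if (diff < 0) diff = -diff;
        request = min_u8(in->pedal_a_pct, in->pedal_b_pct);
        limp = diff > PEDAL_MAX_DISAGREE_PCT;
    }

    /* 4. Brake override, checked before the limp cap: brake applied while the
     *    accelerator is clearly applied -> close the throttle so the brakes win.
     *    Light overlap below the threshold is allowed (e.g. holding on a hill). */
    if (in->brake_pressed && request >= BRAKE_OVERRIDE_PEDAL_PCT) {
        d.throttle_cmd_pct = 0;
        d.state = THROTTLE_BRAKE_OVERRIDE;
        return d;
    }

    /* 5. Apply the limp-home cap if the signal was suspect, otherwise pass the request. */
    d.throttle_cmd_pct = limp ? min_u8(request, LIMP_HOME_MAX_PCT) : request;
    d.state = limp ? THROTTLE_LIMP : THROTTLE_NORMAL;
    return d;
}
```

Taking the lower of the two channels is the detail that matters for EMI: a noise burst that drives one channel high is treated as disagreement and can only reduce power, while a burst that drives both channels high consistently is the case the brake override is there to cover. The thresholds and the hill-start exception are where a real calibration would need review against the vehicle's own hazard analysis.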
Electromagnetic Interference (EMI)
• The physical laws that govern all electrical/electronic power, signals, radiowave propagation, infra-red and light... are Maxwell’s equations, the same laws that govern EMI!
• So all applications of electricity and electronic power and signals create and suffer from EMI...
• EMI is inherent, inevitable, unavoidable in all electronics, including software, which runs on hardware...
• No exceptions are possible in this universe, ever
One of GM’s EMC test chambers, in 2008 (photo)
EMI continued...
• EMC tests aren’t done with foreseeable faults simulated (e.g. failed EMI filter, failed surge protector) to verify the safety back-up or fail-safe measures... and tests do not simulate real-world conditions, e.g. anechoic test chambers only test with radio waves coming from a few fixed directions...
• But in real life they will come from any/all directions, some of which will most probably have a worse effect... and no practical amount of testing can ever be sufficient
• Anyway – given the huge number of possible test combinations required....
SILs (‘Safety Integrity Level’, from IEC 61508) and EMC Testing
• If we assume that an affordable EMC immunity test plan covers up to 90% of real-life exposure to EMI over the anticipated lifetime... It surely can’t be more than this!
• Then the EMC testing barely reaches the minimum level to achieve SIL (90 to 99%)... So we need to do 10 times more testing to reduce the risks from EMI for SIL....
• And 10,000 times more testing work for SIL level 4...
• Clearly unaffordable, impractical
What should be done?
• This ‘reliability-proving’ problem faced the software industry, who solved it during the 1990s (resulting in IEC 61508-3)
• We need to use the same basic methods....
• The use of proven EMC design techniques...
• Plus a range of verification/validation methods... e.g. checklists, reviews, assessments, audits, validated computer modeling, etc...
• Plus EMC immunity testing designed case-by-case to improve confidence for certain issues… (The EMC aspects are all described in the IET’s 2008 guide)
Thank You
“Electromagnetic interference leaves no trace, it goes away just as it came.”