Controlling Automobile Safety

Risks caused by EMIA case study to introduce

“EMC for Functional Safety”

Harshit SrivastavaRahul Sinha

EMC For Functional Safety Is Rapidly Becoming Very Important Indeed, As Electronic Control Spreads Throughout All Applications

• So it is the focus of several new and modified IEC safety standards, • IEC TS 61000-1-2 (basic standard, EMC for functional safety )• Draft IEC 61000-6-7 (generic standard, EMC for functional safety)• IEC 66061-1-2 draft ed4 (medical EMC)

Why can no-one prove SUAby testing? Example: NHTSA has had up to 3,000 SUA complaints in one yearAssuming 30 million vehicles on the road, that’s a rate of 1 in 10,000 per vehicle per year...Assuming an average drive of 1 hr/day, 6 days/week, gives us one SUA per 3,120,000 hours of driving To detect one SUA in just one model would require testing 36 vehicles, 24/7, for 10 years !!!! or driving a single vehicle about 200 million miles

Background

• Sudden Unintended Acceleration (SUA) Has Been A• Problem For All Automakers Since The Early 1980s...• Starting With The First Vehicles With Automatic Gearboxes• That Were Also Fitted With Electronic Cruise Control...• A Malfunctioning Cruise Control Can Take Over Throttle• Control From The Driver, Possibly Creating “WOT” (Wide Open Throttle)• But Automakers And NHTSA Have Always Blamed SUA On Driver "Pedal

Error“...• Or Sticky Pedals.

Background continued...

• Electronic Malfunctions....• A Major Part Of The Development Time Of A New Product• Can Be Insuring That It Doesn’t Do What It Shouldn’t!• Since SUA Only Afflicts Vehicles With Auto Boxes And Cruise Control (Or

Electronic Throttle Control)• And Incidence Has Increased 400% On A Given Model• When Its Manual Throttle Was Replaced By “E-throttle”...• The Cause Of Most SUA’s Is Electronic Malfunctions, And That EMI Can Be

A Factor

What in the electronics could cause SUA?• Misoperation or faults in electronics, specifically...• Sensors (gas pedal position, throttle valve position)...• Microprocessors and their memories (in the ECC)...Software (in the

ECC)...Data communications (CAN bus, LIN bus, etc.)...e.g. even though e-throttle systems don’t use data buses for their throttle control signals, CAN bus connects to the ECC and errors in it can cause software protocol failures that can ‘ripple through’, affecting everything in the ECC... Actuators and their drivers (the throttle valve motor and its drive circuits)

What can cause electronics tosuffer errors or malfunctions?• Unwanted electrical noise known as EMI (ElectroMagnetic

Interference) Mistakes (“bugs”) in the software program Intermittent electrical connections• Incorrect interaction between system components• Incorrect assembly, bad components, faults, ionizing radiation, etc.

Balance of probabilities continued...• The likely cause(s) has (have) to be decided on the balance of probabilities...

which requires a comprehensive risk assessment that takes everything into account...,• but of course there are other possibilities, including:• - incorrect assembly,• - “bad batches” of components,• - faults (including intermittents),• - software glitches,• - tin whiskers,• - ionizing radiation,• - and chance combinations of any/all of the above

Safety Standards andIndependent Assessments• Aviation and rail vehicles must comply with tough, peer-reviewed,

public functional safety standards, derived from IEC 61508, e.g.... And no vehicle is supplied to an end-user until “signed off” by an isa (independent safety assessor)• Although cars expose many more people to risks of injury and

death each year... Automakers do not meet public functional safety standards, or have vehicles independently assessed.

Software “Bugs”• A software program is a series of written instructions (lines of “code”) for

a digital computer(E.G. A microprocessor) to follow... The lines of code tell the computer how to read the input signals from sensors (e.G. Pedal position sensor, throttle valve position sensor)... And how to respond by sending control signals to actuators (e.g. The throttle valve motor)...• The software program must be designed to ensure the safe behaviour of

the complete vehicle as a system a typical modern car has 20+ million lines, of lower quality code than the space shuttle, so we should expect at least two thousand latent bugs in every car !!!• Many auto recalls are now for software reprogramming

Case Study On Toyota

• According to the NHTSA, the initial problem resulted when the accelerator pedal was depressed to, or almost to the floor, during sudden acceleration. • It can become trapped in the fully open position by an out of

position floor mat. • The problem was later identified as a possible mechanical sticking of

the accelerator pedal • As of February 2011, approximately 14 million cars worldwide have

been involved in these recalls.

Electronic throttlecontrol “e-throttle”•

Throttle valve motorand position sensors

Engine controlcomputer, “ECC”

Cables carry signalsbetween modules

Gas pedal sensors

Example of an e-throttle gas pedal

Plain plastic body(unshielded against EMI)

Plug for the singleunshielded wirebundle that carriesboth sensorsignals to the ECC

The dual sensor assembly is inside here

The sensor PCB in the gas pedal

Hall-effectsensorsin one package

The single unshielded wire bundlethat carries both sensor signalsto the ECC plugs in here

Recommendations By NHTSA

• Brake override systems Standardized operation of keyless ignition system Data recorders in all passenger vehicles • Research on reliability & security of electronic control systems • Research on placement & design of accelerator & brake pedals and

driver usage of these pedals

Solution They Tried To Provide

• Toyota’s remedies: Accelerator pedal reconfigured by the dealers to shorten it• Development of replacement pedals for the vehicles (available for

some models in April 2010) • Offering owners who chose to have their pedals reconfigured would

be offered the replacement pedal when it became available• Providing all-weather floor mats Installation of a brake override

system on certain models – enabling the car to stop if both the brake and the accelerator were pushed simultaneously

Electromagnetic Interference (EMI)• The physical laws that govern all electrical/electronic power, signals,

radiowave propagation, infra-red and light... Are maxwell’s equations the same laws that govern emi !• So all applications of electricity and electronic power and signals,

create and suffer from emi...• Emi is inherent, inevitable, unavoidable in all electronics including

software, which runs on hardware...• No exceptions are possible in this universe, ever

One of GM’s EMC testchambers, in 2008

EMI continued...• EMC tests aren’t done with foreseeable faults simulated (e.G. Failed

EMI filter, failed surge protector) to verify the safety back-up or fail-safe measures ... and tests do not simulate real-world conditions , e.G. Anechoic test chambers only test with radio waves coming from a few fixed directions...• But in real life they will come from any/all directions, some of which

will most probably have a worse effect... And no practical amount of testing can ever be sufficient• Anyway – given the huge number of possible test combinations

required....

SILs ‘Safety Integrated Level’ (from IEC 61508)and EMC Testing• If we assume that an affordable EMC immunity test plan covers up

to 90% of real-life exposure to EMI over the anticipated lifetime...It surely can’t be more than this!• Then the emc testing barely reaches the minimum level to achieve

sil (90 to 99%)... So we need to do 10 times more testing to reduce the risks from emi for sil....• And 10,000 times more testing work for sil level 4...• Clearly unaffordable, impractical

What should be done?• This ‘reliability-proving’ problem faced the software industry, who

solved it during the 1990s (resulting in IEC 61508-3) • We need to use the same basic methods.... • The use of proven emc design techniques... • Plus a range of verification/validation methods... E.G. Checklists,

reviews, assessments, audits, validated computer modeling, etc... • Plus emc immunity testing designed case-by-case to improve

confidence for certain issues…(The EMC aspects are all described in the iet’s 2008 guide)

Thank You

“Electromagnetic interference leaves no trace, it goes away just as it came.”