This is a case study of vehicle braking systems affected by electromagnetic (EMC/EMI) effects, which have been implicated in many accidents.
The presentation points out these EMC effects and how they can be controlled in safety-related products.
2. EMC for functional safety is rapidly becoming very important indeed, as electronic control spreads throughout all applications
• So it is the focus of several new and modified IEC safety standards:
• IEC TS 61000-1-2 (basic standard, EMC for functional safety)
• Draft IEC 61000-6-7 (generic standard, EMC for functional safety)
• IEC 60601-1-2 draft ed. 4 (medical EMC)
3. Why can no-one prove SUA by testing?
Example: NHTSA has had up to 3,000 SUA complaints in one year.
Assuming 30 million vehicles on the road, that's a rate of 1 in 10,000 per vehicle per year...
Assuming an average drive of 1 hr/day, 6 days/week, gives us one SUA per 3,120,000 hours of driving.
To detect one SUA in just one model would require testing 36 vehicles, 24/7, for 10 years!!!! or driving a single vehicle about 200 million miles.
4. Background
• Sudden Unintended Acceleration (SUA) has been a problem for all automakers since the early 1980s...
• Starting with the first vehicles with automatic gearboxes that were also fitted with electronic cruise control...
• A malfunctioning cruise control can take over throttle control from the driver, possibly creating "WOT" (Wide Open Throttle)
• But automakers and NHTSA have always blamed SUA on driver "pedal error"...
• Or sticky pedals.
5. Background continued...
• Electronic malfunctions....
• A major part of the development time of a new product can be ensuring that it doesn't do what it shouldn't!
• Since SUA only afflicts vehicles with auto boxes and cruise control (or electronic throttle control)...
• And incidence has increased 400% on a given model when its manual throttle was replaced by "e-throttle"...
• The cause of most SUAs is electronic malfunctions, and EMI can be a factor.
6. What in the electronics could cause SUA?
• Misoperation or faults in electronics, specifically...
• Sensors (gas pedal position, throttle valve position)...
• Microprocessors and their memories (in the ECC)...
• Software (in the ECC)...
• Data communications (CAN bus, LIN bus, etc.)... e.g. even though e-throttle systems don't use data buses for their throttle control signals, the CAN bus connects to the ECC, and errors on it can cause software protocol failures that 'ripple through', affecting everything in the ECC...
• Actuators and their drivers (the throttle valve motor and its drive circuits)
7. What can cause electronics to suffer errors or malfunctions?
• Unwanted electrical noise, known as EMI (ElectroMagnetic Interference)
• Mistakes ("bugs") in the software program
• Intermittent electrical connections
• Incorrect interaction between system components
• Incorrect assembly, bad components, faults, ionizing radiation, etc.
8. Balance of probabilities continued...
• The likely cause(s) has (have) to be decided on the balance of probabilities... which requires a comprehensive risk assessment that takes everything into account...
• But of course there are other possibilities, including:
 - incorrect assembly,
 - "bad batches" of components,
 - faults (including intermittents),
 - software glitches,
 - tin whiskers,
 - ionizing radiation,
 - and chance combinations of any/all of the above
9. Safety standards and independent assessments
• Aviation and rail vehicles must comply with tough, peer-reviewed, public functional safety standards, derived from IEC 61508, e.g.... And no vehicle is supplied to an end-user until "signed off" by an ISA (independent safety assessor)
• Although cars expose many more people to risks of injury and death each year... automakers do not meet public functional safety standards, or have vehicles independently assessed.
10. Software "bugs"
• A software program is a series of written instructions (lines of "code") for a digital computer (e.g. a microprocessor) to follow... The lines of code tell the computer how to read the input signals from sensors (e.g. pedal position sensor, throttle valve position sensor)... and how to respond by sending control signals to actuators (e.g. the throttle valve motor)...
• The software program must be designed to ensure the safe behaviour of the complete vehicle as a system. A typical modern car has 20+ million lines of code, of lower quality than the Space Shuttle's, so we should expect at least two thousand latent bugs in every car!!!
• Many auto recalls are now for software reprogramming
11. Case study on Toyota
• According to the NHTSA, the initial problem resulted when the accelerator pedal was depressed to, or almost to, the floor during sudden acceleration.
• It can become trapped in the fully open position by an out-of-position floor mat.
• The problem was later identified as a possible mechanical sticking of the accelerator pedal.
• As of February 2011, approximately 14 million cars worldwide have been involved in these recalls.
13. Example of an e-throttle gas pedal
(Photo annotations: plug for the single unshielded wire bundle that carries both sensor signals to the ECC; plain plastic body, unshielded against EMI; the dual sensor assembly is inside here.)
14. The sensor PCB in the gas pedal
(Photo annotations: the single unshielded wire bundle that carries both sensor signals to the ECC plugs in here; two Hall-effect sensors in one package.)
15. Recommendations by NHTSA
• Brake override systems
• Standardized operation of keyless ignition systems
• Data recorders in all passenger vehicles
• Research on reliability & security of electronic control systems
• Research on placement & design of accelerator & brake pedals and driver usage of these pedals
16. Solution they tried to provide
• Toyota's remedies: accelerator pedal reconfigured by the dealers to shorten it
• Development of replacement pedals for the vehicles (available for some models in April 2010)
• Owners who chose to have their pedals reconfigured would be offered the replacement pedal when it became available
• Providing all-weather floor mats
• Installation of a brake override system on certain models – enabling the car to stop if both the brake and the accelerator were pushed simultaneously
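The pedal on slides 13 and 14 carries two Hall-effect sensor signals down one unshielded bundle to the ECC, and slide 16 adds a brake override on top. The following added example, written for this page and not taken from Toyota or any ECU vendor, shows how a controller can cross-check the two tracks so that a noise-corrupted or open-circuit reading is detected instead of being obeyed, and how the brake override cancels the demand. Everything quantitative here is an assumption not stated on the slides: each track reads 0.5 V at rest and 4.5 V at full travel, track 2 is scaled to half of track 1, a fault is latched after 3 consecutive implausible samples, and a pressed brake cancels any demand above 5%.

```c
/* Added example (illustrative, not production ECU firmware): dual-track
 * pedal plausibility check with brake override. Voltage ranges, the 2:1
 * track ratio, the debounce count and the 5 % threshold are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define V_REST          0.5   /* volts with pedal released (assumed) */
#define V_FULL          4.5   /* volts with pedal floored (assumed) */
#define V_RAIL_MARGIN   0.2   /* beyond this a track is open, shorted or swamped */
#define TRACK_RATIO     0.5   /* healthy track 2 == track 1 * TRACK_RATIO */
#define PLAUS_TOL_V     0.15  /* permitted mismatch after rescaling track 2 */
#define FAULT_DEBOUNCE  3     /* consecutive bad samples before latching */
#define BRAKE_OVERRIDE_PCT 5.0

typedef struct {
    int    implausible_count;  /* consecutive samples failing the cross-check */
    bool   latched_fault;      /* set once; cleared only by a service tool */
    double last_good_pct;      /* demand from the last plausible sample */
} pedal_monitor_t;

typedef struct {
    double throttle_pct;   /* 0..100 requested throttle opening */
    bool   brake_override; /* demand cancelled because the brake is pressed */
    bool   fault;          /* pedal declared faulty: limp to idle */
} throttle_cmd_t;

static double absd(double x) { return x < 0.0 ? -x : x; }

static bool track_in_range(double v)
{
    return v >= V_REST - V_RAIL_MARGIN && v <= V_FULL + V_RAIL_MARGIN;
}

/* Both tracks in range and agreeing once track 2 is rescaled. A common-mode
 * disturbance on the shared bundle shifts both by a similar voltage, which
 * breaks the 2:1 relationship and is therefore caught here. */
static bool tracks_plausible(double v1, double v2)
{
    double v2_scaled = v2 / TRACK_RATIO;
    return track_in_range(v1) && track_in_range(v2_scaled)
        && absd(v1 - v2_scaled) <= PLAUS_TOL_V;
}

static double volts_to_pct(double v)
{
    double pct = (v - V_REST) / (V_FULL - V_REST) * 100.0;
    if (pct < 0.0)   pct = 0.0;
    if (pct > 100.0) pct = 100.0;
    return pct;
}

/* One control-loop iteration. */
throttle_cmd_t pedal_step(pedal_monitor_t *m, double v1, double v2, bool brake_pressed)
{
    throttle_cmd_t cmd = {0.0, false, false};

    if (tracks_plausible(v1, v2)) {
        m->implausible_count = 0;
        m->last_good_pct = volts_to_pct(v1);
    } else if (++m->implausible_count >= FAULT_DEBOUNCE) {
        m->latched_fault = true;
    }
    if (m->latched_fault) {          /* safe state: no throttle demand */
        cmd.fault = true;
        return cmd;
    }
    /* During a glitch shorter than FAULT_DEBOUNCE the demand is frozen at
     * the last plausible value instead of following the noise. */
    double pct = m->last_good_pct;
    if (brake_pressed && pct > BRAKE_OVERRIDE_PCT) {   /* brake wins */
        cmd.brake_override = true;
        pct = 0.0;
    }
    cmd.throttle_pct = pct;
    return cmd;
}

/* Fresh monitor, single sample: handy for one-off checks. */
throttle_cmd_t pedal_single_shot(double v1, double v2, bool brake_pressed)
{
    pedal_monitor_t m = {0, false, 0.0};
    return pedal_step(&m, v1, v2, brake_pressed);
}

/* Constructed scenario: half travel, a two-sample glitch on track 1,
 * recovery, then a persistent open circuit. Returns 0 if every step behaved. */
int pedal_demo(void)
{
    pedal_monitor_t m = {0, false, 0.0};
    int failures = 0;
    throttle_cmd_t c;
    c = pedal_step(&m, 2.5, 1.25, false);   /* half travel -> 50 % */
    if (absd(c.throttle_pct - 50.0) > 1e-9 || c.fault) failures++;
    c = pedal_step(&m, 4.5, 1.25, false);   /* track 1 kicked to the rail */
    if (absd(c.throttle_pct - 50.0) > 1e-9 || c.fault) failures++;
    c = pedal_step(&m, 4.4, 1.25, false);   /* still glitching: frozen */
    if (absd(c.throttle_pct - 50.0) > 1e-9 || c.fault) failures++;
    c = pedal_step(&m, 2.5, 1.25, false);   /* plausible again */
    if (c.fault || m.implausible_count != 0) failures++;
    for (int i = 0; i < FAULT_DEBOUNCE; i++)
        c = pedal_step(&m, 0.0, 1.25, false);   /* track 1 open circuit */
    if (!c.fault || c.throttle_pct != 0.0) failures++;
    c = pedal_step(&m, 2.5, 1.25, false);   /* fault stays latched */
    if (!c.fault) failures++;
    return failures;
}

int main(void)
{
    printf("demo failures: %d\n", pedal_demo());
    return 0;
}
```

The point of the 2:1 scaling is that the two tracks must fail in a correlated but differently scaled way before a wrong reading is accepted; a disturbance coupled into the shared bundle, or a single open or shorted wire, shows up as a mismatch and the demand is held or removed rather than passed to the throttle motor. A real ECU would also record the fault and tolerate a longer debounce, but the structure is the same.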
17. Electromagnetic Interference (EMI)
• The physical laws that govern all electrical/electronic power, signals, radiowave propagation, infra-red and light... are Maxwell's equations, the same laws that govern EMI!
• So all applications of electricity and electronic power and signals create and suffer from EMI...
• EMI is inherent, inevitable, unavoidable in all electronics, including software, which runs on hardware...
• No exceptions are possible in this universe, ever
19. EMI continued...
• EMC tests aren't done with foreseeable faults simulated (e.g. failed EMI filter, failed surge protector) to verify the safety back-up or fail-safe measures... and tests do not simulate real-world conditions, e.g. anechoic test chambers only test with radio waves coming from a few fixed directions...
• But in real life they will come from any/all directions, some of which will most probably have a worse effect... And no practical amount of testing can ever be sufficient
• Anyway – given the huge number of possible test combinations required....
20. SILs ('Safety Integrity Level', from IEC 61508) and EMC testing
• If we assume that an affordable EMC immunity test plan covers up to 90% of real-life exposure to EMI over the anticipated lifetime... it surely can't be more than this!
• Then the EMC testing barely reaches the minimum level to achieve a SIL (90 to 99%)... so we need to do 10 times more testing to reduce the risks from EMI for SIL....
• And 10,000 times more testing work for SIL level 4...
• Clearly unaffordable, impractical
21. What should be done?
• This 'reliability-proving' problem faced the software industry, which solved it during the 1990s (resulting in IEC 61508-3)
• We need to use the same basic methods....
• The use of proven EMC design techniques...
• Plus a range of verification/validation methods... e.g. checklists, reviews, assessments, audits, validated computer modeling, etc...
• Plus EMC immunity testing designed case-by-case to improve confidence for certain issues…
(The EMC aspects are all described in the IET's 2008 guide)