Electromagnetic Compatibility (EMC) in the automobile industry, is validated by testing the performance of electronic sub-assemblies (ESAs), and complete vehicles, using standardised test methods in an EMC laboratory. This is the way that EMC is validated in most industries, and it is the 'traditional' approach to testing electromagnetic (EM) emissions and immunity.

'Functional safety' means the reduction of risks due to operational (functional) errors or malfunctions, to acceptable levels, over the anticipated lifetime of a product. There have long been concerns [1] that the traditional approach to EMC is inadequate for the achievement of functional safety.

In all safety engineering disciplines it is accepted that it is insufficient to rely totally on product testing. Instead, acceptable safety risks are validated using an approach based that employs a wide variety of methods (including, but not limited to testing) to verify the adequacy of the safety design.

This paper describes why the traditional EMC testing approach is insufficient as the sole means of demonstrating that a vehicle's EM characteristics achieve functional safety.

It then describes what EM engineering and verification techniques are required, where errors or malfunctions in electronics (hardware and firmware) could result in unacceptable functional safety risks.

Some industrial companies (for example, some manufacturers of flight-critical avionics or missiles) already employ verification methods that go well beyond their industry's standardised EMC tests, to help them achieve functional safety. But the use of good EMC-for-functional-safety practices is very far from being as common as it needs to be, especially in the vehicle manufacturing industry given the rapid increase in the use of increasingly complex electronic devices and firmware in areas where errors or malfunctions could increase safety risks.

2. Introduction

Safety-related systems, including industrial, commercial, medical, transportation (including avionics) and military, are increasingly using electrical, electronic and/or programmable electronic (E/E/PE) devices and equipment. A safety-related system could be a single ESA, or a combination of ESAs and other devices of any scale.

In a vehicle, safety-related systems are found in every aspect of drive-chain control, including acceleration, steering, braking, and in many aspects of body control, including lighting, displays, indicators and mirrors. The scope is broad including any ESA that affects the driver's direct control of the vehicle or functions that could cause confusion to other road users [9]. Even functions like electrically-controlled seats, windows and the volume of the sound system could be regarded as having an influence on vehicle safety, because if they malfunction they can significantly distract the driver or make it difficult for them to control the vehicle (e.g. if the seat moves uncommanded to a position that prevents the driver from controlling the pedals or steering).

All the above drive-chain and body control aspects now employ E/E/PE ESAs, with most of them being able to be described as 'drive-by-wire' in which there is no direct mechanical, hydraulic or electrical linkage between the driver's control device (e.g. gas pedal) and the actuator of function being controlled (e.g. a butterfly valve). Instead, the driver control device sends a weak electrical signal to an ESA that generally uses computer-based hardware and firmware to determine what control signal shall be sent to the actuator.

Steering and braking are two control functions still mostly relying upon mechanical and hydraulic linkages, respectively, but their pneumatic 'vacuum assist' power steering/braking systems are now being replaced by E/E/PE ESAs (e.g. ABS, electrically assisted braking, steering, etc.) to reduce power consumption and increase gas mileage.

Unfortunately, all E/E/PE ESAs can suffer from errors, malfunctions and even permanent damage due to EM interference (EMI).

Despite the existence of standards limiting the EM emissions from products, 'ambient' EM environments (the totality of all EM phenomena occurring at a given location) are continually worsening due to the increasing use of electronic technologies in all areas of society, generally increasing the aggregated EM 'noise' at any given location.

Another problem is the inadequacies in the methods of measuring and specifying emissions [1], which are all based on limiting the amplitude of narrowband frequencies to protect traditional narrowband radio communications channels. They do not limit the total emissions of EM energy, so the emissions spectrum from a given product can become much 'busier', representing much greater EM energy emissions, whilst remaining within the required emissions limits. Spread-spectrum techniques are an example of 'electronic trickery' developed over the last decade or so to spread emitted EM energy over wider bandwidths than are measured by the emissions tests. Despite a product's compliance with emissions standards, such techniques enable it to create significantly more EM 'pollution'. All ESAs rely on semiconductors, as discrete devices and/or integrated circuits (ICs), and the continuing trend in their manufacture to shrink their silicon feature sizes, and the associated reduction in operating voltages, make them more susceptible to EMI. So the importance of EMI for functional safety is increasing.

Car manufacturers are driven by profit, product liability and commercial competitiveness. To restate that in the negative: they do their best to minimize costs, avoid exposure to the financial (and bad publicity) risks of litigation and make a product that consumers see as superior to their competitors.

Most of the larger vehicle manufacturers have developed their own 'in-house' EMC test standards for their finished vehicles, which generally also include EMC tests for items supplied by their Tier 1 (ESA) and Tier 2 (component) suppliers. [2] was recently developed by a group of vehicle manufacturers, to try to standardize all these disparate test methods to help encourage the sharing of ESAs and systems between different manufacturers to reduce overall costs.

But all published EMC standards, and those used by the automobile industry, either do not address functional safety at all, or employ traditional testing methods and so do not deal with functional safety, as briefly described later in this paper.

In all areas of product and system manufacturing, published safety standards generally deal with EMI-related issues very poorly, where they cover the issue at all [3] [4] [5]. Generally, safety standards that do cover EMC simply require the application of traditional EMC immunity tests that can never be sufficient for demonstrating the achievement of adequate levels of safety, for reasons described later.

However, there are other safety publications being developed that do address this issue correctly, especially [6], which aims to become the International Electrotechnical Commission's (IEC's) basic standard on EMC for Functional Safety. [6] is based upon the IEC's well-established basic standard on Functional Safety, IEC 61508 [7]. The automotive industry typically looks to the International Standardization Organization (ISO) to produce its standards, so it is not clear how they will receive [6] and [7].

Another relevant document is the IET's 2000 guidance [8]. A much more detailed and practically useful revision of this is due to be published in 2008, and will be made available via the IET's website http://www.theiet.org.

The consequence of all this is that vehicle manufacturers who comply with the minimum regulatory requirements, for example the European Union's Automotive EMC Directive [9] and/or with their in-house or internationally standardised EMC or safety standards (such as [2]), will not adequately control EMC for Functional Safety " increasing the risks for their customers, third parties and themselves, as shown by Figure 1.

Adequate safety performance is that which results in acceptable safety risks, and for all safety issues including software [10] " but excluding EMC " is generally verified and validated as follows

• The design is assessed by safety experts against a number of well-proven safety engineering criteria, that take into account issues such as foreseeable faults, ageing and wear-and-tear

• Samples are tested to see if normal operation over the lifetime, and any reasonably foreseeable faults, misuse or environmental conditions could result in unacceptable risks

• Every product manufactured is tested to check that faulty parts or incorrect assembly has not degraded its basic safety features

For comparison: the traditional approach to EMC relies solely on applying a fixed set of immunity tests to a new unit in a benign physical environment. Such tests can never be sufficient for demonstrating acceptable safety risks, because (for the reasons described in the following section) the resulting test plan would be much too costly and time-consuming for any manufacturer to even begin to contemplate.

Figure 1: Increasing safety risks due to EMI

3. Why affordable EMC testing is always insufficient for safety purposes

The issues discussed in this section, and some others, are also discussed in [29] [30] and [31] for a wide range of industries including automotive. [1] is also relevant.

3.1 Foreseeable faults are ignored

Faults are considered in the auto industry, but only to reduce cost and eliminate waste. The main goal of Tier 1 suppliers is to have no 'zero kilometer' failures; i.e. units delivered to the car manufacturer that do not allow the car to move at all before it fails. The cost implication is the warranty return of one item consuming the profit on several items. Failures out of warranty mean one more unit sold with some additional profit, and these do not appear to be treated with the same zeal. However, all failures are analyzed and design improvements generally made where practicable, but preventative engineering and knowledge sharing across tiers appears to be poor.

Designing against foreseeable faults is done using Failure Mode Effect and Analysis (FMEA). The vehicle manufacturer does this at the system level, and then when the Tier 1 supplier has a complete design they repeat the FMEA process. There is also some pretty mature interface engineering such as reverse voltage protection, current limiting, ability to tolerate unintended application of battery voltage, etc. But the effectiveness of the process depends on how much cost the manufacturer is prepared to commit.

Knowledge of hardware noise immunity is critical for including EM immunity in an FMEA process. Most typically, engineers simply assume that each output pin of a component can experience an incorrect value, due to a failure of some sort. But EMI effects can be 'common-cause' - .e. they can affect several (or all) output pins at the same time. If the foreseeable behavior in response to EMI is not correctly taken into account in an FMEA, the results are inadequate to guide the design process to achieve acceptable safety risks.

Faults can significantly affect immunity to the normal EM environment, for example

• Dry joints, open or short circuits

• Out-of-tolerance or incorrect components

• Missing or damaged conductive gaskets

• Loose or missing fixings in enclosures or cable shielding

• Failure of a surge protection device

• Intermittent electrical connections, e.g. to a transducer or actuator

But traditional automotive EMC testing regimes ignore all faults " only perfect specimens are tested for immunity. This is sufficient reason alone to show that the traditional auto industry approach to EMC is insufficient when functional safety issues are concerned.

Even where an enlightened design process was in place and had correctly identified the foreseeable effects of EMI, the use of traditional test regimes based on failure-free samples would not verify that the resulting design (hardware and/or firmware) was effective.

3.2 Foreseeable use and misuse are ignored

It is generally accepted in safety engineering that people must be protected from themselves. This means that acceptable levels of safety risks must be maintained despite reasonably foreseeable use or misuse of equipment, for example

• The user not following the correct operational procedures, either by ignorance of willfully

E.g. most/all vehicle user manuals state that hand-held cellphones must not be used in the vehicle unless connected to an approved external antenna installation. But it is it is reasonably foreseeable that even if they knew about this restriction (most drivers do not) they will ignore it anyway. In any case, it is commonly observed that " for whatever reason " almost all drivers and passengers do not comply.

However, many vehicle manufacturers seem instead to prefer to rely upon the abilities of their lawyers to resist any product liability lawsuits brought on the basis of foreseeable misuse. It seems as if they make the business decision that the cost of paying legal fees is less than that of designing the safety of their vehicles more carefully.

• Pranks, and overtly malicious behavior

Of course, it is impossible to make anything perfectly safe, and nobody in safety engineering ever suggests that this should be attempted. But human beings are not predictable machines and they are known to behave in certain ways, so it is recognized that safety engineering should take this into account in product design.

But traditional automotive EM testing regimes ignore any such issues " assuming that vehicles are operated in perfect accordance with their user manuals at all times. This is sufficient reason alone to show that the traditional auto industry approach to EMC is insufficient when functional safety issues are concerned.

3.3 Real-life EM environments are not simulated

Commercial competitiveness seems to make automobile manufacturer very reluctant to sit next to their competitors in International Standards forums, and they prefer to develop their own test methods. One result of this parochial approach is that individual manufacturer might not have the depth of EM knowledge required to create test standards that effectively verify the design of a new vehicle, as regards their likely reliability and safety in real life.

At the beginning of an automotive test standard one would hope to see data like that in IEC 61000-4-1 " a rationale for the need for the tests and their methods. Instead, they do not even include basic statistical data on the probability of single EM disturbance events, let alone likelihood of simultaneous events or their cumulative impact.

3.3.1 Test chambers are not realistic

Traditional radiated field immunity testing specifies test chamber set-ups that are designed to make the tests more repeatable, and less costly. Unfortunately, the tests are unlike all real-life EM environments experienced by road-going vehicles (they are similar to the environment of missiles and aircraft during flight), so the test results can differ markedly from the immunity to radiated fields in real life.

Vehicle manufacturers often claim that they 'overtest' to address such concerns, but cannot explain how they arrive at the levels they apply.

There are also concerns about the measurement uncertainties in the test chambers themselves, with some EMC testing experts suggesting large and unpredictable uncertainties [11], [12]. Reverberation (mode-tuned) chambers can provide much more realistic tests [13] [14], and are used by many manufacturers of flight-critical avionics for this reason.

3.3.2 Continuous RF modulation types and frequencies are not realistic

For ease of testing, low costs and test repeatability, traditional RF immunity regimes test using a radio signal that is modulated with a 1kHz sine-wave, although some manufacturers employ pulse modulation to simulate digital cellphones or airport radar at frequencies above about 600MHz.

However, real-life EM environments contain radiated RF fields and conducted RF noises with a range of modulation types and frequencies. [15] and [16] show that equipment can have very significantly increased susceptibility (e.g. 20dB or more) when the modulation of an interfering signal corresponds with frequencies or waveforms used in its internal processes, or excites resonances in its circuits, cables, transducers or loads.

The importance of the type of modulation has been well known to military electronic jamming specialists for many decades, but is only now just starting to be recognized by traditional EMC testing regimes, see [17] [18], but not yet correctly developed.

3.3.3 DC power disturbance tests are not realistic or thorough

ISO 7637-2 [19] describes tests for disturbances conducted on the DC power supply (12V in most automobiles). The waveforms it uses are based on gross simplifications of the wide variety of DC power disturbances that can occur in real-life vehicles, so that they can easily and repeatably be achieved by low-cost test generators.

[20] describes tests of the DC power supply on a variety of real vehicles, and shows that the use of even the highest level pulses (Level IV) in [19] can be insufficient in some cases.

Many auto accessory manufacturers used to test their products to the lowest test level specified in [19] (Level I), and [20] shows this was inadequate to cover a variety of vehicles. If the EM environment for a particular model of vehicle is unknown, [20] recommends testing to Level IV, or at the very least never below Level II. Possibly as a consequence of [20], all testing is now done at a minimum of Level III.

Where an accessory could affect safety risks, testing at least to Level IV is clearly necessary unless the vehicle EM disturbance characteristics are known to always be less than this, over its operational lifetime. EMC test lab experience shows that varying the timings used by the ISO 7637-2 pulse 2b can delete the firmware in some ESAs, and that varying the settings of the start pulse so that they are close to the switch on/off threshold of some ESAs can cause them to switch on or off when uncommanded. However, most auto manufacturers do not vary the test waveforms in this way, sticking instead to settings permitted by [19] that reduce testing cost and time, or even that allow them to achieve a pass result. They thus fail to detect latent unreliabilities, which in some circumstances could lead to unacceptable safety risks.

But of course the real-life disturbances in the DC power supplies of vehicles can be very different from the tests in [19], and so are capable of interfering with the safe operation of ESAs and systems in different ways. Figure 2 shows three examples of real-life conducted transients in vehicles. There are no corresponding transient waveforms in [19].

Figure 2: Three examples of real-life conducted transients in vehicles, from [20]

[20] notes that the real vehicles tested exhibit additional types of disturbances from those tested by [19], including transients caused by intermittent electrical connections; sinewave modulations caused by pulse-width-modulated and stepper motor controllers, voltage dips and sags, etc. Many of these are known to cause significant interference events with ESAs in real-life, in automobiles.

[20] recommends at least adding the following tests, that some vehicle manufacturers (but not all) cover in their in-house EMC Specifications.

• Power Supply drop-outs between 500ms and 1 second

• Sine wave pulsed ripple test, 10kHz " 10MHz at 5Vpeak-to-peak.

Test methods already exist for these types of disturbance, ISO CD 16750-2 and ISO 11452 respectively, but not all vehicle manufacturers test using them.

The Ford Motor Company is unique in that its EMC test specification [41 deviates in part from [19] by using 'chattering relay' tests that should produce transient tests with waveforms closer to what is probably experienced in real-life.

3.3.4 Simultaneous disturbances are not tested

Traditional EMC testing applies one example in turn, of a limited number of types of EM disturbance. But in real life operation, many safety-related systems are frequently exposed to a number of simultaneous EM disturbances, for example:

• Two or more RF fields at different frequencies

• A radiated field plus a transient on the power lead

Simultaneous disturbances with different frequencies can cause EMI through intermodulation (IM), which (like demodulation) occurs naturally in all non-linear devices such as semiconductors. Figure 3 shows a very simple example of two RF fields at different frequencies, which can cause EMI by

• Direct interference from each frequency independently

• Demodulation of the amplitude envelopes of either frequency, or both mixed together

• Intermodulation, in which new frequencies are created

Figure 3: Example of RF noises in a circuit, showing demodulation and intermodulation

It is important to note that both demodulation and IM occur inside the devices, in the circuits within the equipment. Figure 3 shows the 'first-order' IM products in a very simple situation (two original frequencies). If there are more simultaneous frequencies " and especially if the levels are high enough for the second and even the third-order IM products to be significant " the number of new frequencies created by IM can be very high.

Imagine that traditional (single frequency) testing over the range 10kHz " 2.5GHz discovers that an product is only susceptible over the range 50 - 100MHz. The designers add shielding and filtering that is effective over the range 50 - 100MHz, to make the equipment pass the tests.

No shielding and filtering was added over the range 200MHz " 2.5GHz (for example) because the tests revealed no immunity problems in that range. But if the operational EM environment suffers from simultaneous frequencies in the range 200MHz to 2.5GHz can enter the equipment's circuits and its semiconductors " their intermodulation can create new internal frequencies in the range 50 - 100MHz and so cause interference.

The above example uses simple numbers to illustrate the point that because of intermodulation, traditional RF immunity testing cannot on its own demonstrate that equipment will be sufficiently immune to its real-life EM environment.

When considering different types of EM disturbance (e.g. an RF field plus an ESD event), [21] shows that equipment that passes its individual immunity tests can be very much more susceptible to those same types of disturbances at much lower levels, when they are applied simultaneously, as they will be from time-to-time in real life.

Since traditional testing does not simulate the simultaneous disturbances that can be expected to occur in real life, its test results are incapable " on their own - of demonstrating that EM performance is adequate for achieving acceptably low safety risks.

There are many independent sources of EM phenomena in a typical vehicle. In vehicles with spark-ignition engines, transients caused by the sparks occur once per revolution, at a cruising rate of just below 2000 rpm a four-cylinder engine generates 33 transients during every second (50 per second for a 6-cylinder engine, and 66 per second for 8 cylinders). Some vehicles use 'wasted spark' technologies that can double these transient rates.

Operation of other devices, such as the solenoid valves in automatic gearboxes, windscreen wipers, flashing indicators, window winders, seat positioners, ABS and electrically-assisted steering also create EM phenomena.

Because these are all independent sources of EM phenomena they will, on occasion, occur at the same time. Figure 4 shows a simple statistical analysis based on simplistic but reasonable assumptions for a 6-cylinder engine at 2000 rpm with spark-ignition transients lasting 50ns. The likelihood of a once-per-minute 100ns transient (e.g. due to the actuation of an electric motor or solenoid) overlapping at least 50% with an ignition 'spike' is 0.001% per minute. Assume the vehicle is driven for 1 hour/day, 5 days/week, 40 weeks/year, the likelihood of such an overlapping pulse event is 12% per year.

Figure 4: Example statistical analysis of safety risks due to simultaneous transients

If such simultaneous conducted transients caused a safety-related system to latch-up or 'freeze', so that it would not respond the next time it was called upon to operate (e.g. ABS, even operation of wipers or headlamps in some circumstances). Some safety-related systems, such as cruise control and steering power assistance, are required not to malfunction at any time, because for safety they must operate continuously.

If each such an incident resulted in a 1% chance of death, the people traveling in such vehicles would be exposed to a risk of dying from this cause of 0.12% per year. This estimate compares with a death rate of about 0.1% per year for very hazardous occupations (e.g. oil industry divers).

Assuming that 50,000 vehicles of a given model are in use on average at any one time, the overlaps caused by the once-per-minute pulses would result in 60 deaths per year, with the assumptions made above. But all vehicle manufacturers and their Tier 1 suppliers ignore this possibility and only test with traditional immunity tests that assume conducted DC power transients only ever occur one at a time. Of course, road testing of new vehicles before sales release allows the possibility of simultaneous transients, but to be sure of experiencing just one occurrence of an overlapping transient such as the example above, the test vehicles would need to be driven '24/7' for 19 weeks. The likelihood of happening upon a significant safety problem in this way is extremely remote, and even then would almost certainly be incorrectly diagnosed as something more familiar to the people involved.

3.3.5 Only one port is tested at a time

Traditional immunity testing applies EM disturbances to only one 'port' at a time. A 'port' is defined as the enclosure itself, or a point of entry/exit of a conductor (e.g. a cable) to/from the enclosure. The enclosure port is tested with radiated fields above some frequency, often 80MHz, and with electrostatic discharge (ESD). The conductor ports are tested by injecting conducted EM disturbances into the conductors directly, using specially-designed injection devices for radio frequencies below some frequency (typically 400MHz), plus transients and surges.

Conducted RF tests are intended to simulate the coupling of radiated fields into cables, because it can be difficult (or very costly) to achieve good uniformity of the radiated fields, or high enough field strengths, in practical test chambers of the types specified by the standards.

But in real life, when a radiated EM field 'illuminates' a vehicle, all of the cables associated with an ESA within it pick up RF voltages and fields at the same time " but with phase differences between them depending on the frequency, and on the time differences caused by the finite velocity of wave propagation.

Experiments at Qinetiq PLC that injected RF energies into all conductor ports simultaneously, with phase shifts to match what would be expected in real life, have shown that the immunity of the tested electronic units can be significantly worse than when one port is tested at a time in the traditional manner.

Since traditional testing does not simulate the simultaneous (actually, phase-shifted) application of EM disturbances to all ports that can be expected to occur in real life, its test results are incapable " on their own - of demonstrating that EM performance is adequate for achieving acceptably low safety risks.

3.4 The physical environment is ignored

An appropriate level of EM performance must be maintained despite the effects of the physical environment over the operational lifetime. The physical environment includes the following 'threats':

• Mechanical (static bending and twisting forces, shock, vibration, etc.)

• Climatic (temperature, humidity, air pressure, etc. " both extremes and cycling effects)

• Chemical (oxidation, galvanic corrosion, conductive dusts, condensation, drips, spray, immersion, icing, etc.)

• Biological (e.g. mould growth, etc.)

• Operational 'wear and tear' over the lifetime (friction, fretting, effects of repetitive cleaning, build-up of grease, etc.)

Physical effects vary from immediate (e.g. frame distortion due to non-flat mounting opening a gap in a conductive gasket and degrading shielding) to long-term (e.g. corrosion of a shield joint or filter ground bond). MIL-STD-464 [23] includes annexes that describe a number of real-life problems of this nature.

For example, filters can be badly affected by higher than nominal ambient temperatures, supply voltages, and load currents. Up to 20dB degradation in filter attenuation has been measured " caused by combinations of ambient temperature and load current within the manufacturer's continuous ratings " when compared with the results achieved on the usual EM immunity tests [24].

Vehicle manufacturers generally aim for a 10-year vehicle life, with the well-established high-end manufacturers making the most efforts to ensure longevity (as might be expected). A variety of highly-accelerated lifetime tests are performed to check that functionality is maintained over the desired lifetime, but in general the resulting 'aged' units are not tested to see if their EM noise emissions or immunity varies is affected by ageing.

In the UK, telecomm's providers are suffering interference problems with domestic appliances and electronics (e.g. TVs) that have emissions up to 60dB higher than their claimed specifications [25], but it is not clear whether this is due to errors of defects in the design or manufacture of the products (also see 3.5 and 3.6) or ageing. There seems to be no reason why automotive ESAs should not suffer from the same variability in actual EM performance.

However, the traditional approach to EMI simply tests brand-new ESAs in a benign physical environment, and so is incapable of discovering whether sufficient EM performance would be maintained during real-life operation over the lifetime of the equipment.

This alone is sufficient to show that relying on traditional testing is insufficient, where functional safety risks are concerned [26].

3.5 Traditional EMC standards ignore the quality of the EM design

Most manufacturers test their products using traditional immunity test methods, then iterate the design of the unit until it passes. The modifications are then applied in serial manufacture. But even if many samples are tested during the design process, this approach does not necessarily show whether the final version passed because of good EM design, or because of some fluke that might not be adequately controlled in serial manufacture over a vehicle's production life.

Since ESAs and vehicles are not designed to ensure that their EM specifications are met despite component tolerances, semiconductor die-shrinks, variations in assembly (e.g. cable harnesses, grounding points, etc.), replacement of obsolete components, firmware bug fixes, etc. " the fact that one or two examples once passed their EMC tests means nothing at all for the EM performance of the ESAs supplied to vehicle manufacturers, or the vehicles actually supplied to customers.

Some vehicle manufacturers have guidance documents on good EM design and assembly practices, for use in-house or by their Tier 1 suppliers, but compliance with them is not mandatory and they are always lower in priority than achieving lowest cost.

Traditional EMC standards are only concerned with testing finished ESAs, and ignore EM design, so they cannot demonstrate that adequate EM performance has been designed-in, to ensure that all ESAs actually supplied meet their EMC specifications. The result is that relying on traditional EMC test standards is insufficient for ensuring acceptable levels of safety risks.

3.6 Traditional EM testing ignores assembly errors

Good safety engineering always requires some testing of each unit manufactured to make sure that assembly errors have not made it unsafe, but traditional EMC standards do not include any requirements for manufacturers to perform routine checks on the EM characteristics of serially manufactured ESAs or vehicles.

As a result, we have no way of knowing if the ESAs actually supplied to vehicle manufacturers, or vehicles actually supplied to their users, are suffering from significant EMI defects. Experience in test laboratories is that it is not uncommon for ESAs and vehicles that function correctly to fail EMC tests because of 'misbuild', which is then corrected by the manufacturer so that the tests can continue. Although most manufacturers employ rigorous end-of-line testing, including in-circuit test, this might not be designed to discover misbuilds that do not affect functionality. If the experience of EMC laboratories represents the likelihood of misbuild in actual products, the consequences could be very serious indeed.

This is yet another reason why relying on traditional EMC testing standards is insufficient for ensuring that safety risks are acceptable.

3.7 Traditional EM testing ignores systematic effects

It is generally assumed that if all the ESAs incorporated into a system pass their immunity tests, then those systems will also be immune enough. This incorrect idea is made more attractive by the fact that it is usually much easier, quicker and less costly to test individual ESAs, than it is to test a complete safety-related system in a vehicle. But the phenomenon of 'emergence' (also 'emergent complexity', 'emergent behavior', 'emergent properties', etc.) can appear "when a number of simple entities (agents) operate in an environment, forming more complex behaviors as a collective" [27]. This can mean that performance degradations that are perfectly acceptable when an ESA is tested for EMC on its own, or are not even measured during such testing, could have significant implications for the safety risks of systems that use those ESAs.

Simply knowing that all of the ESAs used in a system pass their individual EMC tests, is insufficient to predict the EMC performance of the overall system [28]. Agreement between the EMC test results on ESAs, and on the systems that incorporate them, is frequently poor.

3.8 The maximum test level is not necessarily the worst

All electronic devices are non-linear, and their circuits/firmware can be very complex, so they can sometimes fail when tested with low levels of EM disturbances " but fail in a different way " or even operate within acceptable bounds, when tested with the maximum specified levels. An example of non-linear device behavior is saturation.

Some traditional EM tests only expose equipment to the highest levels of EM disturbances they are considered likely to be exposed to, to save testing time and cost, despite the fact that lower disturbance levels might be hundreds (even thousands) of times more likely and therefore much more significant in a quantitative assessment of safety risks.

For these traditional EMC tests, this is reason enough on its own to show that they are insufficient to ensure that acceptable levels of safety risks are achieved over the lifetime of a vehicle.

Part 2 of this paper, which you can find here, contains suggested solutions to the set of problems described above.

Keith Armstrong is founder of Cherry Clough Consultants, Stafford, U.K.. He is also President of the EMC Industries Association (EMCIA) and chairman of the IET Working Group on "EMC and functional safety". Keith can be reached by email under keith.armstrong@cherryclough.com

This is an extended version of the paper titled: "EMC for the Functional Safety of Automobiles — Why EMC Testing is Insufficient, and What is Necessary" presented by Keith at the IEEE 2008 International EMC Symposium, Detroit, 18-22 August 2008, ISBN: 978-1-4244-1699-8.