
Why EMC Testing is Insufficient, and What is Necessary - Part One




Automotive Design Europe

1. Synopsis

Electromagnetic Compatibility (EMC) in the automobile industry is validated by testing the performance of electronic sub-assemblies (ESAs) and complete vehicles, using standardised test methods in an EMC laboratory. This is the way that EMC is validated in most industries, and it is the 'traditional' approach to testing electromagnetic (EM) emissions and immunity.

'Functional safety' means the reduction of risks due to operational (functional) errors or malfunctions, to acceptable levels, over the anticipated lifetime of a product. There have long been concerns [1] that the traditional approach to EMC is inadequate for the achievement of functional safety.

In all safety engineering disciplines it is accepted that it is insufficient to rely totally on product testing. Instead, acceptable safety risks are validated using an approach that employs a wide variety of methods (including, but not limited to, testing) to verify the adequacy of the safety design.

This paper describes why the traditional EMC testing approach is insufficient as the sole means of demonstrating that a vehicle's EM characteristics achieve functional safety.

It then describes what EM engineering and verification techniques are required, where errors or malfunctions in electronics (hardware and firmware) could result in unacceptable functional safety risks.

Some industrial companies (for example, some manufacturers of flight-critical avionics or missiles) already employ verification methods that go well beyond their industry's standardised EMC tests, to help them achieve functional safety. But the use of good EMC-for-functional-safety practices is very far from being as common as it needs to be, especially in the vehicle manufacturing industry, given the rapid increase in the use of increasingly complex electronic devices and firmware in areas where errors or malfunctions could increase safety risks.

2. Introduction

Safety-related systems, including industrial, commercial, medical, transportation (including avionics) and military, are increasingly using electrical, electronic and/or programmable electronic (E/E/PE) devices and equipment. A safety-related system could be a single ESA, or a combination of ESAs and other devices of any scale.

In a vehicle, safety-related systems are found in every aspect of drive-chain control, including acceleration, steering and braking, and in many aspects of body control, including lighting, displays, indicators and mirrors. The scope is broad, including any ESA that affects the driver's direct control of the vehicle, or functions that could cause confusion to other road users [9]. Even functions like electrically-controlled seats, windows and the volume of the sound system could be regarded as having an influence on vehicle safety, because if they malfunction they can significantly distract the driver or make it difficult for them to control the vehicle (e.g. if the seat moves uncommanded to a position that prevents the driver from controlling the pedals or steering).

All the above drive-chain and body control aspects now employ E/E/PE ESAs, and most of them can be described as 'drive-by-wire', in which there is no direct mechanical, hydraulic or electrical linkage between the driver's control device (e.g. gas pedal) and the actuator of the function being controlled (e.g. a butterfly valve). Instead, the driver control device sends a weak electrical signal to an ESA that generally uses computer-based hardware and firmware to determine what control signal shall be sent to the actuator.

Steering and braking are two control functions still mostly relying upon mechanical and hydraulic linkages, respectively, but their pneumatic 'vacuum assist' power steering/braking systems are now being replaced by E/E/PE ESAs (e.g. ABS, electrically assisted braking, steering, etc.) to reduce power consumption and increase gas mileage.

Unfortunately, all E/E/PE ESAs can suffer from errors, malfunctions and even permanent damage due to EM interference (EMI).

Despite the existence of standards limiting the EM emissions from products, 'ambient' EM environments (the totality of all EM phenomena occurring at a given location) are continually worsening due to the increasing use of electronic technologies in all areas of society, generally increasing the aggregated EM 'noise' at any given location.

Another problem is the inadequacies in the methods of measuring and specifying emissions [1], which are all based on limiting the amplitude of narrowband frequencies to protect traditional narrowband radio communications channels. They do not limit the total emissions of EM energy, so the emissions spectrum from a given product can become much 'busier', representing much greater EM energy emissions, whilst remaining within the required emissions limits. Spread-spectrum techniques are an example of 'electronic trickery' developed over the last decade or so to spread emitted EM energy over wider bandwidths than are measured by the emissions tests. Despite a product's compliance with emissions standards, such techniques enable it to create significantly more EM 'pollution'.

All ESAs rely on semiconductors, as discrete devices and/or integrated circuits (ICs), and the continuing trend in their manufacture to shrink their silicon feature sizes, and the associated reduction in operating voltages, make them more susceptible to EMI. So the importance of EMI for functional safety is increasing.

Car manufacturers are driven by profit, product liability and commercial competitiveness. To restate that in the negative: they do their best to minimize costs, avoid exposure to the financial (and bad publicity) risks of litigation and make a product that consumers see as superior to their competitors.

Most of the larger vehicle manufacturers have developed their own 'in-house' EMC test standards for their finished vehicles, which generally also include EMC tests for items supplied by their Tier 1 (ESA) and Tier 2 (component) suppliers. [2] was recently developed by a group of vehicle manufacturers, to try to standardize all these disparate test methods to help encourage the sharing of ESAs and systems between different manufacturers to reduce overall costs.

But all published EMC standards, and those used by the automobile industry, either do not address functional safety at all, or employ traditional testing methods and so do not deal with functional safety, as briefly described later in this paper.

In all areas of product and system manufacturing, published safety standards generally deal with EMI-related issues very poorly, where they cover the issue at all [3] [4] [5]. Generally, safety standards that do cover EMC simply require the application of traditional EMC immunity tests that can never be sufficient for demonstrating the achievement of adequate levels of safety, for reasons described later.

However, there are other safety publications being developed that do address this issue correctly, especially [6], which aims to become the International Electrotechnical Commission's (IEC's) basic standard on EMC for Functional Safety. [6] is based upon the IEC's well-established basic standard on Functional Safety, IEC 61508 [7]. The automotive industry typically looks to the International Standardization Organization (ISO) to produce its standards, so it is not clear how they will receive [6] and [7].


