Embedded Control Systems Design/Hostile Environment
Hostile environment is understood as every possible factor that prevents a system (of any complexity or at any level) from performing its function correctly.
As an embedded systems designer one should make sure that hostile environment is taken in account during the development stage. Although existing systems encountering hostile environments can perfectly be protected as well, it is helpful to take hostile environment into consideration already in the design stage, in order not to introduce hostile environment yourself by faulty system design. Apart from their positive effect on system performance, the countermeasures to hostile environments may have negative effects on other system parameters, e.g. rising economical cost, weight, power consumption, etc. But even if a design contains the necessary countermeasures to hostile environment, a failure of the system is not always inevitable. In case of failure, there are several manners in which a system fails. That is where failure modes turn up. When countermeasures against hostile environment fail, the failure modes need to be observed in a correct way.
In this section we will try to present some basic design rules to deal with hostile environment.
Examples of hostile environments 
Below is an inexhaustive list of possible hostile environments
- Extreme temperatures (aerospace: -200°C to +150°C)
- Excessive current, overvoltage due to thunderstorm or due to starting electromotors
- Electromagnetic radiation of other devices
- Interference of the power grid (50 Hz or 60 Hz)
- Electrostatic discharge
- Robocup robots experience negative counteraction of the opposing football team
- Software virusses and other malware
- Adjustment of embedded control systems by end users in order to alter performance of a device (e.g. tuning the electronic control unit or engine control unit (ECU) of a car can devastate its exhaust emissions performance)
- Communication signals (GPS, cell phone) are not picked up inside tunnels or elevators (Faraday’s cage)
- Improper use by end user (unintentional generation of overflow)
- Power blackout
- Mechanical shock
In the following discussion we will take a closer look to some of the topics of the list above.
Consequences of a hostile environment 
Possible consequences of an improperly functioning system are
- System damage
- Substantial economical costs because of production standstill
- Life threats to the users of the particular system
Electromagnetic compatibility 
EMC is broadly discussed on Wikipedia. Here we make a brief summary of the phenomenon in order to get as soon as possible to the design countermeasures. The proper functionality of an electrical device might be influenced by unwanted generation, propagation or reception of electromagnetic radiation. Electromagnetic radiation can thus form a hostile environment. In order not to get influenced by electromagnetic radiation a device needs to be electromagnetically compatible with its environment. EMC can be divided in two phenomena: emission and immunity. This subdivision means that a device shouldn’t emit to much radiation but on the other hand should be immune to the radiation emitted by others. It is a design requirement for embedded control systems to overcome these two phenomena. In the European Union it is advised by EU directive 2004/108/CE to check a device for EMC before placing a CE-label.
Sources of electromagnetic waves 
- Anti-shoplifting devices
- Electronic hardware: Inductive coupling between lines on a printed circuit board that are separated by less than a wavelength of their transmitted signals.
- Lightning strikes can induce electromagnetic waves in telecommunication lines.
- Interference of the power grid (50 Hz or 60 Hz)
- Fluorescent lighting (100 Hz or 120 Hz)
- Solar flares
- Electromagnetic radiation originated at the sun’s surface can reach earth’s atmosphere and interfere with terrestrial communication. Professor Paul Kintner Jr. en Alessandro Cerruti (Cornell University ) discovered that GPS signals were interrupted for several minutes on the dayside of the earth due to solar flares. There is only a minor inconvenience for automotive navigation, but it can be dangerous for aerospace navigation and stabilization of oil rigs. Aerospace industries have built in redundancy by using gyroscopes as a backup. In fact the gyro’s date from the pre GPS era. Also the more expensive automotive navigation systems can be equipped with gyro’s as a backup in tunnels where the signal is low. In future designs of aerospace embedded control systems the designer should concern about these solar flares as they are expected to cut the GPS signal for several hours in the years 2011-2012.
- Medical applications exposed to electromagnetic waves can pose life threat, e.g. cardiac pacemakers.
- Photodiodes experience a 100 Hz noise component (2 times net frequency) of fluorescent lighting tubes. Possibly causing faulty decision taking in an infra red communication device.
- Data loss if a communication cable is influenced by a nearby power line (50 Hz or 60 Hz)
As explained before, EMC problems manifest at two domains: i.e. emission and immunity. It is self-explanatory that countermeasures can be made at both domains. Furthermore, a countermeasure to emission is often as effective as to the immunity of the device and the other way around.
Emission solutions 
- Avoid unnecessary operations. Necessary switching should be done as slowly as technically possible.
- Noisy circuits (with a lot of switching activity) should be physically separated from the rest of the design.
- Use harmonic wave filters.
Immunity solutions 
- Fuses, trip switches and circuit breakers.
- Transient absorbers.
Mutual solutions 
- Decoupling capacitors ( 1 to 100 µF) (small localized energy reservoir; these supply the circuit with current during transient, high current demand periods, preventing the voltage on the power supply rail from being pulled down by the momentary current load) (Line filter, Signal filter)
- RF chokes: Choke coils are inductances that isolate alternating current from certain areas of a radio circuit.
- RC elements: RC-low-pass-filters can filter AC.
- Shield Housings and lines: always exist out of conducting material. Although not all conducting materials are metals, shield housings mostly are made out of metal. Electromagnetic shields act as Faraday’s cages. Faraday’s cages shield electromagnetic radiation from the inside to the outside en the other way around, thus providing mutual protection. The mesh size of the cage should be smaller than the wavelengths to be blocked. Applications of Faraday’s cages are
- A microwave oven is equipped with a grid in front of the window. The mesh size of this grid is smaller than the wavelength of typical microwaves (1mm – 1m). However, visible light (400-700nm) can still pass trough in order to offer the user a clear view of the food being processed.
- Plastic housings don’t act as a Faraday’s cage, but are aesthetically more suitable for consumer products than metal housings. Both aesthetics and EMC can be combined by coating a plastic housing with a metallic spray on the inside. Make sure that antenna’s have a proper access to the outside world of this housing.
- Shoplifters often wrap the RFID chip in aluminium foil. That forms a Faraday’s cage as well, preventing the alarm from being triggered.
- US passports are equipped with an RFID chip that can be read remotely at airport customs. However, to protect the owner's privacy, this passport shouldn’t be read at any time. That’s why these passports are provided in a shielding sleeve, acting as a Faraday’s cage.
- Avoid antenna structures in PCB Design, such as loops of circulating current or unbalanced transmission lines.
- Keep in mind that radio communication (GPS, etc.) can be interrupted by nature (solar flares) or by humans (military enemies, terrorists). Therefore in systems of vital importance, (e.g. airplanes, military vehicles) one should build in some redundancy. In the specific case of GPS navigation gyroscopes are often used to overcome dead signal periods.
- Raise the transmitting power of the signal source. Note that this can be constrained by health regulations.
- Implement weak signal-tracking algorithms in the receivers, so that they can detect a signal in worse circumstances such as solar winds. Mind that this measure can contradict other parameters, e.g. the economical cost, weight, power consumption, etc. of the receiver.
Power blackout 
A power interruption can take from several milliseconds to several hours or even days. Long blackouts can be overcome by installation of an uninterruptible power supply (UPS). Al sorts and sizes of UPS’s are available. For small electronic devices a battery will do the job, for large plants, hospitals and systems of systems (telecommunication networks) diesel generators are commonly used. Selection and control of UPS’s is a discipline in itself and is widely available on the web and in literature.
Voltage Dips 
When the supply voltage only reduces for a couple of milliseconds, it is referred to as a voltage dip or a dropout. These short interruptions are far more frequent than long time blackouts. According to [Schneider, p. 51-58] interruptions of 10ms are likely to occur every 200h in contrast to long time interruptions that occur around once every 10,000h. Voltage dips could lead to production halts that last much longer than the dip itself. According to [Terörde, p. 282] voltage dips of 100ms duration can lead to production halts of 24 hours.
Drives of electric AC motors are very sensitive to voltage dips. The AC engine itself can perfectly cope with a transient in the supply. There is DC bus between de AC supply and the AC motor which contains a large capacitor to flatten the DC. When a voltage dip occurs at the supply side, the energy in this capacitor is consumed by the motor within a few milliseconds. The control loops of the engine drive draw their power from this DC bus. As soon as this DC bus goes under a predetermined voltage, the inverter shuts down in order to avoid possible damage. With an offline controller, the motor and production process remain uncontrolled, which can cause economical damage.
- One might enlarge the capacitor in the DC link. But this capacitor is already a major cost item. Enlarging it would make the drive even more expensive. Furthermore one might wonder if there exists any capacitor that can feed the hunger of multi-kW electromotors.
- Ride-through scheme or kinetic buffering: The most interesting way of overcoming a voltage dip is to recover mechanical energy stored in the rotating masses of the motor and its load. In case of a voltage dip, the motor will be used in generator mode and will generate a minor amount of electrical power to maintain the DC bus and to keep the control logic alive. Actually this comes down to regenerative breaking. In essence there’s a dip detection mechanism that activates a preprogrammed ride-through scheme. This reverses the power flow in a matter of milliseconds. Of course the motor will slow down as this is regenerative breaking. The amount of kinetic energy in the motor is exhaustive, but should suffice for the duration of the voltage dip. When the power failure persists the motor will lose all its mechanical energy and won’t be able to restart. Eventually the control logic will shut down. But at least the process could be halted in a controlled way, without major damage. This concept is innovative and not yet common practice in the industries, but it could be in the future. Extensive explanations can be found in [Terörde p. 283].
- Cornell University: article about solar flares and gps
- Gerd Terörde, Electrical Drives and Control Techniques, 2004.
- F.J. Schneider, Brownouts and Blackouts in the Public Power Supply of the Federal Republic of Germany, 1985.