Can you point me to recognized hardware and software standards for EFI design? I'd be very interested.
I can't point you to anything specific to EFI, but there's a handful of standards for developing automotive embedded systems, and a few for aviation embedded systems. When I wrote that post I was thinking specifically of folks using automotive or military grade components rather than commercial and industrial grade, and validating the code against state diagrams and tables etc., as well as coding to standards like MISRA C rather than being "clever" with the code... and following a formal software engineering development process (SDLC / V-model / Formal Method?) and documenting it - e.g. would you be comfortable with a large customer auditing your work? My EE-foo is relatively weak, so I'll gloss over the hardware angle...
In an ideal world, we'd go back and review against IEC 61508, DO-178B, DO-254, ARP4761, ARP4754, MIL-STD-882D, etc... but that's not going to be cheap, and perhaps not practical. However selecting the right components / connectors / materials, running static analysis tools over the code, and getting out the pen and paper to document everything is pretty easy (if uninspiring!).
In 14 years of aviation fuel injection experience we see a lot more engine shutdowns caused by sensor anomalies and inappropriate code designed to protect the engine, especially in the case of OEM units. Hence my point about knowing how the system will react in the case of various sensor failures. If in doubt, simulate at full power during ground testing by disconnecting or shorting sensors one at a time. You don't want to be flying a system which goes full rich if an engine temp or IAT sensor fails open, for instance.
That is very good advice, and a good strategy for testing. "Limp Home" mode for a car (e.g., you have a bad sensor, a check engine light, so it falls back to a default map) is probably not what you want in the air. It's also the reason that parallel and different systems make some amount of sense - you mitigate sensor failure and design/developer (or product selection!) error. It's a good question to ask your vendor - what happens if (say) the airflow sensor reads incorrectly? Can the system even determine that it does? Get them to show you on a test bed. They don't have one? Run.
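As an added illustration of the failure mode discussed in the two posts above (this is example code, not from anyone in this thread or any EFI product), assume a hypothetical 10-bit ADC reading an IAT thermistor through a pull-up divider, so colder air gives a higher count. A naive fuel map treats a failed-open sensor (count pinned at the rail) as extremely cold air and enriches; a debounced plausibility check instead holds the last good reading and raises a fault flag so the fault can be logged and annunciated. The thresholds, debounce depth and enrichment curve are made-up values for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical 10-bit ADC on a pull-up thermistor divider (constructed values). */
#define ADC_FULL_SCALE   1023U
#define IAT_OPEN_LIMIT   1000U  /* above this the pull-up is unloaded: wire open   */
#define IAT_SHORT_LIMIT  20U    /* below this the divider is pulled to ground: short */
#define FAULT_DEBOUNCE   3U     /* consecutive implausible samples before faulting  */

typedef enum { IAT_OK = 0, IAT_OPEN = 1, IAT_SHORT = 2 } iat_status_t;

typedef struct {
    uint16_t     last_good;  /* last plausible count, used while the sensor is faulted */
    uint8_t      bad_count;  /* consecutive implausible samples seen so far            */
    iat_status_t status;     /* latched fault state for logging / annunciation        */
} iat_channel_t;

/* Naive enrichment: colder air -> richer mixture, 100% at 0 counts up to 150% at the rail.
 * Fed a failed-open sensor (1023) this goes full rich, which is exactly the hazard above. */
uint16_t naive_enrich_pct(uint16_t adc)
{
    return (uint16_t)(100U + (adc * 50U) / ADC_FULL_SCALE);
}

/* Classify one raw sample against the open/short windows. */
iat_status_t iat_classify(uint16_t adc)
{
    if (adc >= IAT_OPEN_LIMIT)  { return IAT_OPEN;  }
    if (adc <= IAT_SHORT_LIMIT) { return IAT_SHORT; }
    return IAT_OK;
}

/* Debounced plausibility check. Returns the count the fuel map should use:
 * never a rail value, always the last reading that passed the range check. */
uint16_t iat_validated(iat_channel_t *ch, uint16_t adc)
{
    iat_status_t s = iat_classify(adc);
    if (s == IAT_OK) {
        ch->bad_count = 0U;          /* healthy sample clears any pending fault */
        ch->status    = IAT_OK;
        ch->last_good = adc;
    } else if (ch->bad_count < FAULT_DEBOUNCE) {
        ch->bad_count++;             /* tolerate a brief glitch on the wire    */
        if (ch->bad_count == FAULT_DEBOUNCE) { ch->status = s; }
    }
    return ch->last_good;
}

/* Enrichment actually applied: the naive curve, but on validated input only. */
uint16_t checked_enrich_pct(iat_channel_t *ch, uint16_t adc)
{
    return naive_enrich_pct(iat_validated(ch, adc));
}
```

Feeding the rail values (1023 for an open wire, 0 for a short) into `checked_enrich_pct` reproduces on the bench the "disconnect or short sensors one at a time" test described above, and lets you confirm the fault latches after the debounce count instead of the mixture going full rich.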
There have been some good articles this year in Contact! magazine on EFI failure modes, especially relating to OEM systems.
I think I heard something about that. Will take a look... Thanks.