44 || The Safety Promise and Challenge of Automotive Electronics

2 The Electronics-Intensive Automobile

A major upgrade in automotive performance over the past two decades that has not had its basis in electronics, particularly in advances in computer and software technologies, would be difficult to identify. It would be surprising if this were not the case, given the proliferation of software-intensive electronics in nearly all high-value consumer products. As discussed in Chapter 1, today’s electronics-intensive vehicle is fundamentally different from the mostly mechanical vehicle of the 1970s and 1980s. The electronics in the contemporary automobile contain hundreds of sensors, drive circuits, and actuators that are connected to scores of microprocessors running on increasingly complex software and exchanging information through one or more communications networks (Krüger et al. 2009). It has been estimated that electronics account for about 35 percent of the cost of designing and producing some vehicles (Charette 2009; Simonot-Lion and Trinquet 2009). Even today’s entry-level models contain far more sophisticated and capable electronics than premium-class models did less than a decade ago (Charette 2009). And given the history of technology dispersion in the automotive sector, many of the advanced electronics systems found in premium-class vehicles today can be expected to migrate through the fleet quickly.

This chapter describes some of the major vehicle electronics systems that are now in vehicles, that will soon be deployed, and that are being developed and explored but whose mass introduction remains on the more distant horizon. Consideration is then given to the nature of the safety assurance challenges that automobile manufacturers face as they design, develop, and integrate these systems for use by vehicles and drivers. The chapter concludes with relevant findings from the discussion that inform the committee’s recommendations to the National Highway Traffic Safety Administration (NHTSA) offered later in this report.
Use of Electronics in Vehicles Today
Figure 2-1 shows the multitude of electronics systems that are now or soon will be available in vehicles. It shows that there are few, if any, vehicle functions that are not mediated by computers. A majority of the functions shown would not be feasible or cost-effective if not for the advancements that have taken place in microprocessors, sensors, other hardware, and software during the past 30 years.

FIGURE 2-1 Types of electronics systems in modern automobiles. (Source: Clemson University Vehicular Electronics Laboratory.)
Some of these electronics systems have improved on the capabilities once provided by mechanical, electromechanical, and hydraulic systems. Increasingly, however, electronics are enabling new capabilities, as evident in the many convenience, comfort, entertainment, and performance applications indicated in Figure 2-1. Few systems provide these capabilities in stand-alone fashion; instead, they rely on interconnections and communications with one another. For some time, this interconnectivity has permitted enhancements to certain safety and comfort features such as seat belt pretensioning before a crash and adjustment of the radio volume in relation to travel speed. However, the level of system interconnectivity is growing rapidly to provide a richer array of capabilities. For example, some adaptive cruise control (ACC) systems are sampling data from the Global Positioning System (GPS) to adjust headway limits depending on the vehicle’s proximity to a highway exit ramp.

These systems provide one or more capabilities for the following, among others:
• Entertainment, information, and navigation assistance—radios, satellite radio, CD and DVD players able to interpret a wide array of data formats, USB and other multimedia ports, Wi-Fi and Internet connectivity, GPS navigation, travel advisories;
• Convenience—seat and mirror position memory, remote and keyless entry and ignition, automatic lights and wipers, embedded and Bluetooth-connected mobile phones;
• Comfort and ease of use—suspension adjustment, brake and steering assist, heated and cooled seats, cabin temperature control, interior noise and vibration suppression, parking assist, hill hold, mirror and light dimming;
• Emissions, energy, and operating performance
  – Concerted control of fuel flow, air intake, throttle position, and valve timing; cylinder deactivation; transmission control; traction and cornering control; tire pressure monitoring; regenerative braking;
  – Power train and battery charging control for hybrid and electric-drive vehicles;
• Safety and security—crash-imminent seat belt tensioning and air bag deployment, antilock braking, ACC, crash warning and brake control, blind spot detection and warning, lane departure warning, yaw and stability control, backup sensors and cameras, tire pressure monitoring, 9-1-1 crash notification; and
• Reliability and maintainability—onboard diagnostics systems, remote diagnostics, vibration control, battery management.
The foundation for all of this system interconnectivity derives from the communications networks and protocols (messaging rules) that allow for the exchange of information, the sensors that gather the information, and the software programs that make use of it. The critical roles of communications networks, sensors, and software are discussed next before an overview of some of the major electronics systems that use them is provided.
Communications Networks and Protocols
All electronics systems that control vehicle functions consist of a control module containing one or more computer processors. The control module receives input for its computations from a network of sensors (e.g., for engine speed, temperature, and pressure) and sends commands to various actuators that execute the commands, such as turning on the cooling fan or changing gear. In addition, these control modules need to connect to other control modules—for example, to shift gears the transmission control module must have received information on the engine speed.
In the early days of automotive electronics, the handful of controller systems in a vehicle could be linked through point-to-point wiring (Navet and Simonot-Lion 2009, 4-2). However, as the number of systems grew, the complexity and cost of wiring systems in this way increased substantially. The approach required not only costly and bulky wire harnesses but also repeated changes in wire designs depending on the specific modules included in a given vehicle. For example, a vehicle equipped with antilock brakes would require wiring different from that of a vehicle not equipped with this feature. The industry’s solution was to install a network in the vehicle and “multiplex” (combine data streams into a single transmission) their communications among system elements. The multiplexed networks are referred to as communication buses. A module plugged into the bus would thus be able to sample data from and communicate with all other networked modules. In this way, each module would serve as a node in the network, controlling the specific components related to its function while using a standard protocol to communicate with other modules.
To work in the automotive environment, these communications networks had to be designed to achieve low production and maintenance costs, immunity from electromagnetic interference, reliability in harsh operating environments, and the flexibility to vary options without alternative wiring architectures. Although automotive manufacturers did not emphasize data throughput capacity when these networks were introduced 25 years ago, the subsequent demand for onboard computing has been driving changes to networks to support higher bandwidth and higher-speed communications among modules.
Today, multiple networks and communications protocols are used in vehicles for data exchange depending on factors such as required transmission speed, reliability, and timing constraints. The protocols are accompanied by a variety of physical media to provide the required connections among system components on the network, including single wires, twisted wire pairs, fiber-optic cables, and communication over the vehicle’s power lines. Many automotive manufacturers are seeking a standard protocol, but none has emerged. Not every protocol can be described here, but a number of them appear in the following list of example networking buses and communications protocol standards (Navet and Simonot-Lion 2009, 4-2).
• CAN (controller area network): an inexpensive low-speed serial bus for interconnecting automotive components;
• VAN (vehicle area network): similar to CAN but not widely used;
• FlexRay: a general-purpose, high-speed protocol to support time-triggered architecture;
• LIN (local interconnect network): a low-cost in-vehicle subnetwork;
• SAE-J1939 and ISO 11783: an adaptation of CAN for agricultural and commercial vehicles;
• MOST (Media-Oriented Systems Transport): a high-speed multimedia interface that supports user applications such as GPS, radios, and video players;
• D2B (domestic digital bus): a high-speed multimedia interface;
• Keyword Protocol 2000 (KWP2000): a protocol for automotive diagnostic devices (runs either on a serial line or over CAN);
• DC-BUS [1]: automotive power line communication multiplexed network;
• IDB-1394;
• SMARTwireX;
• SAE-J1850, SAE-J1708, and SAE-J1587; and
• ISO-9141-I/-II.
Because a typical vehicle will have a variety of networking speed and capacity needs, it will have multiple networks and will often host different control units and use different protocols and physical media. The networks are often intended to be isolated from one another for various reasons, including bandwidth and integration concerns (e.g., entertainment network isolated from the network containing the engine controller).¹ In cases where information must be shared among networks, there will typically be a gateway module to control, and in certain cases isolate, the communications. For example, the CAN bus typically used for electronic engine controls may have a connection to other networks on the vehicle to share information, but control signals from these other networks are precluded from access to the CAN by a gateway control module. As noted below, the effectiveness of these access controls is coming into question as electronic systems are connecting more with one another and with external devices that could provide access points for cyberattacks.
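The gateway behaviour described above, as an added example that is not part of the report: a default-deny policy keyed on source network, destination network and CAN identifier, so status data can leave the powertrain bus while nothing crosses the other way, with an audit trail of what was dropped. The network names, CAN identifiers and sample frames are constructed for illustration.

```python
"""Default-deny CAN gateway policy between vehicle networks.

Added example, not from the report. Network names, CAN identifiers and the
sample frames are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

CAN_STD_ID_MAX = 0x7FF      # 11-bit identifier space of classic CAN
CAN_MAX_DLC = 8             # classic CAN carries at most 8 data bytes

# Constructed identifiers for the demonstration:
VEHICLE_SPEED_ID = 0x1A0    # powertrain status broadcast (e.g., speed used for radio volume)
THROTTLE_CMD_ID = 0x0F0     # hypothetical control frame that must never cross from infotainment


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes
    src_network: str        # network segment the frame was received on


@dataclass
class GatewayPolicy:
    """(source, destination) -> identifiers allowed to cross. Unlisted pairs and IDs are dropped."""
    allow: Dict[Tuple[str, str], FrozenSet[int]] = field(default_factory=dict)

    def permits(self, src: str, dst: str, can_id: int) -> bool:
        return can_id in self.allow.get((src, dst), frozenset())


DEFAULT_POLICY = GatewayPolicy(allow={
    # Status data may flow from the powertrain bus to the entertainment side...
    ("powertrain", "infotainment"): frozenset({VEHICLE_SPEED_ID}),
    # ...but nothing is listed for ("infotainment", "powertrain"): control
    # signals from the entertainment side never reach the engine controller's CAN.
})


@dataclass
class Gateway:
    policy: GatewayPolicy
    audit_log: List[str] = field(default_factory=list)

    @staticmethod
    def well_formed(frame: CanFrame) -> bool:
        """Reject frames that violate classic CAN limits before consulting policy."""
        return 0 <= frame.can_id <= CAN_STD_ID_MAX and len(frame.data) <= CAN_MAX_DLC

    def route(self, frame: CanFrame, dst_network: str) -> Optional[CanFrame]:
        """Return the frame if it may be forwarded to dst_network, else None (and log why)."""
        tag = f"id=0x{frame.can_id:03X} {frame.src_network}->{dst_network}"
        if not self.well_formed(frame):
            self.audit_log.append(f"DROP malformed {tag}")
            return None
        if not self.policy.permits(frame.src_network, dst_network, frame.can_id):
            self.audit_log.append(f"DROP policy {tag}")
            return None
        self.audit_log.append(f"FWD {tag}")
        return frame


def demo() -> List[str]:
    """Run a few constructed frames through the gateway and return the audit trail."""
    gw = Gateway(DEFAULT_POLICY)
    # Speed broadcast from the powertrain bus: permitted towards infotainment.
    gw.route(CanFrame(VEHICLE_SPEED_ID, bytes([0x00, 0x50]), "powertrain"), "infotainment")
    # Control frame arriving from the infotainment side: no rule allows it.
    gw.route(CanFrame(THROTTLE_CMD_ID, bytes([0x7F]), "infotainment"), "powertrain")
    # Even a status ID that is fine in one direction is dropped in the unlisted direction.
    gw.route(CanFrame(VEHICLE_SPEED_ID, bytes([0x00, 0x50]), "infotainment"), "powertrain")
    # Oversized payload: dropped before policy is consulted.
    gw.route(CanFrame(VEHICLE_SPEED_ID, bytes(9), "powertrain"), "infotainment")
    return gw.audit_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit log is the part a defender would actually watch: repeated policy drops from one segment are the symptom the footnoted cybersecurity concern is about.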
Sensors
Sensors are essential to the function of nearly all vehicle electronics systems, many of which depend on multiple sensing technologies. A variety of sensors are deployed to measure positions and properties such as temperature, direction and angle, oil pressure, vacuum, torque, seat position, and engine speed and then to convert the measurements into electrical signals (digital or analog) that can be used by computers in one or more embedded electronics systems. New technologies are providing even greater sensing capability for applications such as distance ranging, motion detection, and vehicle position identification.

¹ As discussed in Box 2-2, it is not evident that this separation has been adequately designed for cybersecurity concerns.
The number and types of sensors in vehicles have grown dramatically over the past 20 years as a consequence of advances in technology and in response to new demands for safety, emissions control, fuel economy, and customer convenience. Although there are too many sensor types and technologies to describe here, the following examples illustrate their range of uses. To support operation of the catalytic converter, oxygen sensors with zirconia tips probe exhaust gases. The zirconia reacts with the gases and develops a signal voltage, which is transmitted to a controller. Simple and low-cost sensors used in many vehicle applications are the potentiometer and the Hall effect sensor. The former can be used to determine the angle or direction of a component, such as the position of the accelerator pedal or throttle plate in an electronic throttle control system (ETC). It is designed with three terminals: a power input, ground, and variable voltage output. Acting as a transducer, the potentiometer’s voltage output varies with the position of a movable contact (such as the pedal or throttle shaft) across or around a fixed resistor. The output voltage is higher or lower depending on whether the contact is near the power supply or ground. The Hall effect sensor, in comparison, detects its position relative to that of a magnet and thus has no moving parts that can degrade over time, as can those in potentiometers. From a technical standpoint, the decision to use one sensor technology over another can depend on the needed accuracy, durability, task (e.g., linear, rotary, range, temperature measuring), and integration ability (e.g., space constraints). In practice, the cost of the sensor is also important.
Sensor technology is becoming more sophisticated and varied, especially to support the functionality of many new convenience, comfort, and safety-related electronic systems. Advanced sensor technologies that are being used more often include the following:
• Ultrasound (e.g., backup warning, parking assist);
• Inertial sensors, accelerometers, yaw-rate sensors (e.g., stability control, air bag deployment, suspension control, noise and vibration suppression);
• Radar and light detection and ranging (lidar) (ACC);
• Cameras (e.g., lane keeping, ACC); and
• GPS (e.g., advanced ACC).
In discussing the array of electronics systems being deployed in modern vehicles, the current and emerging roles of these new sensing technologies are noted. Continued advances in sensing reliability and capability, of course, will be central in enabling the development and deployment of many next-generation electronics-based systems.
Software
As the discussion above indicates, automobiles today are literally “computers on wheels.” A modern luxury car contains tens of millions of lines of software code executed in and across the scores of networked electronic control units. By some estimates, more than 80 percent of automotive innovations derive from software (Charette 2009; Krüger et al. 2009). Automotive manufacturers now depend so much on software rather than on hardware for functionality because the former is easier to evolve and extend, and it is often the only feasible way to achieve a desired function. For years automakers have been leveraging the power of networked controllers and advances in software development to introduce active safety features, many of which are described below. Between 2,000 and 3,000 individual vehicle functions are estimated to be performed with the aid of software in a premium-class car (Charette 2009). This trend is almost certain to continue as the capabilities and performance of microprocessors, networks, and software grow.
Software is contained in all controller modules and is used to direct and integrate their actions. The software that monitors and controls vehicle systems and their use is part of what is commonly known as an embedded real-time system (ERTS). Since its earliest use for electronic ignition timing in the 1977 Oldsmobile Toronado, ERTS software (and the processors that run it) has grown in size, state space, and complexity, in large part because of added functions and the demands of coordinating actions among systems. For example, for the Lexus emergency steering assist system to function, it must have close interaction with the vehicle’s variable gear ratio steering and adaptive variable suspension systems, among others.² The software needed to support this real-time coordination among the safety-related subsystems is substantially more challenging to design, develop, and validate than are relatively self-contained features such as a door-lock controller. Software development and safety assurance processes are discussed further in Chapter 3.

² http://www.worldcarfans.com/10608296343/lexus-ls460-achieves-world-first-in-preventative-safety.
Control of Engine, Transmission, and Throttle
Before there was a need for in-vehicle communications networks, computerized engine control units were introduced in vehicles in the late 1970s to meet federal emissions regulations. These early units governed the air–fuel mixture to enable more efficient fuel combustion to minimize emissions. An exhaust gas oxygen sensor provided a signal to the engine control unit so that it could regulate fuel levels to achieve an even more precise air–fuel mixture. As emissions standards were tightened and electronic fuel injectors were introduced, additional functions were added to the engine controller for such purposes as more precise and consistent spark timing and regulation of the flow of fuel during a cold start.
Coincident with these changes, automobile manufacturers began to introduce other computer controllers for transmission and throttle functions. These controllers were also designed to exchange information with and be regulated jointly by the engine controller. Automatic transmissions had previously relied on hydraulics to operate valves that engaged and disengaged clutches in planetary gear sets. With electronic controls, the shift point could be better controlled by using inputs from a network of sensors in the engine, transmission, and wheels.
ETCs were introduced in the late 1990s, eliminating the physical linkage (a cable and other connectors) between the accelerator pedal and the throttle. A typical ETC consists of a control unit, a pair of throttle valve position sensors, a pair of pedal position sensors, and an electric motor that actuates the throttle. Depressing the accelerator pedal causes the pedal sensors to send a signal to the controller, which in turn sends a command to the throttle motor to open or close the throttle. Sensors on the throttle confirm its position and its correspondence to the signals being sent by the sensors in the accelerator pedal. ETCs allow for more precise regulation of fuel consumption and emissions by the engine control unit and provide other benefits, such as a reduction in the cost of electronic cruise and stability control systems and an increase in their feasibility.
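The redundant-sensor arrangement described above, as an added example that is not part of the report: two pedal potentiometer tracks and two throttle position sensors are cross-checked on every control cycle, and any disagreement, wiring fault, or a throttle plate that stops following its command latches a fault and commands the throttle to idle (the fail-safe behaviour discussed later in the chapter). The voltage ranges, scale factors, tolerances and cycle counts are constructed assumptions, not values from any production ETC.

```python
"""Plausibility checks for an electronic throttle control (ETC).

Added example, not from the report. Voltage ranges, scale factors,
tolerances and cycle counts are constructed assumptions, not values
from any production vehicle.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed pedal potentiometer characteristics. Track 1 sweeps 0.5-4.5 V
# over the pedal travel; track 2 runs at half scale (0.25-2.25 V). Different
# slopes mean a short between the two signal wires cannot masquerade as agreement.
APP1_IDLE_V, APP1_FULL_V = 0.5, 4.5
APP2_IDLE_V, APP2_FULL_V = 0.25, 2.25
# A reading below the lower bound looks like an open circuit or short to ground;
# above the upper bound, a short to the 5 V supply. Neither is a valid position.
WIRE_FAULT_LOW_V, WIRE_FAULT_HIGH_V = 0.15, 4.85
AGREE_TOL_PCT = 5.0          # redundant sensors must agree within this
TRACK_TOL_PCT = 8.0          # throttle plate must follow its command within this
TRACK_FAULT_CYCLES = 3       # ... for this many consecutive cycles before faulting
LIMP_HOME_PCT = 0.0          # opening commanded once a fault is latched (idle)


def track_to_percent(volts: float, idle_v: float, full_v: float) -> Optional[float]:
    """Linear potentiometer transfer function; None when the wiring looks faulty."""
    if not WIRE_FAULT_LOW_V <= volts <= WIRE_FAULT_HIGH_V:
        return None
    pct = (volts - idle_v) / (full_v - idle_v) * 100.0
    return min(100.0, max(0.0, pct))


def pedal_demand(app1_v: float, app2_v: float) -> Tuple[float, Optional[str]]:
    """Fuse the two pedal tracks into one demand; return (percent, fault or None)."""
    p1 = track_to_percent(app1_v, APP1_IDLE_V, APP1_FULL_V)
    p2 = track_to_percent(app2_v, APP2_IDLE_V, APP2_FULL_V)
    if p1 is None or p2 is None:
        return 0.0, "pedal wiring fault"
    if abs(p1 - p2) > AGREE_TOL_PCT:
        return 0.0, "pedal tracks disagree"
    # Use the lower track so a single drifting sensor can never raise demand.
    return min(p1, p2), None


@dataclass
class EtcController:
    fault: Optional[str] = None   # latched until cleared at service
    track_miss: int = 0           # consecutive cycles the plate missed its command
    last_cmd: float = 0.0         # opening commanded on the previous cycle

    def step(self, app1_v: float, app2_v: float,
             tps1_pct: float, tps2_pct: float) -> float:
        """One control cycle; returns the throttle opening (%) commanded to the motor."""
        if self.fault:
            return LIMP_HOME_PCT
        demand, fault = pedal_demand(app1_v, app2_v)
        if fault:
            self.fault = fault
            return LIMP_HOME_PCT
        # The two throttle plate sensors must agree with each other...
        if abs(tps1_pct - tps2_pct) > AGREE_TOL_PCT:
            self.fault = "throttle sensors disagree"
            return LIMP_HOME_PCT
        # ...and the plate must be following what was commanded last cycle
        # (compared against the previous command to allow for actuator lag).
        actual = (tps1_pct + tps2_pct) / 2.0
        if abs(actual - self.last_cmd) > TRACK_TOL_PCT:
            self.track_miss += 1
            if self.track_miss >= TRACK_FAULT_CYCLES:
                self.fault = "throttle not following command"
                return LIMP_HOME_PCT
        else:
            self.track_miss = 0
        self.last_cmd = demand
        return demand


if __name__ == "__main__":
    ctl = EtcController()
    # Constructed sequence: pedal held at 50 % while the plate stays stuck at 0 %.
    for cycle in range(5):
        print(cycle, ctl.step(2.5, 1.25, 0.0, 0.0), ctl.fault)
```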
Figure 2-2 shows some of the sensors and actuators in the vehicle that provide input to and receive commands from the engine control unit. In having such a wide array of inputs (e.g., coolant temperature, exhaust gas composition, mass air flow) and the ability to orchestrate so many outputs (e.g., spark timing, air and fuel flow, throttle opening), the engine control unit has been a major source of fuel economy and emissions performance improvements in vehicles over the past two decades.

FIGURE 2-2 Engine control sensor and actuator network (ECU = engine control unit; EGR = exhaust gas recirculation; HEGO = heated exhaust gas oxygen sensor). (Source: Cook et al. 2007.)
Concerns over transportation’s dependence on imported oil and emissions of greenhouse gases have generated increased interest in electric-drive vehicles. These vehicles all have batteries and electric motors that provide some or all of the vehicle’s propulsion. The main types of electric-drive vehicles are conventional hybrid vehicles (HEVs), plug-in hybrid electric vehicles (PHEVs), and pure electric vehicles (EVs). While these vehicles have many of the same electronic capabilities as conventional vehicles, they have different control needs with implications for their electronics, as discussed in Box 2-1.
Brake Power Assistance and Lockup Control
Brakes continue to rely fundamentally on hydraulic lines that transmit the pressure at the brake pedal to actuators at the wheels to force the brake pads into contact with a drum or disc on the wheel. The generated friction slows and eventually stops the vehicle. For greater safety assurance, the hydraulics are split (as required by regulation) so the left front and right rear wheels use half the system and the right front and left rear
Box 2-1 Electronic Controls in Electric-Drive Vehicles
The most common electric-drive vehicles in production are HEVs, which have been available for more than a decade. These vehicles have either one or two electric machines and a gasoline engine in parallel to drive the wheels. When the vehicle decelerates, the motor acts as a generator to recharge the battery with energy that would otherwise be lost in braking (regenerative braking). HEVs, therefore, require complicated electronic controls to optimize performance of the two power trains and ensure proper charging of the battery. Manufacturers are now introducing PHEVs with batteries charged from the electric grid. PHEVs come in two forms. One is similar to a conventional hybrid but has a bigger battery that can be charged from a power line to allow electricity-only driving for about a dozen miles. The forthcoming plug-in Toyota Prius is an example of this type of PHEV. The General Motors (GM) Volt is a series PHEV in which the wheels are powered by electricity only. The battery is bigger than that in the parallel PHEV and may be capable of traveling 40 miles on a charge. Pure EVs such as the Nissan Leaf or the Tesla roadster have a larger battery that can power driving for 80 miles or more. The battery is charged only from regenerative braking or a power outlet. Pure EVs are mechanically and electronically simpler than the hybrids, since they have an electric motor but no engine and no need to balance two power trains.
Power Train Control in Electric Vehicles
All electric-drive vehicles require sophisticated power train control to manage power flow from the battery to the motor and from the motor/generator to the battery during regenerative braking and, in the case of parallel hybrids (either HEV or PHEV), to coordinate the sharing of loads between the engine and the electric motor. Parallel hybrid controls must optimize operations to minimize fuel consumption while meeting emissions requirements. Parallel hybrid vehicles may start repeatedly without fully
(continued on next page)
While the U.S. Environmental Protection Agency specifies the type of diagnostic connectors and protocols required in vehicles for emissions control systems, OBDs in vehicles today differ by manufacturer, including the functions they monitor. These differences will undoubtedly grow. Opportunities for innovative diagnostics systems to become a selling point to consumers are already starting to be exploited. For example, onboard communications systems can already transmit vehicle “health” and operating parameters to original equipment manufacturers for remote analysis and diagnostics. These exchanges may be used to identify vehicle systems that require firmware updating and to perform the upgrades remotely or notify the driver of the need to have the vehicle serviced (Charette 2009).
Event Data Recorders
Electronic sensors and connections have enabled automotive manufacturers to install event data recorders (EDRs) on their vehicles. The recorders are usually part of the air bag control module, and they are triggered to save data by a crash event in which an air bag is deployed or the sensors in the air bag system detect rapid deceleration or multidirectional acceleration. The recorders typically capture a few seconds of vehicle data before a crash, including vehicle speed, accelerator pedal position, throttle position, and brake switch position. The recorded information can be retrieved by investigators through the OBD port to help determine the causes of the crash.
Because EDRs are not currently mandated, their usage varies by manufacturer. According to NHTSA, a large majority of vehicles sold in the United States have EDRs, but there is inconsistency among the manufacturers in the array of data items recorded and the means available for accessing the stored data. NHTSA regulations mandate that most light-duty vehicles made on or after September 1, 2011 (Model Years 2012 or later) that are equipped with EDRs record a common set of variables, including precrash speed, brake light status, velocity change, engine revolutions per minute, seat belt use, and the timing of air bag deployment. NHTSA has indicated its intention to initiate a rulemaking to require EDRs on all cars and to expand the number of data items recorded. In addition, a variety of efforts are being pursued through standard-setting organizations to bring greater uniformity to the data collected by EDRs and the technical means for accessing the data. EDRs are discussed further later in this report.
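The triggered pre-crash capture described in the two paragraphs above, as an added example that is not part of the report: a fixed-depth ring buffer holds the most recent seconds of the channels the text lists and is frozen when the air bag module reports a deployment or a deceleration threshold is crossed, after which later samples cannot overwrite the record, so the window an investigator reads out is the one that preceded the event. The sample rate, window length, trigger threshold and channel set are constructed assumptions.

```python
"""Triggered pre-crash capture for an event data recorder (EDR).

Added example, not from the report. Sample rate, window length, trigger
threshold and channel names are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional

SAMPLE_HZ = 10              # constructed: one sample every 100 ms
PRECRASH_SECONDS = 5        # constructed: seconds retained before the trigger
DECEL_TRIGGER_G = 2.0       # constructed: longitudinal deceleration that triggers a record


@dataclass(frozen=True)
class Sample:
    """One snapshot of the channels the text lists, plus the acceleration used as a trigger."""
    t_ms: int
    speed_kmh: float
    accel_pedal_pct: float
    throttle_pct: float
    brake_switch: bool
    engine_rpm: int
    seat_belt_latched: bool
    long_accel_g: float     # negative values are deceleration


@dataclass
class EventRecord:
    trigger: str
    samples: List[Sample]   # oldest first; the last sample is the one that triggered

    def delta_v_kmh(self) -> float:
        """Velocity change across the retained window (negative when slowing)."""
        return self.samples[-1].speed_kmh - self.samples[0].speed_kmh


class EventDataRecorder:
    def __init__(self) -> None:
        # A fixed-depth deque discards the oldest sample automatically,
        # so only the most recent PRECRASH_SECONDS of data are ever held.
        self.buffer: Deque[Sample] = deque(maxlen=SAMPLE_HZ * PRECRASH_SECONDS)
        self.record: Optional[EventRecord] = None

    def push(self, s: Sample, airbag_deployed: bool = False) -> Optional[EventRecord]:
        """Store one sample; return the record if this sample froze it, else None."""
        if self.record is not None:
            # Once an event is recorded it is locked: later driving must not overwrite it.
            return None
        self.buffer.append(s)
        if airbag_deployed:
            trigger = "air bag deployment"
        elif s.long_accel_g <= -DECEL_TRIGGER_G:
            trigger = "rapid deceleration"
        else:
            return None
        self.record = EventRecord(trigger, list(self.buffer))
        return self.record

    def read_out(self) -> Optional[EventRecord]:
        """What an investigator's download tool would retrieve through the OBD port."""
        return self.record


def simulate() -> Optional[EventRecord]:
    """Constructed drive: steady cruising, then hard braking that ends in a trigger."""
    edr = EventDataRecorder()
    record = None
    for i in range(70):
        braking = i >= 55
        speed = max(0.0, 80.0 - (i - 55) * 3.0) if braking else 80.0
        decel = -2.5 if i == 62 else (-0.8 if braking else 0.0)
        s = Sample(
            t_ms=i * (1000 // SAMPLE_HZ),
            speed_kmh=speed,
            accel_pedal_pct=0.0 if braking else 20.0,
            throttle_pct=0.0 if braking else 18.0,
            brake_switch=braking,
            engine_rpm=1200 if braking else 2000,
            seat_belt_latched=True,
            long_accel_g=decel,
        )
        record = edr.push(s) or record
    return record


if __name__ == "__main__":
    rec = simulate()
    if rec:
        print(rec.trigger, len(rec.samples), "samples, delta-v", rec.delta_v_kmh(), "km/h")
```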
Next-Generation Systems
Consumer and manufacturer experience with some of the newer systems described above will affect the rate of introduction and penetration of even more complex electronics systems. While the following systems are in research and developmental stages, many are candidates for deployment during the next 25 years.
Steer-by-Wire and Brake-by-Wire
In steer-by-wire systems, the mechanical link between the steering wheel and the vehicle wheels is removed, and the driver’s intent is translated into signals to a motor or motors that turn the wheels. Among possible advantages, steer-by-wire would reduce vehicle weight, eliminate the safety hazard presented by the protruding steering column, offer greater flexibility in designing the car interior, and enable customizable driver interfaces since the steering mechanism could be designed and installed as a modular unit. Brake-by-wire would substitute sensors, computers, and actuators for pumps, hoses, fluids, and master cylinders. These systems would eliminate the direct mechanical connection between the pedal and the brakes by activating motors on each wheel.
Both of these advanced concepts have been demonstrated, but making a convincing case with regard to their operating reliability will be fundamental to their deployment because the only safe state for steering and braking is “operational.” Addressing these concerns through the use of redundant systems (as found in aircraft fly-by-wire) may be possible but could negate the purpose of adding the drive-by-wire systems. The challenge will be in finding ways to ensure safety without greatly increasing each system’s total cost.
Vehicle-to-Vehicle and Vehicle-to-Infrastructure Communications
Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications are being studied by manufacturers, suppliers, universities, transportation agencies, and NHTSA. As conceived, an equipped vehicle would function as a node in a network able to communicate with other vehicles and roadside units to provide one another with information on such topics as safety warnings and the state of traffic. Electronic messages could notify the driver or perhaps the ACC that the vehicle ahead is slowing down and thus give more reaction time to the trailing vehicle. Communications through a string of vehicles could warn of traffic slowdowns, and communications between vehicles could reduce crashes at blind intersections. Because V2V would require a substantial number of vehicles equipped with transponders and V2I would require intelligent highway infrastructure, the emergence of these systems will depend not only on further technological advances but also on many safety assurance, institutional, and economic factors.
Partly and Fully Automated Vehicles
In contrast to systems that provide the driver with a warning or assume temporary control over the vehicle in an emergency situation, partial or fully automated systems would provide assistance for routine driving tasks. In the case of partially automated systems, the driver would relinquish control of some driving tasks but retain control of the vehicle generally. Fully automated vehicles are often conceived as providing “hands-off, feet-off” driving, whereby the driver is disengaged from virtually all driving tasks.
The notion of fully automated driving dates back to at least the 1939 World’s Fair, which included a GM exhibit on “driverless” cars (Shladover 1990). Even today, there is no agreement on how such an outcome could be achieved from both the technical and the practical standpoints. One possibility is that instrumented vehicles operate autonomously by using artificial intelligence and V2V-type sensors and communications capabilities that enable safe navigation within a highway environment consisting of a mix of automated and nonautomated vehicles. Other possibilities include varying degrees of cooperation among vehicles and infrastructure, perhaps on dedicated lanes. One of the earliest demonstrations of these concepts was organized by the National Automated Highway System Consortium, which demonstrated various forms of automated driving on an Interstate highway outside of San Diego, California, in 1997.⁷ The Defense Advanced Research Projects Agency has sponsored several competitions to demonstrate hands-free driving.⁸ Recently, Google announced that it has tested several vehicles over 140,000 miles hands free.⁹ These vehicles use radar, lidar, vision cameras, and GPS, among other contemporary technologies.

⁷ For a review of the National Automated Highway System Consortium research program, see TRB (1998).
⁸ http://www.darpa.mil/grandchallenge/index.asp.
⁹ http://www.nytimes.com/2010/10/10/science/10googleside.html?_r=2&ref=science.
All concepts of vehicle automation, both partial and full, face major technological challenges, as well as substantial safety assurance hurdles. Partially automated systems can be more difficult to design and implement because of the potential for confusion over the division of functions between the driver and the machine and the need to maintain driver situation awareness. This study cannot begin to address these and other safety issues associated with the many forms of automation. Although such systems may not emerge on a large scale for decades, opportunities may arise sooner under certain controlled conditions, such as the use of automated snowplow and freight truck convoys (with drivers in the lead trucks) on rural Interstate highways and buses on dedicated transitways (TRB 1998, 60–62).
Safety Challenges
As the description in this chapter makes clear, electronics provide a wide
array of benefits to motorists. Electronics not only make vehicles more
energy- and emissions-efficient and reliable10 but also improve many
capabilities that have clear safety implications, such as reducing the vul-
nerability of braking to skidding. In addition, electronics allow many new
vehicle capabilities intended to improve the safety of driving. Among
them are stability control and blind spot, lane-keeping, and headway sur-
veillance. Even after a crash occurs, electronics allow more effective air
bag deployment and faster emergency response through automatic emer-
gency responder notification of crash location.

10 According to J. D. Power and Associates (2011), a study measuring problems experienced during the past 12 months by original owners of 3-year-old (2008 model year) vehicles indicates that owners are experiencing the lowest problem rate since the inception of the study in 1990. The study found that the greatest gains have been made in reducing problems associated with vehicle interiors, engines, transmissions, steering, and braking. However, the problem rate for some electronics systems, including entertainment and tire pressure monitoring systems, increased.

Although electronics provide reliability and safety benefits, they also
present safety challenges. One relates to ensuring that software performs
as expected under a range of vehicle operating conditions. As indicated
earlier, vehicles today have embedded software comprising millions of
lines of code in a wide variety of vehicle systems. It is well known that
exhaustively testing large and complex software programs to simulate
every possible state under real-world operating conditions is not physi-
cally possible. Accordingly, development of vehicle control strategies that
are fail-safe (or “fail-soft”) in the event of some unforeseen and potentially
unsafe vehicle operating condition is a critical goal for automotive manu-
facturers. This will remain the case, since software in future vehicles can
be expected to become even more complex. Of course, the growth in soft-
ware size and complexity in the automotive industry is mirrored in other
sectors of transportation and in other fields such as energy, chemical pro-
duction, and manufacturing. The complexity is creating challenges in all
domains and thus becoming the subject of much research.11 In this regard,
the automotive industry should benefit from the understanding gained in
developing safety-critical software generally.
Another challenge of the electronics-intensive vehicle stems from the
highly interactive nature of the electronic control systems on the vehi-
cle. Increasingly, these systems share sensors and information to reduce
cost and complexity and to increase system functionality. Thus, the sys-
tems could share incorrect information, which might lead to unintended
consequences in vehicle operation. As in the case of software, under-
standing every possible unintended interaction among complex systems
and implementing mitigation strategies as part of the vehicle validation
process are difficult, and the difficulty will increase as systems are added
and become dependent on one another. Meeting this challenge places a
premium on monitoring the vehicle state in real time and on imple-
menting strategies for fail-safe or fail-soft operation.
A further challenge in today’s electronics-intensive vehicle relates to
the interactions between the driver and the vehicle. As electronics-driven
systems with new behaviors and interfaces are introduced at a faster
pace, the driving experience can change, and some drivers may be sur-
prised by certain vehicle behaviors that are normal for the new system.
The unfamiliar driver may respond in a way that causes safety problems.
Similarly, a startled or stressed driver may not react properly when faced
with an unexpected condition. For example, the means for shutting off
the engine while driving when a vehicle has a keyless ignition system
(push button) has been suspected of being misunderstood by drivers accus-
tomed to the traditional keyed ignition switch. Thus, human factors,
which have always been important in the design of vehicles, will grow
in significance as new systems affecting the driver’s interfaces and inter-
actions with the vehicle are introduced.12

11 For example, in 2007, because of concerns about problems attributed to software for robotic spacecraft, the National Aeronautics and Space Administration conducted a study of “flight software complexity,” and in 2009 the National Science Foundation initiated a research program on “cyber-physical systems” intended to “reveal cross-cutting fundamental scientific and engineering principles that underpin the integration of cyber and physical elements.”
The fundamental role of networked electronics in today’s vehicles was
discussed earlier in the chapter. These networks are crucial in the opera-
tion of the vehicle, and various strategies are being used by manufactur-
ers to ensure that they are protected against and isolated from sources of
environmental interference and malicious access. The strategies include
testing, monitoring and diagnostics, fail-safe mechanisms, controlled net-
work gateways, and the use of communications protocols. For example,
manufacturers and suppliers test vehicles and components to ensure that
electromagnetic fields from a variety of external and internal sources do
not cause unexpected or errant system behaviors. Whether the nature
and level of this testing have kept pace with the changing electromag-
netic environment and increased safety assurance required for the
expanding electronics content in vehicles has not been the subject of
extensive research in the public domain. In addition, the effectiveness of
controlled network gateways and firewalls is coming into question as a
result of recent research and testing. Examples of hackers accessing secure
computer systems in other domains are well known, and researchers
have recently demonstrated that vehicle systems can be accessed in a
multitude of ways through these networks, as described in Box 2-2. The
researchers have also shown that this access can be used to alter and
degrade safety-critical vehicle systems such as braking, exterior lighting,
and speed control. Cybersecurity, in particular, is attracting increasing
attention from automobile manufacturers and NHTSA.
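The weakness behind the “rudimentary” protections that the paragraph above and Box 2-2 refer to is visible in the CAN frame itself: a classic CAN data frame carries an identifier that names the message, not its sender, so any node that can put bits on the bus (for instance through the OBD port) can emit any identifier, and a receiver that trusts the identifier will act on it. The following Python example is added here and is not code from this report or from the cited researchers. It shows a plain frame being accepted on identity alone, then a receiver that checks a truncated message-authentication code bound to a freshness counter (the general approach the researchers’ call for hardening and authenticated messaging implies; the specific layout is an assumption of this example, not a published vehicle design) and rejects a forged frame, a replayed frame, and a tampered frame. The identifier 0x1A0, the two-byte speed-command payload, the 16-byte key and the 5-byte MAC truncation are all invented for the illustration.

```python
"""Added example (not from the report or the cited papers): why a raw CAN
frame cannot be trusted on its identifier alone, and a MAC-plus-freshness
check of the kind the researchers' proposed hardening would require.
All identifiers, layouts and keys below are invented for the illustration."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

SPEED_CMD_ID = 0x1A0   # hypothetical 11-bit identifier for a "target speed" message
MAC_LEN = 5            # bytes of truncated HMAC carried in the frame (assumption)


@dataclass(frozen=True)
class CanFrame:
    """Classic CAN 2.0A data frame: 11-bit arbitration ID plus up to 8 data bytes.
    There is no source-address field; the ID names the message, not who sent it."""
    can_id: int
    data: bytes

    def __post_init__(self) -> None:
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError("standard CAN identifier must fit in 11 bits")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")


def raw_speed_cmd(kph: int) -> CanFrame:
    """Unauthenticated frame: any node on the bus can build one just like it."""
    return CanFrame(SPEED_CMD_ID, struct.pack(">H", kph) + bytes(6))


def raw_receive(frame: CanFrame) -> Optional[int]:
    """A receiver that trusts the identifier accepts whatever payload arrives."""
    if frame.can_id != SPEED_CMD_ID:
        return None
    return struct.unpack(">H", frame.data[:2])[0]


def _tag(key: bytes, counter: int, payload: bytes) -> bytes:
    # The MAC binds the identifier, the full 32-bit counter and the payload.
    msg = struct.pack(">HI", SPEED_CMD_ID, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class AuthSender:
    """Emits speed commands with a 1-byte freshness value and a truncated MAC."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0   # monotonic; must never repeat under the same key

    def speed_cmd(self, kph: int) -> CanFrame:
        self.counter += 1
        payload = struct.pack(">H", kph)
        data = payload + bytes([self.counter & 0xFF]) + _tag(self.key, self.counter, payload)
        return CanFrame(SPEED_CMD_ID, data)   # 2 + 1 + 5 = 8 bytes


class AuthReceiver:
    """Accepts a frame only if its MAC verifies under a counter newer than the last seen."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    def receive(self, frame: CanFrame) -> Optional[int]:
        if frame.can_id != SPEED_CMD_ID or len(frame.data) != 3 + MAC_LEN:
            return None
        payload, fresh_lo, tag = frame.data[:2], frame.data[2], frame.data[3:]
        # Rebuild the full counter from its transmitted low byte, always choosing
        # the next value above the last accepted one. A replayed frame lands at or
        # below last_counter and so is checked against a counter the sender never
        # used, which makes its MAC fail.
        candidate = (self.last_counter & ~0xFF) | fresh_lo
        if candidate <= self.last_counter:
            candidate += 0x100
        if not hmac.compare_digest(tag, _tag(self.key, candidate, payload)):
            return None
        self.last_counter = candidate
        return struct.unpack(">H", payload)[0]


def demo() -> dict:
    key = bytes(range(16))   # invented shared key; real ECUs would provision this securely
    sender, receiver = AuthSender(key), AuthReceiver(key)
    genuine = sender.speed_cmd(50)
    forged = raw_speed_cmd(200)   # attacker-built frame with the right ID but no valid MAC
    return {
        "raw_accepts_forged": raw_receive(forged),                   # 200
        "auth_accepts_genuine": receiver.receive(genuine),           # 50
        "auth_rejects_replay": receiver.receive(genuine),            # None
        "auth_rejects_forged": receiver.receive(forged),             # None
        "auth_accepts_next": receiver.receive(sender.speed_cmd(60)), # 60
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the one-byte freshness value means a receiver that misses more than 255 consecutive frames loses synchronization and must be resynchronized out of band, and a 40-bit MAC in an 8-byte frame leaves only two bytes for payload, which is why real deployments negotiate layout per message and why a symmetric key shared across ECUs must be distributed and stored with care.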
Finally, advanced vehicle technologies are being developed, and in
some cases deployed, that promise further changes in the safety land-
scape. Electric-drive vehicles are already in use that have regenerative
braking and propulsion systems under more integrated control as well as
torque characteristics that differ from traditional vehicles powered by
12 Customized interfaces are already being introduced. For example, BMW and Mini recently announced their support for “iPod Out,” a scheme whereby Apple media devices will be able to control a display on the car’s console. Increased customization along these lines can have the advantage of tailoring an interface to the needs of each driver, but it may lead to greater interface variability and driver unfamiliarity.
66 || The Safety Promise and Challenge of Automotive Electronics
Box 2-2
Automotive Vulnerabilities to Cyberattack
Experiments have been conducted by researchers at the University
of Washington and the University of California, San Diego, to
examine cybersecurity vulnerabilities in modern automobiles.
They have demonstrated how individuals with sufficient skill
and malicious intent could access and compromise in-vehicle
networks and computer control units, including those control-
ling safety-critical capabilities such as braking, exterior lighting,
and engine operations. In the laboratory and in road tests, the
researchers first demonstrated the ability to bridge internal net-
works and bypass what the researchers described as “rudimen-
tary” network security protections to gain control over a number
of automotive functions and ignore or override driver input,
including disabling the brakes, shutting off the engine, and turn-
ing off all lights (Koscher et al. 2010). To do so, they extracted
and reverse-engineered vehicle firmware to create messages that
could be sent on the CAN through the OBD port to take control
of these systems. This included the insertion of code in the con-
trol units to bridge across multiple CAN buses. In follow-up
experiments, the researchers examined all external attack sur-
faces in the vehicle to demonstrate and assess the possibility of
remote access to cause similar outcomes (Checkoway et al. 2011).
The experiments, together with the researchers’ survey of the vehi-
cle’s external attack surfaces, indicated that such exploitation can
occur through multiple avenues, including those requiring physical
access to the vehicle (e.g., mechanics’ tools, CD players) and those
using remote means such as cell phones, other short-range wireless
devices, and tire pressure monitoring systems.
The committee was briefed by the researchers, who described
in more detail the many possible means by which an adversary
could attack a vehicle in the manner outlined above and the
implications for the safe operation of a vehicle.1 In the briefing
and published papers cited above, the researchers surmise that
automotive manufacturers have designed their networks without
giving sufficient attention to such cybersecurity vulnerabili-
ties because automobiles have not faced adversarial pressures
(unlike PCs connected to the Internet) and because of the incre-
mental nature by which these networks have been expanded,
interconnected, and opened to external communication chan-
nels. Recognizing that high levels of interconnectedness among
vehicle control units are necessary for desired functionality, the
researchers did not propose the creation of physically isolated net-
works. Instead, they proposed the hardening of remote interfaces
and the underlying code platform, greater use of antiexploitation
mitigations used elsewhere, and the use of secure (authenticated
and reliable) software updates as part of automotive component
design.
The committee notes that although the researchers did not
give specific examples of a vehicle having been compromised by
such an external attack, cyberattacks in the field have been
reported. One such incident, in early 2010, involved a former
employee of an automotive dealership alleged to have remotely
hacked into systems that had been installed in purchased vehi-
cles to track their whereabouts and gain access to them in the
event of a bank repossession. About 100 private vehicles were
targeted; their starters and GPS were deactivated and their horns
were triggered. Many of the owners were stranded and incurred
towing expenses, according to media reports.2 Obviously, had
such an attack compromised a vehicle’s power train, braking,
and other operating systems while being driven, the conse-
quences could have been much more severe.
1 Two of the researchers, Tadayoshi Kohno and Stefan Savage, briefed the committee on March 4, 2011.
2 http://www.pcworld.com/article/191856/exemployee_wreaks_havoc_on_100_cars_wirelessly.html.
internal combustion engines. Continued growth in the EV fleet will place
new safety assurance demands on industry and oversight responsibilities
on NHTSA. Intelligent vehicle concepts that now appear to be far out on
the horizon, such as V2V and V2I, may progress even faster than expected
and add further to the safety assurance and oversight challenge.
The next chapter discusses how automobile manufacturers are
attempting to meet these various safety and cybersecurity challenges
through their product design, development, and production processes.
Chapter Findings
Finding 2.1: Electronics systems have become critical to the functioning of the
modern automobile. Enabled by advances in sensors, microprocessors,
software, and networking capabilities, these systems are providing a rich
and expanding array of vehicle features and applications for comfort,
convenience, efficiency, operating performance, and safety. Almost all
functions in today’s automobile are mediated by computer-based elec-
tronics systems. Some of these systems have improved on capabilities
once provided by mechanical, electromechanical, and hydraulic systems.
In many other cases, electronics systems are enabling the introduction of
new capabilities, including a growing number of applications intended
to assist the driver in avoiding and surviving crashes.
Finding 2.2: Electronics systems are being interconnected with one another and
with devices and networks external to the vehicle to provide their desired func-
tions. System interconnectivity and complexity are destined to grow as
the capabilities and performance of electronics hardware, software, and
networking continue to expand along with consumer demands for the
benefits these interconnected systems confer. Networked electronics sys-
tems and software will continue to be the foundation for much of the
innovation in automobiles and may lead to fundamental changes in how
the responsibilities for driving tasks and vehicle control are shared among
the driver, the vehicle, and the infrastructure.
Finding 2.3: Proliferating and increasingly interconnected electronics systems
are creating opportunities to improve vehicle safety and reliability as well as
demands for addressing new system safety and cybersecurity risks. As systems
share sensors and exchange data to expand functionality, an emerging
safety assurance challenge is to prevent (a) the unintended coupling
of systems that can lead to incorrect information being shared and
(b) unauthorized access to or modifications of vehicle control systems,
both of which could lead to unintended and unsafe vehicle behaviors.
A critical aspect of this challenge is to ensure that the complex software
programs managing and integrating these electronics systems perform
as expected and avoid unsafe interactions. Another is to ensure that
the electronics hardware being embedded throughout the vehicle is
compatible with the demanding automotive operating environment,
including the electromagnetic environment, which may be changing as
electronics devices and accessories are added to automobiles. Inasmuch
as many problems in software and electromagnetic interference may
leave no physical trace behind, detection and diagnosis of them can be
more difficult.
Finding 2.4: By enabling the introduction of many new vehicle capabilities and
changes in familiar driver interfaces, electronics systems are presenting new human
factors challenges for system design and vehicle-level integration. Although auto-
motive manufacturers spend much time and effort in designing and
testing their systems with users in mind, the creation of new vehicle
capabilities may lead to responses by drivers that are not predicted and
that may not become evident until a system is in widespread use. Drivers
unfamiliar with the new system capabilities and interfaces may respond
to or use them in unexpected and potentially unsafe ways. Thus, human
factors expertise, which has always been important in vehicle design and
development, is likely to become even more so in designing electronics
systems that perform and are used safely.
Finding 2.5: Electronics technology is enabling nearly all vehicles to be equipped
with EDRs that store information on collision-related parameters as well as
enabling other embedded systems that monitor the status of safety-critical
electronics, identify and diagnose abnormalities and defects, and activate pre-
defined corrective responses when a hazardous condition is detected. Access
to data logged in EDRs can aid crash investigators, while diagnostics sys-
tems can facilitate vehicle repair and servicing and inform automotive
manufacturers about possible system design, engineering, and produc-
tion issues. Continued advances in electronics technology and their prolif-
eration in vehicles can be expected both to necessitate and to enable more
applications for monitoring state of health, performing self-diagnostics,
implementing fail-safe strategies, and logging critical data in the event of
crashes and unusual system and vehicle behaviors.
References
Abbreviation
TRB Transportation Research Board
Charette, R. N. 2009. This Car Runs on Code. IEEE Spectrum, Feb. http://
spectrum.ieee.org/green-tech/advanced-cars/this-car-runs-on-code.
Checkoway, S., D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage,
K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. 2011. Comprehensive
Experimental Analyses of Automotive Attack Surfaces. Presented at the 20th
USENIX (Advanced Computing Systems Association) Security Symposium,
San Francisco, Calif., Aug. 10–12. http://www.autosec.org/publications.html.
Cook, J. A., I. V. Kolmanovsky, D. McNamara, E. C. Nelson, and K. V. Prasad.
2007. Control, Computing and Communications: Technologies for the
Twenty-First Century Model T. Proceedings of the Institute of Electrical and
Electronics Engineers, Vol. 95, No. 2, Feb., pp. 334–355.
J. D. Power and Associates. 2011. U.S. Vehicle Dependability Study. Press release.
http://www.jdpower.com/news/pressrelease.aspx?ID=2011029.
Koscher, K., A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy,
B. Kantor, D. Anderson, H. Shacham, and S. Savage. 2010. Experimental
Security Analysis of a Modern Automobile. In Institute of Electrical and Electronics
Engineers Symposium on Security and Privacy (D. Evans and G. Vigna, eds.),
Institute of Electrical and Electronics Engineers Computer Society, May.
Krüger, A., B. Hardung, and T. Kölzow. 2009. Reuse of Software in Automotive
Electronics. In Automotive Embedded Systems Handbook (N. Navet and
F. Simonot-Lion, eds.), CRC Press, Boca Raton, Fla.
Navet, N., and F. Simonot-Lion. 2009. A Review of Embedded Automotive
Protocols. In Automotive Embedded Systems Handbook (N. Navet and F. Simonot-
Lion, eds.), CRC Press, Boca Raton, Fla.
Shladover, S. E. 1990. Roadway Automation Technology—Research Needs. In
Transportation Research Record 1283, Transportation Research Board, National
Research Council, Washington, D.C., pp. 158–167.
Simonot-Lion, F., and Y. Trinquet. 2009. Vehicle Functional Domains and
Their Requirements. In Automotive Embedded Systems Handbook (N. Navet
and F. Simonot-Lion, eds.), CRC Press, Boca Raton, Fla.
TRB. 1998. Special Report 253: National Automated Highway System Research Program:
A Review. National Research Council, Washington, D.C. http://onlinepubs.trb.
org/onlinepubs/sr/sr253.html.