Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 43
2 The Electronics-Intensive Automobile A major upgrade in automotive performance over the past two decades that has not had its basis in electronics, particularly in advances in computer and software technologies, would be difficult to identify. It would be surprising if this were not the case, given the proliferation of software-intensive electronics in nearly all high-value consumer products. As discussed in Chapter 1, today’s electronics-intensive vehi- cle is fundamentally different from the mostly mechanical vehicle of the 1970s and 1980s. The electronics in the contemporary automobile contain hundreds of sensors, drive circuits, and actuators that are con- nected to scores of microprocessors running on increasingly complex software and exchanging information through one or more commu- nications networks (Krüger et al. 2009). It has been estimated that electronics account for about 35 percent of the cost of designing and producing some vehicles (Charette 2009; Simonot-Lion and Trinquet 2009). Even today’s entry-level models contain far more sophisticated and capable electronics than premium-class models did less than a decade ago (Charette 2009). And given the history of technology dispersion in the automotive sector, many of the advanced electronics systems found in premium-class vehicles today can be expected to migrate through the fleet quickly. This chapter describes some of the major vehicle electronics systems that are now in vehicles, that will soon be deployed, and that are being developed and explored but whose mass introduction remains on the more distant horizon. Consideration is then given to the nature of the 43
OCR for page 44
44 || The Safety Promise and Challenge of Automotive Electronics safety assurance challenges that automobile manufacturers face as they design, develop, and integrate these systems for use by vehicles and drivers. The chapter concludes with relevant findings from the discus- sion that inform the committee’s recommendations to the National High- way Traffic Safety Administration (NHTSA) offered later in this report. Use of electronics in Vehicles today Figure 2-1 shows the multitude of electronics systems that are now or soon will be available in vehicles. It shows that there are few, if any, vehicle functions that are not mediated by computers. A majority of the functions shown would not be feasible or cost-effective if not for the FIGURE 2-1 Types of electronics systems in modern automobiles. (Source: Clemson University Vehicular Electronics Laboratory.)
OCR for page 45
45 The Electronics-Intensive Automobile || advancements that have taken place in microprocessors, sensors, other hardware, and software during the past 30 years. Some of these electronics systems have improved on the capabilities once provided by mechanical, electromechanical, and hydraulic sys- tems. Increasingly, however, electronics are enabling new capabilities, as evident in the many convenience, comfort, entertainment, and per- formance applications indicated in Figure 2-1. Few systems provide these capabilities in stand-alone fashion; instead, they rely on inter- connections and communications with one another. For some time, this interconnectivity has permitted enhancements to certain safety and comfort features such as seat belt pretensioning before a crash and adjustment of the radio volume in relation to travel speed. However, the level of system interconnectivity is growing rapidly to provide a richer array of capabilities. For example, some adaptive cruise control (ACC) systems are sampling data from the Global Positioning System (GPS) to adjust headway limits depending on the vehicle’s proximity to a highway exit ramp. These systems provide one or more capabilities for the following, among others: • Entertainment, information, and navigation assistance—radios, satel- lite radio, CD and DVD players able to interpret a wide array of data formats, USB and other multimedia ports, Wi-Fi and Internet con- nectivity, GPS navigation, travel advisories; • Convenience—seat and mirror position memory, remote and key- less entry and ignition, automatic lights and wipers, embedded and Bluetooth-connected mobile phones; • Comfort and ease of use—suspension adjustment, brake and steer- ing assist, heated and cooled seats, cabin temperature control, inte- rior noise and vibration suppression, parking assist, hill hold, mirror and light dimming; • Emissions, energy, and operating performance – Concerted control of fuel flow, air intake, throttle position, and valve timing; cylinder deactivation; transmission control; trac- tion and cornering control; tire pressure monitoring; regenera- tive braking; – Power train and battery charging control for hybrid and electric- drive vehicles;
OCR for page 46
46 || The Safety Promise and Challenge of Automotive Electronics • Safety and security—crash-imminent seat belt tensioning and air bag deployment, antilock braking, ACC, crash warning and brake control, blind spot detection and warning, lane departure warning, yaw and stability control, backup sensors and cameras, tire pressure monitor- ing, 9-1-1 crash notification; and • Reliability and maintainability—onboard diagnostics systems, remote diagnostics, vibration control, battery management. The foundation for all of this system interconnectivity derives from the communications networks and protocols (messaging rules) that allow for the exchange of information, the sensors that gather the information, and the software programs that make use of it. The critical roles of communi- cations networks, sensors, and software are discussed next before an over- view of some of the major electronics systems that use them is provided. Communications Networks and Protocols All electronics systems that control vehicle functions consist of a con- trol module containing one or more computer processors. The control module receives input for its computations from a network of sensors (e.g., for engine speed, temperature, and pressure) and sends com- mands to various actuators that execute the commands, such as turn- ing on the cooling fan or changing gear. In addition, these control modules need to connect to other control modules—for example, to shift gears the transmission control module must have received infor- mation on the engine speed. In the early days of automotive electronics, the handful of controller systems in a vehicle could be linked through point-to-point wiring (Navet and Simonot-Lion 2009, 4-2). However, as the number of systems grew, the complexity and cost of wiring systems in this way increased substan- tially. The approach required not only costly and bulky wire harnesses but also repeated changes in wire designs depending on the specific mod- ules included in a given vehicle. For example, a vehicle equipped with antilock brakes would require wiring different from that of a vehicle not equipped with this feature. The industry’s solution was to install a net- work in the vehicle and “multiplex” (combine data streams into a single transmission) their communications among system elements. The multi- plexed networks are referred to as communication buses. A module plugged into the bus would thus be able to sample data from and com- municate with all other networked modules. In this way, each module
OCR for page 47
47 The Electronics-Intensive Automobile || would serve as a node in the network, controlling the specific compo- nents related to its function while using a standard protocol to commu- nicate with other modules. To work in the automotive environment, these communications net- works had to be designed to achieve low production and maintenance costs, immunity from electromagnetic interference, reliability in harsh operating environments, and the flexibility to vary options without alternative wiring architectures. Although automotive manufacturers did not emphasize data throughput capacity when these networks were introduced 25 years ago, the subsequent demand for onboard comput- ing has been driving changes to networks to support higher bandwidth and higher-speed communications among modules. Today, multiple networks and communications protocols are used in vehicles for data exchange depending on factors such as required trans- mission speed, reliability, and timing constraints. The protocols are accompanied by a variety of physical media to provide the required con- nections among system components on the network, including single wires, twisted wire pairs, fiber-optic cables, and communication over the vehicle’s power lines. Many automotive manufacturers are seeking a standard protocol, but none has emerged. Not every protocol can be described here, but a number of them appear in the following list of example networking buses and communications protocol standards (Navet and Simonot-Lion 2009, 4-2). • CAN (controller area network): an inexpensive low-speed serial bus for interconnecting automotive components; • VAN (vehicle area network): similar to CAN but not widely used; • FlexRay: a general-purpose, high-speed protocol to support time- triggered architecture; • LIN (local interconnect network): a low-cost in-vehicle subnetwork; • SAE-J1939 and ISO 11783: an adaptation of CAN for agricultural and commercial vehicles; • MOST (Media-Oriented Systems Transport): a high-speed multimedia interface that supports user applications such as GPS, radios, and video players; • D2B (domestic digital bus): a high-speed multimedia interface;
OCR for page 48
48 || The Safety Promise and Challenge of Automotive Electronics • Keyword Protocol 2000 (KWP2000): a protocol for automotive diag- nostic devices (runs either on a serial line or over CAN); • DC-BUS : automotive power line communication multiplexed network; • IDB-1394; • SMARTwireX; • SAE-J1850, SAE-J1708, and SAE-J1587; and • ISO-9141-I/-II. Because a typical vehicle will have a variety of networking speed and capacity needs, it will have multiple networks and will often host differ- ent control units and use different protocols and physical media. The networks are often intended to be isolated from one another for various reasons, including bandwidth and integration concerns (e.g., entertain- ment network isolated from the network containing the engine control- ler).1 In cases where information must be shared among networks, there will typically be a gateway module to control, and in certain cases iso- late, the communications. For example, the CAN bus typically used for electronic engine controls may have a connection to other networks on the vehicle to share information, but control signals from these other networks are precluded from access to the CAN by a gateway control module. As noted below, the effectiveness of these access controls is coming into question as electronic systems are connecting more with one another and with external devices that could provide access points for cyberattacks. Sensors Sensors are essential to the function of nearly all vehicle electronics sys- tems, many of which depend on multiple sensing technologies. A variety of sensors are deployed to measure positions and properties such as tem- perature, direction and angle, oil pressure, vacuum, torque, seat position, and engine speed and then to convert the measurements into electri- cal signals (digital or analog) that can be used by computers in one or more embedded electronics systems. New technologies are providing As discussed in Box 2-2, it is not evident that this separation has been adequately designed for cyber- 1 security concerns.
OCR for page 49
49 The Electronics-Intensive Automobile || even greater sensing capability for applications such as distance ranging, motion detection, and vehicle position identification. The amount and types of sensors in vehicles have grown dramatically over the past 20 years as a consequence of advances in technology and in response to new demands for safety, emissions control, fuel economy, and customer convenience. Although there are too many sensor types and technologies to describe here, the following examples illustrate their range of uses. To support operation of the catalytic converter, oxygen sensors with zirconia tips probe exhaust gases. The zirconia reacts with the gases and develops a signal voltage, which is transmitted to a con- troller. Simple and low-cost sensors used in many vehicle applications are the potentiometer and the Hall effect sensor. The former can be used to determine the angle or direction of a component, such as the position of the accelerator pedal or throttle plate in an electronic throttle control system (ETC). It is designed with three terminals: a power input, ground, and variable voltage output. Acting as a transducer, the potentiometer’s voltage output varies with the position of a movable contact (such as the pedal or throttle shaft) across or around a fixed resistor. The output volt- age is higher or lower depending on whether the contact is near the power supply or ground. The Hall effect sensor, in comparison, detects its position relative to that of a magnet and thus has no moving parts that can degrade over time, as can those in potentiometers. From a tech- nical standpoint, the decision to use one sensor technology over another can depend on the needed accuracy, durability, task (e.g., linear, rotary, range, temperature measuring), and integration ability (e.g., space con- straints). In practice, the cost of the sensor is also important. Sensor technology is becoming more sophisticated and varied, espe- cially to support the functionality of many new convenience, comfort, and safety-related electronic systems. Advanced sensor technologies that are being used more often include the following: • Ultrasound (e.g., backup warning, parking assist); • Inertial sensors, accelerometers, yaw-rate sensors (e.g., stability con- trol, air bag deployment, suspension control, noise and vibration suppression); • Radar and light detection and ranging (lidar) (ACC); • Cameras (e.g., lane keeping, ACC); and • GPS (e.g., advanced ACC).
OCR for page 50
50 || The Safety Promise and Challenge of Automotive Electronics In discussing the array of electronics systems being deployed in modern vehicles, the current and emerging roles of these new sensing technolo- gies are noted. Continued advances in sensing reliability and capability, of course, will be central in enabling the development and deployment of many next-generation electronics-based systems. Software As the discussion above indicates, automobiles today are literally “com- puters on wheels.” A modern luxury car contains tens of millions of lines of software code executed in and across the scores of networked elec- tronic control units. By some estimates, more than 80 percent of auto- motive innovations derive from software (Charette 2009; Krüger et al. 2009). Automotive manufacturers now depend so much on software rather than on hardware for functionality because the former is easier to evolve and extend, and it is often the only feasible way to achieve a desired function. For years automakers have been leveraging the power of networked controllers and advances in software development to introduce active safety features, many of which are described below. Between 2,000 and 3,000 individual vehicle functions are estimated to be performed with the aid of software in a premium-class car (Charette 2009). This trend is almost certain to continue as the capabilities and performance of microprocessors, networks, and software grow. Software is contained in all controller modules and is used to direct and integrate their actions. The software that monitors and controls vehicle systems and their use is part of what is commonly known as an embedded real-time system (ERTS). Since its earliest use for electronic ignition timing in the 1977 Oldsmobile Toronado, ERTS software (and the processors that run it) has grown in size, state space, and complex- ity, in large part because of added functions and the demands of coor- dinating actions among systems. For example, for the Lexus emergency steering assist system to function, it must have close interaction with the vehicle’s variable gear ratio steering and adaptive variable suspension systems, among others.2 The software needed to support this real-time coordination among the safety-related subsystems is substantially more challenging to design, develop, and validate than are relatively self- contained features such as a door-lock controller. Software development and safety assurance processes are discussed further in Chapter 3. http://www.worldcarfans.com/10608296343/lexus-ls460-achieves-world-first-in-preventative-safety. 2
OCR for page 51
51 The Electronics-Intensive Automobile || Control of Engine, Transmission, and Throttle Before there was a need for in-vehicle communications networks, com- puterized engine control units were introduced in vehicles in the late 1970s to meet federal emissions regulations. These early units governed the air–fuel mixture to enable more efficient fuel combustion to mini- mize emissions. An exhaust gas oxygen sensor provided a signal to the engine control unit so that it could regulate fuel levels to achieve an even more precise air–fuel mixture. As emissions standards were tight- ened and electronic fuel injectors were introduced, additional functions were added to the engine controller for such purposes as more precise and consistent spark timing and regulation of the flow of fuel during a cold start. Coincidental with these changes, automobile manufacturers began to introduce other computer controllers for transmission and throttle functions. These controllers were also designed to exchange informa- tion with and be regulated jointly by the engine controller. Automatic transmissions had previously relied on hydraulics to operate valves that engaged and disengaged clutches in planetary gear sets. With electronic controls, the shift point could be better controlled by using inputs from a network of sensors in the engine, transmission, and wheels. ETCs were introduced in the late 1990s, eliminating the physical link- age between the accelerator pedal and throttle by a cable and other con- nectors. A typical ETC consists of a control unit, a pair of throttle valve position sensors, a pair of pedal position sensors, and an electric motor that actuates the throttle. Depressing the accelerator pedal causes the pedal sensors to send a signal to the controller, which in turn sends a command to the throttle motor to open or close the throttle. Sensors on the throttle confirm its position and correspondence to the signals being sent by the sensors in the accelerator pedal. ETCs allow for more precise regulation of fuel consumption and emissions by the engine control unit and provide other benefits, such as a reduction in the cost of electronic cruise and stability control systems and an increase in their feasibility. Figure 2-2 shows some of the sensors and actuators in the vehicle that provide input to and receive commands from the engine control unit. In having such a wide array of inputs (e.g., coolant temperature, exhaust gas composition, mass air flow) and the ability to orchestrate so many outputs (e.g., spark timing, air and fuel flow, throttle opening), the engine control unit has been a major source of fuel economy and emis- sions performance improvements in vehicles over the past two decades.
OCR for page 52
52 || The Safety Promise and Challenge of Automotive Electronics FIGURE 2-2 Engine control sensor and actuator network (ECU = engine control unit; EGR = exhaust gas recirculation; HEGO = heated exhaust gas oxygen sensor). (Source: Cook et al. 2007.) Concerns over transportation’s dependence on imported oil and emis- sions of greenhouse gases have generated increased interest in electric- drive vehicles. These vehicles all have batteries and electric motors that provide some or all of the vehicle’s propulsion. The main types of electric- drive vehicles are conventional hybrid vehicles (HEVs), plug-in hybrid electric vehicles (PHEVs), and pure electric vehicles (EVs). While these vehicles have many of the same electronic capabilities as conventional vehicles, they have different control needs with implications for their electronics, as discussed in Box 2-1. Brake Power Assistance and Lockup Control Brakes continue to rely fundamentally on hydraulic lines that transmit the pressure at the brake pedal to actuators at the wheels to force the brake pads into contact with a drum or disc on the wheel. The generated friction slows and eventually stops the vehicle. For greater safety assur- ance, the hydraulics are split (as required by regulation) so the left front and right rear wheels use half the system and the right front and left rear
OCR for page 53
53 The Electronics-Intensive Automobile || Box 2-1 electronic controls in electric-drive Vehicles The most common electric-drive vehicles in production are HEVs, which have been available for more than a decade. These vehicles have either one or two electric machines and a gasoline engine in parallel to drive the wheels. When the vehicle deceler- ates, the motor acts as a generator to recharge the battery with energy that would otherwise be lost in braking (regenerative braking). HEVs, therefore, require complicated electronic con- trols to optimize performance of the two power trains and ensure proper charging of the battery. Manufacturers are now introduc- ing PHEVs with batteries charged from the electric grid. PHEVs come in two forms. One is similar to a conventional hybrid but has a bigger battery that can be charged from a power line to allow electricity-only driving for about a dozen miles. The forth- coming plug-in Toyota Prius is an example of this type of PHEV. The General Motors (GM) Volt is a series PHEV in which the wheels are powered by electricity only. The battery is bigger than that in the parallel PHEV and may be capable of traveling 40 miles on a charge. Pure EVs such as the Nissan Leaf or the Tesla road- ster have a larger battery that can power driving for 80 miles or more. The battery is charged only from regenerative braking or a power outlet. Pure EVs are mechanically and electronically sim- pler than the hybrids, since they have an electric motor but no engine and no need to balance two power trains. Power train control in electric Vehicles All electric-drive vehicles require sophisticated power train con- trol to manage power flow from the battery to the motor and from the motor/generator to the battery during regenerative braking and, in the case of parallel hybrids (either HEV or PHEV), to coordinate the sharing of loads between the engine and the electric motor. Parallel hybrid controls must optimize operations to minimize fuel consumption while meeting emissions require- ments. Parallel hybrid vehicles may start repeatedly without fully (continued on next page)
OCR for page 60
60 || The Safety Promise and Challenge of Automotive Electronics While the U.S. Environmental Protection Agency specifies the type of diagnostic connectors and protocols required in vehicles for emissions control systems, OBDs in vehicles today differ by manufacturer, includ- ing the functions they monitor. These differences will undoubtedly grow. Opportunities for innovative diagnostics systems to become a selling point to consumers are already starting to be exploited. For example, onboard communications systems can already transmit vehicle “health” and operating parameters to original equipment manufacturers for remote analysis and diagnostics. These exchanges may be used to iden- tify vehicle systems that require firmware updating and to perform the upgrades remotely or notify the driver of the need to have the vehicle serviced (Charette 2009). Event Data Recorders Electronics sensors and connections have enabled automotive manufac- turers to install event data recorders (EDRs) on their vehicles. The record- ers are usually part of the air bag control module, and they are triggered to save data by a crash event in which an air bag is deployed or the sen- sors in the air bag system detect rapid deceleration or multidirectional acceleration. The recorders typically capture a few seconds of vehicle data before a crash, including vehicle speed, accelerator pedal position, throt- tle position, and brake switch position. The recorded information can be retrieved by investigators through the OBD port to help determine the causes of the crash. Because EDRs are not currently mandated, their usage varies by man- ufacturer. According to NHTSA, a large majority of vehicles sold in the United States have EDRs, but there is inconsistency among the manufac- turers in the array of data items recorded and the means available for accessing the stored data. NHTSA regulations mandate that most light- duty vehicles made on or after September 1, 2011 (Model Years 2012 or later) that are equipped with EDRs record a common set of variables, including precrash speed, brake light status, velocity change, engine rev- olutions per minute, seat belt use, and the timing of air bag deployment. NHTSA has indicated its intention to initiate a rulemaking to require EDRs on all cars and to expand the number of data items recorded. In addition, a variety of efforts are being pursued through standard-setting organizations to bring greater uniformity to the data collected by EDRs and the technical means for accessing the data. EDRs are discussed fur- ther later in this report.
OCR for page 61
61 The Electronics-Intensive Automobile || next-Generation systems Consumer and manufacturer experience with some of the newer sys- tems described above will affect the rate of introduction and penetration of even more complex electronics systems. While the following systems are in research and developmental stages, many are candidates for deploy- ment during the next 25 years. Steer-by-Wire and Brake-by-Wire In steer-by-wire systems, the mechanical link between the steering wheel and the vehicle wheels is removed, and the driver’s intent is translated into signals to a motor or motors that turn the wheels. Among possible advantages, steer-by-wire would reduce vehicle weight, eliminate the safety hazard presented by the protruding steering column, offer greater flexibility in designing the car interior, and enable customizable driver interfaces since the steering mechanism could be designed and installed as a modular unit. Brake-by-wire would substitute sensors, computers, and actuators for pumps, hoses, fluids, and master cylinders. These sys- tems would eliminate the direct mechanical connection between the pedal and the brakes by activating motors on each wheel. Both of these advanced concepts have been demonstrated, but mak- ing a convincing case with regard to their operating reliability will be fundamental to their deployment because the only safe state for steer- ing and braking is “operational.” Addressing these concerns through the use of redundant systems (as found in aircraft fly-by-wire) may be pos- sible but could negate the purpose of adding the drive-by-wire systems. The challenge will be in finding ways to ensure safety without greatly increasing each system’s total cost. Vehicle-to-Vehicle and Vehicle-to-Infrastructure Communications Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communi- cations are being studied by manufacturers, suppliers, universities, trans- portation agencies, and NHTSA. As conceived, an equipped vehicle would function as a node in a network able to communicate with other vehi- cles and roadside units to provide one another with information on such topics as safety warnings and the state of traffic. Electronic messages could notify the driver or perhaps the ACC that the vehicle ahead is
OCR for page 62
62 || The Safety Promise and Challenge of Automotive Electronics slowing down and thus give more reaction time to the trailing vehicle. Communications through a string of vehicles could warn of traffic slow- downs, and communications between vehicles could reduce crashes at blind intersections. Because V2V would require a substantial number of vehicles equipped with transponders and V2I would require intelligent highway infrastructure, the emergence of these systems will depend not only on further technological advances but also on many safety assur- ance, institutional, and economic factors. Partly and Fully Automated Vehicles In contrast to systems that provide the driver with a warning or assume temporary control over the vehicle in an emergency situation, partial or fully automated systems would provide assistance for routine driving tasks. In the case of partially automated systems, the driver would relin- quish control of some driving tasks but retain control of the vehicle generally. Fully automated vehicles are often conceived as providing “hands-off, feet-off” driving, whereby the driver is disengaged from virtually all driving tasks. The notion of fully automated driving dates back to at least the 1939 World’s Fair, which included a GM exhibit on “driverless” cars (Shladover 1990). Even today, there is no agreement on how such an outcome could be achieved from both the technical and the practical standpoints. One possibility is that instrumented vehicles operate autonomously by using artificial intelligence and V2V-type sensors and communications capabili- ties that enable safe navigation within a highway environment consisting of a mix of automated and nonautomated vehicles. Other possibilities include varying degrees of cooperation among vehicles and infrastructure, perhaps on dedicated lanes. One of the earliest demonstrations of these concepts was organized by the National Automated Highway System Consortium, which demonstrated various forms of automated driving on an Interstate highway outside of San Diego, California, in 1997.7 The Defense Advanced Research Projects Agency has sponsored several com- petitions to demonstrate hands-free driving.8 Recently, Google announced that it has tested several vehicles over 140,000 miles hands free.9 These For a review of the National Automated Highway System Consortium research program, see TRB 7 (1998). http://www.darpa.mil/grandchallenge/index.asp. 8 http://www.nytimes.com/2010/10/10/science/10googleside.html?_r=2&ref=science. 9
OCR for page 63
63 The Electronics-Intensive Automobile || vehicles use radar, lidar, vision cameras, and GPS, among other contem- porary technologies. All concepts of vehicle automation, both partial and full, face major technological challenges, as well as substantial safety assurance hurdles. Partially automated systems can be more difficult to design and imple- ment because of the potential for confusion over the division of functions between the driver and the machine and the need to maintain driver situation awareness. This study cannot begin to address these and other safety issues associated with the many forms of automation. Although such systems may not emerge on a large scale for decades, opportunities may arise sooner under certain controlled conditions, such as the use of automated snowplow and freight truck convoys (with drivers in the lead trucks) on rural Interstate highways and buses on dedicated transitways (TRB 1998, 60–62). safety challenGes As the description in this chapter makes clear, electronics provide a wide array of benefits to motorists. Electronics not only make vehicles more energy- and emissions-efficient and reliable10 but also improve many capabilities that have clear safety implications, such as reducing the vul- nerability of braking to skidding. In addition, electronics allow many new vehicle capabilities intended to improve the safety of driving. Among them are stability control and blind spot, lane-keeping, and headway sur- veillance. Even after a crash occurs, electronics allow more effective air bag deployment and faster emergency response through automatic emer- gency responder notification of crash location. Although electronics provide reliability and safety benefits, they also present safety challenges. One relates to ensuring that software performs as expected under a range of vehicle operating conditions. As indicated earlier, vehicles today have embedded software comprising millions of lines of code in a wide variety of vehicle systems. It is well known that According to J. D. Power and Associates (2011), a study measuring problems experienced during the 10 past 12 months by original owners of 3-year-old (2008 model year) vehicles indicates that owners are experiencing the lowest problem rate since the inception of the study in 1990. The study found that the greatest gains have been made in reducing problems associated with vehicle interiors, engines, transmissions, steering, and braking. However, the problem rate for some electronics systems, includ- ing entertainment and tire pressure monitoring systems, increased.
OCR for page 64
64 || The Safety Promise and Challenge of Automotive Electronics exhaustively testing large and complex software programs to simulate every possible state under real-world operating conditions is not physi- cally possible. Accordingly, development of vehicle control strategies that are fail-safe (or “fail-soft”) in the event of some unforeseen and potentially unsafe vehicle operating condition is a critical goal for automotive manu- facturers. This will remain the case, since software in future vehicles can be expected to become even more complex. Of course, the growth in soft- ware size and complexity in the automotive industry is mirrored in other sectors of transportation and in other fields such as energy, chemical pro- duction, and manufacturing. The complexity is creating challenges in all domains and thus becoming the subject of much research.11 In this regard, the automotive industry should benefit from the understanding gained in developing safety-critical software generally. Another challenge of the electronics-intensive vehicle stems from the highly interactive nature of the electronic control systems on the vehi- cle. Increasingly, these systems share sensors and information to reduce cost and complexity and to increase system functionality. Thus, the sys- tems could share incorrect information, which might lead to unintended consequences in vehicle operation. As in the case of software, under- standing every possible unintended interaction among complex systems and implementing mitigation strategies as part of the vehicle validation process are difficult, and the difficulty will increase as systems are added and become dependent on one another. Meeting this challenge places a premium on monitoring the vehicle state in real time and on imple- menting strategies for fail-safe or fail-soft operation. A further challenge in today’s electronics-intensive vehicle relates to the interactions between the driver and the vehicle. As electronics-driven systems with new behaviors and interfaces are introduced at a faster pace, the driving experience can change, and some drivers may be sur- prised by certain vehicle behaviors that are normal for the new system. The unfamiliar driver may respond in a way that causes safety problems. Similarly, a startled or stressed driver may not react properly when faced with an unexpected condition. For example, the means for shutting off For example, in 2007, because of concerns about problems attributed to software for robotic space- 11 craft, the National Aeronautics and Space Administration conducted a study of “flight software com- plexity,” and in 2009 the National Science Foundation initiated a research program on “cyber-physical systems” intended to “reveal cross-cutting fundamental scientific and engineering principles that underpin the integration of cyber and physical elements.”
OCR for page 65
65 The Electronics-Intensive Automobile || the engine while driving when a vehicle has a keyless ignition system (push button) has been suspected to be misunderstood by drivers accus- tomed to the traditional keyed ignition switch. Thus, human factors, which have always been important in the design of vehicles, will grow in significance as new systems affecting the driver’s interfaces and inter- actions with the vehicle are introduced.12 The fundamental role of networked electronics in today’s vehicles was discussed earlier in the chapter. These networks are crucial in the opera- tion of the vehicle, and various strategies are being used by manufactur- ers to ensure that they are protected against and isolated from sources of environmental interference and malicious access. The strategies include testing, monitoring and diagnostics, fail-safe mechanisms, controlled net- work gateways, and the use of communications protocols. For example, manufacturers and suppliers test vehicles and components to ensure that electromagnetic fields from a variety of external and internal sources do not cause unexpected or errant system behaviors. Whether the nature and level of this testing have kept pace with the changing electromag- netic environment and increased safety assurance required for the expanding electronics content in vehicles has not been the subject of extensive research in the public domain. In addition, the effectiveness of controlled network gateways and firewalls is coming into question as a result of recent research and testing. Examples of hackers accessing secure computer systems in other domains are well known, and researchers have recently demonstrated that vehicle systems can be accessed in a multitude of ways through these networks, as described in Box 2-2. The researchers have also shown that this access can be used to alter and degrade safety-critical vehicle systems such as braking, exterior lighting, and speed control. Cybersecurity, in particular, is attracting increasing attention from automobile manufacturers and NHTSA. Finally, advanced vehicle technologies are being developed, and in some cases deployed, that promise further changes in the safety land- scape. Electric-drive vehicles are already in use that have regenerative braking and propulsion systems under more integrated control as well as torque characteristics that differ from traditional vehicles powered by Customized interfaces are already being introduced. For example, BMW and Mini recently announced 12 their support for “iPod Out,” a scheme whereby Apple media devices will be able to control a display on the car’s console. Increased customization along these lines can have the advantage of tailoring an interface to the needs of each driver, but they may lead to greater interface variability and driver unfamiliarity.
OCR for page 66
66 || The Safety Promise and Challenge of Automotive Electronics Box 2-2 automotive Vulnerabilities to cyberattack Experiments have been conducted by researchers at the University of Washington and the University of California, San Diego, to examine cybersecurity vulnerabilities in modern automobiles. They have demonstrated how individuals with sufficient skill and malicious intent could access and compromise in-vehicle networks and computer control units, including those control- ling safety-critical capabilities such as braking, exterior lighting, and engine operations. In the laboratory and in road tests, the researchers first demonstrated the ability to bridge internal net- works and bypass what the researchers described as “rudimen- tary” network security protections to gain control over a number of automotive functions and ignore or override driver input, including disabling the brakes, shutting off the engine, and turn- ing off all lights (Koscher et al. 2010). To do so, they extracted and reverse-engineered vehicle firmware to create messages that could be sent on the CAN through the OBD port to take control of these systems. This included the insertion of code in the con- trol units to bridge across multiple CAN buses. In follow-up experiments, the researchers examined all external attack sur- faces in the vehicle to demonstrate and assess the possibility of remote access to cause similar outcomes (Checkoway et al. 2011). The experiments indicated that such exploitation can occur through multiple avenues, including those requiring physical access to the vehicle (e.g., mechanics’ tools, CD players) and those using remote means such as cell phones, other short- range wireless devices, and tire pressure monitoring systems. The committee was briefed by the researchers, who described in more detail the many possible means by which an adversary could attack a vehicle in the manner outlined above and the implications for the safe operation of a vehicle.1 In the briefing and published papers cited above, the researchers surmise that automotive manufacturers have designed their networks with-
OCR for page 67
67 The Electronics-Intensive Automobile || Box 2-2 (continued) Automotive Vulnerabilities to Cyberattack out giving sufficient attention to such cybersecurity vulnerabili- ties because automobiles have not faced adversarial pressures (unlike PCs connected to the Internet) and because of the incre- mental nature by which these networks have been expanded, interconnected, and opened to external communication chan- nels. Recognizing that high levels of interconnectedness among vehicle control units are necessary for desired functionality, the researchers did not propose the creation of physically isolated net- works. Instead, they proposed the hardening of remote interfaces and the underlying code platform, greater use of antiexploitation mitigations used elsewhere, and the use of secure (authenticated and reliable) software updates as part of automotive component design. The committee notes that although the researchers did not give specific examples of a vehicle having been compromised by such an external attack, cyberattacks in the field have been reported. One such incident, in early 2010, involved a former employee of an automotive dealership alleged to have remotely hacked into systems that had been installed in purchased vehi- cles to track their whereabouts and gain access to them in the event of a bank repossession. About 100 private vehicles were targeted; their starters and GPS were deactivated and their horns were triggered. Many of the owners were stranded and incurred towing expenses, according to media reports.2 Obviously, had such an attack compromised a vehicle’s power train, braking, and other operating systems while being driven, the conse- quences could have been much more severe. Two of the researchers, Tadayoshi Kohno and Stefan Savage, briefed the committee on 1 March 4, 2011. http://www.pcworld.com/article/191856/exemployee_wreaks_havoc_on_100_cars_ 2 wirelessly.html.
OCR for page 68
68 || The Safety Promise and Challenge of Automotive Electronics internal combustion engines. Continued growth in the EV fleet will place new safety assurance demands on industry and oversight responsibilities on NHTSA. Intelligent vehicle concepts that now appear to be far out on the horizon, such as V2V and V2I, may progress even faster than expected and add further to the safety assurance and oversight challenge. The next chapter discusses how automobile manufacturers are attempting to meet these various safety and cybersecurity challenges through their product design, development, and production processes. chaPter findinGs Finding 2.1: Electronics systems have become critical to the functioning of the modern automobile. Enabled by advances in sensors, microprocessors, software, and networking capabilities, these systems are providing a rich and expanding array of vehicle features and applications for comfort, convenience, efficiency, operating performance, and safety. Almost all functions in today’s automobile are mediated by computer-based elec- tronics systems. Some of these systems have improved on capabilities once provided by mechanical, electromechanical, and hydraulic systems. In many other cases, electronics systems are enabling the introduction of new capabilities, including a growing number of applications intended to assist the driver in avoiding and surviving crashes. Finding 2.2: Electronics systems are being interconnected with one another and with devices and networks external to the vehicle to provide their desired func- tions. System interconnectivity and complexity are destined to grow as the capabilities and performance of electronics hardware, software, and networking continue to expand along with consumer demands for the benefits these interconnected systems confer. Networked electronics sys- tems and software will continue to be the foundation for much of the innovation in automobiles and may lead to fundamental changes in how the responsibilities for driving tasks and vehicle control are shared among the driver, the vehicle, and the infrastructure. Finding 2.3: Proliferating and increasingly interconnected electronics systems are creating opportunities to improve vehicle safety and reliability as well as demands for addressing new system safety and cybersecurity risks. As systems share sensors and exchange data to expand functionality, an emerging safety assurance challenge is to prevent (a) the unintended coupling
OCR for page 69
69 The Electronics-Intensive Automobile || of systems that can lead to incorrect information being shared and (b) unauthorized access to or modifications of vehicle control systems, both of which could lead to unintended and unsafe vehicle behaviors. A critical aspect of this challenge is to ensure that the complex software programs managing and integrating these electronics systems perform as expected and avoid unsafe interactions. Another is to ensure that the electronics hardware being embedded throughout the vehicle is compatible with the demanding automotive operating environment, including the electromagnetic environment, which may be changing as electronics devices and accessories are added to automobiles. Inasmuch as many problems in software and electromagnetic interference may leave no physical trace behind, detection and diagnosis of them can be more difficult. Finding 2.4: By enabling the introduction of many new vehicle capabilities and changes in familiar driver interfaces, electronics systems are presenting new human factors challenges for system design and vehicle-level integration. Although auto- motive manufacturers spend much time and effort in designing and testing their systems with users in mind, the creation of new vehicle capabilities may lead to responses by drivers that are not predicted and that may not become evident until a system is in widespread use. Drivers unfamiliar with the new system capabilities and interfaces may respond to or use them in unexpected and potentially unsafe ways. Thus, human factors expertise, which has always been important in vehicle design and development, is likely to become even more so in designing electronics systems that perform and are used safely. Finding 2.5: Electronics technology is enabling nearly all vehicles to be equipped with EDRs that store information on collision-related parameters as well as enabling other embedded systems that monitor the status of safety-critical electronics, identify and diagnose abnormalities and defects, and activate pre- defined corrective responses when a hazardous condition is detected. Access to data logged in EDRs can aid crash investigators, while diagnostics sys- tems can facilitate vehicle repair and servicing and inform automotive manufacturers about possible system design, engineering, and produc- tion issues. Continued advances in electronics technology and their prolif- eration in vehicles can be expected both to necessitate and to enable more applications for monitoring state of health, performing self-diagnostics, implementing fail-safe strategies, and logging critical data in the event of crashes and unusual system and vehicle behaviors.
OCR for page 70
70 || The Safety Promise and Challenge of Automotive Electronics references Abbreviation TRB Transportation Research Board Charette, R. N. 2009. This Car Runs on Code. IEEE Spectrum, Feb. http:// spectrum.ieee.org/green-tech/advanced-cars/this-car-runs-on-code. Checkoway, S., D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. 2011. Comprehensive Experimental Analyses of Automotive Attack Surfaces. Presented at 20th Advanced Computing Systems Association Conference, San Francisco, Calif., Aug. 10–12. http://www.autosec.org/publications.html. Cook, J. A., I. V. Kolmanovsky, D. McNamara, E. C. Nelson, and K. V. Prasad. 2007. Control, Computing and Communications: Technologies for the Twenty-First Century Model T. Proceedings of the Institute of Electrical and Electronics Engineers, Vol. 95, No. 2, Feb., pp. 334–355. J. D. Power and Associates. 2011. U.S. Vehicle Dependability Study. Press release. http://www.jdpower.com/news/pressrelease.aspx?ID=2011029. Koscher, K., A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. 2010. Experimental Security Analysis of a Modern Automobile. In Institute of Electrical and Electronics Engineers Symposium on Security and Privacy (D. Evans and G. Vigna, eds.), Institute of Electrical and Electronics Engineers Computer Society, May. Krüger, A., B. Hardung, and T. Kölzow. 2009. Reuse of Software in Automotive Electronics. In Automotive Embedded Systems Handbook (N. Navet and F. Simonot-Lion, eds.), CRC Press, Boca Raton, Fla. Navet, N., and F. Simonot-Lion. 2009. A Review of Embedded Automotive Protocols. In Automotive Embedded Systems Handbook (N. Navet and F. Simonot- Lion, eds.), CRC Press, Boca Raton, Fla. Shladover, S. E. 1990. Roadway Automation Technology—Research Needs. In Transportation Research Record 1283, Transportation Research Board, National Research Council, Washington, D.C., pp. 158–167. Simonot-Lion, F., and Y. Trinquet. 2009. Vehicle Functional Domains and Their Requirements. In Automotive Embedded Systems Handbook (N. Navet and F. Simonot-Lion, eds.), CRC Press, Boca Raton, Fla. TRB. 1998. Special Report 253: National Automated Highway System Research Program: A Review. National Research Council, Washington, D.C. http://onlinepubs.trb. org/onlinepubs/sr/sr253.html.