National Academies Press: OpenBook
« Previous: 1 Background and Charge
Page 43
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 43
Page 44
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 44
Page 45
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 45
Page 46
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 46
Page 47
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 47
Page 48
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 48
Page 49
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 49
Page 50
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 50
Page 51
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 51
Page 52
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 52
Page 53
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 53
Page 54
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 54
Page 55
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 55
Page 56
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 56
Page 57
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 57
Page 58
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 58
Page 59
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 59
Page 60
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 60
Page 61
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 61
Page 62
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 62
Page 63
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 63
Page 64
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 64
Page 65
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 65
Page 66
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 66
Page 67
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 67
Page 68
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 68
Page 69
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 69
Page 70
Suggested Citation:"2 The Electronics-Intensive Automobile." Transportation Research Board. 2012. TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration. Washington, DC: The National Academies Press. doi: 10.17226/13342.
×
Page 70

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

2 The Electronics-Intensive Automobile A major upgrade in automotive performance over the past two decades that has not had its basis in electronics, particularly in advances in computer and software technologies, would be difficult to identify. It would be surprising if this were not the case, given the proliferation of software-intensive electronics in nearly all high-value consumer products. As discussed in Chapter 1, today’s electronics-intensive vehi- cle is fundamentally different from the mostly mechanical vehicle of the 1970s and 1980s. The electronics in the contemporary automobile contain hundreds of sensors, drive circuits, and actuators that are con- nected to scores of microprocessors running on increasingly complex software and exchanging information through one or more commu- nications networks (Krüger et al. 2009). It has been estimated that electronics account for about 35 percent of the cost of designing and producing some vehicles (Charette 2009; Simonot-Lion and Trinquet 2009). Even today’s entry-level models contain far more sophisticated and capable electronics than premium-class models did less than a decade ago (Charette 2009). And given the history of technology dispersion in the automotive sector, many of the advanced electronics systems found in premium-class vehicles today can be expected to migrate through the fleet quickly. This chapter describes some of the major vehicle electronics systems that are now in vehicles, that will soon be deployed, and that are being developed and explored but whose mass introduction remains on the more distant horizon. Consideration is then given to the nature of the 43

44 || The Safety Promise and Challenge of Automotive Electronics safety assurance challenges that automobile manufacturers face as they design, develop, and integrate these systems for use by vehicles and drivers. The chapter concludes with relevant findings from the discus- sion that inform the committee’s recommendations to the National High- way Traffic Safety Administration (NHTSA) offered later in this report. Use of electronics in Vehicles today Figure 2-1 shows the multitude of electronics systems that are now or soon will be available in vehicles. It shows that there are few, if any, vehicle functions that are not mediated by computers. A majority of the functions shown would not be feasible or cost-effective if not for the FIGURE 2-1 Types of electronics systems in modern automobiles. (Source: Clemson University Vehicular Electronics Laboratory.)

The Electronics-Intensive Automobile || 45 advancements that have taken place in microprocessors, sensors, other hardware, and software during the past 30 years. Some of these electronics systems have improved on the capabilities once provided by mechanical, electromechanical, and hydraulic sys- tems. Increasingly, however, electronics are enabling new capabilities, as evident in the many convenience, comfort, entertainment, and per- formance applications indicated in Figure 2-1. Few systems provide these capabilities in stand-alone fashion; instead, they rely on inter- connections and communications with one another. For some time, this interconnectivity has permitted enhancements to certain safety and comfort features such as seat belt pretensioning before a crash and adjustment of the radio volume in relation to travel speed. However, the level of system interconnectivity is growing rapidly to provide a richer array of capabilities. For example, some adaptive cruise control (ACC) systems are sampling data from the Global Positioning System (GPS) to adjust headway limits depending on the vehicle’s proximity to a highway exit ramp. These systems provide one or more capabilities for the following, among others: • Entertainment, information, and navigation assistance—radios, satel- lite radio, CD and DVD players able to interpret a wide array of data formats, USB and other multimedia ports, Wi-Fi and Internet con- nectivity, GPS navigation, travel advisories; • Convenience—seat and mirror position memory, remote and key- less entry and ignition, automatic lights and wipers, embedded and Bluetooth-connected mobile phones; • Comfort and ease of use—suspension adjustment, brake and steer- ing assist, heated and cooled seats, cabin temperature control, inte- rior noise and vibration suppression, parking assist, hill hold, mirror and light dimming; • Emissions, energy, and operating performance – Concerted control of fuel flow, air intake, throttle position, and valve timing; cylinder deactivation; transmission control; trac- tion and cornering control; tire pressure monitoring; regenera- tive braking; – Power train and battery charging control for hybrid and electric- drive vehicles;

46 || The Safety Promise and Challenge of Automotive Electronics • Safety and security—crash-imminent seat belt tensioning and air bag deployment, antilock braking, ACC, crash warning and brake control, blind spot detection and warning, lane departure warning, yaw and stability control, backup sensors and cameras, tire pressure monitor- ing, 9-1-1 crash notification; and • Reliability and maintainability—onboard diagnostics systems, remote diagnostics, vibration control, battery management. The foundation for all of this system interconnectivity derives from the communications networks and protocols (messaging rules) that allow for the exchange of information, the sensors that gather the information, and the software programs that make use of it. The critical roles of communi- cations networks, sensors, and software are discussed next before an over- view of some of the major electronics systems that use them is provided. Communications Networks and Protocols All electronics systems that control vehicle functions consist of a con- trol module containing one or more computer processors. The control module receives input for its computations from a network of sensors (e.g., for engine speed, temperature, and pressure) and sends com- mands to various actuators that execute the commands, such as turn- ing on the cooling fan or changing gear. In addition, these control modules need to connect to other control modules—for example, to shift gears the transmission control module must have received infor- mation on the engine speed. In the early days of automotive electronics, the handful of controller systems in a vehicle could be linked through point-to-point wiring (Navet and Simonot-Lion 2009, 4-2). However, as the number of systems grew, the complexity and cost of wiring systems in this way increased substan- tially. The approach required not only costly and bulky wire harnesses but also repeated changes in wire designs depending on the specific mod- ules included in a given vehicle. For example, a vehicle equipped with antilock brakes would require wiring different from that of a vehicle not equipped with this feature. The industry’s solution was to install a net- work in the vehicle and “multiplex” (combine data streams into a single transmission) their communications among system elements. The multi- plexed networks are referred to as communication buses. A module plugged into the bus would thus be able to sample data from and com- municate with all other networked modules. In this way, each module

The Electronics-Intensive Automobile || 47 would serve as a node in the network, controlling the specific compo- nents related to its function while using a standard protocol to commu- nicate with other modules. To work in the automotive environment, these communications net- works had to be designed to achieve low production and maintenance costs, immunity from electromagnetic interference, reliability in harsh operating environments, and the flexibility to vary options without alternative wiring architectures. Although automotive manufacturers did not emphasize data throughput capacity when these networks were introduced 25 years ago, the subsequent demand for onboard comput- ing has been driving changes to networks to support higher bandwidth and higher-speed communications among modules. Today, multiple networks and communications protocols are used in vehicles for data exchange depending on factors such as required trans- mission speed, reliability, and timing constraints. The protocols are accompanied by a variety of physical media to provide the required con- nections among system components on the network, including single wires, twisted wire pairs, fiber-optic cables, and communication over the vehicle’s power lines. Many automotive manufacturers are seeking a standard protocol, but none has emerged. Not every protocol can be described here, but a number of them appear in the following list of example networking buses and communications protocol standards (Navet and Simonot-Lion 2009, 4-2). • CAN (controller area network): an inexpensive low-speed serial bus for interconnecting automotive components; • VAN (vehicle area network): similar to CAN but not widely used; • FlexRay: a general-purpose, high-speed protocol to support time- triggered architecture; • LIN (local interconnect network): a low-cost in-vehicle subnetwork; • SAE-J1939 and ISO 11783: an adaptation of CAN for agricultural and commercial vehicles; • MOST (Media-Oriented Systems Transport): a high-speed multimedia interface that supports user applications such as GPS, radios, and video players; • D2B (domestic digital bus): a high-speed multimedia interface;

48 || The Safety Promise and Challenge of Automotive Electronics • Keyword Protocol 2000 (KWP2000): a protocol for automotive diag- nostic devices (runs either on a serial line or over CAN); • DC-BUS [1]: automotive power line communication multiplexed network; • IDB-1394; • SMARTwireX; • SAE-J1850, SAE-J1708, and SAE-J1587; and • ISO-9141-I/-II. Because a typical vehicle will have a variety of networking speed and capacity needs, it will have multiple networks and will often host differ- ent control units and use different protocols and physical media. The networks are often intended to be isolated from one another for various reasons, including bandwidth and integration concerns (e.g., entertain- ment network isolated from the network containing the engine control- ler).1 In cases where information must be shared among networks, there will typically be a gateway module to control, and in certain cases iso- late, the communications. For example, the CAN bus typically used for electronic engine controls may have a connection to other networks on the vehicle to share information, but control signals from these other networks are precluded from access to the CAN by a gateway control module. As noted below, the effectiveness of these access controls is coming into question as electronic systems are connecting more with one another and with external devices that could provide access points for cyberattacks. Sensors Sensors are essential to the function of nearly all vehicle electronics sys- tems, many of which depend on multiple sensing technologies. A variety of sensors are deployed to measure positions and properties such as tem- perature, direction and angle, oil pressure, vacuum, torque, seat position, and engine speed and then to convert the measurements into electri- cal signals (digital or analog) that can be used by computers in one or more embedded electronics systems. New technologies are providing 1 As discussed in Box 2-2, it is not evident that this separation has been adequately designed for cyber- security concerns.

The Electronics-Intensive Automobile || 49 even greater sensing capability for applications such as distance ranging, motion detection, and vehicle position identification. The amount and types of sensors in vehicles have grown dramatically over the past 20 years as a consequence of advances in technology and in response to new demands for safety, emissions control, fuel economy, and customer convenience. Although there are too many sensor types and technologies to describe here, the following examples illustrate their range of uses. To support operation of the catalytic converter, oxygen sensors with zirconia tips probe exhaust gases. The zirconia reacts with the gases and develops a signal voltage, which is transmitted to a con- troller. Simple and low-cost sensors used in many vehicle applications are the potentiometer and the Hall effect sensor. The former can be used to determine the angle or direction of a component, such as the position of the accelerator pedal or throttle plate in an electronic throttle control system (ETC). It is designed with three terminals: a power input, ground, and variable voltage output. Acting as a transducer, the potentiometer’s voltage output varies with the position of a movable contact (such as the pedal or throttle shaft) across or around a fixed resistor. The output volt- age is higher or lower depending on whether the contact is near the power supply or ground. The Hall effect sensor, in comparison, detects its position relative to that of a magnet and thus has no moving parts that can degrade over time, as can those in potentiometers. From a tech- nical standpoint, the decision to use one sensor technology over another can depend on the needed accuracy, durability, task (e.g., linear, rotary, range, temperature measuring), and integration ability (e.g., space con- straints). In practice, the cost of the sensor is also important. Sensor technology is becoming more sophisticated and varied, espe- cially to support the functionality of many new convenience, comfort, and safety-related electronic systems. Advanced sensor technologies that are being used more often include the following: • Ultrasound (e.g., backup warning, parking assist); • Inertial sensors, accelerometers, yaw-rate sensors (e.g., stability con- trol, air bag deployment, suspension control, noise and vibration suppression); • Radar and light detection and ranging (lidar) (ACC); • Cameras (e.g., lane keeping, ACC); and • GPS (e.g., advanced ACC).

50 || The Safety Promise and Challenge of Automotive Electronics In discussing the array of electronics systems being deployed in modern vehicles, the current and emerging roles of these new sensing technolo- gies are noted. Continued advances in sensing reliability and capability, of course, will be central in enabling the development and deployment of many next-generation electronics-based systems. Software As the discussion above indicates, automobiles today are literally “com- puters on wheels.” A modern luxury car contains tens of millions of lines of software code executed in and across the scores of networked elec- tronic control units. By some estimates, more than 80 percent of auto- motive innovations derive from software (Charette 2009; Krüger et al. 2009). Automotive manufacturers now depend so much on software rather than on hardware for functionality because the former is easier to evolve and extend, and it is often the only feasible way to achieve a desired function. For years automakers have been leveraging the power of networked controllers and advances in software development to introduce active safety features, many of which are described below. Between 2,000 and 3,000 individual vehicle functions are estimated to be performed with the aid of software in a premium-class car (Charette 2009). This trend is almost certain to continue as the capabilities and performance of microprocessors, networks, and software grow. Software is contained in all controller modules and is used to direct and integrate their actions. The software that monitors and controls vehicle systems and their use is part of what is commonly known as an embedded real-time system (ERTS). Since its earliest use for electronic ignition timing in the 1977 Oldsmobile Toronado, ERTS software (and the processors that run it) has grown in size, state space, and complex- ity, in large part because of added functions and the demands of coor- dinating actions among systems. For example, for the Lexus emergency steering assist system to function, it must have close interaction with the vehicle’s variable gear ratio steering and adaptive variable suspension systems, among others.2 The software needed to support this real-time coordination among the safety-related subsystems is substantially more challenging to design, develop, and validate than are relatively self- contained features such as a door-lock controller. Software development and safety assurance processes are discussed further in Chapter 3. 2 http://www.worldcarfans.com/10608296343/lexus-ls460-achieves-world-first-in-preventative-safety.

The Electronics-Intensive Automobile || 51 Control of Engine, Transmission, and Throttle Before there was a need for in-vehicle communications networks, com- puterized engine control units were introduced in vehicles in the late 1970s to meet federal emissions regulations. These early units governed the air–fuel mixture to enable more efficient fuel combustion to mini- mize emissions. An exhaust gas oxygen sensor provided a signal to the engine control unit so that it could regulate fuel levels to achieve an even more precise air–fuel mixture. As emissions standards were tight- ened and electronic fuel injectors were introduced, additional functions were added to the engine controller for such purposes as more precise and consistent spark timing and regulation of the flow of fuel during a cold start. Coincidental with these changes, automobile manufacturers began to introduce other computer controllers for transmission and throttle functions. These controllers were also designed to exchange informa- tion with and be regulated jointly by the engine controller. Automatic transmissions had previously relied on hydraulics to operate valves that engaged and disengaged clutches in planetary gear sets. With electronic controls, the shift point could be better controlled by using inputs from a network of sensors in the engine, transmission, and wheels. ETCs were introduced in the late 1990s, eliminating the physical link- age between the accelerator pedal and throttle by a cable and other con- nectors. A typical ETC consists of a control unit, a pair of throttle valve position sensors, a pair of pedal position sensors, and an electric motor that actuates the throttle. Depressing the accelerator pedal causes the pedal sensors to send a signal to the controller, which in turn sends a command to the throttle motor to open or close the throttle. Sensors on the throttle confirm its position and correspondence to the signals being sent by the sensors in the accelerator pedal. ETCs allow for more precise regulation of fuel consumption and emissions by the engine control unit and provide other benefits, such as a reduction in the cost of electronic cruise and stability control systems and an increase in their feasibility. Figure 2-2 shows some of the sensors and actuators in the vehicle that provide input to and receive commands from the engine control unit. In having such a wide array of inputs (e.g., coolant temperature, exhaust gas composition, mass air flow) and the ability to orchestrate so many outputs (e.g., spark timing, air and fuel flow, throttle opening), the engine control unit has been a major source of fuel economy and emis- sions performance improvements in vehicles over the past two decades.

52 || The Safety Promise and Challenge of Automotive Electronics FIGURE 2-2 Engine control sensor and actuator network (ECU = engine control unit; EGR = exhaust gas recirculation; HEGO = heated exhaust gas oxygen sensor). (Source: Cook et al. 2007.) Concerns over transportation’s dependence on imported oil and emis- sions of greenhouse gases have generated increased interest in electric- drive vehicles. These vehicles all have batteries and electric motors that provide some or all of the vehicle’s propulsion. The main types of electric- drive vehicles are conventional hybrid vehicles (HEVs), plug-in hybrid electric vehicles (PHEVs), and pure electric vehicles (EVs). While these vehicles have many of the same electronic capabilities as conventional vehicles, they have different control needs with implications for their electronics, as discussed in Box 2-1. Brake Power Assistance and Lockup Control Brakes continue to rely fundamentally on hydraulic lines that transmit the pressure at the brake pedal to actuators at the wheels to force the brake pads into contact with a drum or disc on the wheel. The generated friction slows and eventually stops the vehicle. For greater safety assur- ance, the hydraulics are split (as required by regulation) so the left front and right rear wheels use half the system and the right front and left rear

The Electronics-Intensive Automobile || 53 Box 2-1 electronic controls in electric-drive Vehicles The most common electric-drive vehicles in production are HEVs, which have been available for more than a decade. These vehicles have either one or two electric machines and a gasoline engine in parallel to drive the wheels. When the vehicle deceler- ates, the motor acts as a generator to recharge the battery with energy that would otherwise be lost in braking (regenerative braking). HEVs, therefore, require complicated electronic con- trols to optimize performance of the two power trains and ensure proper charging of the battery. Manufacturers are now introduc- ing PHEVs with batteries charged from the electric grid. PHEVs come in two forms. One is similar to a conventional hybrid but has a bigger battery that can be charged from a power line to allow electricity-only driving for about a dozen miles. The forth- coming plug-in Toyota Prius is an example of this type of PHEV. The General Motors (GM) Volt is a series PHEV in which the wheels are powered by electricity only. The battery is bigger than that in the parallel PHEV and may be capable of traveling 40 miles on a charge. Pure EVs such as the Nissan Leaf or the Tesla road- ster have a larger battery that can power driving for 80 miles or more. The battery is charged only from regenerative braking or a power outlet. Pure EVs are mechanically and electronically sim- pler than the hybrids, since they have an electric motor but no engine and no need to balance two power trains. Power train control in electric Vehicles All electric-drive vehicles require sophisticated power train con- trol to manage power flow from the battery to the motor and from the motor/generator to the battery during regenerative braking and, in the case of parallel hybrids (either HEV or PHEV), to coordinate the sharing of loads between the engine and the electric motor. Parallel hybrid controls must optimize operations to minimize fuel consumption while meeting emissions require- ments. Parallel hybrid vehicles may start repeatedly without fully (continued on next page)

54 || The Safety Promise and Challenge of Automotive Electronics Box 2-1 (continued) Electronic Controls in Electric-Drive Vehicles warming up. Because engines produce higher emissions when they are started cold, meeting emissions requirements is a con- cern. In addition, the battery charge status needs to be monitored so that it stays within limits to maximize its life. In series hybrids, control is less complex because loads are not shared between motor and engine. The battery state of charge must be monitored so that when it reaches a lower limit the engine is started and is turned off when the battery is sufficiently charged. In compari- son, EV power train control is simple since there is no concern over emissions and the only processes that need to be controlled are those involving the transmission from the battery to the motor and from regenerative braking back to the battery. Because switching large current either in the charger or in the power electronics for propulsion is done quickly to minimize losses, the potential for transients to be created in wiring harnesses that could cause electromagnetic interference and malfunctioning microprocessors is an area of design concern. controlling Battery charging EV and PHEV battery charging is handled through a sophisti- cated controlled rectifier that takes power from the plug, at 120 or 220 volts alternating current, which is converted to direct cur- rent for the battery. The charging voltage needs to be carefully monitored since overcharging can reduce battery life and lead to fire risks. EVs and PHEVs may use in-vehicle systems such as GM’s OnStar and Ford’s Sync to communicate with the charger, allowing the monitoring of the battery state of charge through an Internet-enabled phone. Similarly, the charger may communi- cate with a smart meter through the Internet, allowing charging to occur when electricity rates are lowest. Braking and stability control in electric Vehicles Regenerative braking is an important contributor to the high fuel economy of hybrids. However, this type of braking only works

The Electronics-Intensive Automobile || 55 Box 2-1 (continued) Electronic Controls in Electric-Drive Vehicles with the driving wheels, whereas conventional hydraulic brakes work on all four wheels and are more powerful. For safety, hybrids and EVs also need hydraulic brakes that act in concert with regen- erative braking so that the driver does not feel a difference from conventional cars. In an electric-drive vehicle with wheel motors, stability control can involve decreasing power to the drive wheels on one side of the car and possibly selective braking of individual wheels. With parallel hybrid vehicles, the addition of electric motor power means that the systems can be controlled precisely. wheels use the other half.3 If one system fails, the other will provide degraded but balanced braking. The majority of today’s vehicles have power-assisted brakes. Most of these systems use an actuator (vacuum booster) that maintains vacuum derived from the engine during part load operation. When the driver depresses the brake pedal, the booster provides additional hydraulic pres- sure to the brakes, so the pedal force required by the driver is reduced. The vacuum booster has sufficient capacity for successive brake applica- tions depending on how forcefully the pedal is applied. In general, the assist capacity will be reduced if the driver applies and releases the brake repeatedly so as to deplete the vacuum in the booster. Under these cir- cumstances, the pedal force required for an emergency stop will increase substantially. Most new vehicles today also have an antilock brake system (ABS) that provides greatly improved braking on slippery surfaces. When the coefficient of friction between the tire and the road is low, firm applica- tion of the brake tends to lock the wheels, causing a loss of steering con- trol. The ABS was introduced widely in the 1980s. A typical system uses an electronic control unit and speed sensors in the wheels. The control unit constantly monitors the speed of each wheel. If it detects a wheel rotating more slowly than the others, which indicates an impending wheel lock, the unit will reduce the brake pressure at the affected wheel. 3 Front and rear wheel splits are legal in addition to the more common diagonal splits.

56 || The Safety Promise and Challenge of Automotive Electronics In the event of an ABS failure, the system reverts to conventional braking, in which the pressure applied to the brake pedal by the driver is not modulated by the computer and skidding can occur on slippery surfaces. Traction and Stability Control In conditions in which there is a low coefficient of friction, if one of the drive wheels spins, the opposite wheel will produce no force because of the action of the differential, which can cause the vehicle to become stuck. Electronic traction control systems, which were first introduced in the early 1990s, use the same wheel speed sensors as the ABS to detect wheel spin. These systems reduce the throttle opening and perhaps apply the brake to the spinning wheel to help restore traction. Electronic stability control systems (ESCs) evolved from traction control systems. The main difference is that they are designed to improve vehicle han- dling. For example, if the driver attempts to make a sharp turn at high speed, the tires may not sustain enough lateral force for the vehicle to follow the driver’s intended path accurately, depending on other vehicle dynamics factors such as braking, which may cause the vehicle to over- rotate (spin) or underrotate (plow). To predict this potential, the ESC uses the steering wheel angular position, the wheel speed sensors in the ABS, and the yaw-rate sensor. The system will reduce engine power by decreasing the throttle opening. If this response is insufficient, the sys- tem will apply the brakes to the appropriate wheels. These two actions will help change the yaw rate of the vehicle to match the driver’s intent more closely. When roll stability control is provided, it is integrated into the ESC. This feature helps to reduce tilting propensity by activating the brakes or special bars for stability. As in the case of the ABS, loss of these ESC capabilities puts responsibility back on the driver to avoid and react appropriately to events that risk destabilizing the vehicle. Suspension Control Electronically controlled suspension systems adapt the suspension of the car to the driver’s preferences for a stiffer or softer ride by taking into account vehicle speed, road surface, and cornering and acceleration requirements. Accelerometers sense and measure the motion and pitch of the car. In cars equipped with an air suspension system, the volume of the air in the cushions in all four corners of the car is regulated by a com- pressor, which is controlled by a processor interpreting signals from the

The Electronics-Intensive Automobile || 57 accelerometers. In cars with traditional shock absorbers, several other technologies exist to change damping rates that affect the ride quality.4 Power Steering Assist As vehicles became heavier, hydraulic power steering was introduced in the 1950s. These systems used a pump driven by the engine to provide assistance to the driver through a hydraulic motor. The driver input is applied to a torsion bar that opens a valve in proportion to the difference between the steering wheel position and the angular position of the wheels. Electric power steering was introduced in the 1990s, primarily to reduce the amount of energy that had been used by the hydraulic pump and thus to improve vehicle fuel economy.5 The torsion bar modi- fies compliance to facilitate stability, but an electrical sensor determines the angular displacement. The power assist is provided by an electric motor controlled by a microprocessor. Failures in electric power steering could lead to unintended steering or resistance to the driver’s attempt to steer; however, by design the system detects such conditions and deacti- vates the assist feature. At highway speeds, deactivation is manageable because only small displacements are needed. Deactivation at slow speeds and during parking makes steering more difficult. Adaptive Cruise Control Conventional cruise control systems, which were introduced in the late 1950s, control the vehicle’s speed to a point set by the driver. Early sys- tems used a vacuum actuator to pull and release the throttle cable. The system was turned on and off through toggling a switch and was disen- gaged by tapping the brake pedal. As an additional safety feature, the system disengaged at some minimum low speed and, in cars with man- ual transmission, when the driver changed gears. After ETCs were intro- duced, cruise control systems could use the throttle control motor rather than pull a cable to control the throttle position. ACC systems have a forward-looking sensor, usually radar-based, to determine the vehicle’s distance from other vehicles and obstacles ahead. Depending on the operating speed, the system calculates a safe following 4 These technologies include continuously variable real-time damping shocks and a magnetically con- trolled suspension system that has no valves or other moving parts. 5 Electric power steering is even more efficient than conventional power steering because the steering motor only needs to provide assistance when the steering wheel is turned, whereas the hydraulic pump must run constantly.

58 || The Safety Promise and Challenge of Automotive Electronics distance and maintains it by adjusting the vehicle’s speed. The adjust- ment is made not only by using the throttle but also by applying the brakes if necessary. Some ACC systems receive input from the vehicle’s GPS navigation system and a forward-pointing camera. By combining these features, the ACC can determine whether the lead car is slowing down with its turn signal on to move over to an exit ramp. Whereas a conventional ACC would sense the narrowing headway and slow the vehicle down, this advanced system will make a smaller adjustment to the following speed. Lane Departure Warning and Keeping Lane departure warning systems have been available for about a decade. In these systems, a forward-looking camera monitors pavement lane markings. A warning sound is issued when the vehicle drifts out of the lane. More recent systems for active lane-keeping use the ESC and elec- tric power steering to assist the driver in maintaining lane position by applying light brake pressure or countersteering forces. Parallel Parking Assistance Some automobile manufacturers have recently introduced systems that automatically control the power train and steering so that the vehicle can parallel park itself. Cameras and sensors judge the size of the parking spot and the distance between the vehicle and adjacent obstacles (other cars, the curb, etc.) to execute the parking maneuver. The system is designed so that if the driver touches the steering wheel or applies the brake firmly, the system will disengage. In addition, if the vehicle exceeds a set speed, the system will turn off. Navigation and Communications The navigation and communications systems in vehicles today have multiple capabilities. They are interconnected with one another, with many of the systems described above (e.g., ACC linked to GPS), and with entertainment systems. User peripherals such as short-range wire- less devices, mobile phones, and USB devices are routinely attached to the same internal networks. The telecommunications interfaces can also be used for remote vehicle surveillance, reprogramming of software, system diagnostics, and control of certain vehicle systems through con- nections with external devices. Some of the capabilities made possible through telematics can enhance safety, such as automatic crash response

The Electronics-Intensive Automobile || 59 through notification of air bag deployment and the vehicle’s coordinates (via cell tower and GPS). Occupant Protection Systems Much of the discussion of safety-related electronics systems in this chap- ter and elsewhere in the report concerns technologies used for crash avoidance and vehicle controls such as the ETC. Electronics, however, also play a central role in occupant protection systems such as air bags and seat belts. Accelerometers and other sensors positioned in impact zones can detect deceleration or multidirectional acceleration and deter- mine which vehicle seating positions are occupied. On the basis of the sensor information, the control unit can calculate the angle of impact and the force of the crash to determine which air bags to deploy and to what degree and activate additional measures such as seat belt preten- sioning. Every time a vehicle is started, the air bag control module self- checks the sensors and the state of the system. Self-Diagnostics All vehicles today contain computers that monitor the performance of certain major vehicle components, especially in the engine, and give diagnostic information to the vehicle owner or repair technician. Early self-diagnostic systems, introduced in the 1980s, would simply trigger a dashboard malfunction indicator light if a fault was found but would not indicate the nature of the problem. The self-checking takes place during engine start-up and continually as the vehicle operates, depending on the system. Diagnostics systems in vehicles today provide much more varied functions, including the triggering of corrective actions if necessary. It has been estimated that about one-third of the embedded software in a modern vehicle is used to run diagnostics (Charette 2009).6 This is because modern onboard diagnostics systems (OBDs) monitor a wide array of vehi- cle systems and apply myriad rules to decide whether a fault has occurred. The faults are logged as diagnostic trouble codes (DTCs). The DTCs allow technicians to identify and fix malfunctions rapidly. The setting of a DTC may also trigger actions, such as shutting down a system or alerting the driver through a dashboard light. The use of OBDs for system monitoring and safety assurance functions is discussed in more detail in Chapter 3. For some electronics systems such as electric power steering, diagnostics can account for the majority 6 of code.

60 || The Safety Promise and Challenge of Automotive Electronics While the U.S. Environmental Protection Agency specifies the type of diagnostic connectors and protocols required in vehicles for emissions control systems, OBDs in vehicles today differ by manufacturer, includ- ing the functions they monitor. These differences will undoubtedly grow. Opportunities for innovative diagnostics systems to become a selling point to consumers are already starting to be exploited. For example, onboard communications systems can already transmit vehicle “health” and operating parameters to original equipment manufacturers for remote analysis and diagnostics. These exchanges may be used to iden- tify vehicle systems that require firmware updating and to perform the upgrades remotely or notify the driver of the need to have the vehicle serviced (Charette 2009). Event Data Recorders Electronics sensors and connections have enabled automotive manufac- turers to install event data recorders (EDRs) on their vehicles. The record- ers are usually part of the air bag control module, and they are triggered to save data by a crash event in which an air bag is deployed or the sen- sors in the air bag system detect rapid deceleration or multidirectional acceleration. The recorders typically capture a few seconds of vehicle data before a crash, including vehicle speed, accelerator pedal position, throt- tle position, and brake switch position. The recorded information can be retrieved by investigators through the OBD port to help determine the causes of the crash. Because EDRs are not currently mandated, their usage varies by man- ufacturer. According to NHTSA, a large majority of vehicles sold in the United States have EDRs, but there is inconsistency among the manufac- turers in the array of data items recorded and the means available for accessing the stored data. NHTSA regulations mandate that most light- duty vehicles made on or after September 1, 2011 (Model Years 2012 or later) that are equipped with EDRs record a common set of variables, including precrash speed, brake light status, velocity change, engine rev- olutions per minute, seat belt use, and the timing of air bag deployment. NHTSA has indicated its intention to initiate a rulemaking to require EDRs on all cars and to expand the number of data items recorded. In addition, a variety of efforts are being pursued through standard-setting organizations to bring greater uniformity to the data collected by EDRs and the technical means for accessing the data. EDRs are discussed fur- ther later in this report.

The Electronics-Intensive Automobile || 61 next-Generation systems Consumer and manufacturer experience with some of the newer sys- tems described above will affect the rate of introduction and penetration of even more complex electronics systems. While the following systems are in research and developmental stages, many are candidates for deploy- ment during the next 25 years. Steer-by-Wire and Brake-by-Wire In steer-by-wire systems, the mechanical link between the steering wheel and the vehicle wheels is removed, and the driver’s intent is translated into signals to a motor or motors that turn the wheels. Among possible advantages, steer-by-wire would reduce vehicle weight, eliminate the safety hazard presented by the protruding steering column, offer greater flexibility in designing the car interior, and enable customizable driver interfaces since the steering mechanism could be designed and installed as a modular unit. Brake-by-wire would substitute sensors, computers, and actuators for pumps, hoses, fluids, and master cylinders. These sys- tems would eliminate the direct mechanical connection between the pedal and the brakes by activating motors on each wheel. Both of these advanced concepts have been demonstrated, but mak- ing a convincing case with regard to their operating reliability will be fundamental to their deployment because the only safe state for steer- ing and braking is “operational.” Addressing these concerns through the use of redundant systems (as found in aircraft fly-by-wire) may be pos- sible but could negate the purpose of adding the drive-by-wire systems. The challenge will be in finding ways to ensure safety without greatly increasing each system’s total cost. Vehicle-to-Vehicle and Vehicle-to-Infrastructure Communications Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communi- cations are being studied by manufacturers, suppliers, universities, trans- portation agencies, and NHTSA. As conceived, an equipped vehicle would function as a node in a network able to communicate with other vehi- cles and roadside units to provide one another with information on such topics as safety warnings and the state of traffic. Electronic messages could notify the driver or perhaps the ACC that the vehicle ahead is

62 || The Safety Promise and Challenge of Automotive Electronics slowing down and thus give more reaction time to the trailing vehicle. Communications through a string of vehicles could warn of traffic slow- downs, and communications between vehicles could reduce crashes at blind intersections. Because V2V would require a substantial number of vehicles equipped with transponders and V2I would require intelligent highway infrastructure, the emergence of these systems will depend not only on further technological advances but also on many safety assur- ance, institutional, and economic factors. Partly and Fully Automated Vehicles In contrast to systems that provide the driver with a warning or assume temporary control over the vehicle in an emergency situation, partial or fully automated systems would provide assistance for routine driving tasks. In the case of partially automated systems, the driver would relin- quish control of some driving tasks but retain control of the vehicle generally. Fully automated vehicles are often conceived as providing “hands-off, feet-off” driving, whereby the driver is disengaged from virtually all driving tasks. The notion of fully automated driving dates back to at least the 1939 World’s Fair, which included a GM exhibit on “driverless” cars (Shladover 1990). Even today, there is no agreement on how such an outcome could be achieved from both the technical and the practical standpoints. One possibility is that instrumented vehicles operate autonomously by using artificial intelligence and V2V-type sensors and communications capabili- ties that enable safe navigation within a highway environment consisting of a mix of automated and nonautomated vehicles. Other possibilities include varying degrees of cooperation among vehicles and infrastructure, perhaps on dedicated lanes. One of the earliest demonstrations of these concepts was organized by the National Automated Highway System Consortium, which demonstrated various forms of automated driving on an Interstate highway outside of San Diego, California, in 1997.7 The Defense Advanced Research Projects Agency has sponsored several com- petitions to demonstrate hands-free driving.8 Recently, Google announced that it has tested several vehicles over 140,000 miles hands free.9 These 7 For a review of the National Automated Highway System Consortium research program, see TRB (1998). 8 http://www.darpa.mil/grandchallenge/index.asp. 9 http://www.nytimes.com/2010/10/10/science/10googleside.html?_r=2&ref=science.

The Electronics-Intensive Automobile || 63 vehicles use radar, lidar, vision cameras, and GPS, among other contem- porary technologies. All concepts of vehicle automation, both partial and full, face major technological challenges, as well as substantial safety assurance hurdles. Partially automated systems can be more difficult to design and imple- ment because of the potential for confusion over the division of functions between the driver and the machine and the need to maintain driver situation awareness. This study cannot begin to address these and other safety issues associated with the many forms of automation. Although such systems may not emerge on a large scale for decades, opportunities may arise sooner under certain controlled conditions, such as the use of automated snowplow and freight truck convoys (with drivers in the lead trucks) on rural Interstate highways and buses on dedicated transitways (TRB 1998, 60–62). safety challenGes As the description in this chapter makes clear, electronics provide a wide array of benefits to motorists. Electronics not only make vehicles more energy- and emissions-efficient and reliable10 but also improve many capabilities that have clear safety implications, such as reducing the vul- nerability of braking to skidding. In addition, electronics allow many new vehicle capabilities intended to improve the safety of driving. Among them are stability control and blind spot, lane-keeping, and headway sur- veillance. Even after a crash occurs, electronics allow more effective air bag deployment and faster emergency response through automatic emer- gency responder notification of crash location. Although electronics provide reliability and safety benefits, they also present safety challenges. One relates to ensuring that software performs as expected under a range of vehicle operating conditions. As indicated earlier, vehicles today have embedded software comprising millions of lines of code in a wide variety of vehicle systems. It is well known that 10 According to J. D. Power and Associates (2011), a study measuring problems experienced during the past 12 months by original owners of 3-year-old (2008 model year) vehicles indicates that owners are experiencing the lowest problem rate since the inception of the study in 1990. The study found that the greatest gains have been made in reducing problems associated with vehicle interiors, engines, transmissions, steering, and braking. However, the problem rate for some electronics systems, includ- ing entertainment and tire pressure monitoring systems, increased.

64 || The Safety Promise and Challenge of Automotive Electronics exhaustively testing large and complex software programs to simulate every possible state under real-world operating conditions is not physi- cally possible. Accordingly, development of vehicle control strategies that are fail-safe (or “fail-soft”) in the event of some unforeseen and potentially unsafe vehicle operating condition is a critical goal for automotive manu- facturers. This will remain the case, since software in future vehicles can be expected to become even more complex. Of course, the growth in soft- ware size and complexity in the automotive industry is mirrored in other sectors of transportation and in other fields such as energy, chemical pro- duction, and manufacturing. The complexity is creating challenges in all domains and thus becoming the subject of much research.11 In this regard, the automotive industry should benefit from the understanding gained in developing safety-critical software generally. Another challenge of the electronics-intensive vehicle stems from the highly interactive nature of the electronic control systems on the vehi- cle. Increasingly, these systems share sensors and information to reduce cost and complexity and to increase system functionality. Thus, the sys- tems could share incorrect information, which might lead to unintended consequences in vehicle operation. As in the case of software, under- standing every possible unintended interaction among complex systems and implementing mitigation strategies as part of the vehicle validation process are difficult, and the difficulty will increase as systems are added and become dependent on one another. Meeting this challenge places a premium on monitoring the vehicle state in real time and on imple- menting strategies for fail-safe or fail-soft operation. A further challenge in today’s electronics-intensive vehicle relates to the interactions between the driver and the vehicle. As electronics-driven systems with new behaviors and interfaces are introduced at a faster pace, the driving experience can change, and some drivers may be sur- prised by certain vehicle behaviors that are normal for the new system. The unfamiliar driver may respond in a way that causes safety problems. Similarly, a startled or stressed driver may not react properly when faced with an unexpected condition. For example, the means for shutting off 11 For example, in 2007, because of concerns about problems attributed to software for robotic space- craft, the National Aeronautics and Space Administration conducted a study of “flight software com- plexity,” and in 2009 the National Science Foundation initiated a research program on “cyber-physical systems” intended to “reveal cross-cutting fundamental scientific and engineering principles that underpin the integration of cyber and physical elements.”

The Electronics-Intensive Automobile || 65 the engine while driving when a vehicle has a keyless ignition system (push button) has been suspected to be misunderstood by drivers accus- tomed to the traditional keyed ignition switch. Thus, human factors, which have always been important in the design of vehicles, will grow in significance as new systems affecting the driver’s interfaces and inter- actions with the vehicle are introduced.12 The fundamental role of networked electronics in today’s vehicles was discussed earlier in the chapter. These networks are crucial in the opera- tion of the vehicle, and various strategies are being used by manufactur- ers to ensure that they are protected against and isolated from sources of environmental interference and malicious access. The strategies include testing, monitoring and diagnostics, fail-safe mechanisms, controlled net- work gateways, and the use of communications protocols. For example, manufacturers and suppliers test vehicles and components to ensure that electromagnetic fields from a variety of external and internal sources do not cause unexpected or errant system behaviors. Whether the nature and level of this testing have kept pace with the changing electromag- netic environment and increased safety assurance required for the expanding electronics content in vehicles has not been the subject of extensive research in the public domain. In addition, the effectiveness of controlled network gateways and firewalls is coming into question as a result of recent research and testing. Examples of hackers accessing secure computer systems in other domains are well known, and researchers have recently demonstrated that vehicle systems can be accessed in a multitude of ways through these networks, as described in Box 2-2. The researchers have also shown that this access can be used to alter and degrade safety-critical vehicle systems such as braking, exterior lighting, and speed control. Cybersecurity, in particular, is attracting increasing attention from automobile manufacturers and NHTSA. Finally, advanced vehicle technologies are being developed, and in some cases deployed, that promise further changes in the safety land- scape. Electric-drive vehicles are already in use that have regenerative braking and propulsion systems under more integrated control as well as torque characteristics that differ from traditional vehicles powered by 12 Customized interfaces are already being introduced. For example, BMW and Mini recently announced their support for “iPod Out,” a scheme whereby Apple media devices will be able to control a display on the car’s console. Increased customization along these lines can have the advantage of tailoring an interface to the needs of each driver, but they may lead to greater interface variability and driver unfamiliarity.

66 || The Safety Promise and Challenge of Automotive Electronics Box 2-2 automotive Vulnerabilities to cyberattack Experiments have been conducted by researchers at the University of Washington and the University of California, San Diego, to examine cybersecurity vulnerabilities in modern automobiles. They have demonstrated how individuals with sufficient skill and malicious intent could access and compromise in-vehicle networks and computer control units, including those control- ling safety-critical capabilities such as braking, exterior lighting, and engine operations. In the laboratory and in road tests, the researchers first demonstrated the ability to bridge internal net- works and bypass what the researchers described as “rudimen- tary” network security protections to gain control over a number of automotive functions and ignore or override driver input, including disabling the brakes, shutting off the engine, and turn- ing off all lights (Koscher et al. 2010). To do so, they extracted and reverse-engineered vehicle firmware to create messages that could be sent on the CAN through the OBD port to take control of these systems. This included the insertion of code in the con- trol units to bridge across multiple CAN buses. In follow-up experiments, the researchers examined all external attack sur- faces in the vehicle to demonstrate and assess the possibility of remote access to cause similar outcomes (Checkoway et al. 2011). The experiments indicated that such exploitation can occur through multiple avenues, including those requiring physical access to the vehicle (e.g., mechanics’ tools, CD players) and those using remote means such as cell phones, other short- range wireless devices, and tire pressure monitoring systems. The committee was briefed by the researchers, who described in more detail the many possible means by which an adversary could attack a vehicle in the manner outlined above and the implications for the safe operation of a vehicle.1 In the briefing and published papers cited above, the researchers surmise that automotive manufacturers have designed their networks with-

The Electronics-Intensive Automobile || 67 Box 2-2 (continued) Automotive Vulnerabilities to Cyberattack out giving sufficient attention to such cybersecurity vulnerabili- ties because automobiles have not faced adversarial pressures (unlike PCs connected to the Internet) and because of the incre- mental nature by which these networks have been expanded, interconnected, and opened to external communication chan- nels. Recognizing that high levels of interconnectedness among vehicle control units are necessary for desired functionality, the researchers did not propose the creation of physically isolated net- works. Instead, they proposed the hardening of remote interfaces and the underlying code platform, greater use of antiexploitation mitigations used elsewhere, and the use of secure (authenticated and reliable) software updates as part of automotive component design. The committee notes that although the researchers did not give specific examples of a vehicle having been compromised by such an external attack, cyberattacks in the field have been reported. One such incident, in early 2010, involved a former employee of an automotive dealership alleged to have remotely hacked into systems that had been installed in purchased vehi- cles to track their whereabouts and gain access to them in the event of a bank repossession. About 100 private vehicles were targeted; their starters and GPS were deactivated and their horns were triggered. Many of the owners were stranded and incurred towing expenses, according to media reports.2 Obviously, had such an attack compromised a vehicle’s power train, braking, and other operating systems while being driven, the conse- quences could have been much more severe. 1 Two of the researchers, Tadayoshi Kohno and Stefan Savage, briefed the committee on March 4, 2011. 2 http://www.pcworld.com/article/191856/exemployee_wreaks_havoc_on_100_cars_ wirelessly.html.

68 || The Safety Promise and Challenge of Automotive Electronics internal combustion engines. Continued growth in the EV fleet will place new safety assurance demands on industry and oversight responsibilities on NHTSA. Intelligent vehicle concepts that now appear to be far out on the horizon, such as V2V and V2I, may progress even faster than expected and add further to the safety assurance and oversight challenge. The next chapter discusses how automobile manufacturers are attempting to meet these various safety and cybersecurity challenges through their product design, development, and production processes. chaPter findinGs Finding 2.1: Electronics systems have become critical to the functioning of the modern automobile. Enabled by advances in sensors, microprocessors, software, and networking capabilities, these systems are providing a rich and expanding array of vehicle features and applications for comfort, convenience, efficiency, operating performance, and safety. Almost all functions in today’s automobile are mediated by computer-based elec- tronics systems. Some of these systems have improved on capabilities once provided by mechanical, electromechanical, and hydraulic systems. In many other cases, electronics systems are enabling the introduction of new capabilities, including a growing number of applications intended to assist the driver in avoiding and surviving crashes. Finding 2.2: Electronics systems are being interconnected with one another and with devices and networks external to the vehicle to provide their desired func- tions. System interconnectivity and complexity are destined to grow as the capabilities and performance of electronics hardware, software, and networking continue to expand along with consumer demands for the benefits these interconnected systems confer. Networked electronics sys- tems and software will continue to be the foundation for much of the innovation in automobiles and may lead to fundamental changes in how the responsibilities for driving tasks and vehicle control are shared among the driver, the vehicle, and the infrastructure. Finding 2.3: Proliferating and increasingly interconnected electronics systems are creating opportunities to improve vehicle safety and reliability as well as demands for addressing new system safety and cybersecurity risks. As systems share sensors and exchange data to expand functionality, an emerging safety assurance challenge is to prevent (a) the unintended coupling

The Electronics-Intensive Automobile || 69 of systems that can lead to incorrect information being shared and (b) unauthorized access to or modifications of vehicle control systems, both of which could lead to unintended and unsafe vehicle behaviors. A critical aspect of this challenge is to ensure that the complex software programs managing and integrating these electronics systems perform as expected and avoid unsafe interactions. Another is to ensure that the electronics hardware being embedded throughout the vehicle is compatible with the demanding automotive operating environment, including the electromagnetic environment, which may be changing as electronics devices and accessories are added to automobiles. Inasmuch as many problems in software and electromagnetic interference may leave no physical trace behind, detection and diagnosis of them can be more difficult. Finding 2.4: By enabling the introduction of many new vehicle capabilities and changes in familiar driver interfaces, electronics systems are presenting new human factors challenges for system design and vehicle-level integration. Although auto- motive manufacturers spend much time and effort in designing and testing their systems with users in mind, the creation of new vehicle capabilities may lead to responses by drivers that are not predicted and that may not become evident until a system is in widespread use. Drivers unfamiliar with the new system capabilities and interfaces may respond to or use them in unexpected and potentially unsafe ways. Thus, human factors expertise, which has always been important in vehicle design and development, is likely to become even more so in designing electronics systems that perform and are used safely. Finding 2.5: Electronics technology is enabling nearly all vehicles to be equipped with EDRs that store information on collision-related parameters as well as enabling other embedded systems that monitor the status of safety-critical electronics, identify and diagnose abnormalities and defects, and activate pre- defined corrective responses when a hazardous condition is detected. Access to data logged in EDRs can aid crash investigators, while diagnostics sys- tems can facilitate vehicle repair and servicing and inform automotive manufacturers about possible system design, engineering, and produc- tion issues. Continued advances in electronics technology and their prolif- eration in vehicles can be expected both to necessitate and to enable more applications for monitoring state of health, performing self-diagnostics, implementing fail-safe strategies, and logging critical data in the event of crashes and unusual system and vehicle behaviors.

70 || The Safety Promise and Challenge of Automotive Electronics references Abbreviation TRB Transportation Research Board Charette, R. N. 2009. This Car Runs on Code. IEEE Spectrum, Feb. http:// spectrum.ieee.org/green-tech/advanced-cars/this-car-runs-on-code. Checkoway, S., D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. 2011. Comprehensive Experimental Analyses of Automotive Attack Surfaces. Presented at 20th Advanced Computing Systems Association Conference, San Francisco, Calif., Aug. 10–12. http://www.autosec.org/publications.html. Cook, J. A., I. V. Kolmanovsky, D. McNamara, E. C. Nelson, and K. V. Prasad. 2007. Control, Computing and Communications: Technologies for the Twenty-First Century Model T. Proceedings of the Institute of Electrical and Electronics Engineers, Vol. 95, No. 2, Feb., pp. 334–355. J. D. Power and Associates. 2011. U.S. Vehicle Dependability Study. Press release. http://www.jdpower.com/news/pressrelease.aspx?ID=2011029. Koscher, K., A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. 2010. Experimental Security Analysis of a Modern Automobile. In Institute of Electrical and Electronics Engineers Symposium on Security and Privacy (D. Evans and G. Vigna, eds.), Institute of Electrical and Electronics Engineers Computer Society, May. Krüger, A., B. Hardung, and T. Kölzow. 2009. Reuse of Software in Automotive Electronics. In Automotive Embedded Systems Handbook (N. Navet and F. Simonot-Lion, eds.), CRC Press, Boca Raton, Fla. Navet, N., and F. Simonot-Lion. 2009. A Review of Embedded Automotive Protocols. In Automotive Embedded Systems Handbook (N. Navet and F. Simonot- Lion, eds.), CRC Press, Boca Raton, Fla. Shladover, S. E. 1990. Roadway Automation Technology—Research Needs. In Transportation Research Record 1283, Transportation Research Board, National Research Council, Washington, D.C., pp. 158–167. Simonot-Lion, F., and Y. Trinquet. 2009. Vehicle Functional Domains and Their Requirements. In Automotive Embedded Systems Handbook (N. Navet and F. Simonot-Lion, eds.), CRC Press, Boca Raton, Fla. TRB. 1998. Special Report 253: National Automated Highway System Research Program: A Review. National Research Council, Washington, D.C. http://onlinepubs.trb. org/onlinepubs/sr/sr253.html.

Next: 3 Safety Assurance Processes for Automotive Electronics »
TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

TRB Special Report 308: The Safety Challenge and Promise of Automotive Electronics: Insights from Unintended Acceleration examines how the National Highway Traffic Safety Administration's (NHTSA) regulatory, research, and defect investigation programs can be strengthened to meet the safety assurance and oversight challenges arising from the expanding functionality and use of automotive electronics. The report gives particular attention to NHTSA's response to consumer complaints of vehicles accelerating unintentionally and to concerns that faulty electronic systems may have been to blame.

The committee that produced the report found that the increasingly capable and complex electronics systems being added to automobiles present many opportunities for making driving safer but also present new demands for ensuring their safe performance. These safety assurance demands pertain both to the automotive industry's development and deployment of electronics systems and to NHTSA's safety oversight role. With regard to the latter, the committee recommends that NHTSA give explicit consideration to the oversight challenges arising from automotive electronics and that the agency develop and articulate a long-term strategy for meeting these challenges.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!