Security, safety and functionality concerns are dominating new automotive designs.
Connected vehicles are all about convenience and safety. Modern vehicles are connected to the Internet via wireless networks, consumer apps, and infotainment systems, and there is work underway to connect them over 5G to guided driving. But there also are challenges to making all of this work securely, safely, and as expected throughout the expected lifetimes of chips and systems.
The goal is both improved safety as well as entertainment. With V2X-enabled vehicles, drivers can be alerted to accidents or hazardous road conditions ahead, and in-cabin monitoring that sounds an alarm if a child is left in the car. There also are new applications, such as sensors that help the vehicle detect objects around a vehicle, not just in front of it, and to remotely control air conditioning systems.
The ultimate goal would be connected, self-driving vehicles, but it may be years before that happens. Still, there is momentum to make that a reality. The U.S. Department of Transportation said 592,000 crashes and 270,000 injuries each year are preventable, and the USDOT Connected Vehicle program is working with local transportation agencies, automakers, and device makers to advance connected vehicle development.
This is a non-trivial effort involving multiple companies, agencies, and academic research. Connected vehicles require sophisticated electronics and software. With more and more electronic components added to the vehicle, the design process already has become extremely complex, and that complexity continues to grow. In addition, it is raising a number of issues for which there are no clear answers, including:
Fig. 1: Connected vehicles are part of future intelligent transportation applications. Source: neXt Curve
More chips in the car
To maximize road safety, more sensors are being added into vehicle designs. In autonomous vehicle prototypes, there are lots more. For example, the fourth-generation Waymo has 19 individual cameras, two radar sensors, short-, medium- and long-range lidar sensors, and a GPS. They all simultaneously feed signals to the control processors. But instead of prioritizing signal feeds, the design must simultaneously consider all the inputs using high-performance processors and sensors with low latency to make the best decisions.
“Data flows for sensor fusion cannot be de-prioritized,” said Prakash Madhvapathy, director of product marketing and product management for Tensilica audio/voice DSPs at Cadence. “True sensor fusion requires that all sensor data be available with the lowest latency any time fusion is being performed. Only then can the sensor data be fused correctly. If one or more sensor inputs arrive later due to prioritization of the various data paths, that data is too late for proper fusion and may as well be discarded. Depending on which sensor inputs are deprioritized in this scenario, sensor fusion functionality may limit itself in scope, degrade performance, or misfire altogether — such as when reference sensor data is not available.”
Power profile
When the engine is turned off, not all electronics are shut down completely. Some will be in low-power mode monitoring certain functions, such as remote door lock control. Most of these electronics will be consuming power in the microwatt range.
“If the car is off, most chips and functionality will not be available and will be turned off,” Madhvapathy said. “A few chips may be always on for the purposes of safety or user convenience, such as for detection of a baby left in a hot car, or to unlock the car based on face or fingerprint identification. But driving power will not be affected by a well-designed, always-on system that uses miniscule power compared to the car battery capacity. Battery consumption is not an issue. Always-on features will only cause the battery to drain at a trickle. Software can monitor the battery level and turn off the always-on feature if the battery falls below a certain manufacturer-determined threshold.”
While this may seem obvious to chipmakers, it’s a dramatic change for automotive OEMs and their suppliers.
“Car design is not limited to the mechanical aspect anymore,” said Chris Clark, Automotive Software and Security Solutions Architect, Synopsys. “Equally important are the electronic and software components. After all, software risk equates to business risk for automotive manufacturers and OEMs. For this reason, it is important to take a holistic approach in designing cars. There are different kinds of chips inside the car controlling various functions, including running the engine and power management even when the car is ‘off,’ meaning power is never 100% shut down. Because of this always-on state, testing is a very important aspect to ensuring safety, security, and reliability. Systems need to be tested in these conditions to protect against threat actors. This is, of course, in addition to other types of testing, such as power and heat cycling, which are important for weeding out marginal components and wear that could impact the expected performance. Software is seldom reset completely. There may be memory leaks not being detected, for example. In short, the electronic designs for cars need to go through extensive modeling and testing to prevent problems from occurring down the road.”
Aging
As chips age, performance may be impacted. Some of the functions that are affected are less critical, but the goal is to lessen that impact. This is especially important for safety-critical functions, such as brake systems and ADAS functions, where seconds of delay may result in an accident.
“As chips age, the performance will degrade,” said David Fritz, senior director for autonomous and ADAS at Siemens Digital Industries Software. “Therefore, it is important to monitor these changing behaviors to ensure the safety and overall performance of the vehicle. Nowadays, more and more HD cameras are used for Level 3 and above automation, and degraded performance becomes a significant issue. For example, high-resolution cameras are spec’d at 30 frames per second. When only 29 frames per second performance is possible due to degradation, the issue needs to be detected and dealt with. If it is a software bug or defect, this could be fixed using over-the-air updates. But if it is a hardware problem, the vehicle may have to be taken back to the dealer for hardware replacement.”
The temperatures under the hood in which automotive chips operate are punishing. To function reliably, chips used in automotive design must operate over a temperature range from -40°C to +105°C, which is much more demanding than those commercial grade chips with – 40°C to 85°C temperature range. Silicon carbide (SiC) chips are gaining momentum, as they can operate in the 600°C range. Unless chips used in automotive operations can function in extreme heat or cold, they will age much faster.
“Power consumption relates to heat generation, as well,” said Amol Borkar, Cadence’s director of product management and marketing for Tensilica Vision & AI DSPs. “While the car power unit of battery + alternator should provide enough juice for these chips to run and execute algorithms easily, many chip designers are also opting for efficient utilization of the IP blocks within. Because many of these chips are in a ‘zero airflow environment,’ heat dissipation can become a big problem. Using heat sinks is not preferred because it impacts the form factor of the final product and makes integration into something tiny difficult. For example, there is no room in the head unit to add a heat sink. This is one reason why DSPs are the preferred choice for these applications.”
Security
Connected and digitized vehicles increase cyber risks. Unlike network or server operations, where professional cybersecurity teams are in place and can monitor threat activities around the clock, most vehicle owners will not be focused on potential attacks. Hackers are constantly looking for design vulnerabilities so they can steal information and/or disrupt operations. Designing secure systems that can prevent cyberattacks on vehicles from happening falls squarely on the automakers’ shoulders.
“Whenever vehicles are connected, they are vulnerable to attackers,” said Thierry Kouthon, technical product manager at Rambus Security. “Targets include USB ports, Wi-Fi, and any infotainment systems. Often, the malware is very difficult to detect because the large number of ECUs and computing devices creates a wide attack surface. Any computing device can be an entry point for an attack. The best approach is prevention, setting up mechanisms that severely limit the opportunity to load malware. During the system design phase of vehicular components, zero-trust principles are enforced using a root of trust with each computing device in the system. The zero-trust approach relies on strong authentication and attestation of the devices to be connected.”
Some of this is built into ISO 26262, which covers automotive functional safety, and ISO/SAE 21434, which addresses cyber security for road vehicles. “Always consider cyber security as part of the building blocks when designing a system, and not as an afterthought once the design is completed,” warned Kouthon. “It is important for the OEMs to have this safety and security knowledge. Fortunately, there are consultants who are experts in these areas available to OEMs when they need the help.”
The list of possible attack vectors is growing, but the attackers also are becoming more sophisticated as the value of data, the accessibility of that data, and the potential for ransomware payments increase.
“Threats and attacks, such as advanced persistent threat (APT), man-in-the-middle, side-channel, tampering, spyware, ransomware, and Trojan horse, are popping up everywhere,” said Thomas Kuehnle, product marketing manager for automotive security at Infineon Technologies. “Such malware can attack, or it can remain dormant in automotive operating systems or firmware, waiting to do damage. Communications using internal automotive networks, or external wireless communication, such as car access, EV charging, E-mobility, and OTA firmware updates may all be targets. So for electronics in a vehicle, it is critical to take a system-oriented approach to security, with cybersecurity support in hardware and software to prevent threat actors from taking control. In moving to increased levels of autonomous driving, security will become even more relevant.”
Functional safety
Security is one aspect of functional safety. But various systems inside and outside a vehicle need to be designed as part of a functionally safe system of systems.
“In electronic designs, there are constant tradeoffs between performance, power consumption, size of the packaging, reliability, security, user-friendliness, and cost,” said Alessandra Nardi, functional safety working group chair at Accellera. “Safety was often implemented as an afterthought. Once in a while, we hear news of recalls in the automotive market that tend to worry everyone. Nowadays, automobiles have more and more electronics in them. Propulsion, ADAS, entertainment, brakes, and safety airbag deployment are all controlled by electronics. On top of that, there are multiple sensors to feed data into the automobile’s electronic controllers to assist safe driving. This is why, above all, it is so critical to consider the functional safety aspects of automotive design. Safety standards such as ISO 26262 and IEC 61508, and the ones in development at Accellera Systems Initiative and IEEE, can play a significant role to increase confidence in the disciplined application of best practices during the design and verification processes. Safety is even more critical with fully autonomous driving.
Customization and the supply chain
Traditionally, OEMs rely on Tier 1, Tier 2, or chipmakers to provide most of the electronic and chip solutions for the vehicles. Because of the complexity of electronics, OEMs are now doing more system design, modeling, and simulation. In the process, they are discovering features they need for a new vehicle design. So instead of relying on suggestions coming from the supply chain, which has been the typical practice, OEMs are now requesting customized solutions to fit their requirements.
This paradigm shift enables the OEMs to take the lead.
“Customization is very important in vehicle design,” said Siemens’ Fritz. “Almost all OEMs/automakers have plans for their own custom electronic designs for their next-generation vehicles. Traditionally, chipmakers would offer the OEMs a ready-made solution, along with reference designs through the Tier 1 or Tier 2 suppliers. This is changing. Learning from design simulation and modeling, OEMs now understand what highly specific features they need for their designs and demand chipmakers come up with solutions that fit the OEM’s requirements. The new trend is for the burden of customization to shift from the OEM side to the chipmakers or new in-house IC teams.”
This provides the chipmakers with something akin to a roadmap of possibilities, providing a glimpse of what’s next so they can accommodate future changes. “Some chipmakers are taking a longer-term view and anticipating what OEMs will need in a few years,” Fritz said. “For example, if a design only focuses on Level 3 automation, when the fully autonomous Level 5 is needed, a company must develop a completely new design to meet customer expectations. This can be quite costly. Instead, chipmakers could create a scalable Level 5 solution, but only populate it, say, with the chipsets required by Level 3 to meet OEM’s short-term requirements. It is more cost-effective to upgrade the Level 3 chipsets with Level 5 chipsets down the road than to do a completely new, multi-year design.”
The future
As more electronics are crammed into small spaces inside of connected vehicles, the number of factors that can affect performance, reliability and safety is growing. This includes everything from power profiles to security, and it involves a supply chain that will continue to be modified and altered as increasingly autonomous vehicles begin populating roadways around the world.
What goes on inside and outside a vehicle is changing as those vehicles are increasingly connected. There will be issues involving massive amounts of data, from infotainment and analytics to software updates, and that will create new problems as well as new opportunities. Where will the data be stored? Who owns the data? Who should be allowed to view that data? All of this is still evolving, and it will take time before those issues are even fully defined, let alone solved. But along the way, vehicles still need to be safe, secure, and they need to perform as expected. And for the chip industry, that should keep everyone busy for years to come.
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply