Search Results

Technical Paper

Leveraging Hardware Security to Secure Connected Vehicles

2018-04-03
2018-01-0012
Advanced safety features and new services in connected cars depend on the security of the underlying vehicle functions. Due to the interconnection with the outside world and as a result of being an embedded system, a modern vehicle is exposed to both malicious activities as faced by traditional IT world systems and physical attacks. This introduces the need for utilizing hardware-assisted security measures to prevent both kinds of attacks. In this paper we present a survey of the different classes of hardware security devices and depict their different functional range and application. We demonstrate the feasibility of our approach by conducting a case study on an exemplary implementation of a function-on-demand use case. In particular, our example outlines how to apply the different hardware security approaches in practice to address real-world security topics. We conclude with an assessment of today’s hardware security devices.
Journal Article

Timing Analysis for Hypervisor-based I/O Virtualization in Safety-Related Automotive Systems

2017-03-28
2017-01-1621
The increasing complexity of automotive functions which are necessary for improved driving assistance systems and automated driving requires a change of common vehicle architectures. This includes new concepts for E/E architectures such as a domain-oriented vehicle network based on powerful Domain Control Units (DCUs). These highly integrated controllers consolidate several applications on different safety levels on the same ECU. Hence, the functions depend on a strictly separated and isolated implementation to guarantee a correct behavior. This requires middleware layers which guarantee task isolation and Quality of Service (QoS) communication have to provide several new features, depending on the domain the corresponding control unit is used for. In a first step we identify requirements for a middleware in automotive DCUs. Our goal is to reuse legacy AUTOSAR based code in a multicore domain controller.
Technical Paper

Architectural Concepts for Fail-Operational Automotive Systems

2016-04-05
2016-01-0131
The trend towards even more sophisticated driver assistance systems and growing automation of driving sets new requirements for the robustness and availability of the involved automotive systems. In case of an error, today it is still sufficient that safety related systems just fail safe or silent to prevent safety related influence of the driving stability resulting in a functional deactivation. But the reliance on passive mechanical fallbacks in which the human driver taking over control, being inevitable in such a scenario, is expected to get more and more insufficient along with a rising degree of driving automation as the driver will be given longer reaction time. The advantage of highly or even fully automated driving is that the driver can focus on other tasks than controlling the car and monitoring its behavior and environment.
Technical Paper

Cockpit Module Analysis Using Poroelastic Finite Elements

2014-06-30
2014-01-2078
Strategies for weight reduction have driven the noise treatment advanced developments with a great success considering the already mastered weight decreases observed in the last years in the automotive industry. This is typically the case for all soft trims parts. In the early 2010s, a typical European B-segment car's soft trims weigh indeed 30 to 40% less than in the early 2000s. The main driver behind such a gap has been to combine insulation and absorption properties on a single part while increasing the number of layers. This product-process evolution was conducted using a significant improvement in the simulation capacities. In that sense, several studies presenting very good correlation results between Transmission Loss measurements and finite elements simulations on dashboard or floor insulators were presented. One may consider that those kinds of parts have already achieved a considerable improvement in performance.
Technical Paper

Hardware Based Paravirtualization: Simplifying the Co-Hosting of Legacy Code for Mixed Criticality Applications

2013-04-08
2013-01-0186
The increased pressure for power, space, and cost reduction in automotive applications together with the availability of high performance, automotive qualified multicore microcontrollers has led to the ability to engineer Domain Controller ECUs that can host several separate applications in parallel. The standard automotive constraints however still apply, such as use of AUTOSAR operating system, support for legacy code, hosting OEM supplied code and the ability to determine warranty issues and responsibilities between a group of Tier 1 and Tier 2 vendors who all provide Intellectual Property to the final production ECU. Requirements for safety relevant applications add even more complexity, which in most current approaches demand a reconfiguration of all basic software layers and a major effort to redesign parts of the application code to enable co-existence on the same hardware platform. This paper outlines the conflicting requirements of hosting multiple applications.
Journal Article

Tackling the Complexity of Timing-Relevant Deployment Decisions in Multicore-Based Embedded Automotive Software Systems

2013-04-08
2013-01-1224
Multicore-based ECUs are increasingly used in embedded automotive software systems to allow more demanding automotive applications at moderate cost and energy consumption. Using a high number of parallel processors together with a high number of executed software components results in a practically unmanageable number of deployment alternatives to choose from. However, correct deployment is one important step for reaching timing goals and acceptable latency, both also a must to reach safety goals of safety-relevant automotive applications. In this paper we focus on reducing the complexity of deployment decisions during the phases of allocation and scheduling. We tackle this complexity of deployment decisions by a mixed constructive and analytic approach.
Technical Paper

Safety Element out of Context - A Practical Approach

2012-04-16
2012-01-0033
ISO 26262 is the actual standard for Functional Safety of automotive E/E (Electric/Electronic) systems. One of the challenges in the application of the standard is the distribution of safety related activities among the participants in the supply chain. In this paper, the concept of a Safety Element out of Context (SEooC) development will be analyzed showing its current problematic aspects and difficulties in implementing such an approach in a concrete typical automotive development flow with different participants (e.g. from OEM, tier 1 to semiconductor supplier) in the supply chain. The discussed aspects focus on the functional safety requirements of generic hardware and software development across the supply chain where the final integration of the developed element is not known at design time and therefore an assumption based mechanism shall be used.
Journal Article

Obtaining Diagnostic Coverage Metrics Using Rapid Prototyping of Multicore Systems

2011-04-12
2011-01-1007
With the introduction of the ISO26262 automotive safety standard there is a burden of proof to show that the processing elements in embedded microcontroller hardware are capable of supporting a certain diagnostic coverage level, depending on the required Automotive Safety Integrity Level (ASIL). The current mechanisms used to provide actual metrics of the Built-in Self Tests (BIST) and Lock Step comparators use Register Transfer Level (RTL) simulations of the internal processing elements which force faults into individual nodes of the design and collect diagnostic coverage results. Although this mechanism is robust, it can only be performed by semiconductor suppliers and is costly. This paper describes a new solution whereby the microcontroller is synthesized into a large Field Programmable Gate Array (FPGA) with a test controller on the outside.
Technical Paper

Shape Optimization of a Single Cylinder Engine Crankshaft

2011-04-12
2011-01-1077
Due to increasing demand for environment friendly vehicles with better fuel economy and strict legislations on greenhouse gas emissions, lightweight design has become one of the most important issues concerning the automobile industry. Within the scope of this work lightweight design potentials that a conventional single cylinder engine crankshaft offers are researched through utilization of structural optimization techniques. The objective of the study is to reduce mass and moment of inertia of the crankshaft with the least possible effect on the stiffness and strength. For precise definition of boundary conditions and loading scenarios multi body simulations are integrated into the optimization process. The loading conditions are updated at the beginning of each optimization loop, in which a multi body simulation of the output structure from the previous optimization loop is carried out.
Journal Article

Dedicated GTL Vehicle: A Calibration Optimization Study

2010-04-12
2010-01-0737
GTL (Gas-To-Liquid) fuel is well known to improve tailpipe emissions when fuelling a conventional diesel vehicle, that is, one optimized to conventional fuel. This investigation assesses the additional potential for GTL fuel in a GTL-dedicated vehicle. This potential for GTL fuel was quantified in an EU 4 6-cylinder serial production engine. In the first stage, a comparison of engine performance was made of GTL fuel against conventional diesel, using identical engine calibrations. Next, adaptations enabled the full potential of GTL fuel within a dedicated calibration to be assessed. For this stage, two optimization goals were investigated: - Minimization of NOx emissions and - Minimization of fuel consumption. For each optimization the boundary condition was that emissions should be within the EU5 level. An additional constraint on the latter strategy required noise levels to remain within the baseline reference.
Technical Paper

Gas Exchange Optimization and the Impact on Emission Reduction for HSDI Diesel Engines

2009-04-20
2009-01-0653
The main tasks for all future powertrain developments are: regulated emissions, CO2-values, comfort, good drivability, high reliability and affordable costs. One widely discussed approach for fuel consumption improvement within passenger car applications, is to incorporate the downsizing effect. To attain constant engine performance an increase of boost pressure and/or rated speed is mandatory. In both cases, the mass flow rate through the intake and exhaust ports and valves will rise. In this context, the impact of the port layout on the system has to be reassessed. In this paper, the impact of the port layout on a modern diesel combustion system will be discussed and a promising concept shall be described in detail. The investigations shown include flow measurements, PIV measurements of intake flow, CFD simulations of the flow field during intake and results from the thermodynamic test bench. One of the important topics is to prove the impact of the flow quality on the combustion.
Technical Paper

Advanced Combustion for Low Emissions and High Efficiency Part 2: Impact of Fuel Properties on HCCI Combustion

2008-10-06
2008-01-2404
A broad range of diesel, kerosene, and gasoline-like fuels has been tested in a single-cylinder diesel engine optimized for advanced combustion performance. These fuels were selected in order to better understand the effects of ignition quality, volatility, and molecular composition on engine-out emissions, performance, and noise levels. Low-level biofuel blends, both biodiesel (FAME) and ethanol, were included in the fuel set in order to test for short-term advantages or disadvantages. The diesel engine optimized in Part 1 of this study included cumulative engine hardware enhancements that are likely to be used to meet Euro 6 emissions limits and beyond, in part by operating under conditions of Homogeneous Charge Compression Ignition (HCCI), at least over some portions of the speed and load map.
Technical Paper

Advanced Combustion for Low Emissions and High Efficiency Part 1: Impact of Engine Hardware on HCCI Combustion

2008-10-06
2008-01-2405
Two single-cylinder diesel engines were optimised for advanced combustion performance by means of practical and cumulative hardware enhancements that are likely to be used to meet Euro 5 and 6 emissions limits and beyond. These enhancements included high fuel injection pressures, high EGR levels and charge cooling, increased swirl, and a fixed combustion phasing, providing low engine-out emissions of NOx and PM with engine efficiencies equivalent to today's diesel engines. These combustion conditions approach those of Homogeneous Charge Compression Ignition (HCCI), especially at the lower part-load operating points. Four fuels exhibiting a range of ignition quality, volatility, and aromatics contents were used to evaluate the performance of these hardware enhancements on engine-out emissions, performance, and noise levels.
Technical Paper

End-To-End Protection for SIL3 Requirements in a FlexRay Communication System

2008-04-14
2008-01-0112
This paper proposes end-to-end protection mechanisms to be added to a generic FlexRay network in order to achieve fault detection and integrity levels sufficient for a SIL3 fail safe communication system. The mechanisms are derived from the random hardware failure modes to be considered for communication controllers according to IEC 61508. Mechanisms provided by the FlexRay protocol are pointed out. Additional features necessary to fulfil the requirements are discussed. It is shown how to calculate the failure rate probabilities of the CRC used as a safety code with respect to EN 50159.
Technical Paper

Potential of the Spray-guided Combustion System in Combination with Turbocharging

2008-04-14
2008-01-0139
Based on the TurboDISI engine presented earlier [1], [2], a new Spray Guided Turbo (SGT) concept with enhanced engine performance was developed. The turbocharged engine was modified towards utilizing a spray-guided combustion system with a central piezo injector location. Higher specific power and torque levels were achieved by applying specific design and cooling solutions. The engine was developed utilizing a state-of-the-art newly developed charge motion design (CMD) process in combination with single cylinder investigations. The engine control unit has a modular basis and is realized using rapid prototyping hardware. Additional fuel consumption potentials can be achieved with high load EGR, use of alternative fuels and a hybrid powertrain. The CO2 targets of the EU (120 g/km by 2012 in the NEDC) can be obtained with a mid-size vehicle applying the technologies presented within this paper.
Technical Paper

Optimized Layout of Gasoline Engines for Hybrid Powertrains

2008-01-09
2008-28-0024
Due to the complex powertrain layout in hybrid vehicles, different configurations concerning internal combustion engine, electric motor and transmission can be combined - as is demonstrated by currently produced hybrid vehicles ([1], [2]). At the Institute for Combustion Engines (VKA) at RWTH Aachen University a combination of simulation, Design of Experiments (DoE) and numerical optimization methods was used to optimize the combustion engine, the powertrain configuration and the operation strategy in hybrid powertrains. A parametric description allows a variation of the main hybrid parameters. Parallel as well as power-split hybrid powertrain configurations were optimized with regard to minimum fuel consumption in the New European Driving Cycle (NEDC). Besides the definition of the optimum configuration for engine, powertrain and operation strategy this approach offers the possibility to predict the fuel consumption for any modifications of the hybrid powertrains.
Technical Paper

Active Noise Cancellation at Powertrain Oil Pan

2007-05-15
2007-01-2422
Under city driving conditions, the powertrain represents one of the major vehicle exterior noise sources. Especially at idle and during full load acceleration, the oil pan contributes significantly to the overall powertrain sound emission. The engine oilpan can be a significant contributor to the powertrain radiated sound levels. Passive optimization measures, such as structural optimization and acoustic shielding, can be limited by e.g. light-weight design, package and thermal constraints. Therefore, the potential of the Active Structure Acoustic Control (ASAC) method for noise reduction was investigated within the EU-sponsored project InMAR. The method has proven to have significant noise reduction potential with respect to oil pan vibration induced noise. The paper reports on activities within the InMAR project with regard to a passenger car oil pan application of an ASAC system based on piezo-ceramic foil technology.
Technical Paper

Basic Single-Microcontroller Monitoring Concept for Safety Critical Systems

2007-04-16
2007-01-1488
Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. The addition of a second microcontroller and the associated support circuitry that is required adds to the overall costs of the ECU, increases the size and creates significant system complexity.
Technical Paper

Implementation of a Basic Single-Microcontroller Monitoring Concept for Safety Critical Systems on a Dual-Core Microcontroller

2007-04-16
2007-01-1486
Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. This paper will present a concept which maps the functions of the external monitoring unit into an internal second processing core, which is frequently available on modern, 32-bit, monolithic, dual-core microcontrollers.
Technical Paper

Mechanical Testing - Still Necessary!

2007-04-16
2007-01-1768
Over the last decades, the use of computers has become an integral part of the engine development process. Computer-based tools are increasingly used in the design process, and especially the layout of the various subsystems is conducted by means of simulation models. Computer-aided engineering plays a central role e.g. in the design of the combustion process as well as with regards to work performed in the area of engine mechanics, where CFD, FEM, and MBS are applied. As a parallel trend, it can be observed that various engine performance characteristics such as e.g. the specific power output and the power-to-weight ratio have undergone an enormous increase, a trend which to some extent counteracts the increase in safety against malfunction and failure. As yet, due to the constant need for further optimization, mechanical testing and verification processes have not become redundant, and it is assumed that they will remain indispensable for the foreseeable future.