Search Results

Technical Paper

Cybersecurity in the Context of Fail-Operational Systems

2024-04-09
2024-01-2808
The development of highly automated driving functions (AD) has recently raised the demand for so-called Fail-Operational systems for native driving functions like steering and braking of vehicles. Fail-Operational systems shall guarantee the availability of driving functions even in the presence of failures. This can also mean a degradation of system performance or limiting a system’s remaining operating period. In either case, the goal is independence from a human driver as a permanently situation-aware safety fallback solution to provide a certain level of autonomy. In parallel, the connectivity of modern vehicles is increasing rapidly and, especially in vehicles with highly automated functions, there is a high demand for connected functions, Infotainment (web conference, Internet, Shopping) and Entertainment (Streaming, Gaming) to entertain the passengers, who should no longer be occupied with driving tasks.
Technical Paper

Challenges with the Introduction of X-By-Wire Technologies to Passenger Vehicles and Light Trucks in regards to Functional Safety, Cybersecurity and Availability

2023-04-11
2023-01-0581
Classic vehicle production had limitations in bringing the driving commands to the actuators for vehicle motion (engine, steering and braking). Steering columns, hydraulic tubes or steel cables needed to be placed between the driver and actuator. Change began with the introduction of e-gas systems. Mechanical cables were replaced by thin, electric signal wires. The technical solutions and legal standardizations for addressing the steering and braking systems were not defined at this time. Today, OEMs are starting E/E-Architecture transformations for manifold reasons and now have the chance to remove the long hydraulic tubes for braking and the solid metal columns used for steering. X-by-wire is the way forward and allows for higher Autonomous Driving (AD) levels for automated driving vehicles. This offers new opportunities to design the vehicle in-cabin space. This paper will start with the introduction of x-by-wire technologies.
Journal Article

A New Generation Automotive Tool Access Architecture for Remote in-Field Diagnosis

2023-04-11
2023-01-0848
Software complexity of vehicles is constantly growing, especially with additional autonomous driving features being introduced. This increases the risk of bugs in the system when the car is delivered. According to a car manufacturer, more than 90% of availability problems corresponding to Electronic Control Unit (ECU) functionality are either caused by software bugs or can be resolved by applying software updates to overcome hardware issues. The main concern is sporadic errors which are not caught during the development phase since their trigger condition is too unlikely to occur or is not covered by the tests. For such systems, there is a need for safe and secure in-field diagnosis. In this paper we present a tool software architecture with remote access, which facilitates standard read/write access, an efficient channel interface for communication and file I/O, and continuous trace.
Technical Paper

Routing Methods Considering Security and Real-Time of Vehicle Gateway System

2020-04-14
2020-01-1294
Recently, vehicle networks have increased in complexity due to the demand for autonomous driving or connected devices. This increasing complexity requires high bandwidth. As a result, vehicle manufacturers have begun using Ethernet-based communication for high-speed links. In order to deal with the heterogeneity of such networks, where legacy automotive buses have to coexist with high-speed Ethernet links, vehicle manufacturers introduced a vehicle gateway system. The system uses Ethernet as a backbone between domain controllers and CAN buses for communication between internal controllers. As a central point in the vehicle, the gateway is constantly exchanging vehicle data in a heterogeneous communication environment between the existing CAN and Ethernet networks. In an in-vehicle network context where the communications are strictly time-constrained, it is necessary to measure the delay for such a routing task.
Technical Paper

Smart 24 V Battery Switch for a Reliable Redundant Power Supply in Commercial, Construction, and Agriculture Vehicles (CAV)

2019-10-11
2019-01-5078
For highly automated driving, commercial vehicles require an Electric/Electronic (E/E) architecture, which - in addition to sensor fusion - ensures safety-critical processes such as steering and braking at all times. Among other things, a redundant 24 V supply with corresponding disconnection is required. The battery switch is a key component. Commercial, construction, and agricultural vehicles (CAV) need to operate at the highest possible availability and the lowest possible cost of ownership. This is why automated and autonomous driving has the potential to revolutionize the CAV sector. Driverless machines can be operated around the clock and almost non-stop. Platooning allows automated, interconnected trucks to drive in a convoy and very close to each other. Platooning saves fuel.
Technical Paper

Leveraging Hardware Security to Secure Connected Vehicles

2018-04-03
2018-01-0012
Advanced safety features and new services in connected cars depend on the security of the underlying vehicle functions. Due to the interconnection with the outside world and as a result of being an embedded system, a modern vehicle is exposed both to malicious activities as faced by traditional IT world systems and to physical attacks. This introduces the need for utilizing hardware-assisted security measures to prevent both kinds of attacks. In this paper we present a survey of the different classes of hardware security devices and depict their different functional range and application. We demonstrate the feasibility of our approach by conducting a case study on an exemplary implementation of a function-on-demand use case. In particular, our example outlines how to apply the different hardware security approaches in practice to address real-world security topics. We conclude with an assessment of today’s hardware security devices.
Technical Paper

Hardware/Software Co-Design of an Automotive Embedded Firewall

2017-03-28
2017-01-1659
The automotive industry is experiencing a major change as vehicles are gradually becoming a part of the Internet. Security concepts based on the closed-world assumption cannot be deployed anymore due to a constantly changing adversary model. Automotive Ethernet as the future in-vehicle network and a new E/E Architecture have different security requirements than Ethernet known from traditional IT and legacy systems. In order to achieve a high level of security, a new multi-layer approach in the vehicle which responds to special automotive requirements has to be introduced. One essential layer of this holistic security concept is to restrict non-authorized access by the deployment of embedded firewalls. This paper addresses the introduction of automotive firewalls into the next-generation domain architecture with a focus on partitioning of its features in hardware and software.
Technical Paper

Over the Air Software Update Realization within Generic Modules with Microcontrollers Using External Serial FLASH

2017-03-28
2017-01-1613
Connecting mobile communication channels to vehicles’ networks is currently attracting a wide range of engineers. Herein, the desire of vehicle manufacturers to remotely execute software updates over the air (SOTA) within electronic control units (ECU) is probably the field of highest attention at the moment. Today software updates are typically done at vehicle service stations by connecting the vehicle’s electronic network via the onboard diagnosis (OBD) interface to a service computer. Hereby the duration of the update is invisible to the user, as this happens during standard service appointments. With the introduction of SOTA, these updates become very convenient to the customer and can lead to higher customer satisfaction levels. SOTA can be made transparent to the user; however, the method of implementation can affect the user experience.
Journal Article

Calculation of Failure Detection Probability on Safety Mechanisms of Correlated Sensor Signals According to ISO 26262

2017-03-28
2017-01-0015
Functionally safe products conforming to the ISO 26262 standard are becoming more important for automotive applications in which electronics take on more and more responsibility for safety-relevant operations. Consequently, safety mechanisms are needed and implemented in order to reach defined functional safety targets. To prove their effectiveness, diagnostic coverage provides a measurable quantity. A straightforward safety mechanism for sensor systems can be established by redundant signal paths measuring the same physical quantity and subsequently performing an independent output difference-check that decides if the data can be transmitted or an error message shall be sent. This paper focuses on the diagnostic coverage figure calculation of such data correlation-checks for linear sensors, which are also shown in ISO 26262 part 5:2011 ANNEX D2.10.2.
Technical Paper

μAFS High Resolution ADB/AFS Solution

2016-04-05
2016-01-1410
A cooperation of several research partners supported by the German Federal Ministry of Research and Education proposes a new active matrix LED light source. A multi-pixel flip-chip LED array is directly mounted to an active driver IC. A total of 1024 pixels can be individually addressed through a serial data bus. Several of these units are integrated in a prototype headlamp to enable advanced light distribution patterns in an evaluation vehicle.
Technical Paper

Hardware and Software Constraints for Automotive Firewall Systems?

2016-04-05
2016-01-0063
Introduction. The introduction of Ethernet and Gigabit Ethernet [2] as the main in-vehicle network infrastructure is the technical foundation for different new functionalities such as piloted driving, minimizing the CO2 footprint and others. The high data rate of such systems also influences the microcontrollers used, due to the fact that a large amount of data has to be transferred, encrypted, etc. [Figure 1: Motivation - Vehicles will become connected to uncontrolled networks] The usage of Ethernet as the in-vehicle network enables the possibility that future road vehicles are going to be connected with other vehicles and information systems to improve system functionality. These previously closed automotive systems will be opened up for external access (see Figure 1). This can be Car2X connectivity or connection to personal devices. Allowing vehicle systems to communicate with other systems that are not within their physical boundaries imposes a previously non-existing security problem.
Technical Paper

Enhanced Injector Dead Time Compensation by Current Feedback

2016-04-05
2016-01-0088
The constant motivation for lower fuel consumption and emission levels has always been in the minds of most auto makers. Therefore, it is important to have precise control of the fuel being delivered into the engine. Gasoline Port fuel injection has been a mature system for many years, and cars sold in emerging markets still favor such a system due to its lower system complexity and cost. This paper will explain the injection control strategy used today during development, and especially the injector dead-time compensation strategy in detail, and how further improvements could still be made. The injector current profile behavior will be discussed, and with the use of minimum hardware electronics, this paper will show the way for a new compensation strategy to be adopted.
Technical Paper

Feasibility Study for a Secure and Seamless Integration of Over the Air Software Update Capability in an Advanced Board Net Architecture

2016-04-05
2016-01-0056
Vehicle manufacturers are challenged by rising costs for vehicle recalls. A major part of the costs is caused by software updates. This paper describes a feasibility study on how to implement software update over the air (SOTA) in light vehicles. The differences and special challenges in the automotive environment in comparison to the cellular industry will be explained. Three key requirements focus on the drivers’ acceptance and thus are crucial for the vehicle manufacturers: (1) SOTA must be protected against malicious attacks. (2) SOTA shall interfere as little as possible with the availability of a vehicle. Long update processes with long vehicle downtimes or even complete fails must be avoided. (3) The functional safety of the vehicle during operation may not be limited in any way. The study gives options for how those objectives can be achieved. It considers the necessary security measures and describes the required adaptations of the board-net architectures on both the software and hardware level.
Technical Paper

Architectural Concepts for Fail-Operational Automotive Systems

2016-04-05
2016-01-0131
The trend towards even more sophisticated driver assistance systems and growing automation of driving sets new requirements for the robustness and availability of the involved automotive systems. In case of an error, today it is still sufficient that safety-related systems just fail safe or silent to prevent safety-related influence on the driving stability, resulting in a functional deactivation. But the reliance on passive mechanical fallbacks, in which the human driver taking over control is inevitable, is expected to become more and more insufficient along with a rising degree of driving automation, as the driver will be given longer reaction time. The advantage of highly or even fully automated driving is that the driver can focus on tasks other than controlling the car and monitoring its behavior and environment.
Technical Paper

Non-Intrusive Tracing at First Instruction

2015-04-14
2015-01-0176
In recent years, we have seen more and more ECUs integrating a huge number of application software components. This process mostly results from the increasing amount of so-called in-house software in various fields like electric-drive, chassis and driver assistance systems. The software development for these systems is partially moved from the supplier to the car manufacturers. Another important trend is the introduction of new network architectures intended to meet the growing communication requirements. For such ECUs the software integration scenarios become more complicated, as more quality of service requirements with regard to timing, safety and security need to be considered [2]. Multi-core microcontrollers offer even more potential variants for integration scenarios. Understanding the interaction between the different software components, not only from a functional, but also from a timing view, is a key success factor for modern electronic systems [6,7,8,9].
Technical Paper

Improved ECU End of Line Testing using Multicore Microcontroller

2015-04-14
2015-01-0186
End of Line tests are a brief set of tests intended to evaluate ECUs in order to ensure correct functioning of their intended functionality. As these tests are executed on the production line, the available time to perform these tests is limited. On one hand, faster production demands require these tests and their framework to be designed in a time-optimized manner. On the other hand, an increase in ECU functionality translates to an increase in the tests' functional coverage, requiring more time. Therefore the time taken to execute the tests reaches a critical point in overall ECU production. Availability of multicore microcontrollers with an increase in clock speed can increase the performance of end of line tests, but design challenges, e.g. synchronization, do not guarantee a linear performance increase. Therefore, the design of the test execution framework is absolutely critical to increase the performance of test execution.
Technical Paper

Implementing Mixed Criticality Software Integration on Multicore - A Cost Model and the Lessons Learned

2015-04-14
2015-01-0266
The German-funded project ARAMiS included work on several demonstrators, one of which was a multicore approach to large scale software integration (LSSI) for the automotive domain. Here BMW and Audi intentionally implemented two different integration platforms to gain both experience and real-life data on a Hypervisor-based concept on one side as well as using only native AUTOSAR-based methods on the other side for later comparison. The idea was to obtain figures on the added overhead both for multicore as well as safety, based on practical work and close-to-production implementations. During implementation and evaluation, on one hand there were a lot of valuable lessons learned about multicore in conjunction with safety. On the other hand, valuable information was gathered to make it finally possible to set up a cost model for estimation of potential overhead generated by different integration approaches for safety-related software functions.
Technical Paper

Analysis of Field-Stressed Power Inverter Modules from Electrified Vehicles

2015-04-14
2015-01-0421
This paper presents a reliability study of a directly cooled IGBT module after a test drive of 85,000 km in a fuel cell electric vehicle, as well as of an indirectly cooled IGBT module after a test drive of 200,000 km in a hybrid car on public roads. At the end of the test drive, the inverter units were disassembled and analyzed with regard to the lifetime consumption. First, electrical measurements were carried out and the results were compared with the ones obtained directly after module production (End of Line test). After that, ultrasonic microscopy was performed in order to investigate any delamination in the solder layers. As a third step, an optical inspection was performed to monitor damages in the housing, formation of cracks or degradation of wire bonds. The results show none of the depicted failure modes could be found on the tested power modules after the field test. Obviously, no significant life time consumption could be observed.
Technical Paper

The Low Level Driver Design to Improve Dwell Timing of Engine Management System

2015-04-14
2015-01-1621
In an Engine Management System, more accurate control is required to improve engine performance. In particular, generating a precise ignition signal has a direct effect on better engine performance. At the beginning of this paper, a basic software structure to synchronize the engine crank signal and generate ignition signals will be explained. Several cases which can generate dwell timing error will be introduced based on this software structure. In addition, the impact level of each error case will be described. For cases of major error, compensation methods will be proposed in order to obtain more accurate dwell timing. The compensation methods by both microcontroller hardware and user software will be explained in detail. In conclusion, this paper will show that the accuracy of an ignition signal which implements the proposed compensation methods can be improved as compared to a conventional ignition signal.
Technical Paper

Automotive ADAS Camera System Configuration Using Multi-Core Microcontroller

2015-03-10
2015-01-0023
It has become an important trend to implement safety-related requirements in road vehicles. Recent studies have shown that accidents which occur when drivers are not focused due to fatigue or distractions can be predicted in advance when using safety features. Advanced Driver Assistance Systems (ADAS) are used to prevent this kind of situation. Currently, many major tiers are using a DSP chip for ADAS applications. This paper suggests the migration from a DSP configuration to a Microcontroller configuration for ADAS applications, for example, using a 32-bit Multi-core Microcontroller. In this paper, the following topics will be discussed. Firstly, this paper proposes and describes the system block diagram for ADAS configuration followed by the requirements of the ADAS system. Secondly, the paper discusses the current solutions using a DSP. Thirdly, the paper presents a system that is migrated to a Multi-core microcontroller.