Automotive Safety and Security Requires Certification Reformation
FEBRUARY 19, 2020 | ZOHAR FOX, CEO, AURORA LABS
Safety, security, and trust are three of the most important factors required to ensure connected and autonomous vehicles are accepted by consumers. For the automotive industry to deliver on these three crucial elements, comprehensive vehicle certification is mandatory for a vehicle to become, and remain, road-worthy throughout its entire lifecycle.
Today, the manner in which automotive manufacturers obtain vehicle certification varies from region-to-region. In North America, automotive manufacturers ‘self-certify’ based on guidelines provided by the National Highway Traffic Safety Administration (NHTSA). In Europe, Asia and other regions, the certification process is the responsibility of independent certification agencies. The certification process in these regions is called type approval or homologation.
Vehicle certification is not new; however, it is becoming more complex as the amount of in-vehicle software increases. The certification guidelines in all regions will need to mirror the changing makeup of the vehicle and recognize that a deep understanding of software behavior is required for comprehensive certification to be achieved for the lifecycle of the car.
Complexity of In-Vehicle Software
Currently, software makes up 10 percent of a vehicle’s bill-of-materials (BOM). This number is expected to grow at 11 percent CAGR and to represent 30 percent of a vehicle’s BOM by 2030. In addition to the growing amount of automotive code, there is also a growing number of dependencies between the electronic control units (ECUs) running this code.
The advanced driver assistance system (ADAS) provides a good backdrop to discuss the complexity of in-vehicle software management. To start, the car manufacturer purchases and installs an ADAS in a line of vehicles. This ADAS is made up of a cluster of several ECUs from various suppliers. For example, the camera, sensors and processors are developed by different Tier 1 suppliers, each with its own ECU, and all of them become part of the ADAS ECU cluster. The ECUs in this cluster are interdependent, so changing a line of code on one ECU can affect code on other ECUs within the cluster.
A code change can originate with the auto manufacturer or with a Tier 1 supplier, so a process is needed to manage and understand the inter-dependencies between the components. The stronger the dependency between two components, the higher the probability that changing the software on one ECU will require a change on the dependent ECUs.
Over-the-Air Updates and UNECE WP.29
Software changes are delivered through an over-the-air (OTA) update, a process that automotive manufacturers not only recognize as important but consider necessary to compete and succeed. Earlier this year, both GM and BMW made headlines discussing plans to embrace OTA updates as a strategic solution to differentiate their offerings and remain competitive with new features and functions. More recently, Ford announced that the new Ford Mustang Mach-E electric SUV will have an over-the-air software update delivery system.
The vehicle certification bodies are now questioning how best to maintain certification for vehicles that are constantly evolving through OTA updates. This topic has been discussed, and global regulations have been recommended by the United Nations Economic Commission for Europe (UNECE), which includes members from Europe, North America and Asia. These recommendations are expected to be ratified and entered into law in 2020.
According to the UNECE WP.29 GRVA position paper, an amendment to the vehicle’s type approval will be needed for every update that changes software functionality, unless the update only fixes bugs or applies a security patch to existing, pre-certified functionality. WP.29 also states that if the new software functionality only affects a limited part of the installed vehicle software, the tests required to receive the amended type approval will be limited accordingly.
This recommended regulation drives the automotive manufacturer to use OTA technology to make sure that the software residing in the vehicle’s core systems, which is not controlled by the consumer, is always safe and secure.
Several factors together make transparency and visibility into automotive software behavior crucial: the growth in the number of lines of code, the fact that every component in the car needs to be certified for safety and security, the inter-dependencies between these components, and the OTA updates needed to keep these components safe, secure and feature-rich for the lifecycle of the car. The ultimate goal of software transparency is to create a safe and secure experience for consumers. This starts with helping the industry – OEMs, Tier 1s and regulators – understand the behavior of the software functions in order to work smarter and more efficiently.
Once the software functions are identified, changes that affect regulated functionality can be distinguished from changes that either do not affect regulated functionality or do not change functionality at all, e.g. a bug fix. This enables the regulators to map tests to specific functions and to run only the tests for the functionality under review, rather than blindly running the full test suite against complete software images. Streamlining the process saves both time and money.
Another aspect of software quality testing and regulatory testing that needs to be taken into consideration is the effect of delta update files on the test procedures. If software images are tested rather than software functions, then every combination of software image and update delta file must be considered, creating a huge overhead of required tests. If, however, the software functions are regulated, monitored and tested, the additional test overhead can be avoided and the regulatory process sped up.
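The two ideas above – that a change on one ECU propagates along inter-dependencies to other ECUs in the cluster, and that tests should be selected per affected function rather than per full image – can be made concrete with a small change-impact analysis. The following is an added example written for this page; it is not Aurora Labs code and not an implementation of any WP.29 procedure. The ADAS cluster, the function names, the ECU names, the test identifiers and the update descriptors are all hypothetical, and the rule that bug fixes and security patches need no amended approval but still get regression tests is an assumption drawn from the article's summary of the position paper.

```python
"""Function-level change impact analysis for an ECU cluster (added example,
hypothetical data; not Aurora Labs code and not a WP.29 procedure)."""

from collections import deque

# Hypothetical ADAS cluster: function name -> (hosting ECU, functions it consumes).
# Dependencies deliberately cross ECU boundaries, as in the article's cluster.
FUNCTIONS = {
    "camera.capture":      ("camera_ecu",  []),
    "camera.lane_detect":  ("camera_ecu",  ["camera.capture"]),
    "radar.range":         ("radar_ecu",   []),
    "fusion.object_track": ("fusion_ecu",  ["camera.lane_detect", "radar.range"]),
    "fusion.logging":      ("fusion_ecu",  ["fusion.object_track"]),
    "control.aeb":         ("control_ecu", ["fusion.object_track"]),
    "control.lka":         ("control_ecu", ["camera.lane_detect"]),
    "hmi.warning_tone":    ("hmi_ecu",     ["control.aeb"]),
}

# Hypothetical type-approval tests and the regulated functions each one covers.
# A function is "regulated" if at least one test covers it.
TESTS = {
    "TA-AEB-01": ["control.aeb"],
    "TA-LKA-01": ["control.lka"],
    "TA-LKA-02": ["control.lka", "camera.lane_detect"],
    "TA-HMI-01": ["hmi.warning_tone"],
}


def _reverse_graph(functions):
    """Invert the dependency edges: function -> set of functions that consume it."""
    rev = {name: set() for name in functions}
    for name, (_ecu, deps) in functions.items():
        for dep in deps:
            rev[dep].add(name)
    return rev


def impacted_functions(changed, functions=FUNCTIONS):
    """Transitive closure over the reverse graph: everything that directly or
    indirectly consumes a changed function is impacted, across ECU boundaries."""
    rev = _reverse_graph(functions)
    seen = set(changed)
    queue = deque(changed)
    while queue:
        current = queue.popleft()
        for dependent in rev[current]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def impacted_ecus(changed, functions=FUNCTIONS):
    """ECUs whose software is touched, directly or through a dependency."""
    return {functions[f][0] for f in impacted_functions(changed, functions)}


def select_tests(changed, functions=FUNCTIONS, tests=TESTS):
    """Only the tests covering an impacted function need to run, instead of the
    full suite against every (image, delta) combination."""
    hit = impacted_functions(changed, functions)
    return sorted(t for t, covered in tests.items() if hit.intersection(covered))


def assess_update(update, functions=FUNCTIONS, tests=TESTS):
    """update = {"kind": "bugfix" | "security" | "feature", "functions": [...]}.
    Assumed rule: bug fixes and security patches to certified functionality need
    no amended approval (regression tests still run); a functional change needs
    an amended approval only if it impacts a regulated function, and the test
    scope is limited to the impacted regulated functions."""
    hit = impacted_functions(update["functions"], functions)
    regulated = sorted(f for f in hit if any(f in c for c in tests.values()))
    needs_amendment = update["kind"] == "feature" and bool(regulated)
    return {
        "amended_approval": needs_amendment,
        "regulated_functions": regulated,
        "tests": select_tests(update["functions"], functions, tests),
    }


if __name__ == "__main__":
    # A Tier 1 ships a radar delta: the change ripples into fusion, AEB and the HMI,
    # but the lane-keeping tests can be skipped.
    radar_fix = {"kind": "security", "functions": ["radar.range"]}
    print(sorted(impacted_ecus(radar_fix["functions"])))
    print(assess_update(radar_fix))
    # A logging-only change has no dependents and touches nothing regulated.
    print(assess_update({"kind": "feature", "functions": ["fusion.logging"]}))
```

Running the module prints the impacted ECUs and the assessment for each constructed update; in practice the dependency graph would be derived from the build and interface descriptions of each ECU rather than hand-written, and the test mapping would come from the type-approval test plan.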
It is important that certification guidelines, on a global basis, including careful study of the recommendations regarding the approval of OTA updates, are taken seriously in order to keep vehicles safe, secure and trustworthy. Technologies and systems are required to simplify continuous software certification, especially because car manufacturers are under great pressure to continuously release new software features and functions to remain competitive.
The certification guidelines in all regions will need to mirror the changing makeup of the vehicle and recognize that a deep understanding of software functionality and behavior is required by the vehicle manufacturers for comprehensive certification to be achieved for the lifecycle of the car.