Can You Trust Your Car?
As cars become computers on wheels, they had better become more reliable than our desktop models
Carmakers are spending more on silicon these days, as electronics and software spread throughout motor vehicles, from underhood control units to driver information systems and rear-seat entertainment modules. It is now estimated that the cost of the electronics in a new car rises by 9-16 percent each year. In the 2001 model year, electronics accounted for 19 percent of a mid-sized vehicle's cost. In the year 2005, it may be 25 percent for mid-sized cars and possibly 50 percent for luxury models.
So in addition to being pervasive, automotive electronics had better be reliable. The failure of a 10-cent part can ruin a US $30 000 car purchase. Failures in braking and steering can cause injury or death. Servicing a system buried deep within a car is costly. And designers of automotive systems must be prepared for users who give the product almost zero maintenance. "It's not like aviation or aerospace, where you have human eyes looking at it after every few hours of operation," said Patrick Lincoln, director of the Computer Science Laboratory at SRI International (Menlo Park, Calif.). Now, in fact, the shoe is on the other foot, with aircraft makers eyeing mass-produced automotive databuses and other advanced technologies for possible avionics use.
Reliability can't be an afterthought, especially in the hostile underhood environment. Its foundations are laid early in the design process, through improved communications between manufacturers and suppliers and the use of formal development tools. And the quest for reliability (and testability) persists throughout the supply chain, from device manufacturers and system integrators to the vehicle makers themselves. Further, many of the innovations that make the vehicle electronics revolution possible are also enhancing repair service once vehicles leave the showroom.
The growing challenge
As electronic systems in cars become more complex, reliability becomes harder to achieve. The more complex a system, the more failure points it offers--and today's separate systems are being networked together in ever more complicated arrangements. With point-to-point wiring giving way to control and power buses, the possibility of massive failures that affect the whole car, not just individual functions, arises. New functions often require new technologies, which in the beginning may be less reliable than more developed ones.
The growing reliance on software raises more issues. As every computer user knows, software is far more likely than hardware to fail, and rebooting is hardly practical in a sharp downhill turn. Then, too, automotive software modules must communicate and coordinate with one another.
For hardware, too, the environment is more demanding. Space constraints place circuits near heat sources. Sensors may be bathed in transmission fluid at peak temperatures nearing 165 degrees centigrade.
"Back in the 1980s, before antilock braking systems, the highest junction temperature we had to rate for was 150 degrees centigrade," said Randy Frank, an automotive marketing manager at International Rectifier (El Segundo, Calif.). But those systems required higher reliability, so makers of power semiconductors began qualifying their products for 175 degrees centigrade to prevent gradual shifts in operating parameters or failure of internal wire bonds, he explained.
Underhood temperatures may rise further, driving semiconductor makers toward devices qualified for 200 degrees centigrade operation. Should even higher temperatures be required, liquid-cooling systems may be added to electronic modules. As a last resort, device makers may shift from silicon semiconductor materials to more costly silicon carbide, because of its stability at higher temperatures.
Nor is that all. More electronics means more risk from externally generated electromagnetic interference (EMI) and from EMI generated by systems in the vehicle that are adjacent or interconnected. The effects can be quite serious: on certain highway overpasses in Europe, the engines of some vehicles have been shut off when their control units encountered high EMI levels from, among other things, high-voltage lines beneath the roadway, reported David Ladd. He is communications manager at Siemens VDO Automotive (Auburn Hills, Mich.), which operates an electromagnetic compliance testing lab. "These problems must be identified and corrected before the vehicle goes into production," he emphasized.
Because of these risks, the auto industry is re-evaluating its requirements and testing for new sources of EMI. Suppliers are increasingly relied upon to develop expertise in managing potential risks during the early stages of engine control unit development, noted Ladd. And the growing use of optical-fiber databuses is eliminating one possible source of EMI problems.
Voltages will rise in the next decade or so, as vehicles move up from 14 V provided by today's 12-V car battery to 42 V from a 36-V battery, or to dual voltage systems. But voltage spikes, surprisingly, may become less troublesome.
Today's worst spikes are load dumps that occur if connection is suddenly lost between the alternator and battery. Rare as they are, the resulting transients must still be guarded against. In 12-V systems "today, with MOSFETs, we may use 55-V devices," said Frank. Tomorrow's 42-V alternators will incorporate transient suppressors, probably avalanche diodes, permitting the use of 75-V or 100-V devices. Fuses and relays may have to be redesigned. Connectors certainly will need redesigning, because disconnecting loads from a running system, which causes only brief sparks at 14 V, can cause sustained arcing at 42 V, and so erode contacts and even start fires.
Cost constraints add to the interest of an engineer's life, too. When you're deploying devices by the millions, saving a few nickels per car can make you a hero--as long as those savings don't up the expense of warranty service.
Longer warranties, owed in part to the increased use of electronics, make reliability still more important. But the electronics also can make repair more difficult, encouraging vehicle owners to have more of their service done by authorized agencies, who will report defects to the carmakers.
Reliability starts with design
Working toward reliability begins early. The specifications sent by carmakers to Tier 1 suppliers for bid now include stringent requirements for the semiconductor makers from which those suppliers buy. In 1996, according to Roger Newkirk, vice president of customer quality for Motorola Semiconductor Products Sector (Austin, Texas), the Big Three carmakers jointly established a requirement called QS-9000, which builds on ISO 9000 and requires that compliance be certified by a third party. Car manufacturers also specify standards that define communications and conformance between systems, said Per Blysa, director of product management for the Tau line of semiconductor development and test tools at Telelogic AB (Malmo, Sweden).
"At the original bidding stage, specs are often quite generic," said Dan Presidio, senior manager of core software and tools at Visteon Corp.'s Technical Center (Allen Park, Mich.). "We base our bids on our experiences. As the program unfolds, things get more specific and we make suggestions to move that along--a collaborative effort. If Visteon has more than one system in the vehicle, we can suggest ways to make them work better together."
"We specify the hardware-software interface and a test plan early on," he added. Parts can be designed to be more testable if designers know how it will be tested, can anticipate environmental changes in vibration, temperature, and so on, and have the software deal with it. That's why traditional software houses sometimes take a long time to get up to speed on automotive projects, he said--they often lack knowledge about operating environments. As a Tier 1 supplier, "Visteon has a relatively robust software development process. We're proud of it," said Presidio, "it made us the first in the industry to get a Level III rating for software capability maturity from the Software Engineering Institute" at Carnegie Mellon University.
In fact, car companies now verify software and hardware models ahead of time and pass them on to the supplier along with an automatically generated spec, according to George LeBlanc, vice president of the systems and microcontroller division at I-Logix Inc. The Andover, Mass., firm designs and implements advanced, high-performance systems and software for real-time embedded applications. The supplier has to add specific information about the target processor and the type of operating system, but the bulk of the logic has already been put into the model by the carmaker, shortening the iterations and producing a more reliable system. One of the things GM passes on to I-Logix is a series of test scenarios that can be used on the final implementation, with the implication that "it ran this way on the model, let's make sure it runs the same way on the final."
Development tools are a must
Sophisticated development tools are a necessity.
One such, called the formal verification tool (FVT), has long served the IC design industry and other users of computer-aided design. Another, called formal methods (FM), is now spreading from the aircraft to the automotive industry. It is more computationally intensive and uses first- and higher-order logic in addition to the propositional (true/false) logic and model checking of FVT.
The use of FM "allows you to automate some of the reasoning," in the words of SRI's Lincoln. It should be regarded as symbolic simulation. It can prove that, for all inputs, a circuit's outputs will be within specification, whereas ordinary simulation will check for a multitude of specific cases, "but you never know if you've done all the what-ifs you need to." It is very possible to miss cases where one of two inputs turns negative or where both inputs are equal. FM is more complete, and eliminates some areas of concern. It can be applied to manufacturing methods as well as to design.
Systems such as FM and FVT have several advantages over simulations, according to I-Logix' LeBlanc. "Instead of exhaustively simulating what they've already done, designers can now mathematically prove that the properties of a model hold." Thus, a requirement that the system go into a low-power or cooling mode whenever the temperature exceeds a certain level can be forced in all cases.
Uncovering the cases where this will not happen is the hard part. Imagine a car that's supposed to unlock all the doors when it crashes; and imagine there's a shutoff that locks the doors if they get toggled repeatedly (something kids might do) and keeps them locked to save the motors. "Testing, you'd have to be lucky to think of that specific scenario," said LeBlanc, but "with model checking, you say 'no matter what, if it crashes, doors should unlock'--and the check discloses a case when they won't."
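The door-lock scenario, worked as an added example (not code from the article or from I-Logix): a toy state model of the lock switch, its motor-saving lockout, and the crash handler is explored exhaustively, in the spirit of model checking, and the exploration returns the event sequence under which the doors stay locked after a crash. The lockout threshold and the event names are constructed for the illustration.

```python
"""Explicit-state check of the crash-unlock scenario: a constructed toy model.
Events are 'toggle' (lock switch pressed) and 'crash'; the property under
check is the invariant "crashed implies doors unlocked"."""
from collections import deque
from typing import Dict, List, Optional, Tuple

State = Tuple[bool, int, bool, bool]   # (locked, toggle_count, lockout, crashed)
LOCKOUT_AFTER = 3   # constructed threshold: this many toggles trip the motor-saving lockout
INIT: State = (False, 0, False, False)

def step(s: State, event: str, crash_overrides_lockout: bool) -> State:
    locked, toggles, lockout, crashed = s
    if event == "toggle":
        if lockout:                          # switch is ignored while the motors are protected
            return s
        toggles, locked = toggles + 1, not locked
        if toggles >= LOCKOUT_AFTER:         # repeated toggling: lock the doors, disable motors
            locked, lockout = True, True
        return (locked, toggles, lockout, crashed)
    if event == "crash":
        # The crash handler requests unlock. In the naive design that request passes
        # through the same motor lockout; in the fixed design the crash overrides it.
        if not lockout or crash_overrides_lockout:
            locked = False
        return (locked, toggles, lockout, True)
    raise ValueError(event)

def violates(s: State) -> bool:
    locked, _, _, crashed = s
    return crashed and locked

def check(crash_overrides_lockout: bool) -> Optional[List[str]]:
    """Breadth-first exploration of every reachable state (a crash ends the run).
    Returns the shortest event sequence that violates the property, or None."""
    parent: Dict[State, Tuple[Optional[State], str]] = {INIT: (None, "")}
    queue = deque([INIT])
    while queue:
        s = queue.popleft()
        if violates(s):
            trace: List[str] = []
            while parent[s][0] is not None:  # walk back to the initial state
                s, ev = parent[s]
                trace.append(ev)
            return trace[::-1]
        if s[3]:                             # crashed: no further events modelled
            continue
        for ev in ("toggle", "crash"):
            n = step(s, ev, crash_overrides_lockout)
            if n not in parent:
                parent[n] = (s, ev)
                queue.append(n)
    return None

if __name__ == "__main__":
    print("naive design counterexample:", check(False))  # ['toggle', 'toggle', 'toggle', 'crash']
    print("crash overrides lockout:    ", check(True))   # None
```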
Another development tool applicable to hardware and software is requirements management. Bill Ables, a sales representative at Telelogic North America Inc. (Reston, Va.), defines his company's dynamic object-oriented requirement system as a central repository that helps identify, capture, and manage requirements throughout the product's life cycle, the goal being to understand what the customer wants and then ensure that the particular product or system meets those requirements.
His company favors tools that have been well established in other industries, said Brian Murray, manager of safety systems engineering at Delphi Saginaw Steering Systems (Brighton, Mich.). They include failure modes and effects analysis (FMEA), reliability growth modeling, and fault tree analysis. FMEA is a structured process for identifying how failures can occur and either correcting the causes or minimizing the effects early in design and development stages. Reliability growth modeling accelerates system operation to see how soon failures appear, and then models that mathematically. Fault tree analysis, done for both reliability and safety, starts with what is undesirable, follows the tree back to see possible causes for those undesired effects--and is followed by design changes.
Consortia promote, develop standards
Standards have always been a means of increasing reliability while decreasing cost and shortening time to market, and the auto industry is establishing new, mainly de facto ones, "even though that goes against their history," said Robert LeFort, vice president, automotive and industrial group, of Infineon Technologies North America Corp. (Northville, Mich.). The company makes power drivers for electrically actuated motors in cars.
Two or three consortia now exist on interface matters alone. There's one for the controller area network (CAN), an in-car network well accepted in Europe and increasingly accepted by U.S. carmakers. But the bus is nondeterministic in that its latency is not guaranteed. So automakers are going to time-triggered protocol (TTP) or FlexRay. In fact, both are time-triggered architectures, in which actions are carried out on a prioritized basis at well-defined times, so actuators, motors, and all other network nodes have a common time reference based on their synchronized clocks. [See "By-Wire Cars Turn the Corner," IEEE Spectrum, April 2001, pp. 68-73.]
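To make the latency point concrete, here is an added simulation (not from the article or any consortium's specification) of a CAN-style priority bus beside a time-triggered slot schedule. Frame ids, periods and offsets are constructed values; each frame occupies one bus time unit, and lower id wins arbitration as on CAN. Adding one mid-priority node doubles the worst-case latency of the lowest-priority frame on the priority bus, while the time-triggered schedule bounds every frame's latency by the cycle length regardless of the other nodes' traffic.

```python
"""Constructed bus-timing simulation: CAN priority arbitration versus a
time-triggered (TDMA-style) schedule. Frames are (id, period, offset) with
constructed values; every frame takes one bus time unit."""
from typing import Dict, List, Tuple

Frame = Tuple[int, int, int]  # (id, period, offset)

def releases(frames: List[Frame], t: int) -> List[int]:
    """Ids of frames that become ready for transmission at time t."""
    return [fid for fid, period, offset in frames
            if t >= offset and (t - offset) % period == 0]

def can_worst_latency(frames: List[Frame], horizon: int) -> Dict[int, int]:
    """Non-preemptive priority bus: each time unit the lowest pending id is sent.
    Latency = completion time - release time; returns the worst seen per id."""
    pending: List[Tuple[int, int]] = []   # (id, release time)
    worst = {fid: 0 for fid, _, _ in frames}
    for t in range(horizon):
        pending += [(fid, t) for fid in releases(frames, t)]
        if pending:
            pending.sort()                # arbitration: lowest id first
            fid, rel = pending.pop(0)
            worst[fid] = max(worst[fid], t + 1 - rel)
    return worst

def ttp_worst_latency(frames: List[Frame], slots: List[int], horizon: int) -> Dict[int, int]:
    """Time-triggered bus: id slots[k] may transmit only at times t with
    t % len(slots) == k. Assumes every period >= cycle length, so each frame
    is sent before its successor is released."""
    cycle = len(slots)
    worst = {fid: 0 for fid, _, _ in frames}
    for t in range(horizon):
        for fid in releases(frames, t):
            k = slots.index(fid)
            start = t + (k - t) % cycle   # this node's next slot at or after t
            worst[fid] = max(worst[fid], start + 1 - t)
    return worst

# Constructed scenario: three high-priority frames at 75% load, one low-priority
# frame (id 9), then a fourth node (id 5) added with an offset release.
BASE: List[Frame] = [(1, 4, 0), (2, 4, 0), (3, 4, 0), (9, 12, 0)]
WITH_EXTRA_NODE: List[Frame] = BASE + [(5, 8, 2)]

if __name__ == "__main__":
    print("CAN, base load:      ", can_worst_latency(BASE, 48))              # id 9 -> 4
    print("CAN, one node added: ", can_worst_latency(WITH_EXTRA_NODE, 48))   # id 9 -> 8
    print("TTP, one node added: ", ttp_worst_latency(WITH_EXTRA_NODE, [1, 2, 3, 5, 9], 48))
```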
Other consortia have produced such bus designs, protocols, and software environments as OSEK (a German acronym for real-time executive for engine control unit software), Media-Oriented Systems Transport (MOST), and K-Line (ISO 14230).
The specifications issued by the consortia are followed by many car companies, though some add proprietary elements. A single car may use many specifications concurrently. The new BMW 745i, for example, uses the MOST bus for infotainment gear [see sidebar, "Infotainment You Can Rely On"]; a variety of high-speed, low-speed, and fault-tolerant CAN buses for various control applications; and BMW's own ByteFlight high-speed bus (which is evolving into FlexRay) to control airbags and other systems for ensuring the safety of a car's occupants.
Another consortium, the United States Council for Automotive Research (Southfield, Mich.), is helping manufacturers standardize such parts as connectors, control-panel light bulbs, and cigarette-lighter sockets, now mainly used as power outlets. And work is going on toward standardized implementation in electronic braking [see http://www.uscar.org]. Further, said Thilo Koslowski, lead automotive analyst for research firm GartnerG2 (San Jose, Calif.), following standards reduces a manufacturer's risk of liability should problems arise.
Adding virtues to device design
Device-level reliability is, of course, fundamental. In today's semiconductor factories, automotive ICs are probably the most reliable parts made, according to Motorola's Newkirk. In power devices, as Infineon's LeFort has noted, this often amounts simply to "putting in a bit of extra capacity beyond worst-case--maybe oversizing the case a hair, [to] run a little cooler."
In microcontrollers and other intelligent chips, some redundancy is often built in. Said LeFort, "You may have multiple cores on one chip--perhaps identical, perhaps not--running the same software and processing the same information, with error-checking and handshaking." Applications engineers would like the silicon cores to be the same, but, to save costs, a 32-bit microprocessor could run the box while an 8-bit one checked the safety-critical details. Car companies have a voice in selecting controller cores, so that they may apply their own development toolsets, he explained.
Most customers write the software themselves, he said, but if it doesn't work or if they want fresh eyes to check the 1s and 0s, Infineon gets involved. Most carmakers share algorithms with their suppliers, telling them, "We want the engine to work like this" and passing along part of the coding. But the production software is virtually all done by the Tier 1 supplier, with semiconductor makers like Infineon doing some macros, which are small pieces of control mechanism.
"The trend is to devote more time in the development cycle to planning and simulation," LeFort said. The early evaluation of system behavior helps in working out major issues before they are encountered in the actual platform.
Not that there are not numerous tests at all levels. For instance, four-season testing puts components through simulations of two winters and two summers (the extreme seasons), using Michigan and Death Valley weather data. Next comes design validation at the chip and module level, including building sample parts. Then, said LeFort, it's time for process validation--checking it out on production tooling, putting the now certified parts in for accelerated stress tests, 1000-hour tests, and the like. All changes must be fully validated as well.
After leaping all the hurdles of design and manufacturing, electronics undoubtedly enhances vehicle reliability, and not just by outlasting mechanical or hydraulic equivalents. The electronic components in today's vehicles, and the buses that link them, make service diagnostics easier, at least at the small but growing number of service shops equipped to read their secrets. "When we build diagnostics into our components," said International Rectifier's Frank, "we can enhance fault-finding right down to the service-station level." That's especially the case if flash memory or some other form of storage is included to record intermittent events. "You want to minimize the mechanic's time rather than have him charge you for not finding the problem," he pointed out.
A new development, remote diagnostics, should make a significant contribution. Today, drivers of more than 30 GM and Acura models with the OnStar telematics system can ask a remote operator to read the car's onboard diagnostics system whenever the check-engine light comes on or the engine knocks. Soon, some Peugeot car problems will be logged and transmitted to authorized service agencies, which will be made aware of the problem, and even order parts, if need be, before the driver brings the car in for service. Similar services are expected to soon be available on luxury cars sold in the United States.
Carmakers may also pick up this on-road data to add to the reliability of future production units. They need not even equip all of their cars to reap this benefit--a statistically valid sample will do, as Umar Riaz, a partner in the New York City office of Accenture, observed (this management and technology services organization recently teamed with Microsoft Corp. to serve the automotive market). "And monitoring even those few vehicles can alert a manufacturer to warranty problems much earlier," he said, "which is far less costly than detecting problems only after a lot of cars have been shipped." But if manufacturers collect this data, warned GartnerG2's Koslowski, they'd better use it, if they want to avoid liability for any serious faults that go unfixed after they're known.
—Elizabeth A. Bretz, Editor
To Probe Further
The spread of electronics in cars is due in part to services like telematics and navigation. See the companion piece to this article, "Infotainment You Can Rely On."
An approach to achieving reliable software by considering performance during the entire software development cycle is presented by Evgeni Dimitrov and others in "UML-Based Performance Engineering Possibilities and Techniques," in IEEE Software, January/February 2002, pp. 74-83.
For more on the Motor Industry Software Reliability Association, visit http://www.misra.org.uk.