OEM guide to ADAS development Page 9
Optimizing in-vehicle data networks Page 16
The data-driven road to automated driving Page 36
AUGUST 2020
AUTONOMOUS
& CONNECTED VEHICLES
200709_AutoSick1_DW_US.indd 1
7/8/20 10:04 AM
™
h I g h
P E R f O R m a N C E
Color Keyed Automotive Blade Fuse Holders
• Available in colors to match fuse amperage colors for simplified fuse location • Available for Mini, Low Profile Mini and Standard automotive blade fuses • UL Recognized • Fully insulated contacts • Available in Thru Hole Mount (THM) rated for 30 Amps and Surface Mount (SMT) rated for 20 Amps • Available in Bulk or on Tape and Reel It’s what’s on the InsIde that counts ® E L E C T R O N I C S
C O R P.
View our Dynamic Catalog M70 at www.keyelco.com (516) 328-7500
(800) 221-5510
Request a copy of our Product Design Guide M70
EE-DWTHiNK Touch+CCFH_8-20.indd 1
7/2/20 4:07 PM
AUTONOMOUS & CONNECTED VEHICLES
Latest connected car feature: Germicidal lights A year ago, had you brought up the idea of adding germicidal lights to a connected car, you probably would have gotten back facial expressions suggesting you’d lost your mind. Today, the same idea would be more likely to engender a lot of head nodding. Who knew a year ago that disinfection would be a topic in the auto industry just as hot as self-driving vehicles? COVID-19 has sparked a lot of interest in using ultraviolet lighting to disinfect surfaces and to cleanse the air of microbes. The spotlight is on UV-C radiation, with a wavelength of between 200 and 280 nm. At a wavelength of 253.7 nm, UV breaks down the DNA of micro-organisms (RNA in the case of COVID-19) and renders them harmless. UV-C has long been used in medical settings. Now we are beginning to see it in trains, planes, and automobiles. One example is the Honeywell UV Cabin System for airliners. Roughly the size of an aircraft beverage cart, it has UV-C-equipped arms that extend over the top of seats and sweep the cabin. There are also UV-C lights marketed to sanitize ambulance interiors. It looks as though ordinary passenger vehicles will have UV-C sanitizing options. One being discussed by automotive developers is a cell phone charger in the car console that also disinfects charging phones. A similar idea turns the console compartment now used for storing items such as sunglasses and chewing gum into a chamber illuminated by UV-C. But you probably won’t be seeing UV-C dome lights or similar applications that bathe entire passenger compartments in germicidal light. One problem is that UV-C tends to cause skin cancer if you’re exposed to it and cataracts if you look at it. The light also tends to age the plastic surfaces common to automotive interiors. So it’s vehicular uses will probably be limited to confined areas bounded by surfaces that UV-C won’t degrade. However, there’s one notable area where UV-C might bring benefits: disinfecting passenger compartment air. Evidence indicates that the coronavirus responsible for the COVID-19 pandemic can be transmitted via aerosols—droplets less than 5 μm in diameter. Aerosol particles are much smaller than those spewed by coughing and sneezing. And aerosols travel a lot farther.
2
DESIGN WORLD — EE NETWORK
8 • 2020
Research suggests that large droplets quickly fall out of the air within about two meters. In contrast, researchers have calculated that one minute of loud speaking generates upwards of 1,000 COVID-19 aerosols that remain airborne for at least eight minutes. Though the idea sounds encouraging, there are problems with using UV-C for cleansing air in passenger compartments. For one thing, its harmful effects on humans and plastic surfaces necessitates its placement in air ducts. But tests by the Illumination Engineering Society reveal that for effective disinfection, the duct must move a lot of air, and the UV-C must be relatively intense. It’s not clear that existing vehicle air systems have the necessary output. And the only UV-C sources with enough intensity to do the job are the traditional mercury lamps which have lifetimes shorter than what’s optimal for the auto industry. (UV-C LEDs have recently become practical, but they typically put out too few lumens to disinfect air.) If UV-C air systems become automotive technology, they’ll likely debut in mass-transit settings. But it’s possible the first “autonomous” moniker for production vehicles may end up referring to autonomous disinfection.
LELAND TESCHLER EXECUTIVE EDITOR
SEARCH MILLIONS OF PARTS FROM THOUSANDS OF SUPPLIERS
ďƒ¨
PRICING & AVAILABILITY
DATA SHEETS & SPECS
SOURCE & PURCHASE
Get real-time pricing and stock info from authorized distributors and manufacturers.
View and download product data sheets and technical specifications.
Compare options from suppliers and buy direct from distributors and manufacturers.
ABOUT DESIGNFAST
DesignFast is a search engine for finding engineering components and products. With DesignFast, engineers and sourcing professionals can quickly search for products, compare prices, check stock, view data sheets and go direct to the supplier for purchase.
HOW DOES IT WORK?
DesignFast aggregates product data from thousands of suppliers and distributors and makes it available for searching. DesignFast provides pricing, availability and product data sheets for free download.
designfast.com
DESIGN WORLD FOLLOW THE WHOLE TE AM ON T WIT TER @DE SIG NWORLD CREATIVE SERVICES & PRINT PRODUCTION
EDITORIAL VP, Editorial Director Paul J. Heney pheney@wtwhmedia.com @wtwh_paulheney
VP, Creative Services Mark Rook mrook@wtwhmedia.com @wtwh_graphics
Senior Contributing Editor Leslie Langnau llangnau@wtwhmedia.com @dw_3Dprinting
Art Director Matthew Claney mclaney@wtwhmedia.com @wtwh_designer
Executive Editor Leland Teschler lteschler@wtwhmedia.com @dw_LeeTeschler
Graphic Designer Allison Washko awashko@wtwhmedia.com @wtwh_allison
Executive Editor Lisa Eitel leitel@wtwhmedia.com @dw_LisaEitel
Graphic Designer Mariel Evans mevans@wtwhmedia.com @wtwh_mariel
Senior Editor Miles Budimir mbudimir@wtwhmedia.com @dw_Motion
Director, Audience Development Bruce Sprague bsprague@wtwhmedia.com
Senior Editor Mary Gannon mgannon@wtwhmedia.com @dw_MaryGannon
VIDEOGRAPHY SERVICES Video Manager Bradley Voyten bvoyten@wtwhmedia.com @bv10wtwh
Associate Editor Mike Santora msantora@wtwhmedia.com @dw_MikeSantora
Videographer Derek Little dlittle@wtwhmedia.com @wtwh_derek
IN-PERSON EVENTS Events Manager Jen Osborne jkolasky@wtwhmedia.com @wtwh_Jen
ONLINE DEVELOPMENT & PRODUCTION
MARKETING VP, Digital Marketing Virginia Goulding vgoulding@wtwhmedia.com @wtwh_virginia
Web Development Manager B. David Miyares dmiyares@wtwhmedia.com @wtwh_WebDave
Digital Marketing Specialist Sean Kwiatkowski skwiatkowski@wtwhmedia.com
Senior Digital Media Manager Patrick Curran pcurran@wtwhmedia.com @wtwhseopatrick
Digital Production/ Marketing Designer Samantha King sking@wtwhmedia.com
Front End Developer Melissa Annand mannand@wtwhmedia.com
Senior Manager Webinars/ Virtual Events Lisa Rosen lrosen@wtwhmedia.com
Software Engineer David Bozentka dbozentka@wtwhmedia.com
Webinar Coordinator Halle Kirsh hkirsh@wtwhmedia.com
Digital Production Manager Reggie Hall rhall@wtwhmedia.com
Webinar Coordinator Kim Dorsey kdorsey@wtwhmedia.com
Digital Production Specialist Elise Ondak eondak@wtwhmedia.com
PRODUCTION SERVICES
VP, Strategic Initiatives Jay Hopper jhopper@wtwhmedia.com
Customer Service Manager Stephanie Hulett shulett@wtwhmedia.com
FINANCE
Customer Service Representative Tracy Powers tpowers@wtwhmedia.com
Controller Brian Korsberg bkorsberg@wtwhmedia.com
Customer Service Representative JoAnn Martin jmartin@wtwhmedia.com
Accounts Receivable Specialist Jamila Milton jmilton@wtwhmedia.com
Event Marketing Specialist Olivia Zemanek ozemanek@wtwhmedia.com 2011- 2019
WTWH Media, LLC 1111 Superior Ave., Suite 2600 Cleveland, OH 44114 Ph: 888.543.2447 FAX: 888.543.2447
2014 Winner
2014 - 2016
DESIGN WORLD does not pass judgment on subjects of controversy nor enter into dispute with or between any individuals or organizations. DESIGN WORLD is also an independent forum for the expression of opinions relevant to industry issues. Letters to the editor and by-lined articles express the views of the author and not necessarily of the publisher or the publication. Every effort is made to provide accurate information; however, publisher assumes no responsibility for accuracy of submitted advertising and editorial information. Non-commissioned articles and news releases cannot be acknowledged. Unsolicited materials cannot be returned nor will this organization assume responsibility for their care. DESIGN WORLD does not endorse any products, programs or services of advertisers or editorial contributors. Copyright© 2020 by WTWH Media, LLC. No part of this publication may be reproduced in any form or by any means, electronic or mechanical, or by recording, or by any information storage or retrieval system, without written permission from the publisher. Subscription Rates: Free and controlled circulation to qualified subscribers. Non-qualified persons may subscribe at the following rates: U.S. and possessions: 1 year: $125; 2 years: $200; 3 years: $275; Canadian and foreign, 1 year: $195; only US funds are accepted. Single copies $15 each. Subscriptions are prepaid, and check or money orders only. Subscriber Services: To order a subscription or change your address, please email: designworld@omeda.com, or visit our web site at www.designworldonline.com POSTMASTER: Send address changes to: Design World, 1111 Superior Ave., Suite 2600, Cleveland, OH 44114
4
DESIGN WORLD — EE NETWORK
8 • 2020
eeworldonline.com
|
designworldonline.com
CONTENTS AUTONOMOUS & CONNECTED VEHICLES HANDBOOK | AUGUST 2020
2 6 9
Latest connected car feature: Germicidal lights
Cybersecurity testing in 5G automotive designs
36
The data-driven road to automated driving
40
Enabling safety and cyber security for the connected car
44
CAN for better autonomous vehicles
Open standards for driverless cars Why unsafe autonomous vehicle systems are passing undetected during development.
OEM guide to ADAS development As automotive electronics becomes more complex, the quest is on for economical ways to cover the widest possible range of requirements.
12
The sense-think-act model of autonomous vehicles
16
Optimizing in-vehicle data networks
Electronics and software tend to be more important than the mechanics of autonomous vehicles. This shift has serious implications for how vehicles are designed.
Physical channels have limits that affect the practicalities of automotive network architecture and communication protocols. Here’s the lowdown on current work aimed at breaking bandwidth bottlenecks.
20
Protecting autonomous vehicle control circuits
26
How road-to-rig testing speeds vehicle development efforts
30
33
Special instrumentation can help bullet-proof the communication equipment powering next-generation vehicles.
Data replay and enrichment tools help analyze driving scenarios and verify simulations based on real-world events.
Even the best coding practices are likely to result in vehicles infected with 10,000 software bugs. Simulated attacks can sniff out vulnerabilities before the car hits the road.
Handing data-intensive lidar and radar processing at the sensor itself can let CAN connections make autonomous vehicle networking more economical.
30
The subsystems that make up an autonomous vehicle should be bullet-proof when it comes to electrical interference and transients.
Road-to-rig testing brings real-world emissions testing into a precision lab setting and is generally regarded as the future of vehicle development.
26
More accurate positioning for autonomous vehicles Next-generation inertial measurements will figure the where-abouts of AVs with centimeter-level precision.
eeworldonline.com | designworldonline.com
6
36 8 • 2020
DESIGN WORLD — EE NETWORK
5
AUTONOMOUS & CONNECTED VEHICLES
Open standards for driverless cars Why unsafe autonomous vehicle systems are passing undetected during development. DR. LUCA CASTIGNANI MSC SOFTWARE
In February, McAfee exposed the alarming gap between the road test and real-world performance of autonomous vehicle sensors. In a demonstration, McAfee was able to fool a Tesla car into accelerating to 85 mph in a 35 mph zone using a piece of duct tape. Such a fault could affect the 40 million vehicles using similar image-recognition systems. More troubling, it is also likely that many other latent defects afflicting autonomous vehicle systems lie waiting to be exposed. So why do such serious safety defects continue to go undetected during design, engineering and pre-production? The answer is complex but lies partly in the litany of real-world events which simply cannot be covered with real-world road testing. Incidents such as a speed sign being altered with duct tape form what autonomous carmakers call “edge cases,” rare scenarios
Virtual worlds were once equated with computer simulations involving avatars and multiplayer video games. Now, the term is more likely to be associated with tools that create problems for autonomous vehicles to solve. This view is from VTD, for virtual test drive. It is used for the development of ADAS and automated driving systems as well as the core for training simulators. It can generate 3D content, simulate complex traffic scenarios, and simulate sensors. It is used in SiL, DiL, ViL and HiL applications and may also be operated as a co-simulation with third-party packages.
6
DESIGN WORLD — EE NETWORK
8 • 2020
eeworldonline.com
|
designworldonline.com
OPEN STANDARDS
The Road Network Editor (ROD) lets developers design roads having an unlimited number of lanes, complex intersections, comprehensive signs and signalling. Virtual worlds can be designed from scratch or compiled from existing database tiles. Various import and export formats as well as large libraries of 3D models and country specific signs/signals accelerate the creation process. All logic data is exported compliant to the OpenDRIVE format.
that autonomous vehicles are unlikely to encounter in road testing but that may nonetheless happen in reality. Autonomous systems may not understand situations outside the context of their training data, so edge cases that humans can readily handle may fool an autonomous driving system. For example, if you train a system on road signs in Europe and export the vehicle to the U.S., you must be sure it can understand the different national traffic laws. An autonomous driving system trained to recognise a road sign in English would need to be trained so it could recognise the Japanese equivalent. Not so hard perhaps – but what happens when the same traffic light signals are interpreted differently in another country? In the U.S., you can make a right turn when the lights are red, but in Italy drivers would expect an additional light to filter traffic turning right. To ensure vehicles can respond to all known circumstances, regional differences must be accounted for. If handled through road testing, regional differences would require carefully planned test campaigns in every export country, quickly rendering the approach unfeasible. There will always be scenarios such as road markings that reflect in a tunnel or a traffic light failure that vehicles never see during road tests but which could
eeworldonline.com
|
designworldonline.com
leave an autonomous system blind-sided in the real world. Nevertheless, road tests can help find outlier scenarios. What could be more realistic than driving through a tunnel in the rain to see how the automated diving system copes? The problem – ironically – is that it’s impossible to then replicate those same conditions (weather, traffic, etc.) a week later to test if the updated system gives the desired response. No two real-world road conditions or hazards are ever precisely the same. But virtual testing makes it possible to replicate the exact same scenarios to validate the system’s safe response. The VIRES VTD software, for example, is used to test Advanced Driver Assistance Systems (ADAS) and autonomous driving systems by simulating scenarios so manufacturers and technology companies can test vehicles and their component systems. To test autonomous vehicles, companies use the software to replicate known situations by importing 3D scans of road tests. But developers can also test for edge cases that they have devised – from a moose running into the road during a snowstorm to a tram crossing traffic in a busy city. Simulation also helps companies determine how V2I infrastructure and V2V network systems should be designed. Such infrastructure holds great promise
8 • 2020
for autonomous vehicle safety because communication between vehicles with sensors effectively gives vehicle computers more inputs, providing more data for selfdriving cars to make decisions. Again, this additional input brings new complexities that the AI must be taught to interpret. Training is where driverless vehicle testing quickly diverges from conventional engineering. Vehicle dynamics engineers can simulate the response of a vehicle under prescribed conditions to find out if suspension modifications improve the handling – it’s cause and effect. However, to test how an AI algorithm responds we must create a diverse virtual world that exposes it to as many scenarios as possible – from its perception in all weather to traffic scenarios to connected vehicle errors. Running thousands of simulations simultaneously in the cloud makes it possible to examine car behavior over millions of miles a day to identify unique scenarios that can teach the autonomous driving system something new and prove it functions as intended under all conditions. Yet, feeding vehicles diverse datasets requires simulation software that’s interoperable so time is spent in high-value tasks such as designing and testing new scenarios rather then in converting data. Pioneering carmakers are now adopting open standards such as ASAM OpenDRIVE,
DESIGN WORLD — EE NETWORK
7
AUTONOMOUS & CONNECTED VEHICLES
Users of VTD may customize the software on various levels. Customization tools include SDKs, templates for sensor simulation (object-list based and physics based), dynamics simulation and image generation. VTD incorporates open interfaces for run-time data and simulation control making it modular and scalable.
OpenCRG, and OpenScenario that enable software, ADAS and mechanical engineering functions to collaborate. Initiatives like these are reducing barriers to development and test throughout the supply chain. Open standards should be extended to road surveys and maps so data producers, industry stakeholders and developers can easily share them to accelerate the development of technology and regulation. Open standards would make it easier to access public surveys or license commercial data, accessing large base datasets and more diverse data representing global roads and environmental conditions. While test results may be tightly guarded IP, we can likely expect to see more OEMs cooperating to capture road data and avoid reinventing the wheel. Such cooperation will let OEMs focus their resources on researching and designing effective tests strategies to improve the safety and comfort of their products. Bringing safe autonomous vehicles to market is a big technology challenge, and we are giving ourselves years – not decades – to achieve it. Open standards offer autonomous vehicle developers in Silicon Valley and Stuttgart alike the opportunity to accelerate R&D with more data and a greater diversity of scenarios than they can hope to get in isolation. Open standards are
8
DESIGN WORLD — EE NETWORK
already facilitating efficient testing of systems and hardware throughout the supply chain. Perhaps most importantly, open standards provide a much-needed common language for highway agencies producing data, certification agencies and insurance providers progress in tandem with industry to put autonomous vehicles on our roads.
REFERENCES MSC Software, www.mscsoftware.com
8 • 2020
eeworldonline.com
|
designworldonline.com
ADAS DEVELOPMENT
OEM guide to ADAS development As automotive electronics becomes more complex, the quest is on for economical ways to cover the widest possible range of requirements. ERIC PINTON | RENESAS ELECTRONICS
In recent years, few topics have stoked the automotive industry’s collective enthusiasm like autonomous vehicles. Pushed by widely publicized breakthroughs in connected vehicle development, deep learning software, and data-driven analytics by new players such as Google, Tesla, and Uber, auto manufacturers and OEMs have raced to deliver fully autonomous vehicles. Reality, however, has differed from these ambitions. Many projects have been beset by major delays and foundational challenges. The challenges include the complex architecture demanded by the massive number of heterogeneous sensors in a fully distributed system; the validation of nearly
infinite driving use cases; and hardware and software providers having dramatically different business models. Though autonomous vehicles make business sense to mobility service providers, there are few concrete business cases to justify the investment so far. Additionally, factors such as vehicle electrification and NCAP (New Car Assessment Program, which evaluates new automobile designs for performance against various safety threats) have squelched the hype around autonomous vehicles. Thus OEMs are looking for a more realistic foundation for building sustainable businesses. Safety, driven by the next version of NCAP requirements and legislation, remains the primary market driver for ADAS. There are five autonomous functions covered by the NCAP 2020 Assessment – automatic emergency braking, traffic sign recognition, lane-keep assist, vehicle detection, and pedestrian detection. These have became
mainstream for vehicles in 2019/2020. The NCAP assessment is still evolving. Over time, the number of functions it covers has increased. For example, an earlier version of NCAP focused only on front driving. But NCAP 2025 requires 360° surround view, far-distance view, steering, and interior monitoring. Moreover, legislation worldwide is encouraging the use of the cameras for safety purposes. U.S. cars now must have backup cameras. Automatic emergency braking will be mandated in Europe by February 2022, and China has issued new safety legislation for commercial vehicles. Besides safety, the convenience enabled by certain ADAS (Advanced Driver Assistance Systems) functions--such as automatic parking and adaptive cruise control with steer assist-are likely to boost demand for advanced
Features for different automation levels as depicted by Renesas.
From ADAS towards AD
eeworldonline.com
|
designworldonline.com
8 • 2020
DESIGN WORLD — EE NETWORK
9
AUTONOMOUS & CONNECTED VEHICLES
End-to-end platform for ADAS and automated driving
An end-to-end platform for ADAS and Automated driving as depicted by Renesas. functions as they become more affordable. For OEMs, this means the most financially viable path to autonomous vehicle development is in adapting their vehicles to the latest NCAP legislation requirements while developing ADAS functions as convenience functions.
A MATTER OF SCALE As ADAS becomes more complex, OEMs look for economical ways to cover the widest
possible range of requirements. The biggest challenge is in scaling entry level platforms-which cover the minimum ADAS requirements for an NCAP three-star rating--to premium autonomous levels. It’s essential that costs be controlled along the way and every effort be made to reuse elements across the full range of systems. The trend of integrating several functions into a centralized ECU looks quite appealing when designing for scalability. However, this approach leads to technical challenges for functional safety requirements, power consumption, and revising business models. For example, many OEMs have
Open platform model
found that the conventional approach of relying on single-sourced hardware or software no longer works for them. So they develop their own hardware or software in house or divide the work between multiple third parties. For hardware manufacturers, the challenge
An open platform model depicted by Renesas gives engineers the choice to develop in-house or with world-leading partners. The R-Car Consortium brings together system integrators, middleware/ application developers, and operating system and tools vendors who are developing solutions for the connected car and ADAS market.
Developers choose complete solution or build their own.
10
DESIGN WORLD — EE NETWORK
8 • 2020
eeworldonline.com
|
designworldonline.com
ADAS DEVELOPMENT
Heterogeneous cores: performance versus flexibility Same die, same power consumption @ 16 nm
Heterogeneous core performance versus flexibility as depicted by Renesas.
is finding a semiconductor vendor able to offer an open platform that can scale devices from entry level to high level while maintaining compatibility for upgrades. And OEMs must master new development methodologies and frameworks if they are to develop their own software or integrate with others. Artificial intelligence (AI) is another challenge, relying on a completely a new class of algorithms still researched a few years ago. Semiconductor suppliers must adapt their offerings for this new paradigm. Their first challenge is in accommodating functions ranging from entry level to high level while ensuring software will be reusable. Most semiconductor suppliers focus on entry- to mid-level systems where the key competencies are cost, low power consumption, handling critical real-time tasks, and functional safety. These systems represent the high-volume zone for automotive applications. Semiconductor suppliers from the consumer area face several problems when developing devices for automotive uses: Rigid power consumption needs, functional safety support up to ASIL-D, and high quality requirements with low PPM rates during production. Also challenging is the realization of an efficient bill of material (BOM) when trying to scale down a consumer device. An open software platform is a must as OEMs integrate software and look for best-in-
eeworldonline.com
|
designworldonline.com
class software providers. A black-box approach that couples hardware and application software is unsuitable because it locks out software suppliers with leading IP. It is also not ideal for Tier 1 suppliers as it complicates the task of creating value in house. Proprietary software also hinders the task of porting algorithms into an optimized hardware platform. The problems involved explain why many OEMs prefer open standards such as those from Khronos Group, which are supported by multiple third parties and suppliers. AI, meanwhile, is widely used for data center applications. The challenge here is embedding AI while accounting for constraints governing automotive systems: low power, functional safety and low cost, while optimizing the power/performance ratio. Consequently, OEMs have a long road to travel for ADAS/AD. To address the demands for flexible, scalable, and open environments, Renesas developed the Renesas autonomy platform for ADAS and automated driving. This platform leverages the RH850 MCU for real-time and functional safety and R-Car System on Chip (SoC) for high computing performance. The Renesas autonomy platform addresses the needs of OEMs and Tier 1 suppliers with: An open architecture that gives developers the freedom to buy or develop in house; embedded innovation, cutting edge IP, and AI with required IS026262 certifications; and support from a
8 • 2020
global supplier with decades of experience supplying high-quality products at high volume, paired with a committed road-map. The first products from this new platform – the R-Car V3M and R-Car V3H SoCs – are now in full mass production, deployed worldwide for front camera, surround view, and lidar applications. The entry-level R-Car V3M covers the NCAP2020 “5 Star” market and upcoming legislation requirements. It also provides an economical solution for 3D surround view systems. The R-Car V3H is optimized for premium smart camera features and is also suitable for convenience functions such as automatic parking and lidar systems. Both R-Car devices can accommodate embedded conventional computer vision algorithms and AI for embedded systems. Renesas continues to work toward future market requirements in next-generation devices such as NCAP2025 and autonomous functions for Level 2+ / Level 3 ADAS platforms.
REFERENCES Renesas Electronics, https://www.renesas.com/us/en/
DESIGN WORLD — EE NETWORK
11
AUTONOMOUS & CONNECTED VEHICLES
Simcenter Prescan simulation results illustrating sensor simulation that accounts for the surrounding environment (sun light, shades etc.) and traffic.
The sense-think-act model of autonomous vehicles PUNEET SINHA | MECHANICAL ANALYSIS DIV., MENTOR, A SIEMENS BUSINESS
Electronics and software tend to be more important than the mechanics of autonomous vehicles. This shift has serious implications for how vehicles are designed.
Though certain autonomous functions, especially driver-assist and active-safety features, have started to show up in some recent-model vehicles, the goal of fully self-driving cars continues to be a challenge. We are at the point where electronics and software tend to be more important than the mechanics. This shift has serious implications for how vehicles are designed. Safety-critical, sense-thinkact functions require new development and engineering methodologies. During the past two decades, digitization has greatly changed the automotive industry. Today’s vehicles include more than 150 electronic control units (ECUs) with accompanying software, good for one-third or more of their total cost.
12
DESIGN WORLD — EE NETWORK
8 • 2020
The industry is on course to having electronics account for about 50% of vehicle cost by 2030. Software content in cars is expected to triple by 2030. This growth dramatically boosts the number of requirements to be validated. Consequently, the practice of front-loading design decisions via digital solutions–once done simply to minimize costs—now has become indispensable for coping with growing development complexity. Autonomy Level 2 and Level 3 functions comprising advanced driver-assistance system (ADAS) operations such as pedestrian detection, adaptive cruise control, collision avoidance, lane correction and automated parking have already made their way into ordinary vehicles. Fully autonomous cars (SAE Level 4/5) are being tested on roads. Once the right conditions exist, the revolution can begin. One of the biggest impediments at this point is that governments must work out legislation and infrastructure. In addition, consumers must overcome their fear of eeworldonline.com
|
designworldonline.com
SENSE-THINK-ACT
SAE J3016 levels of driving automation Level 0
Level 1
Level 2
You are driving whenever these driver support features are engaged - even if your feet are off the pedals and you are not steering
What does the human in the driver’s seat have to do?
You must constantly supervise these support features; you must steer, brake or accelerate as needed to maintain safety These are driver support features
What do these features do?
Example features
These features are limited to providing warnings and momentary assistance
These features provide steering OR brake/ acceleration support to the driver
These features provide steering AND brake/ acceleration support to the driver
• Automatic emergency braking
• Lane centering
• Lane centering
• Blind spot warning • Lane departure warning
OR • Adaptive cruise control
Level 3
Level 4
Level 5
You are not driving when these automated driving features are engaged - even if you are seated in “the driver’s seat” When the feature requests, you must drive
These automated driving features will not require you to take over driving
These are automated driving features These features can drive the vehicle under limited conditions and will not operate unless all required conditions are met
• Traffic jam chauffeur
AND
• Local driverless taxi • Pedals/ steering wheel may or may not be installed
• Adaptive cruise control at the same time
This feature can drive the vehicle under all conditions
• Same as level 4, but feature can drive everywhere in all conditions
For a more complete description, please download a free copy of SAE J3016: https://www.sae.org/standards/content/j3016_201806
relinquishing control. Putting your safety in the hands of a machine driving 70 MPH requires safety guarantees that will give consumers peace of mind. Researchers are still somewhat careful about making precise predictions because of such uncertainties, but many believe autonomous vehicles will represent a significant proportion of the market by 2030 (up to 15% according to McKinsey).
AUTONOMY CHALLENGES Vehicles capable of working at autonomy levels 4 and 5 must be capable of observing the environment, interpreting it, making decisions quickly and acting accordingly. However, the self-driving car will have to do much better at making decisions than the best driver because every incident and accident will be closely monitored. One bad outcome could be extremely harmful for the manufacturer or even the entire industry, causing serious delays in market introduction. The transfer of control also shifts responsibility from the driver to the vehicle OEM or other stakeholders in the vehicle lifecycle management process. This shift has implications, for example, in terms of insurance when there is an incident. So OEMs must be able to certify vehicle performance in all possible scenarios, as during inclement weather and poor road conditions. Theoretically, this certification necessitates billions of testing miles. Thus virtual testing, verification and validation will probably be the costliest item during the autonomous vehicle engineering process. Self-driving functions always combine capabilities that fit into one of the three segments of the sense-think-act model. Success only comes from systematically combining specializations in these disciplines. There eeworldonline.com
|
designworldonline.com
The SAE divides
will need to be more collaboration than autonomous driving ever among OEM departments, but also capabilities into five between OEMs and suppliers. levels. Sense: Before it can make proper decisions, the autonomous vehicle needs a robust 360° view in all weather and traffic conditions. So sensors and the way they integrate into the vehicle are important. All sensors have their strengths and weaknesses, and the industry has concluded that no single kind of sensor can handle the job on its own. Thus autonomous vehicles will require a combination of lidars, radars, cameras and ultrasonic sensors. Problems can manifest themselves at various stages ranging from chip design, electronic design, structure and attachment points to integration with the vehicle. Vehicle integration can involve incorporation of active cooling or dealing with moisture, fog or other issues. Having a digital thread makes design and integration more efficient as any changes can immediately propagate to all levels. Having a workflow that integrates the simulation of sensor electronics with CAD, thermal, and electromagnetics simulations lets sensor vendors both meet size and cost metrics without sacrificing performance, and account for the complexities of specific vehicle locations. Sensor vendors and OEMs must also ensure sensors will continue operating reliably for the lifespan of the vehicle. This task is particularly challenging because several new sensor technologies and startups are becoming a major part of the supply chain. It’s difficult for sensor makers to answer the reliability question on their own. They do not always work directly with the OEMs during development, so they cannot just mount 8 • 2020
DESIGN WORLD — EE NETWORK
13
AUTONOMOUS & CONNECTED VEHICLES
The changing automotive landscape with vehicle electrification and autonomy. There are 483 OEMs developing electric cars and light-duty trucks and 257 OEMs developing autonomous driving technology (per Siemens internal analysis).
the sensors in the vehicles and test them. But an integrated workflow—including electronics, thermal and dynamic structural simulation—can allow both OEMs and sensor makers to frontload lifetime predictions. Additionally, we must ensure sensors perform well in all weather and traffic conditions. Reliance only on testing is not practical or even feasible: By many estimates, it will take more than eight billion miles of testing, including safety-critical edge cases, to ensure this reliability. Thus it will take physicsbased simulation to verify sensor performance while also accounting for inclement weather and traffic scenarios. Think: The data from the different vision and non-vision sensors must be combined for use in making decisions and triggering actuators. This combination process is critical and must meet the highest safety and security standards. Further, it must happen in real time. The latter is only possible with the support of built-in intelligence, enabling the vehicle to quickly recognize all possible scenarios. Crucial to the success of AV designs are both the training and validation of machine learning
algorithms and low latency data fusion. Currently, ADAS setups generally use a distributed computation architecture that carries out data processing at each node or sensor type. This distributed computation architecture has important disadvantages. They include unacceptable system latency in the transfer of safety-critical information, the loss of potentially useful data at the edge nodes, and a rapid boost in cost and power consumption as systems become more complex. But a centralized raw data-fusion platform can eliminate the inherent limitations of these distributed architectures. This approach connects raw sensor data to a central automated driving compute module over high-speed communication lines. The compute module then fuses this data in real time. The high-speed, low-latency communication framework makes all sensor data, raw and processed, available across the entire system. Data processing takes place when required only in the region of interest. Doing so dramatically reduces the CPU load and fully supports autonomous driving functions while consuming less than 100 W of power.
Machine learning and validation: The scarcity of training data and validation of machine learning algorithms challenge every auto OEM and technology supplier doing AV work. It’s not practical to rely on realworld testing as estimates are that billions of training miles will be necessary to fully allow safe autonomous driving. To date, machine learning is mainly applied with cameras. The emerging challenge is to use it with non-vision sensors. Additionally, the current process for object classification is manual; it is inefficient and not scalable. The goal is to accelerate machine learning with a combination of real-life data and synthetic data. Users can generate synthetic training data from world modeling and simulation of cameras, lidars and radars. In addition, data captured during real-world testing can be seamlessly converted to scenarios to automate the process of object classification. Act: Ultimately, an autonomous vehicle must act upon decisions. These actions involve technologies in three areas: the E/E architecture, ECUs with embedded software, and control algorithms. Vehicle autonomy is forcing an explosion in the complexity of E/E architecture. Even in today’s (Level 1/2) luxury cars, one can already find six to eight sensors, over 150 ECUs, and more than 5,000 m of electrical cable. Operation at autonomy Level 4 or 5 will drastically boost development complexity, raising new challenges.
The Siemens sensor hardware development and vehicle integration portfolio for vision and non-vision sensors. These types of sensors are considered critical for autonomous driving.
14
DESIGN WORLD — EE NETWORK
8 • 2020
eeworldonline.com
|
designworldonline.com
The generative design process SENSE-THINK-ACT
E/E system complexity prevents defining the E/E architecture manually and treating autonomous functions individually. Instead, designers must take a model-based approach that delivers deterministic outcomes from the start. Companies can start from a deterministic overarching multi-domain base model. This model will be refined stepby-step and covers all components including electrical wiring, software, hardware and networks. This approach lets engineering departments choose between design options and virtually evaluate their implications for all domains. Designers can deliver the optimized architecture faster and with more confidence through performance balancing, trade-off analysis, and verification and validation during early development stages. In the control algorithm category, there are new challenges for autonomous vehicles. The traditional way of constructing a control algorithm is to monitor conditions and take action based on the state of the input variables. But this sort of reactive control will no longer be sufficient. Control algorithms for autonomous vehicles must anticipate conditions, accounting not just for vehicle dynamics but also planning trajectories that include what-if scenarios for the environment and traffic around the vehicle. For example, algorithms for automated valet parking must read sensor inputs and include tire dynamics in trajectory planning, which is critical for low-speed maneuvers. By 2030, it’s anticipated that a significant share of vehicles will be fully autonomous. The fact that software will gain importance over mechanics, and self-driving cars will have to completely replace the driver, will have huge implications on many aspects of automotive development. Automakers and their suppliers will have to revolutionize the processes used to deliver products. They will need to allow for constant upgrades and performance improvements, safety-related updates, and more. Such measures are only acheived with product lifecycle management and traceability. All in all, the sense-think-act model demands expertise in a range of diverse domains. It will be important to work with partners having know-how spanning the entire range of applications.
eeworldonline.com
|
designworldonline.com
A generative design process is an iterative process that produces fast results the engineer can refine via constraint variation to narrow in on the best design to meet the requirements. Visible here is the Siemens generative engineering portfolio for EE system development and validation for autonomous driving.
REFERENCES 1. ECU costs--Embitel: “‘ECU’ is a Three Letter Answer for all the Innovative Features in Your Car: Know How the Story Unfolded.” https://www.embitel.com/blog/embedded-blog/ automotive-control-units-development-innovations-mechanicalto-electronics 2. Automotive electronic costs--I. Wagner, Statista: “Automotive electronics cost as a percentage of total car cost worldwide from 1950 to 2030,” October 23, 2019. https://www.statista.com/ statistics/277931/automotive-electronics-cost-as-a-share-oftotal-car-cost-worldwide/ 3. Automotive software content--Burkacky, Ondrej; Deichmann, Johannes; Doll, George; Knochenhauer, Christian: “Rethinking car software and electronics architecture,” February 2018. https:// www.mckinsey.com/industries/automotive-and-assembly/ourinsights/rethinking-car-software-and-electronics-architecture 4. Autonomous vehicle market share predictions--Gao, Paul;, Kaas, Hans-Werner; Mohr, Detlev; Wee, Dominik. Mc Kinsey: “Automotive revolution – perspective towards 2030,” January 1, 2016. “https://www.mckinsey.com/industries/automotive-andassembly/our-insights/disruptive-trends-that-will-transform-theauto-industry/de-de” 5. Training miles estimates--Ohnsman, Alan. Forbes: “Toyota’s Robot-Car Line In The Sand: 8.8 Billion Test Miles To Ensure Safety,” October 3, 2016. https://www.forbes.com/sites/ alanohnsman/2016/10/03/toyotas-robot-car-line-in-the-sand-88-billion-test-miles-to-ensure-safety/#19178f4216f0
8 • 2020
DESIGN WORLD — EE NETWORK
15
AUTONOMOUS & CONNECTED VEHICLES
Optimizing in-vehicle data networks CHRIS RUSCH, BERT BERGNER | TE CONNECTIVITY
Physical channels have limits that affect the practicalities of automotive network architecture and communication protocols. Here’s the lowdown on current work aimed at breaking bandwidth bottlenecks. It has become a truism that we have an insatiable appetite for data. Not so obvious is the effect our need for data has upon in-vehicle communication systems. Advanced safety, security, and convenience functions put demands on the already crowded data network in the car. For these functions, even one missed byte of data can have a profound impact on vehicle operation. The evolution toward advanced driver assist systems (ADAS) and automated driving functions has made high-speed data transmission lanes increasingly relevant to vehicle safety. OEMs must now consider the limitations of physical channels when defining the architecture and selecting the communication protocol. Safety considerations make the trade-off between the data channel (the wires and connectors) and the communications protocol performance (the ICs and software) more important for finding a cost-optimized combination of both. This higher complexity and the increasing number of data-links in vehicles lead to a new generation of automotive architectures. Fragmented vs. converged architectural approach. A modern luxury vehicle can contain up to 100 electronic control units (ECUs)
Classic
based on multiple proprietary operating systems. These ECUs handle tasks ranging from simple control programs to running complex, real-time, multifunctional embedded platforms that support, for example, increasingly sophisticated infotainment and driver assistance systems. The ADAS functions that will ultimately lead to fully automated driving are growing more complex. As a result, traditional ECUbased architectures are reaching their limits. Thus OEMs must develop new concepts to manage the high levels of complexity and data through-put. By clustering functions into domains and converging ECUs, OEMs can optimize the weight of the harness and reduce the complexity of connections. Such measures could reduce the number of components and the overall cost. Service-oriented architectures. The integration of ADAS applications is one of the most significant challenges OEMs face when designing vehicle architectures. High-resolution cameras and high-performance sensors for radar and lidar generate and require an immense amount of data. Within the vehicle, that data must traverse several meters of cable and be processed by powerful computing systems. For safety reasons, ADAS clusters feature a redundant computing platform. High-priority ADAS data also goes to a secondary processor physically separated from the primary ADAS.
Converged Zone control
Zone control
Zone control
Zone control
Zone control
Central computer
Zone control
16
DESIGN WORLD — EE NETWORK
8 • 2020
The difference between the classical fragmented architecture approach and the new converged architecture.
eeworldonline.com
|
designworldonline.com
DATA NETWORKS
A blend of different networking technologies may be featured in next-generation vehicle data networking architectures.
This lets the secondary ADAS run in emergencymode to bring the vehicle safely to a stop. High-speed vehicular computing domains require a symmetrical (i.e. in which all devices can send and receive data at the same rates), robust, easy-to-implement and standardized networking technology with high-performance backbone connectivity such as Ethernet. Cameras and displays usually need asymmetrical links with higher bandwidth in one direction than in the other. For these connections, less complex physical layers have become established in recent years through use of a serializer/de-serializer (SerDes) chipset that converts parallel data to serial data and vice versa. Generally, other sensors and actuators operate at much lower data rates which enables the use of less expensive and established bus technologies like CAN(-FD) or LIN. Gateways, that enable the data transfer between the different network technologies and protocols, will play an important role in these new architecture concepts.
NEXT-GENERATION VEHICLE COMMUNICATIONS Heterogenic high-speed chip landscape and standardization trends. For several years, eeworldonline.com
|
designworldonline.com
Ethernet has handled vehicle diagnostics and supported infotainment systems. The addition of deterministic timing functions is now expanding the role of Ethernet. For example, to reduce costs, Ethernet can now serve as a network backbone for inter-domain controller networks and replace serial networks such as MOST and FlexRay. Ethernet supports line, star, and hybrid ECU connections. As such, it was considered a promising candidate for many topology configurations in automotive applications. However, the original Ethernet standards were not created for time or safety-critical applications. Their adaptation to automotive applications has been the subject of several working groups within the Institute of Electrical and Electronics Engineers (IEEE). Initially, Ethernet cables for use in buildings were thick, double-shielded, and rather inflexible. Subsequently, Ethernet has become attractive to the automotive market thanks to the development of more lightweight and less expensive unshielded twisted-pair cables. 100BASE-T1 Ethernet technology with a maximum data rate of 100 Mbps became practical for vehicles with the development of the BroadR-Reach physical layer spec (by Broadcom Corp.). This spec received further 8 • 2020
support from the OPEN Alliance Special Interest Group, different OEMs, and from ECU, chip, and connector suppliers. Possible applications for 100/1000BASE-T1 are connections to rearview cameras with a 360° panoramic view, radar and lidar systems, as well as driver-cockpit and infotainment solutions. Soon, 1 Gbps (1000BASE-T1) will be implemented, enabling higher performance. TE Connectivity’s MATEnet portfolio of connectors offers optimized channel parameters for these Ethernet links. In 2017 another IEEE working group was created for boosting the automotive Ethernet data rate to the multi-gigabit range. The NGAUTO working group is developing the multi-gigabit standard (IEEE P802.3ch) for data rates of 2.5, 5 and 10 Gbps on fullduplex shielded differential cables. The 10 Gbps Ethernet standard includes a preliminary channel specification. Based on a channel analysis by TE (a consortium participant), this specification limits the used channel bandwidth to 4 GHz for return loss and insertion loss and 5.5 GHz for the coupling attenuation. For high-resolution camera and display connections, OEMs have in recent years deployed asymmetrical point-to-point links instead of Ethernet with SerDes ICs. The DESIGN WORLD — EE NETWORK
17
AUTONOMOUS & CONNECTED VEHICLES A full data communication system, consisting of the channel and the transceiver chipsets within the physical layer (PHY). The channel contains two headers (PCB connectors) and various cable segments, depending on the link topology, that connect via inline connectors.
Optimizing data comm channels IC PHY
Effort IC
current generation with APIX II, GMSL, FPD III-Link allows data rates of up to 3 Gbps on a single coaxial or differential cable. Soon, OEMs will implement the next generation of this technology in vehicle architectures for the first time. OEMs can increase data rates to 6 Gbps on one channel or 12 Gbps if two channels are combined. Unlike Ethernet, the SerDes protocols are not yet standardized. As a result, chip suppliers are releasing multiple proprietary solutions which are often incompatible with each other. Several OEMs, as well as device and chip manufacturers, have begun working on standardization for automotive display and camera links to reduce the number of non-compatible SerDes variants. The SerDes ICs usually support both coaxial and differential cables for cameras and displays. In contrast to Ethernet, a SerDes system provides an asymmetrical link in that the data rate for the downstream channel is much higher than for the upstream channel. Asymmetrical connections are sufficient because cameras produce high-speed data but receive control signals at much lower data-rates. Display units, on the other hand, receive high-speed data but need only send control signals to the ECU as, for example, for touchscreen inputs. This asymmetric approach reduces physical complexity and the channel requirements. Thus OEMs can create systems that are less expensive and more tailored to the application than full-duplex Ethernet systems with the same data rates. Consequently, it is likely that nextgeneration architectures will feature both Ethernet and SerDes. TE Connectivity is working closely with chip suppliers of the established SerDes system and tracks the progress of standardization efforts. This enables rapid adaption of products to upcoming data communication protocols. A full data communication system consists of the channel and the transceiver chipsets within the physical layer (PHY). The channel contains two headers (PCB connectors) and various cable segments that, depending on the link topology, connect via inline connectors. The maximum available data rate of the system depends on a combination of chip and channel complexity. If the goal is to reduce chipset costs, size, and power consumption, a simple modulation (e.g. pulse-amplitude-modulation with two amplitude levels, PAM-2) scheme could reduce complexity of equalization, filtering, or digital signal processing. However, this approach requires broadband channels with low attenuation and smooth frequency response over a large bandwidth to realize high data rates. System suppliers often encounter situations where channels provide only limited bandwidth, a non-linear frequency response, or strong echoes caused by channel components. Such sub-optimal scenarios can be addressed by making the chips involved more capable and thus, more complicated. Thus all parties involved in system development must analyze the trade-off between chip and channel complexity. As an example, TE
18
DESIGN WORLD — EE NETWORK
Channel
8 • 2020
IC PHY
cable, connectors
Effort channel
Total effort
Optimum complexity, chip size, power consumption material effort, process effort, complexity
Connectivity and the Fraunhofer Institute IIS have analyzed channel capacity based on automotive requirements such as topologies featuring link lengths of 10-15 m, EMI performance, signal integrity and IC implementation limitations. This study evaluated maximum data rates of available automotive channels. As ADAS functions become more sophisticated, the performance and reliability of data links to cameras and sensors becomes increasingly significant. As components get pushed close to their physical limits, the margin narrows between performance ceilings and typical operating parameters. It becomes increasingly important for component developers to consider all critical tolerances. And lower link budgets, driven by the need for more bandwidth, limit link lengths and IC choices for designers working on architectures. TE Connectivity is working diligently with the industry to handle the ever-increasing demands of automotive electronics in the least expensive and most time-efficient manner.
REFERENCES TE Connectivity, www.te.com Christian Rusch, Bert Bergner, “Robust Connectivity Solutions for Next-Generation Automotive Data Networks,” TE Connectivity White Paper, https://www. te.com/usa-en/industries/automotive/insights/the-nextgeneration-of-mobility/robust.html
eeworldonline.com
|
designworldonline.com
5G TECHNOLOGY WORLD Delivers the Latest 5G Technology Trends
5G Technology World is EEWorldOnline’s newest site covering 5G technology, systems, infrastructure, and wireless design and development. Get caught up on critical 5G information, check out the following articles on 5GTechnologyWorld.com: Massive MIMO performance testing: Emulate the channel Performing MIMO testing using real-world conditions is critical for successful 5G deployments. www.5gtechnologyworld.com/massive-mimoperformance-testing-emulate-the-channel
5G is hot, keep your components and systems cool 5G’s antennas and the devices that drive them generate more heat than their LTE predecessors. That creates new cooling problems for wireless devices and systems. www.5gtechnologyworld.com/5g-is-hot-keep-yourcomponents-and-systems-cool
5G moves into production, causes test issues 5G Technology World talks with Teradyne’s Jeorge Hurtarte, who explains components and over-the-air production test of 5G components. www.5gtechnologyworld.com/5g-moves-intoproduction-causes-test-issues
IEEE 1588 adds timing performance while reducing cost and risk GPS and GNSS have been the standards for network timing, but they have security issues. A Master clock and IEEE 1588 reduces the risk and lowers installation costs. www.5gtechnologyworld.com/ieee-1588-adds-timingperformance-while-reducing-cost-and-risk
For additional content, go to: www.5gtechnologyworld.com
AUTONOMOUS & CONNECTED VEHICLES
Protecting autonomous vehicle control circuits JAMES COLBY, PRASAD TAWADE LITTELFUSE, INC.
The subsystems that make up an autonomous vehicle should be bullet-proof when it comes to electrical interference and transients. Those who follow autonomous vehicle technology are usually well aware of its benefits. But the safety and convenience autonomous vehicles offer can only come if the vehicle electronics is reliable and robust to electrical shocks such as lightning strikes (limited to the ac input of on-board chargers), in-vehicle power surges, and electrostatic discharge (ESD). Designers must incorporate circuit protection early enough in the design process to avoid last-minute revisions that can delay compliance approvals and potentially compromise circuit performance.
First consider the case of the camera subsystem. Among other things, multiple cameras work together to provide depth perception and convert visual light through a CCD/CMOS image sensor into electronic signals sent to a communication and control circuit. Of the circuit blocks in a camera subsystem, those that require protection components connect with external circuitry. They typically include a CAN transceiver, the power supply, and an Ethernet transceiver. The camera power supply subsystem requires protection from over-currents, high-energy transients, and ESD. A fuse provides over-current Typical camera system protection. Designers can select either make-up on an a conventional one-time blow, ceramic autonomous vehicle.
Typical automotive camera subsystem Technology
12 V
Power supply
1
Fuse PPTC
1
TVS diode Varistor Schottky diode
CAN
CAN transceiver
2
ESD protection Control unit (DSP)
Ethernet
Ethernet transceiver
Serializer
4
CCD/CMOS imaging module
2
Diode arrays
3
Polymer and silicon ESD diode
4
Diode arrays
3 Image sensor Legend
20
DESIGN WORLD — EE NETWORK
8 • 2020
eeworldonline.com
|
Power line Signal line
designworldonline.com
CIRCUIT PROTECTION
ESD for CANbus SPLIT CANH R T/2
CAN BUS transceiver
CAN BUS
R T/2 CANL
Common mode choke (optional)
CG AQ24CANA
Recommended layout for ESD protection of a CANbus transceiver.
fuse, or a polymer-based, positive temperature coefficient (PPTC) resettable fuse. Both components can have wide temperature ratings for automotive requirements. Ceramic fuses can have operating temperature ratings of -55 to +150 °C, and PPTC resettable fuses can operate up to +125 °C. The PPTC has the advantage of not needing replacement if it experiences an over-current. The PPTC substantially boosts resistance in response to the heat generated by an over current. When the over-current is removed, the PPTC recovers to a low resistance. Both component types come in surface-mount packages to save valuable PCB space. Besides over currents, power supply circuits need protection from high-energy transients caused by in-vehicle sources such as motors turning on and off. The circuitry must be capable of withstanding transients defined by ISO Standards 7637 and 16750. Compliant components include transient voltage suppressor (TVS) diodes which can safely absorb both low-energy transients and high-energy transients as specified in Pulses 1, 2, 3 and 5 that the above-referenced standards spell out.
Designers can also consider a metal oxide varistor (MOV) for transient energy protection. MOVs can absorb transients with surge currents of 500 A from 8x20-µsec pulses and up to 2.5 J from 10x1,000 µsec pulses. These components comply with Electromagnetic Compliance Standard IEC 61000-4-2. MOVs can also safely withstand the automotive environment with an operating temperature range of -40 to + 125 °C. To avoid catastrophic failure if the polarity of the voltage to the power supply accidentally reverses, designers can insert a Schottky diode in series with the fuse. While providing reverse polarity protection, the diode’s low forward voltage drop will have a minimal impact on power supply performance. The Controller Area Network (CAN) protocol transceiver needs protection from ESD, fast electrical transients, and other over-voltage transients. Some diode arrays are specifically designed to protect the CAN lines without degrading. Diode arrays have high ESD tolerance with models having 30-kV air and 30-kV contact discharge capabilities. These devices help designers meet the ISO 10605 standard for ESD in road vehicles. As well as withstanding the high ESD voltages, the diode arrays can absorb up to 50 A of transients defined by IEC Standard 61000-4-4 (Electrical Fast Transients). Furthermore, with a capacitance of about 15 pF and leakage current under 1 µA, the diode arrays do not interfere with protocol transmissions. These devices also survive the automotive environment with a temperature operating range of -40 to 150 °C. Circuits designed to protect a CAN transceiver generally include a two-channel diode array on both the high and low lines. A single protection component containing both arrays is available and helps to reduce pick-and-place costs in production. The Ethernet transceiver, like the CAN transceiver, needs ESD and transient surge protection. Diode arrays and polymer ESD suppressors can provide the necessary protection for the high-speed differential data lines. Models of these diode arrays can provide up to ±30 kV ESD protection and can absorb up to 50 A of Electrical Fast Transients. Diode arrays can protect a differential line pair in a single package to save space. Versions are also available as discrete components in
Thwarting ESD in Ethernet connections Twisted pair cable CMC DC block
Connector
AXGD series
eeworldonline.com
|
designworldonline.com
Automotive ethernet PHY
Common mode termination
8 • 2020
Recommended ESD protection for an Ethernet transceiver.
DESIGN WORLD — EE NETWORK
21
AUTONOMOUS & CONNECTED VEHICLES
TVS diode
Bipolar TVS diode array for an analog circuit. 0402 and 0603 surface mount packages to minimize capacitance and pc board space. These ESD protection devices cut signal distortion, reduce voltage overshoot, and simplify the circuit design. Capacitance values can get down to 0.35 pF for the diode array and down to 0.04 pF for the polymer ESD suppressor. These parameters ensure the ESD protection does not impede 1-Gbit Ethernet transmission rates. The most important circuit block is that of the image sensor. A single pair, bipolar set of ESD diodes can protect the image sensor and its circuit. The diodes in this bipolar protection component are oriented cathode to cathode. This model of TVS diode can withstand an ESD strike of up to ±30 kV and has extremely low leakage current with
typical values of under 10 nA. Its capacitance is around 0.35 pF. These TVS diode arrays have ultra-small, 1.0x0.5-mm SOD882 packaging to minimize board space. Keeping protection components as close as possible to the circuit inputs keeps extraneous energy from damaging critical parts. The radar subsystem provides the input for forward and side pedestrian detection and collision avoidance. The circuit generally has two dc power supplies, a low-noise supply powering the analog radar transmitter and receiver circuit blocks, a conventional supply for the logic and communication circuits. Like the camera subsystem power supply, radar subsystem power supplies need over-current protection, transient surge protection, reverse polarity, and ESD protection. One set of protection components can handle over currents and reverse polarity for both supplies. Again, designers can employ either a conventional surface-mount fuse or a PPTC resettable fuse. A low-forward-voltage Schottky diode, in series with the input line to both supplies, will protect against reverse
polarity for both power supplies and the radar subsystem circuit blocks. Designers should provide each supply with surge protection at the input. TVS diodes are the recommended surge protection component. They can absorb large amounts of transient power, such as 600 W for 1 msec. These diodes can also absorb up to 100 A of transient current. Designers select a TVS diode based on its transient power rating (400/600 W for low-power transients and 1,500/7,000 W for high-power transients). The waveform generator and the analog front end are part of the radar transmitter and radar receiver, respectively. They are separate from the transmitter and receiver blocks because protection components on the transmitter output and receiver input blocks would alter their transmission and reception impedance. The protection components safeguard as much of the circuits as possible. A bipolar diode array is the recommended component for ESD protection. A component similar to the diode array protecting the image sensor in the camera subsystem will provide
Automotive radar subsystem Technology 12 V
1 Power supply
Tx
2
Radar transmitter
Power supply
Waveform generator
Radar receiver
DESIGN WORLD — EE NETWORK
Resettable PPTC Schottky diode
Multicore microcontrollers
2
TVS diode
3
Diode arrays
4
Polymer and silicon ESD diode
5
Diode arrays, polymer ESD
Analog frontend
A typical radar subsystem block diagram for autonomous vehicle applications.
22
1
3
4 Rx
SMD fuse
2
8 • 2020
5 CAN
5 Ethernet
eeworldonline.com
|
designworldonline.com
CIRCUIT PROTECTION
Typical ADAS connections Technology
6 12 V
Power supply
Ethernet transceiver
1 Camera 2 Radar
3 CAN transceiver
LIN transceiver
FlexRay transceiver
1
HSSL fast link Microcontroller
DSP
4
2
Diode arrays, polymer ESD
3
Diode arrays
4
Diode arrays
5
Diode arrays
6
Diode arrays, polymer ESD
Lidar 5 RAM
PROTECTING THE ADAS The signal processing, communication, and control subsystem operates the vehicle. This main subsystem must be robust, reliable, and fail-safe. The circuit must react to other vehicles in traffic and make fast stops when an animal or person obstructs the vehicle’s path, And the subsystem must have a fail-safe response to a failed sensor. All circuit blocks that supply information to the controller need protection from ESD. The ADAS power supply, like the other power supply blocks, requires over-current protection, surge protection, and reverse polarity protection. The fuse for this supply can reside within the module or further upstream in the vehicle’s low-voltage junction box. A TVS diode, picked for its surge power rating, protects against surge transients. |
Schottky diode
An ADAS communication and control subsystem.
the necessary ESD protection. The high-sensitivity analog front end requires ESD protection that will not interfere with the circuit’s lowlevel signal integrity. Designers should consider a bipolar polymer ESD suppressor. The ESD suppressor has a capacitance below 0.1 pF and draws under 1 nA of leakage current for a minimal impact on the circuit’s gain and bandwidth. As with the camera subsystem, the radar subsystem sends its information to the vehicle central processing subsystem. Bipolar diode arrays provide ESD protection for both the high and low side of CAN I/O lines. The Ethernet transceiver can use either diode arrays or polymer ESD suppressors to minimize signal distortion and not impact the Ethernet transmission rate. The radar system is crucial for the safe, proper operation of an autonomous vehicle. It is, like the camera system, the set of eyes that monitor the road. Protection of its circuit blocks from the external environment is essential.
eeworldonline.com
ADAS sensors
TVS diode
designworldonline.com
GPS
A Schottky diode in series with the power supply input line provides reverse voltage polarity protection. Each communication link requires ESD and transient protection designed for each port’s performance and configuration. Designers can select from a wide range of diode arrays and polymer ESD suppressors that can protect each communication link without compromising its data rate or its high-to-low voltage differential. Any signal lines connecting directly to the DSP circuit block should have ESD and transient protection. Designers can use diode arrays or polymer ESD suppressors that provide bipolar protection for both the high and low signal lines. The ADAS communication and control subsystem is the primary intelligence for autonomous vehicles. It’s critical that this subsystem remains operational at all times. ESD protection on all ADAS inputs and outputs will protect the subsystem from disabling ESD strikes, and TVS diodes will protect against surge transients generated by electric and electromechanical devices. Designers should be aware of the ISO standards with which vehicle electronic systems must comply. The most important of them include Standard ISO7637-2, which defines requirements for protection from conducted electrical transients; Standard ISO167502, which describes environmental stresses that automotive electrical and electronic systems must withstand; and Standard ISO 10605:2008, which defines the ESD conditions that automotive electronics must withstand. Familiarity with these standards helps designers avoid expensive and time-consuming re-designs. The automotive industry has defined a qualification system for components that can be used in automotive electronic circuits. The components that pass a set of defined mechanical, electrical and environmental stress tests, including operation over a wide temperature 8 • 2020
DESIGN WORLD — EE NETWORK
23
AUTONOMOUS & CONNECTED VEHICLES
Title
General scope
Littelfuse recommended protection
Region
ISO7637-2
Road vehicles — electrical disturbances from conduction and coupling — Part 2: electrical transient conduction along supply lines only
Specifies test methods and procedures to ensure the compatibility conducted electrical transients of equipment installed on passenger cars and commercial vehicles fitted with 12 V or 24 V electrical systems. It describes bench tests for both the injection and measurement of transients. It is applicable to all types of road vehicles independent of the propulsion system (e.g. spark ignition or diesel engine, electric motor).
TVS diode
Global
ISO16750-2
Road vehicles — environmental conditions and testing for electrical and electronic equipment — Part 2: electrical loads
This standard applies to electric and electronic systems/ components for road vehicles. It describes the potential environmental stresses and specifies tests and requirements recommended for the specific mounting location on/in the road vehicle.
TVS diode
Global
ISO 10605:2008
Road vehicles — test methods for electrical disturbances from electrostatic discharge
This standard specifies the electrostatic discharge (ESD) test methods necessary to evaluate electronic modules intended for vehicle use. It includes these sources ESD: in assembly, by service staff, by vehicle occupants.
Diode array PulseGuard (AXGD) Multilayer varistor
Global
Standard
range, can be designated as AEC-Q (Automotive Electronics Council-Quality). There are a number of “Q” values, including AEC-Q100, AEC-Q101, and AEC-Q200. This qualification system determines which tests must take place. Use of AEC-Q qualified components can enable a faster approval process for automotive electronic circuitry. To certify a component as Automotive Grade, a manufacturer generally must do more than prove a component passes a series of defined tests. The manufacturer should also have a documented Production Part Approval Process (PPAP) which demonstrates the supplier can manufacture the components to consistently meet its quality requirements at a specified production rate. And the manufacturing facility should be certified to International Automotive Task Force (IATF) 61949; an automotive quality system based on ISO 9001. In a nutshell, robust, reliable vehicle electronic systems will help to make autonomous vehicles fixtures on the road. Designers can substantially reduce the risk of circuit failures by providing over-current protection, transient surge protection, ESD protection, and reverse polarity protection.
24
DESIGN WORLD — EE NETWORK
Three important standards that apply to electrical protection for automotive electronics.
REFERENCES The article, Advanced Circuit Protection for Connected Autonomous Vehicles, presents protection solutions for vehicle electronic circuits not mentioned here, https://www.powerelectronictips.com/ advanced-circuit-protection-for-connected-autonomous-vehicles/ For more information on protection of automotive circuits, see the Littelfuse Automotive Electronics Applications Guide, littelfuse.com/ automotive-electronics-applications-guide
8 • 2020
eeworldonline.com
|
designworldonline.com
EE Classroom is a syndicated content resource for electronic engineers looking for need-to-know information about various electronic components and systems. Curated by EE World’s editorial team, this digital content hub includes valuable technology background and insights, key trends affecting your designs of today and tomorrow, and frequently asked questions relating to a wide range of important electronic engineering topics. Topics include: • • • • •
Power electronics Embedded computing Test & measurement Sensors Connectivity
To view free educational content, go to www.eeworldonline.com/learning-center
AUTONOMOUS & CONNECTED VEHICLES
The HORIBA RDE+ solution includes a novel R2R testing method known as HORIBA Torque Matching for replicating and simulating different real-world conditions, e.g. changes in weather, while measuring emissions with laboratory precision. Software coordinates the control of the R2R tools needed to replicate real-world conditions in a lab while also coordinating the workflow of the R2R test routine.
How road-to-rig testing speeds vehicle development efforts Road-to-rig testing brings real-world emissions testing into a precision lab setting and is generally regarded as the future of vehicle development. JOSH ISRAEL | HORIBA AUTOMOTIVE TEST SYSTEMS
In 1995, the Environmental Protection Agency (EPA) created Rover—a first-of-its-kind on-board mass emissions measurement system. In the 25 years since the creation of that first unit, the automotive testing world has been applying and refining on-board test equipment, ultimately known as Portable Emissions Measurement Systems (PEMS).
26
DESIGN WORLD — EE NETWORK
8 • 2020
On-board, real-world emissions testing is best characterized by how it contrasts to traditional vehicle certification testing. Traditional laboratory test programs apply precision instrumentation and testing methods to measure highly variable exhaust emissions. Vehicle manufacturers and regulators run lab tests in climate-controlled facilities and apply loads to the vehicle via a full-vehicle chassis dynamometer that simulates driving. The traditional laboratory approach tests vehicle emissions with sophisticated and precision equipment and methods under a eeworldonline.com
|
designworldonline.com
ROAD-TO-RIG TESTS
narrow set of possible operating conditions that may not be generally representative of real-world emissions. As has been found in the past few decades, real vehicle emissions often depend upon operating conditions that may not be reproduced during traditional lab testing. The invention of PEMS systems and their application to real-world testing has been a significant mitigating factor in this regard. PEMS testing measures representative real-world emissions with accurate measurement equipment under actual realworld operating conditions. PEMS have now become standard equipment for regulatory bodies. In 1999 the EPA and the heavy-duty engine industry entered into a consent decree with a total cost estimated at over $1 billion, including fines, on heavy-duty diesel engine manufacturers. This action paved the way for new regulations such as 40 CFR Part 1065 (June 2005) and led to the establishment of PEMS test protocols for the heavy-duty engine industry. In 2015, following the “dieselgate” emissions scandal, the EPA warned all OEMs that their light-duty vehicles would undergo PEMS testing during certification (without disclosing their specific test methods). Also, in the wake of the “dieselgate” findings, European regulatory bodies finalized EURO VI test standards within the WLTP On-Board Test procedures, requiring PEMS testing for all vehicles sold in Europe. Despite a lack of formal in-use U.S. regulation that requires PEMS testing for light-duty vehicles, North American OEMs have embraced this technology for both R&D and pre-certification. Real-time on-board testing has become a vital tool for all OEMs and engine calibration and a common part of the emissions testing process. Labs currently use PEMS for a variety of reasons— including in-use compliance assurance, engine optimization, calibration development, and platform harmonization for global sale.
PEMS AND ROAD-TO-RIG
world testing that is repeatable, in a precision laboratory, over a wide range of operating conditions. Such capabilities let OEMs build and tune vehicles that comply with future regulatory requirements on feasible timelines without excessive prototyping and design iteration. A process commonly referred to as road-to-rig testing (R2R) brings real-world PEMS testing into a precision laboratory setting and is generally regarded as the future of vehicle testing and development. In essence, R2R combines accurate, repeatable, controlled-environment lab testing with the real-world on-road PEMS testing. It uses the results of on-road PEMS tests as inputs and, in some cases, for model validation. R2R also uses advanced chassis dynamometer techniques combined with real-time environmental control as well as, in many cases, hardware and software-in-the-loop. To accurately replicate real-world conditions in the lab, R2R mimics them using PEMS combined with advanced testing techniques such as a driving robot, advanced dynamometers, and dynamic temperature and pressure control. The HORIBA road-to-rig approach is rooted in HORIBA Torque Matching (HTM). The torque matching method matches each parameter that affects the emissions of a vehicle during laboratory testing with the value recorded during a prior real-world drive. In this way, the vehicle does not distinguish between a dynamometer test in the lab and the corresponding real-world drive. The overall HTM test method can be considered a three-step process: Step 1 is a road test in which baseline route, vehicle, and weather data is collected to establish a reference for replication in the lab. A data logger, weather station, and an optional PEMS system log certain basic, real-world vehicle operating parameters and mass emissions over a road route. Step 2 is a validation test of the vehicle in the laboratory under the same precisely-controlled conditions as the road test. The replication employs the coordinated use of a robot driver, an altitude simulator,
While on-road testing has become universal, the focus has shifted to identifying discrepancies, and ultimately closing the gaps, between real-world test results and certification-quality data. One such gap is the repeatability of results. In real-world PEMS testing, test-to-test repeatability is difficult because it is impossible to repeat a road test under the same traffic, driving, and ambient conditions. Thus the test method lacks precision. Test-to-test comparisons aren’t possible for evaluating the effects of alternative powertrain calibrations or small changes to exhaust after-treatment systems. What OEMs currently need is the ability to conduct realistic and representative real-
The Medas altitude simulator finds use in durability, RDE replication, and emission tests to name a few. The Medas can produce dynamic changes on the simulated atmosphere with high accuracy.
eeworldonline.com
|
designworldonline.com
8 • 2020
DESIGN WORLD — EE NETWORK
27
AUTONOMOUS & CONNECTED VEHICLES
A Portable Emissions Measurement System (PEMS) in action.
and the dynamometer to continuously match the operating state of the vehicle emissions control system. Step 3 consists of lab simulation tests in which different powertrain calibrations, emissions control components, environmental conditions, or other driving conditions are substituted or simulated for the purpose of measuring the “real world emissions” to determine the impact of the change. The ultimate goal of R2R is to shorten development cycles while meeting the goal of fielding cleaner, more efficient vehicles. With a robust R2R toolset, manufacturers can push development efforts farther upstream to reduce prototyping and the number of testing iterations both in the lab and on the road. Reductions in testing and prototyping have become critical for manufacturers as they grapple with the diversity of powertrain systems in electric and hybrid-electric vehicles. Complex drive systems, such as those with
28
DESIGN WORLD — EE NETWORK
hybrid transmissions, previously required extensive tests and a long series of on-road trials. The testing of complete powertrains is shifting to the test bed at every stage of development, thereby improving the quality of development services, reducing costs, and shortening development time.
EIL PAIRED WITH PEMS Parallel testing is a major area of focus as manufacturers push to shorten development cycles. Users are pairing PEMS testing with various simulation methods, among them EiL (engine in the loop). EIL is an advanced simulation method used by Horiba-Mira’s engineering consultancy team. Along with simulation of the driver, environment, and road, this method accelerates vehicle development by allowing laboratory testing to more accurately represent real-world performance. Rooted in testing automation software, Horiba’s RDE+ solution includes a novel R2R
8 • 2020
testing method known as HORIBA Torque Matching. This method has been developed and evaluated for replicating and simulating different real-world conditions, e.g. changes in weather, while measuring emissions with laboratory precision. The software coordinates the control of the complex R2R tools necessary to replicate real-world conditions in a laboratory while also coordinating the workflow of the R2R test routine to optimize lab efficiency. RDE CoDriver is a mobile app tool that helps drivers navigate complex on-road tests. During each test, the RDE CoDriver app calculates and presents real-time information related to the progress and validity of the test. It uses data from a wirelessly connected PEMS app which continuously gives feedback about the status of the test and immediately informs the driver about failures, reducing wasted test time and minimizing resources. To help lab managers boost test efficiency, eeworldonline.com
|
designworldonline.com
ROAD-TO-RIG TESTS
How EIL (engine in the loop), paired with PEMS testing, shortens the vehicle development cycle
PEMS road data
Application ready
Chassis correlation
On-road verification
EIL integration
Chassis verification
Complete road, chassis and engine correlation
Verify RDE+ models and rapid development tools
System approach
Detailing depth
System optimization
RDE+ models and rapid development tools generation
reduce down time, and increase control over the testing process, Horiba has developed STARS Enterprise. This app-based laboratory automation system handles testing workflow and data management in the interest of efficiency. Accurate testing at various altitudes and temperatures, paired with other real-driving conditions, is essential to ensure internal combustion engines meet emissions and performance standards. Altitude chambers have been the typical solution—but they are costly, inflexible, and often don’t represent real-world conditions. They also take up a large footprint and consume appreciable power. Mobile Multi-Function Efficient Dynamic Altitude Simulation (Medas) from Horiba dynamically controls engine intake air and exhaust back pressure to simulate desired altitudes and seasonal temperature changes. Medas also provides temperature and humidity conditioning to the engine or powertrain to duplicate real-world testing conditions. The methods and uses of PEMS-based testing will evolve as automakers continually experience more stringent emissions standards and diverse technology accompanying the rise of connected autonomous vehicles. R2R solutions will be an important part of that process, and it is easy to imagine a future where designers complete significant design milestones in a lab using on-road testing results as inputs to the simulation and validation process. Thus the use of PEMS and R2R test methods is an art that will continue to be refined.
eeworldonline.com
|
designworldonline.com
EIL is an advanced simulation method that, coupled with the simulation of the driver, environment, and road, accelerates whole-vehicle development by allowing lab testing to more accurately represent real-world performance.
REFERENCES HORIBA Ltd., www.horiba.com/en_en/
8 • 2020
DESIGN WORLD — EE NETWORK
29
AUTONOMOUS & CONNECTED VEHICLES
More accurate positioning for autonomous vehicles Next-generation inertial measurements will figure the where-abouts of AVs with centimeter-level precision.
REEM MALIK | ACEINNA INC.
Congested, urban canyon environments pose big challenges to AV sensor arrays. IMU technology is especially helpful when an autonomous vehicle is trying to make a left turn without a GPS/GNSS connection.
Underlying any autonomous technology is the promise and necessity of superior safety. The technology in any autonomous vehicle helps it navigate the world around it; to do it safely and precisely is of utmost importance. The increasingly sophisticated functions of AVs necessitate that each vehicle have reliable knowledge of its precise position. Perception sensors see the world around the vehicle and are often the primary source of information for active decision making. Such sensing technology includes radar, lidar, infrared, ultrasonic and camera vision all backed up with intensive compute power.
30
DESIGN WORLD — EE NETWORK
8 • 2020
Guidance and navigation systems tell autonomous vehicles where they are and where they need to go. These systems consist of GNSS/ GPS receivers and an INS (inertial navigation system) which includes inertial motion sensors and inputs from odometry and steering sensors. MEMS-based inertial sensors such as gyroscopes and accelerometers have long been used in vehicles as discrete components – for collision detection, airbag deployment, and electronic stability control. High-end IMUs (inertial measurement units) using MEMS or fiber-optic technology are commonly utilized in aircraft and tactical guidance systems and offer performance on the order of 10x to 1,000x higher than traditional MEMS sensors. As autonomous vehicle technology and safety standards progress, it is becoming apparent that the positioning accuracy and precision required from IMUs and INS now approaches those for aerospace and eeworldonline.com
|
designworldonline.com
INERTIAL MEASUREMENT
RTK positioning and location technologies are valuable for a wide range of autonomous applications including those in agriculture, construction, robotic delivery, drones, as well as for consumer autonomous vehicles. tactical grade devices – consistent and reliable centimeter-level accuracy rather than meter-level accuracy. Until recently, this level of performance and safety integrity for IMUs has been too expensive for high volume markets such as automotive. However, we are now seeing innovations in design and manufacturing that make high-performance IMU technology accessible and economical for a wide range of autonomous applications and broader industrial uses.
WHY AN IMU? An IMU is an electronic module that integrates multiple inertial sensors to generate acceleration and angular rate measurements along multiple axes or degrees of freedom. A six-degree-of-freedom (DOF) IMU consists of a three-axis gyroscope and a three-axis accelerometer. Measurements from these sensors taken over time are combined using an Extended Kalman filter (EKF) to make highly accurate calculations of position, velocity and attitude or orientation. Attitude heading and reference systems (AHRS) combine magnetometer readings with IMU data to calculate heading, roll and pitch. An INS adds GPS to track the position, orientation and velocity of an objects. In a typical AV application, the INS works in conjunction with the traffic and HD maps as well as with perception sensor systems to determine the vehicle route and how to navigate it. When all systems are operating normally, with nominal environmental conditions and good satellite coverage, an INS with a traditional automotive-grade IMU usually provides sufficient positioning accuracy and reliability for safe operations. However, more often than not, environmental or other external conditions are less than ideal. Commonly, the GPS signal is lost or degrades because of urban canyons, tunnels, overpasses, multipath errors, or poor satellite coverage. Alternatively, or in addition to GPS loss, a vehicle may encounter tricky conditions such as precipitation or reflective surfaces which can compromise the performance or integrity of data from the camera, lidar, and/or radar systems. In all cases, it is imperative that the autonomous vehicle reliably continue to navigate itself along the route, safely maneuver to a stop, and/or request intervention. The task of navigating when sensor inputs are garbled often involves a process called dead reckoning. Here the AV system relies on other sensors, primarily the IMU, wheel rotation sensors and, if available, vision. 8 • 2020
DESIGN WORLD — EE NETWORK
31
®
®
AUTONOMOUS & CONNECTED VEHICLES
Sensing in AVs
1
2
GPS (Global positioning system)
INS (Inertial navigation system)
Uses satellite geolocation data to localize vehicle with a few meters accuracy.
Calculates vehicle position, orientation and velocity using IMU and GPS data.
3
4
Lidar (Light detection and ranging)
Radar (radio detection and ranging)
Measures distances and detects objects using lasers and reflections.
Calculates range, velocity and angles of long range objects using RF waves.
Fortunately, the one external factor we can rely on to remain constant (mostly) is Earth’s gravity. Regardless of environmental conditions, the IMU will keep sensing and provide position information. Using the appropriate level of IMU performance can be the difference between crashing into the wall of a tunnel or making it through to the other side. Bias and drift errors inherent in all MEMS devices place a burden on the system to remove those errors. Errors unaccounted for directly integrate over time into position error. High-end IMUs that are rigorously calibrated over temperature and time can drastically reduce these error sources. IMUs with built-in redundancy provide enable even higher precision position estimates, with further benefits of safety, integrity and reliability for the entire AV system and sensor fusion network.
REAL-TIME KINEMATICS Another exciting trend in precise INS positioning is the emergence and expansion of RTK or Real-Time Kinematics. RTK improves GPS positioning accuracy by a factor of 100x, from meter-level accuracy down to centimeter-level accuracy when appropriately fused with IMU data. RTK technology refines the position data received from GPS signals by removing ionospheric and tropospheric delays, multipath, satellite clock and ephemeris errors (caused by the GPS receiver using the satellite’s location in position calculations). RTK systems use survey grade base stations which broadcast corrections to rovers (moving objects or
32
DESIGN WORLD — EE NETWORK
8 • 2020
5
6
Cameras
Infrared sensors
Multiple cameras create a visual representation of the surroundings.
Detect objects (such as pedestrians) using infrared spectrum.
7
8
Ultrasonic sensors
Odometry sensors
Measures short range distances using ultrasonic waves.
Wheel tick sensors and steering angle sensors.
The eight kinds of sensors typically found on autonomous vehicles. vehicles) via a cellular signal. The corrections are fused with GPS and IMU data through complex algorithms and Kalman Filters to provide a final position specific to a rover. Until recently, RTK and similar services have come with a hefty price tag and long acquisition times. So they have been used primarily in agriculture, land survey, construction applications for off-road vehicles in geo-fenced areas. The proliferation of autonomous vehicles and their need for precision positioning is giving rise to new RTK software scalable across geographies which is economical, easy to integrate, and optimized for AV sensor fusion. It is essential for any autonomous vehicle to precisely know its location and surroundings, its destination and how to get there. Though it is unclear when autonomous vehicles will be consumer items, the technology is already wide spread in some industry segments. The combined capabilities of advanced IMUs and RTK promise to democratize inertial navigation systems that provide the high performance, safety and enhanced integrity that is vital for scalable and secure autonomous operation.
REFERENCES ACEINNA Inc., https://www.aceinna.com
eeworldonline.com
|
designworldonline.com
CONNECTED VEHICLE SECURITY
Cybersecurity testing in 5G automotive designs 5G network slicing
5G network slicing enables service providers to build virtual end-to-end networks tailored to application requirements. Mobile broad band
Communication Entertainment Internet Mobile broadband slice
Machine -tomachine
Massive IoT slice Mission critical IoT slice
Reliable low latency
Other slices
Retail Shipping Manufacturing Automotive Medical Infrastructure Other applications
Others
An example of 5G network slicing, courtesy of William Malik, Trend Micro.
IoT: Internet of Things
Special instrumentation can help bullet-proof the communication equipment powering next-generation vehicles. CRAIG HENDRICKS ANRITSU CO.
The roll-out of 5G is bringing a host of real-time Internet-of-Things (IoT) capabilities to automotive designs. Use cases such as enhanced Mobile Broadband (eMBB, high-data-rate use cases for 4G LTE and 5G NR services that allows a high data rate across a wide coverage area) and Ultra-Reliable Low Latency Communication (URLLC) are empowering autonomous vehicles, infotainment systems and security programs. They are also allowing automobiles to leverage smart cities systems (V2N). But these capabilities create a new set of design verification hurdles for engineers. One requirement associated with emerging automotive designs utilizing 5G technologies is cybersecurity. Prevention of attacks that can create dangerous scenarios in automotive and other mission-critical applications is a new design consideration for engineers developing components and systems. Much of this concern is due to vulnerabilities caused by the complex architecture associated with 5G. For example, instead of centralized hardware-based switching, 5G
eeworldonline.com
|
designworldonline.com
8 • 2020
DESIGN WORLD — EE NETWORK
33
AUTONOMOUS & CONNECTED VEHICLES
Network simulator platform for testing security in a lab Anritsu MD8475B 2G/3G/4G Network Simulator Smartphone, Telematics Unit, etc.
Testing servers
Testing software Functional Vulnerability Fuzzing
Typical test configuration for cyber-security verification.
Human interface Anritsu MT8000A 5G Network Simulator
employs a software-defined network. This network employs virtualization functions that can be vulnerable from multiple points, if someone gains control of the software. Other vulnerabilities arise because of the high bandwidth and large number of devices connecting to the network.
NETWORK SLICING The flexibility of the 5G architectural approach enables use of efficient, interoperable multi-service pipelines within the core network. These transmission paths support virtual end-to-end network services using a technique called network slicing. Network slicing allows multiple logical networks to run on top of a shared physical network infrastructure. The slices occupying a single physical network are separated such that traffic and security breaches from one slice cannot interfere with another slice. Each slice has the bandwidth and quality of service (QoS) parameters necessary to support a specific service class. Network slicing supports advanced techniques such as URLLC and eMBB, as well as the traditional mobile voice and broadband services. It also brings benefits to telematics control units (TCUs) used in autonomous vehicles. And network slicing improves other Machineto-Machine (M2M) connections used in infrastructure services for smart cities, smart grids, and smart roadways. Though 5G networks benefit automotive designs, the trade-off is they introduce vulnerabilities at almost every layer of the network stack. Such security risks weren’t a concern with 4G LTE. But the air interface that connects 5G UE (user equipment) with base stations potentially let cyber criminals inject malicious control signals. These malicious signals can potentially misdirect traffic, take control of vehicles, force disconnections, or induce critical system failures. There will be considerable 5G traffic offloaded from relatively secure carrier networks to the less secure internet. Recognizing the potential for nefarious activity, 5G network architectures integrate several security features, including security edge protection proxy at the border of the Public Land Mobile Network (PLMN, a mobile wireless network using earth-based stations rather than satellites), enhanced privacy for the Subscription Permanent Identifier (SUPI, a string of decimal digits representing the Mobile Country Code and Mobile Network Code identifying the network operator), and a unified authentication framework that includes the Security Anchor Function (SEAF decides whether UE is authentic via what’s called an anchor key). To design
34
DESIGN WORLD — EE NETWORK
8 • 2020
Penetration
secure UE, engineers must use components, software, and design practices that ensure compatibility and compliance with ABBA (basically a parameter signifying which security features are enabled), SEAF, and other security mechanisms defined in 3GPP TS 33.501. Also vital to protect automotive systems is testing to ensure the UE complies with 5G network security mechanisms. Engineers must have a high degree of confidence that their products can resist compromise or corruption. Many UE manufacturers employ a Practical Security Testing process to ensure product performance. Practical Security Testing uses a network simulator such as a signaling tester or wireless communications test set. These tools serve as a base station to connect with the UE and a testing server that exercises the device using commercial or proprietary software. Functional security measurements are one of a series of tests necessary to verify the UE performs according to specification. Similar to the general functional testing performed during design verification, testing for 5G automotive systems also focuses on security functions. Here, a network simulator typically exercises the UE with sequences created by a lab or a production server. A powerful new generation of test and simulation equipment has been developed to address the specific security concerns associated with automotive designs. These systems can efficiently verify compliance with 3GPP by connecting with actual service servers. This lets comprehensive testing take place without the influence of an RF channel, as well as under specific network conditions. This approach can also reproduce bugs and cyber-attacks common in the field while the UE sits in the lab. Efficient cyber-security testing requires flexible hardware with application-specific software. For example, mobility testing for E-UTRAN New Radio – Dual Connectivity (EN-DC is a way of enabling 5G services and data rates in a predominantly 4G network. UEs supporting EN-DC can connect simultaneously to LTE master nodes and 5G-NR secondary nodes.) Using this application-specific software, EN-DC mobility testing can take place without the need to create complicated scenarios. It simplifies the testing process while providing the flexibility for future tests as standards evolve. Software is available to handle specific tests and levels of complexity. Dedicated software packages can let the base station emulator create an interactive test environment without complicated test scripts. They can support multi-system simulation of common eeworldonline.com
|
designworldonline.com
CONNECTED VEHICLE SECURITY
Automotive TCU testing actions such as, to name a few, cell selection/ reselection, roaming, SRVCC (Single Radio Voice Call Continuity, a way of handing over VoLTE (Voice over LTE) to 2G/3G networks. VoLTE uses LTE channels for phone calls rather than low-bandwidth voice channels), and EPS fallback (lets phones use the 5G core with NR, but the radio access network may trigger moving the phone to an internet service during call establishment). Such a system makes it possible to efficiently create a real-world environment to test UE for key functions for IMS (IP Multimedia Core Network Subsystem, a framework for delivering IP multimedia services) such as VoLTE , VoNR (Voice over 5G NR), data communications, and messaging. All these tests can take place without forcing the operator to have an extensive understanding of the network protocol. Script software is available that lets users create their own test cases. Engineers must have a deep knowledge of the protocol to write these low-level scripts. For example, users must write test scripts using a ladder sequence with an IMS protocol scripting option. The benefits of this more complex approach include a higher level of flexibility and scalability. There is also software available to capture IMS call flows from a live network and a tool to convert that data into a script, removing the need for the deep knowledge of the IMS protocol. This approach also allows testing IMS functions using carrier-specific IMS implementations. Script software also gives engineers the ability to: • • •
•
Check user-specific abnormal tests and protocol checks at any message level Conduct call processing of LTE for IMS development and evaluation Test STIR/SHAKEN (Secure Telephone Identity Revisited and Signature-based Handling of Asserted information using toKENs, a framework for ensuring the authenticity of a given call) to prevent VoIP call spoofing from spammers Have flexible support for evolving 5G core specification, such as Voice over NR (VoNR)
Dedicated software and network emulators verify the requirements of 5G use cases. For example, it’s more important to eeworldonline.com
|
designworldonline.com
MD8475B
T-put Server
10G HUB MT8000A
IMS Server
Internet Sharing
Control PC (SmartStudio NR) Internet GW verify maximum throughput in eMBB on a 5G UE than on a 4G LTE device. Necessary tests include IP throughput performance and TCP/UDP/FTP. Tests must also support Carrier Aggregation (CA) with 2x2 or 4x4 multiple-input-multiple-output (MIMO) with up to 256QAM. Engineers must also quantify power consumption and heat levels at maximum throughput to satisfy 3GPP standards. Software supports detailed settings related to the base station, packets communication state, UE Tx RF output, and power consumption. Other functional tests for compliance include stress tests of the CPU and software at maximum throughput and tests of a device that supports dual SIM dual active (DSDA, where two SIM cards are constantly active). An example test would measure the UE as it simultaneously conducts 1,000 SMS messages, VoLTE, video streaming, and downloading a large file to measure how robust the software is and test for stack overflows. Also critical for automotive designs is reject testing to see how a TCU responds in abnormal conditions and to duplicate field issues. There are three types of reject testing that can be preformed: Cellular Signaling Message Reject – An example would be an attach reject with 8 • 2020
Internet
An efficient test environment to verify automotive TCU using a 5G and 4G Internet connection. Using network simulators, the TCU can receive multiple IP addresses for various IP connections using numerous APNs that can include IMS servers (for VoLTE/VoNR), T-put server for testing maximum IP throughput, and an internet gateway. a specified reject cause code, and reject for a certain amount of time, a certain number of re-tries or on a certain cell. IMS Message Reject – This is for testing abnormal situations with the IMS protocol to see how the TCU software responds. APN Reject – For rejecting the connection when the TCU requests a certain APN name. (Access Point Name or APN is the name for the settings a phone reads to set up a connection to the gateway between the carrier’s cellular network and the public internet.) All in all, new hardware and software help create economical test environments that emulate real-world scenarios to verify designs and ensure systems comply with 3GPP security standards.
DESIGN WORLD — EE NETWORK
35
AUTONOMOUS & CONNECTED VEHICLES
The data-driven road to automated driving JACE ALLEN | ADAS/AD ENGINEERING AND BUSINESS DEVELOPMENT, DSPACE INC.
Data replay and enrichment tools help analyze driving scenarios and verify simulations based on real-world events. For ADAS and highly automated driving (HAD) applications, the road to homologation--the process of showing a product meets regulatory standards and specifications -- is a long journey that begins and ends with the data. In fact, it’s all about the data. The moment the vehicle’s perception sensors capture data, a complex process begins. The data must be taken through an intensive series of checks and balances to validate standards and specifications, including safety and technical requirements. This process requires a powerful and flexible end-to-end, data-driven development tools. The first step toward homologation begins with data logging within the actual vehicle. Data logging allows engineers to evaluate the development, validation, and optimization of artificial intelligence (AI) algorithms and electronic controls for autonomous functions. Specifically, data logging supports the following activities: • • • • •
Using dSPACE ModelDesk and UAI technology, measurement data collected from the live image on the top is transformed into a 3D simulated scenario on the bottom to enable the testing of perception algorithms.
36
DESIGN WORLD — EE NETWORK
8 • 2020
Data enrichment to train AI/machine learning algorithms Prototyping of sensor fusion and perception algorithms in the vehicle Playback of recorded data in the laboratory to simulate test drives and support large-scale simulation Real-time trajectory planning to determine the best position, velocity, acceleration, etc., of the vehicle in a driving scenario Motion control development for optimal control of the autonomous vehicle in reaction to changing parameters and system inputs
Autonomous prototype vehicles generate huge amounts of data (petabytes) from their numerous imaging sensors (lidar, cameras, radar, ultrasonic). Buses and networks (CAN, CAN FD, Ethernet, FlexRay, etc.) get this data where it needs to go. V2X interfaces such as DSRC (Dedicated Short-Range Communications) or 4G or 5G, as well as GPS or electronic horizon capabilities with HD maps are all typically part of the data logging system.
eeworldonline.com
|
designworldonline.com
Using sensor data
AV DATA
Fleet
Artifical intelligence Perception & fusion
How sensor data is used in the development of autonomous vehicle functions.
data
Scene understanding
Data annotation
Machine learning Motion control
Trajectory planning
Data storage
AD software
Autonomous vehicle
Large scale simulation
update
Cloud, data center
The system must support multiple interfaces, and it must support the right number of scenarios necessary for testing. A second question is time synchronization across all the interfaces to ensure logged data is how to ensure these scenarios are logical and represent real world data. precisely time-stamped for synchronized replay. The appropriate level of realism and complexity can only come Additionally, the system must be scalable and provide sufficient from running large-scale simulations. These simulations require the bandwidth and processing power to record the vast amounts of incoming reproduction of numerous scenarios that include those involving critical data from the perception sensors. This necessitates a high-end storage traffic situations and edge cases. system with several terabytes of space. One such system is the dSPACE Simulated scenarios are created manually or automatically from Autera System which puts the power of a Linux server into the vehicle. the measurement data extracted from perception sensors, object lists, Once data becomes available, either through collection from the positioning data, and maps. Advanced physics-based simulation models vehicle’s sensors or imported from other sources, it must be enriched representative of different real-world scenarios (i.e. roads, 3D scenery, to convert it into a usable form. Data enrichment involves annotating, dynamic traffic, etc.), are built using the data to validate ADAS/AD segmenting, and adding more details to the data. Data enrichment plays functions. These scenarios can be played out in software-in-the-loop a fundamental role in the training of AI algorithms and neural networks. (SIL), hardware-in-the-loop (HIL) or cloud-based platforms. It is critical for identifying the targets for AV systems but can also be There are several requirements for devising models that are used for extracting realistic driving scenarios built from real-world data realistic enough for use in AV simulations. One is that the objects in the based on ground truth. model have material properties so they behave the same way as the In 2019, dSPACE acquired understand.ai (UAI), a firm that provides physical assets they represent. Models of camera sensors should also training and validation data used to develop computer vision and machine-learning models for autonomous vehicles . UAI also offers one of Scenario Sensor-realistic Data enrichment the world’s fastest point-cloud generation simulations rendering tools. (Point clouds resemble solid meshes but are simpler and faster to generate and usually have a higher Data logging resolution compared to a solid mesh of the same size.) Data and test management With vehicle perception sensors generating petabytes of data, one might wonder how all that data gets converted to
Data replay
Scenario-based testing
Scalable simulation platform
The key process steps for completing data-driven development and validation of autonomous development systems.
eeworldonline.com
|
designworldonline.com
8 • 2020
DESIGN WORLD — EE NETWORK
Release testing and homologation
Data-driven development and validation
37
Scenario-based testing
AUTONOMOUS & CONNECTED VEHICLES Definition of the complete world (Ontology)
How different scenarios might be used in an open end-to-end simulation ecosystem. Scenariobased testing ensures sufficient test coverage for autonomous driving validation tasks.
Create tests Scenario database
38
DESIGN WORLD — EE NETWORK
Test database
Test result database
Identification of corner cases by observer
Generate tests Generate scenarios
Statistical completeness analysis
provide high-fidelity images and should be able to modify images for lighting effects (i.e. glares, flashes, reflections, etc.), distortion, vignetting, and chromatic aberration. Models of radar sensors should be able to calculate polarimetric measurements. (Radars often use wave polarization in post-processing to improve the characterization of the targets. Polarimetry can estimate the texture of a material, help resolve the orientation of small structures in the target, and resolve the number of bounces of the received signal.) Radar models also manage specular (mirror-like) reflections, diffuse scattering (spread over a wide range), and multipath propagation. Lidar sensor models should provide full support for scanning and flash-based sensors (where each laser pulse illuminates a large area and a focal plane array simultaneously detects light from adjacent directions), including rolling shutter effects (where use of a rolling shutter to record the image scan-line by scan-line distorts the image), and weather conditions such as rain. Additionally, simulated scenarios should be capable of integrating independently simulated processes for traffic flow, driving, or other aspects of vehicle operation. To get to the simulation and validation results for homologation, the simulated environment must be able to run across multiple platforms (SIL, HIL, cloud). One tool for setting up simulation models is called Automotive Simulation Models (ASM). Available from dSpace, the tool consists of open Simulink models that can be used to build full vehicle dynamic and driving scenario simulations. Also available is ModelDesk, an interactive, graphical editor. Such tools permit driving scenarios or traffic scenes to be simulated with an unlimited number of traffic objects and an unlimited number of sensors.
Analyse results
Simulate
Analysation of scenario coverage
DATE REPLAY AS A TEST STRATEGY Data replay offers an excellent way to analyze driving scenarios and verify simulations based on real-world data. This can be done with HIL systems such as ScaleXIO as well as with data logging systems that offer a playback mechanism and software to control the synchronized playback (dSPACE Autera with RTMaps is an example). Captured data can be replayed in real time or at a slower rate to manipulate and/or monitor the streamed data. An open, end-to-end simulation ecosystem can run scenarios through simulations via a closed-loop process. The vehicle and algorithms are in the loop, adding control to the simulation process and closing the performance loop. Such a system can be fully automated and used for regression testing with all the advantages of HIL and SIL testing. The system should support standards such as XIL-API, OSI, FMI, OpenScenario, OpenDrive, as well as virtual bus simulation for different buses (i.e. CAN, CANFD, Ethernet). Simulations inject data into the system under test (SUT)--such as the AV software stack or the ECU--to analyze the behavior of the software, system components, sub-systems. Injected data can take the form of real sensor inputs, object lists, or a rest bus simulation (simulating more than one ECU bus connection or node to represent communications bus loads). With ground truth sensor simulation (i.e. how sensors and on-board systems interact with the virtual world and with calculated surfaces and objects), an object list can simply be inserted into the SUT to test algorithms such as path planning. But for a broader scope of testing, either raw data or target lists must be injected into the simulation so the ECU can perform the data fusion and object detection/ tracking. Additionally, probabilistic events can 8 • 2020
Parameter change by intelligent test control Analysation of test coverage
be played out to look at different permutations or functional qualities built into the simulation. This stochastic approach to testing is built into the ground-truth sensor models of the ASM tool suite but can also be applied to the different parameters that are associated with any closed-loop scenario test (vehicle, sensor, software, and environment variables). For maximum simulation performance, ground truth sensors can be used in the simulation – in particular for trajectory path planning and decision making. This type of simulated environment can exercise the algorithms running on specific systems detection of lane markings and boundaries, fellow vehicles, traffic signs, traffic lights, etc. An open, end-to-end simulation can also be fully scalable so simulations and tests can run in the cloud or on High-performance Clusters (HPCs), using advanced orchestration (the automated configuration, management, and coordination of computer systems, applications, and services), technology such as Docker on Linux (an open-source project making it easy to create containers and container-based apps), and Kubernetes (an open-source containerorchestration system for automating application deployment, now maintained by the Cloud Native Computing Foundation). In a nutshell, homologation requires a well-orchestrated test system providing the highest level of safety. Bringing everything together into a seamless tool chain helps smooth the process.
REFERENCES dSPACE Inc., www.dspace.com
eeworldonline.com
|
designworldonline.com
Functional Safety Ready Products When Safety is Critical, Reliability Means Everything
When safety is critical to the success of your design, you can count on Microchip’s proven experience to help you meet functional safety requirements, while minimizing cost and development time. Our broad portfolio of functional safety ready microcontrollers, digital signal controllers, memories, and interface and connectivity products is accompanied by state-of-the-art safety documentation, hardware safety features, safety software libraries, certified development tools and expert support teams. Whether you need to meet mandatory requirements or differentiate your product, we can help you achieve your functional safety goals. Let us show you why we have a proven track record of helping customers with safety critical applications that conform to the functional safety standards: •
Appliances: IEC 60730 (Class B)
•
Industrial: IEC 61508 (SIL)
•
Automotive: ISO 26262 (ASIL)
•
Medical: IEC 62304
To make it easy for you to find the right product for your design, we’ve developed the “Functional Safety Ready” designation. A product with this designation has been carefully selected as one that encompasses the latest features and support collateral. Speak to one of our experts who can help you simplify your design.
microchip.com/functional-safety The Microchip name and logo and the Microchip logo are registered trademarks of Microchip Technology Incorporated in the U.S.A. and other countries. All other trademarks are the property of their registered owners. © 2020 Microchip Technology Inc. All rights reserved. 7/20 DS00003550A
AUTONOMOUS & CONNECTED VEHICLES
Enabling safety and cyber security for the connected car HWEE YNG YEO | KEYSIGHT TECHNOLOGIES
Even the best coding practices are likely to result in vehicles infected with 10,000 software bugs. Simulated attacks can sniff out vulnerabilities before the car hits the road. The era of the connected car, and a growing concern over cybersecurity threats, is here. Safeguarding the connected car is no easy task. According to Code Complete (by Steve McConnell; Cob and Mills, 1990), even the best coding practices produce one coding error per 10,000 lines of code. With about 100,000,000 lines of code in a modern high-end car, this works out to about 10,000 software bugs onboard!
40
DESIGN WORLD — EE NETWORK
Also worrying: According to Upstream Security’s Global Automotive Cybersecurity Report 2020, the number of reported automotive cyber-security incidents almost doubled between 2018 and 2019. The study analyzed 367 automotive cyber-attack incidents since 2010, 155 of which were from 2019. These latest figures equate to a 94% year-on-year growth. The more dramatic hacks and threats to personal safety often make headlines, such as white-hat carjacking with packet codes sent over the internet. This exposed vulnerability heightens the fear that hackers can hijack autonomous vehicles miles way, with helpless passengers onboard. But according to the financial research firm Fortunly, 71% of all data breaches are financially motivated. Seemingly mundane information such as route preferences, credit card payment records, or the driver’s locations, can fetch high prices from seeking bidders. A single cyber hack can cost car makers up to $1 billion and a loss of reputation and customer trust. That’s why car makers are considering cybersecurity ratings for cars – the brand or model that sports a five-shield security rating will likely bolster the brand’s value and fetch a premium.
8 • 2020
eeworldonline.com | designworldonline.com
CYBERSECURITY
The connected car presents both wired and wireless potential attack surfaces.
A HACKER’S PARADISE? Part of the allure of the connected car is the convenience of an internet-on-wheels. But such convenience comes with higher standards for security so the next android package kit (APK) downloaded to your car doesn’t come with Trojan horses that can steal your personal data, or worse, disable your brakes. A closer look at the sub-systems enabling vehicular communication reveals numerous points of vulnerability. Hackers can attempt various incursions ranging from
cryptographic attacks at the hardware level to over-the-air (OTA) protocol attacks. The industry is aware of the need to fortify these at-risk interfaces, but there is no official automotive cybersecurity standard. Car makers and their Tier 1 supply chain develop their own special cybersecurity requirements. These are based on best practices from the SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, the NIST Risk Management for Automotive Cybersecurity, AUTO-ISAC recommendations, and others.
Life cycle of the vehicle
Development
Product design
Use
Manufacture
Personalizing
Planning
Analysis of threats
Risk evaluation
Use of secondhands
Control of vulnerabilities and incidents
Component test
Design/ implementation
|
Maintenance
System test
Countermeasure requirements
eeworldonline.com
Applying normal use
Disposal
designworldonline.com
Cybersecurity risk management throughout the car’s lifecycle.
8 • 2020
At the time of this writing, the automotive industry is awaiting the ratification of a new ISO/SAE 21434 standard. It is aimed at securing the systematic development of safe vehicles and maintaining this security throughout the entire vehicle life cycle. The ISO/SAE 21434 standard combines both safety and security. It specifies requirements for cybersecurity risk management regarding engineering for concept, development, production, operation, maintenance, and decommissioning for road vehicle electrical and electronic systems, including their components and interfaces. Even as the industry awaits official standards, most automotive OEMs and subsystem makers include cybersecurity risk management in their fleet’s product life cycle. There must be security checks at each stage of design verification and functional test validation. Throughout its life on the road, a car remains vulnerable to security threats. This is why sub-systems such as ECUs must be hack-proof, while security systems must protect the car regardless of firmware updates or app downloads throughout its life. Security even extends to protocols that remove sensitive data before the car’s last journey to the scrapyard. One way automotive design and test engineers try to secure the car is by using a holistic intrusion protection strategy. It combines hardware security validation with software to stress-test potential attack interfaces against a dynamic library of threats. Automotive cybersecurity developers aim to stay steps ahead of hackers, so engineers must constantly update their test plans and run them against a “live” application and
DESIGN WORLD — EE NETWORK
41
AUTONOMOUS & CONNECTED VEHICLES
threat intelligence (ATI) library. For example, Keysight operates ATI subscription services spanning years of knowledge gained from attack information. Both wireless and wire-line interfaces within the car can be tested to validate safety-critical components such as ECUs, as well as communication systems for advanced driver assistance systems (ADAS), and vehicle-toeverything (V2X) applications.
CYBERSECURITY PEN TEST A cybersecurity penetration test architecture may comprise five key components: Connectivity gateways - Allow both wired and wireless connections to the various automotive DUTs.
Test management server – Lets white hat engineers manage their test plans, including scanning for vulnerabilities through various reconnaissance scenarios such as port scanning, fuzz testing, and many more. Recon and fuzzing server – The fuzzing plus many other pen test scenarios run on a server. This is where coding errors and other security loopholes are uncovered before cyberattacks get simulated. Application & threat intelligence (ATI) library – This stores all captured threats and information. It provides granular applicationlevel visibility and control, geolocation, known-bad IP address blocking, and other threat information.
The Keysight automotive cybersecurity penetration test components: Both wireless and wire-line interfaces within the car can be tested to validate the safety-critical components such as ECUs, as well as communication systems for advanced driver assistance systems (ADAS), and vehicle-toeverything (V2X) applications.
Typical pen test setup
Penetration test setup example.
42
DESIGN WORLD — EE NETWORK
8 • 2020
eeworldonline.com
|
designworldonline.com
CYBERSECURITY Automation – With hundreds of DUTs and thousands of test plans, an intelligent automation platform provides a sanity check for engineers to keep their pen test operations together. A typical List APK Test plan may not take long to run. But challenges add up quickly. Imagine hundreds or even thousands of test plans, coupled with DUT revisions and software upgrades. A holistic penetration test platform allows engineers to examine the plethora of cybersecurity loopholes that may put the driver, passenger, and the marque at risk. No single car maker has an exhaustive list of cybersecurity vulnerabilities. That is one reason why car makers are turning to what their IoT counterparts have done – subscribe to secure and dynamic threat intelligence libraries that are available 24x7. One of the challenges automakers face is the need for a systematic and consistent automotive cybersecurity test strategy across different R&D and production teams. Issues shared among the fraternity include poor test-record management and best practices lost via brain drain, as this growing industry provides career mobility for those with experience and expertise. Even as the white hats build up their arsenal of test plans, management teams are rethinking automotive cybersecurity. The industry knows a piecemeal approach to defense is no longer sufficient. Enterprise-level platforms will become increasingly important to help car makers enhance safety and security as the world moves towards autonomous technologies. Big data from such enterprise-level cybersecurity platforms can have bubble-up benefits for the whole automotive industry. Test engineers can keep track of different test configurations and perform
Pinning down the next APK or android debug bridge risk before the hacker does.
re-tests with design changes, improving productivity and product or services quality. Management can glean insights about threat trends and patterns and formulate better defenses to secure the connected car of the future.
REFERENCES Keysight Technologies, www.keysight.com
It’s not a web page, it’s an industry information site So much happens between issues of R&D World that even another issue would not be enough to keep up. That’s why it makes sense to visit rdworldonline.com and stay on Twitter, Facebook and Linkedin. It’s updated regularly with relevant technical information and other significant news to the design engineering community.
rdworldonline.com
AUTONOMOUS & CONNECTED VEHICLES
CAN for better autonomous vehicles Handing data-intensive lidar and radar processing at the sensor itself can let CAN connections make autonomous vehicle networking more economical. KENT LENNARTSSON | KVASER AB
There’s no question that as the autonomous driving capabilities advance, so do the requirements for transmitting large amounts of data. A 2017 paper by Stephan Heinrich, currently a systems architect at Waymo, estimated the bandwidth requirements for an autonomous vehicle. Heinrich figured the four-to-six radar sensors in a car would need 0.1 to 15 Mbit/sec; for the one-to-five lidar sensors, it is 20 to 100 Mbit/sec. The six-to-12 cameras need another 500 to 3,500 Mbit/sec, while the less data-intensive eight-to-16 ultrasonic sensors need less than 0.01 Mbit/ sec. The GNSS and inertial measurement unit (IMU) motion sensors need less than 0.1 Mbit/sec. The total sensor bandwidth works out to between 3 and 40 Gbit/sec. The rapid pace of development in autonomous vehicles, has certainly pushed those numbers up since 2017. In response, autonomous vehicle manufacturers are embracing automotive Ethernet standards that can deliver speeds of 1GB/sec, and IEEE working groups are developing standards to allow for in-vehicle communication at bandwidths of up to 50 Gbit/sec. Compared to these high-bandwidth protocols and applications, there’s no question that CAN bus bandwidths can seem limited. The maximum bandwidth for the High-Speed CAN/CAN-FD (ISO 11898-2) bus is 5 Mbit/sec. For low-speed, fault-tolerant CAN (ISO 11898-3) it is 125 kpbs, and for CAN-XL now under development, it is 10 Mbit/sec. These figures bring up an important question: Does the CAN protocol have a place in autonomous vehicles when it doesn’t even have the bandwidth to carry the data from a single 4K camera to a vehicle’s ECU? Perhaps surprisingly, the short answer to that question is, “Absolutely.” Though CAN’s key limitation is a limited bandwidth, it also has benefits that include built-in reliability and real-time performance, a software/hardware ecosystem that is robust, low power consumption, and good economics. The CAN bus is built from the ground up for real-time control of
44
DESIGN WORLD — EE NETWORK
8 • 2020
essential automotive systems. It’s been used in production vehicles for more than 25 years, and it was developed with that application in mind. In automotive systems, 99.99% reliability isn’t sufficient. If the CAN system controlling a brake pedal failed one out of every 10,000 times a driver braked, CAN would never have seen the widespread adoption it has today. When the pioneers of CAN first developed the protocol in the early 1980s, they understood this. The thousands of automotive engineers who have contributed to the CAN protocol’s development since then have always kept mission-critical reliability as a core goal of the protocol. Anecdotally, I often say that the beauty of the CAN system is that it’s almost impossible to crash. In many cases, you can violate the CAN bus and it will still work. While robust operation should never be an excuse for sloppiness, it illustrates the fault-tolerant capabilities at the core of the CAN bus. In many automotive applications, a delay is just as disastrous as a failure. Going back to the brake example, even a half-second delay between the driver’s input and actuating the brakes from a CANcontrolled pedal could cause an accident. One of the special things about the CAN protocol is how it resolves data collisions. Like Ethernet and many other protocols, CAN is packetbased. It’s possible that two packets could be sent at the same time and collide. When two Ethernet packets collide, the sending process restarts with a random amount of delay. In the event of a second collision, the random delay time is increased. In contrast to Ethernet, every CAN packet has a priority level, and the protocol supports up to 53 million priority levels. To understand how this works on a simple level, imagine the CAN network simultaneously sends both a packet to activate the brake pedal and a packet to turn on the windshield wipers. The packets collide, but the brake pedal packet has a higher priority. It goes through without delay or corruption, and the windshield wiper packet comes through shortly after. There are rules that can be added to the Ethernet protocol that can resolve issues with the protocol’s standard handling of packet collisions. But automotive Ethernet systems with time-sensitive networking tend to be about six times more expensive than equivalent CAN systems. In CAN, those rules are built into the protocol’s foundation.
eeworldonline.com | designworldonline.com
Traditional automotive communication architecture
TAILOR-MADE COMMUNICATIONS? It’s tempting to look at intra-vehicle communication and conclude we should start from the ground up to develop a new communications protocol. In my experience, this approach often makes sense only by ignoring the true cost of implementing new communication standards. For example, what about documentation? Software tools, APIs and hardware tools all must be created. And once the vehicle launches, will dealers and mechanics need to buy new hardware for repairs and updates? Ditto for new software and training. In contrast, the CAN protocol is mature. It has a robust ecosystem of hardware and software tools with wide support in the automotive world. Development of autonomous vehicles using the CAN protocol will resolve many challenges surrounding the use of a more exotic communications protocol. eeworldonline.com
|
designworldonline.com
There are several possible models for implementing CAN communications in autonomous vehicles. Perhaps the most obvious it to limit CAN to low-bandwidth communications. This approach is simple and intuitive. While autonomous vehicles entail transmitting large amounts of data, some systems within even the most advanced autonomous vehicles don’t. Here, Ethernet handles high-bandwidth communications, like video and lidar, while CAN carries low-bandwidth communications like sending signals to vehicle systems or communicating with IMUs. The model of dividing tasks between CAN and Ethernet based on bandwidth certainly works. CAN and Ethernet can be easily integrated, and both protocols can perform reliably in this scheme. However, other models for using CAN in autonomous vehicles improve reliability even further. 8 • 2020
CAN FOR AVs
Many communication architectures for autonomous vehicles today limit CAN to a low-bandwidth role. Ethernet handles communications like video and lidar, while CAN takes care of sending control signals to vehicle systems or communicating with IMUs. A potentially more economical architecture distributes processing at the sensor nodes so much of the dataintensive processing happens locally, drastically reducing the bandwidth needed to transmit that information to the ECU. A CAN network can easily handle the resulting data streams.
DESIGN WORLD — EE NETWORK
45
AUTONOMOUS & CONNECTED VEHICLES
Distributed automotive communication architecture
One is to use distributed processing. Transmission of uncompressed 4K video at 60 fps can require upwards of 2GB/sec bandwidth. But that video need only go from a 4K camera to a centralized ECU if the ECU does the video processing. With a distributed architecture, some or all of the processing of that video happens at the camera and can drastically reduce the bandwidth necessary to transmit that information to the ECU. An automated vehicle ECU making critical decisions about piloting the vehicle doesn’t really need all 2.99 GB of data in a single second of 4K video. What it needs to know are things like, “There’s a car merging from the right; it’s currently 23 ft away and moving at 48 mph.” Processing the 4K data in or near the camera makes it possible
46
DESIGN WORLD — EE NETWORK
to just send the results to the ECU for decision-making. A CAN network can easily handle such a data stream. Additionally, proponents of distributed vehicle networks argue that such a scheme brings fault tolerance, reliability and redundancy.
CAN AND ETHERNET IN PARALLEL It’s easy to see CAN and automotive Ethernet as competing standards. An alternative model for autonomous vehicle communications is one where CAN and automotive Ethernet run in parallel. Under this model, a single 4K camera might connect to a central ECU via both CAN and Ethernet. The Ethernet connection would carry raw or compressed 4K video, while the CAN connection would carry essential timing, error checking and processed data. 8 • 2020
Each communications protocol does what it does best, and the vehicle benefits from increased redundancy, error checking and a more robust communications network. As autonomous vehicles mature, so will their needs for higher-bandwidth data transmission capabilities. The CAN protocol will still hold an important role in future autonomous vehicles. Utilization of CAN in appropriate autonomous vehicle communication applications will speed development, reduce costs and improve safety and reliability for decades to come.
REFERENCES Kvaser Inc., https://www.kvaser.com/
eeworldonline.com
|
designworldonline.com
1.800.463.9275
newark.com
Discover Over a Million
Engineering Products from Suppliers You Know and Trust 900+ new products each week
Custom services such as kitting, panel meters, enclosures, and many more! Market-leading online community of over 600,000 engineers
AD INDEX AUTONOMOUS & CONNECTED VEHICLES HANDBOOK | AUGUST 2020
Coilcraft........................................................................BC
Microchip...................................................................... 39
Digi-Key............................................................Cover, IFC
MISUMI........................................................................IBC
Keystone Electronics Corp............................................. 1
Newark, An Avnet Company........................................ 47
LEMO USA................................................................... 31
SALES Jami Brownlee jbrownlee@wtwhmedia.com 224.760.1055 Mike Caruso mcaruso@wtwhmedia.com 469.855.7344 Bill Crowley bcrowley@wtwhmedia.com 610.420.2433 Jim Dempsey jdempsey@wtwhmedia.com
LEADERSHIP TEAM Mike Francesconi mfrancesconi@wtwhmedia.com 630.488.9029 Neel Gleason ngleason@wtwhmedia.com 312.882.9867 @wtwh_ngleason Courtney Nagle cseel@wtwhmedia.com 440.523.1685
Publisher Mike Emich memich@wtwhmedia.com 508.446.1823 @wtwh_memich Managing Director Scott McCafferty smccafferty@wtwhmedia.com 310.279.3844 @SMMcCafferty EVP
216.387.1916
Jim Powers jpowers@wtwhmedia.com
Michael Ference
312.925.7793 @jpowers_media
Marshall Matheson mmatheson@wtwhmedia.com 805.895.3609 @mmatheson
mference@wtwhmedia.com 408.769.1188
W
OR
LD
@mrference
G @DESI 48
DESIGN WORLD — EE NETWORK
8 • 2020
N
eeworldonline.com | designworldonline.com
DRIVE INTO INNOVATION If 7,000 cells can power your EV at breathtaking speeds, then imagine the possibilities with MISUMI’s 23,000,000 part numbers, 2,900 industrial commodity brands and 80 Sextillion part configurations. MISUMI has been supporting the EV industry with breakthroughs in quality, cost and time not obtainable through existing supply chains.
AC/DC Converter
Inverter Battery Pack
Charger
Electric Motor
ENERGIZE YOUR FACTORY
MISUMI’s 24 GLOBAL FACTORIES and millions of industrial components from key manufacturers provides a ONE-STOP-SHOP for EV factory automation.
SAVE DESIGN TIME with configuration software, RAPID DESIGN, which generate CAD models for download along with instant quote and delivery details
Order with ease using MISUMI’s simplified Web Ordering System or connect directly via EDI and/or PunchOut to improve order efficiency
REDUCE DOWNTIME with MISUMI’s extensive inventory of maintenance and repair products from thousands of leading manufacturers
Public Company
Global Footprint
Manufacturer & Distributor
$3 Billion in Sales
23 Manufacturing Facilities
25.3 Million Components
300,000 Customers
17 Distribution Centers
80 Sextillion Part Configurations
10,000+ Employees
64 Sales Offices
3,000+ Brands
Call, or email, and chat with our engineering support staff
misumi.info/auto
Advanced Magnetics for ADAS
From high-current, high-efficiency power inductors to filter components for a variety of communications buses, Coilcraft has the magnetics for all of your Advanced Driver Assistance Systems Coilcraft offers a wide range of AEC-Q200 qualified products engineered for the latest advanced driver assistance systems, including high-temperature, high power density power inductors for radar, camera and LiDAR applications. Our compact, low-profile WA8351-AL ultrasonic sensor transformer offers excellent temperature stability up to 125°C
and high performance for time-of-flight (TOF) sensing. Also choose from our broad selection of common mode chokes and filter elements for a variety of communications buses. To learn more about our advanced solutions for ADAS and other automotive/ high-temp applications, visit us at www.coilcraft.com/AEC. ÂŽ
WWW.COILCRAFT.COM
