Three considerations for automotive powertrain safety and security

Jürgen Belz, senior consultant, functional safety and cybersecurity at PROMETO co-authored this technical article.

With functional safety and security concerns in automotive electronics gaining attention, including in standards bodies, it’s important for automotive designers to enable functionally safe and secure automotive electric powertrains. Functional safety, cybersecurity and high-voltage safety play an important role in the design, development and mass production of modern electric vehicles.

Functional safety

A prevalent estimate for the amount of software in a modern vehicle is between 100 and 200 million lines of code. This software runs on a large variety of programmable electronic control units and provides functions for advanced driver assistance systems and safety features in the vehicle. Examples of such systems include blind-spot monitoring, automatic emergency brakes and adaptive cruise control. Vehicles with autonomous and electric features require functional safety for safe operation.

Cybersecurity

The increasing sophistication in the type and amount of connectivity available makes vehicles more vulnerable to digital attacks. What was once considered the gold standard in the prevention of cyberattacks is no longer valid. Given the implementation of communications protocols like Controller Area Network and Bluetooth®, and now Global System for Mobile Communications and Wi-Fi® networks for vehicle-to-vehicle communication, automobiles are no longer protected by the “air gap” between them and networks that hackers may employ. Imagine a scenario where a hacker immobilizes a vehicle and only unlocks it after being paid a ransom in bitcoin.

High voltage

Additionally, all aspects of the electric drivetrain – such as the onboard charger, high-voltage to high-voltage or high-voltage to low-voltage DC/DC converter, and electric vehicle traction inverter – all use programmable microcontrollers (MCUs) such as C2000™ real-time MCUs. And with electric vehicle battery voltages approaching 600 to 800 V, it is equally important to understand and apply the requirements for high-voltage safety systems.

Automotive safety and security standards

These international standards address safety and security aspects:

  • International Organization for Standardization (ISO) 26262:2018 outlines the functional safety requirements of road vehicles.
  • ISO 6469:2018 specifies high-voltage electrical safety requirements for electrically propelled road vehicles.
  • United Nations Economic Commission for Europe WP29:2020 details automotive cybersecurity requirements for automakers worldwide.

Additionally, automotive Tier 1s (subsystem manufacturers) follow:

  • ISO DIS 21434:2020, which is still a draft international standard and a superset of Society of Automotive Engineers (SAE) J3061. ISO DIS 21434:2020 outlines a cybersecurity management framework and activities in deference to the ISO 26262 functional safety-compliant V-model-based product development life cycle.
  • SAE J3061:2016, the original “Cybersecurity Guidebook for Cyber-Physical Vehicle Systems” on which ISO/SAE DIS 21434 is based.

Electric vehicle system designers must consider aspects of all three safety and security measures.

ISO 26262 defines four automotive safety integrity levels (ASILs), as listed in Table 1.

ASIL class

Single-point fault metric

Latent fault metric

Probabilistic metric for hardware random fails

ASIL A

n/a

n/a

n/a

ASIL B

≥90%

≥60%

≤100 failure in time (FIT)

ASIL C

≥97%

≥80%

≤100 FIT

ASIL D

≥99%

≥90%

≤10 FIT

Table 1: ISO 26262 quantitative random hardware diagnostic coverage metrics per each ASIL class

ISO/SAE 21434 defines four cybersecurity assurance levels (CALs) based on attack vector and impact, as listed in Table 2.

 

 

Attack vector

 

 

Physical

Local

Adjacent

Network

Impact

Negligible

n/a

n/a

n/a

n/a

Moderate

CAL 1

CAL 1

CAL 2

CAL 3

Major

CAL 1

CAL 2

CAL 3

CAL 4

Severe

CAL2

CAL 3

CAL 4

CAL 4

Table 2: ISO/SAE 21434 cybersecurity assurance levels


SAE J3061 defines four cybersecurity integrity levels (CSILs) and recommends the application of a cybersecurity process for all automotive systems responsible for functions that are ASIL rated per ISO 26262, or for functions associated with subsystems such as propulsion, braking and steering. These are CSIL A, CSIL B, CSIL C and CSIL D.

ISO 6469 describes four classes that depend on the maximum working voltage range “U” of an electric circuit, as listed in Table 3.

Voltage class

Highest (maximum) working voltage

DC voltage (in V)

AC voltage (in root-mean-square value)

A

0 < U ≤ 60

0 < U ≤ 30

B

60 < U ≤ 1,500

30 < U ≤ 1,000

B1

60 < U ≤ 75

30 < U ≤ 50

B2

75 < U ≤ 1,500

50 < U ≤ 1,000

Table 3: ISO 6469 permissible maximum voltage levels per each voltage class


There is significant synergy between ISO 21434 and ISO 26262 in terms of how to implement their recommendations during the design, development and mass production of an electrical/electronic/programmable electronic system. 

Conclusion

With the increasing complexity of automotive subsystems in hybrid electric vehicles and electric vehicles and the electrification of the powertrain, safety and security are becoming higher priorities. Fortunately, commonly accepted normative international standards address these safety and security aspects.

TI can help you make security and safety assessments and achieve security and safety goals in your automotive designs. For example, while developing a powertrain solution with a C2000™ real-time MCU, the online safety material is a great starting point.

Additional resources

Anonymous