Safety Challenges for Connected Cars
by: Charles Kim, Howard University
Around 30 years ago, a social scientist investigated various organizations regarding the various risks they are exposed to in relations to public safety and classified them by two criterias: how complex an organization is and how each part of the organization is coupled together. He placed the organizations into 4 quadrants. Among these quadrants,quadrant 2 was high risk dangerous organizations and quadrant 4 included low risk organizations. Aircrafts, chemical plants, space missions, and nuclear power plants were placed in quadrant 2 as tightly coupled nonlinearly interacting complex and safety-critical systems. Motor vehicles were placed as single-goal agencies along with the post office in the loosely coupled linearly interacting quadrant 4.
Where would he place motor vehicles of the year 2016- the high-tech connected cars which contain thousands of components, tens of thousands of parts, and tens of millions of lines of software code? Notwithstanding his opinion, most of us would not be reluctant to place the connected vehicle in quadrant 2 as tightly coupled and enormously complex systems.
Amid the race for developing autonomous vehicles, driverless cars, and the frantic rush of merge and acquisition between traditional auto manufacturers and Silicon Valley high-tech startups, the susceptibility of the added complexity has slowly emerged in, among others, a demonstration of wireless infiltration to a connected vehicle and remote manipulation of the essential controllers, which led to a recall for a firmware update to fix such vulnerability. In another avenue, Google pushes regulators to accept the artificial intelligence software in their driverless car as a driver arguing that human drivers are asafety risk. The Google argument reminds us of the early phase of the manned space program which first removed the astronauts from controlling the ship and only later, from their protest, allowed minimum involvement. But could the pilotless strategy return Apollo 13 safely back to earth?
Drivers and operators have been blamed for accidents. We often heart that 60 to 80 percent of accidents are the direct result of the operator’s loss of control of the system. However, further investigations of the statistics reveal that 75 percent of the aforementioned operator-caused accidents are due to system malfunctions that have preceded the operator actions. Often an imperfect system leaves the most difficult situation to human operator after all attempts by the system cannot correct the situation.
Is there an automated system so perfect that it does not need human intervention at all? No one can prove that there is such a system. So where is the risk in our stride toward the connected car era? There are 3 areas: hardware failure, software faults, and network vulnerability.
Hardware failure problem of electrified transportation platform is more serious than that of the gas engine platforms. The failure rate of mature components has been improved and is reasonably good; however, electric vehicles have new and gradually maturing components. This immaturity in technology or quality control is the main cause of fire or explosion incidents of batteries and failures in battery management systems, traction motors and drive electronics. It is likely that these components would introduce a new mode of failure. However, hardware problems can be eased gradually and arrived at a very low and negligible failure rate. Moreover, it is assuring that methods exist that can aide in determining hardware failure rate. The issue with software, on the other hand, is more delicate.
As a car gets more complex and more tightly coupled in time and function among the components, software related recalls have increased. Even though software-related faults are not separated in the available vehicle recall statistics, with deduction from a recent medical device recall study which reports of 6 to 20% increase for the last several years of software-related recalls, the uptrend in software related recalls in vehicles is not just a general sense but a fact.
Then why do we have more software-related problems? First, car software gets more complex with millions of lines of code, reaching at the level of jet fighters’ complexity. Second, software’s inherent flexibility, once enjoyed for a quick, unlimited, and low cost alternative, now spells uncontrollably complicated, error burdened software production. Third, although there is no known barrier that prevents from creating fault-free software, there is no proven methodology to do that. Moreover, there is no scientific way to prove software fault-free. This problematic situation seems not to be resolved anytime soon, and hidden software bugs would live with us and arise at an opportune time and surprise us.
Adding to the hardware and software risks, wide and open networking of connected vehicles poses a whole new domain of danger: vulnerability of remote access and malicious manipulation of safety-critical vehicle control functions. Last July’s 1.4 million vehicle recall was made to update the vehicle’s firmware to prevent hackers from such remote access to engine, steering, or acceleration and braking controls.
Detection efforts and information sharing are very important in preventing cyber-attacks to connected cars. Most cyber-security countermeasures are not very effective against new, unknown viruses and attack vectors. Therefore certain resistance against cyber-attack and resilience under compromised situations should be prepared. Of course, we are tempted to jump to more layers of security features to cope with the vulnerability. But this kind of countermeasure would further increase the complexity, tighten the coupling, and thus jeopardize the safety of the system it intends to enhance.
We engineers are inherently of so-called High Reliability Organization (HRO), which acts on the belief that if we are careful and pay enough attention to safety we can build and manage high-risk complex systems. So we tend to dismiss the voice of the Normal Accident campers which alerts that accidents do occur in complex and tightly coupled systems and will occur as if they are normal.
In the gloomy reality that hardware components are gradually failing, software contains hidden bugs, and wireless network is open to exploitable vulnerability, will there be any shining way to achieve fail-safe for connected cars without increasing complexity so that the car system detects the presence of faults or infiltration and reconfigures itself to a safe state? It may be possible if we adopt and design by the "broken part" assumption. Under the assumption, one example of a fail-safe of fail-operate scheme for, say, steering wheel controller, could be realized by paralleling the existing connected controller by an unconnected controller built on different hardware and software. Supervision of two controllers then could enable to detect discrepancy in command signals from them, let the unconnected controller command the steering wheel control, and alert the driver of the problem in the connected controller.
In seeking safety, we have emphasized system thinking and cross-breeding between safety engineering and software. However, with the advent of the connected car era, over them, stronger emphasis should be placed on controlling complexity without simplification or approximation. The importance of the complexity control seems to be aptly affirmed by the deck phrase in a February 2016 Wall Street Journal article on connected cars, quoted from a chief officer of a big automaker, as saying, “the key is putting just enough things in the vehicle. But not too many.”
Charles Kim is a professor in Electrical and Computer Engineering at Howard University. He received a Ph. D. degree in electrical engineering from Texas A&M University (College Station, TX) in 1989. Dr. Kim’s research includes fault and failure anticipation, detection, and location in aero-, naval-, and ground systems of electrical and electronic devices and networks. He has worked for safety and security for safety-critical systems in automotive, energy, aerospace, and nuclear industries. Dr. Kim is a senior member of IEEE.
About the Newsletter
The Transportation Electrification eNewsletter studies topics that span across four main domains: Terrestrial (land based), Nautical (Ocean, lakes and bodies of water), Aeronautical (Air and Space) and Commercial-Manufacturing. Main topics include: Batteries including fuel cells, Advanced Charging, Telematics, Systems Architectures that include schemes for both external interface (electric utility) and vehicle internal layout, Drivetrains, and the Connected Vehicle.
The TEC eNewsletter is now being indexed by Google Scholar.