The use case of SESAMO partners Infineon and ikv++ provides an example of the challenges of developing a reusable component for an environment with demanding safety and security related characteristics. Reuse has become essential for maintaining cost and time-to-market competitiveness in today’s embedded systems industry. The Automotive Open System Architecture AUTOSAR represents one industry’s response to the reuse challenge. AUTOSAR is a generic software architecture with several levels of standardization ranging from top level SoftWare Components (SWCs) to low level Microcontroller Abstraction Level (MCAL).

Infineon is developing a Complex Device Driver (CDD) for an electrical motor, intended for reuse on 32-bit microcontrollers within an AUTOSAR environment in a variety of applications, ranging from power steering to transmission to chassis (e.g. dampers) and hybrid vehicles. Because of its high potential for reuse, this eMotor CDD is a Safety Element out of Context (SEooC) in the terminology of the automotive safety standard ISO 26262.

Because of the demanding applications in which it will be used, the eMotor CDD must meet the highest Automotive Safety Integrity Level (ASIL D) of the ISO 26262 standard. The safety requirements include extremely stringent performance specifications (a fast control loop interval of at most 50 µs). Engine tuning to adjust vehicle behavior and performance is normal and commonly practiced, and during this process eMotor information is modified. These modifications must not compromise safety-related performance parameters, a challenge further complicated by the risk of security attacks on eMotor information (e.g. software, calibration data, bus information and sensor data). Two SESAMO technical challenge patterns may be found in this use case:

  • Pre-runtime compromise of safety- and security-related data: unauthorized or erroneous modification of calibration data; modification of low-level code to change functionality.

  • Run-time compromise of safety- and security-related performance characteristics: a security breach modifies performance characteristics in such a way as to violate safety goals.

In addition, this use case exhibits a major challenge for the process of qualifying a reusable component with multiple target applications for safety and security against the appropriate standards.
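As an added illustration of defending against the two challenge patterns above (example code, not code from the SESAMO project, Infineon or ikv++): a calibration block is accepted only if its authentication tag verifies and every safety-related parameter lies within a plausibility range, and a run-time monitor flags fast-loop intervals that exceed the 50 µs bound. The parameter names, bounds, key and miss tolerance are constructed assumptions for illustration only.

```python
import hashlib
import hmac
import json

# Constructed example for the eMotor CDD use case. The key, field names and
# bounds are assumptions; only the 50 µs loop bound comes from the text.
KEY = b"constructed-demo-key-not-for-production"
FAST_LOOP_MAX_US = 50.0  # fast control loop interval of at most 50 µs

# Plausibility bounds for safety-related calibration parameters (constructed).
BOUNDS = {
    "loop_interval_us": (10.0, FAST_LOOP_MAX_US),
    "max_phase_current_a": (0.0, 120.0),
    "max_speed_rpm": (0.0, 8000.0),
}

def seal_calibration(params: dict) -> bytes:
    """Attach an HMAC-SHA256 tag to a calibration block (release-tool side)."""
    body = json.dumps(params, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).digest() + body

def load_calibration(blob: bytes) -> dict:
    """Pre-runtime gate: reject tampered or implausible calibration before use."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        raise ValueError("calibration integrity check failed")
    params = json.loads(body)
    for name, (lo, hi) in BOUNDS.items():
        if name not in params or not (lo <= params[name] <= hi):
            raise ValueError(f"calibration parameter {name} outside safe range")
    return params

def calibration_accepted(blob: bytes) -> bool:
    """Convenience wrapper: True if the block passes both gates."""
    try:
        load_calibration(blob)
        return True
    except ValueError:
        return False

class LoopMonitor:
    """Run-time gate: count consecutive fast-loop iterations over the bound."""
    def __init__(self, limit_us: float = FAST_LOOP_MAX_US, tolerated_misses: int = 2):
        self.limit_us, self.tolerated_misses, self.misses = limit_us, tolerated_misses, 0

    def record(self, interval_us: float) -> bool:
        """Return True while the loop is still within its safety budget."""
        self.misses = self.misses + 1 if interval_us > self.limit_us else 0
        return self.misses <= self.tolerated_misses
```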