Downloaded from SAE International by Univ of Nottingham - Kings Meadow Campus, Sunday, August 12, 2018

Functional Safety and Secure CAN in Motor Control System Design for Electric Vehicles

2017-01-1255
Published 03/28/2017

Zhihong Wu, Ke Lu, and Yuan Zhu, Tongji University
Xiaojun Lei, Shanghai Dajun Technologies Inc.
Liqing Duan, Shanghai G-Pulse Technology Co Ltd
Jianning Zhao, Tongji University

CITATION: Wu, Z., Lu, K., Zhu, Y., Lei, X. et al., "Functional Safety and Secure CAN in Motor Control System Design for Electric Vehicles," SAE Technical Paper 2017-01-1255, 2017, doi:10.4271/2017-01-1255.

Copyright © 2017 SAE International

Abstract

Permanent magnet synchronous motors (PMSM) are widely used in electric vehicles for their high power density and high energy efficiency. The motor control system is one of the most safety-critical systems in an electric vehicle, because potential failures of this system can lead to serious harm to human beings, so a high automotive safety integrity level (ASIL) is normally assigned to it. In this paper, an ASIL-C motor control system based on a multicore microcontroller is presented. At the same time, because of the increasing connectivity of the vehicle, secure onboard communication conforming to the AUTOSAR standard is also implemented in the system to prevent external attacks. The functional safety development process of the motor control system is presented: in the item definition stage, the system is defined according to its functionalities and its interaction with the environment and other items; then the hazard analysis and risk assessment of the system is carried out to derive the safety goals and to assign the automotive safety integrity levels. For the system architecture design, a structure based on the E-GAS 3-layer monitoring concept is proposed and functional safety requirements are assigned to it. The system is implemented with a multicore microcontroller. For torque monitoring, a torque estimation algorithm for PMSMs is also presented. Considering the security threats to vehicles, the use of secure onboard communication is also described, providing a mechanism to authenticate and verify the CAN messages between the vehicle control unit and the motor control system.

Introduction

In recent years, great efforts have been made by automotive companies to develop electric vehicles in order to reduce greenhouse gas emissions. In electric vehicles, internal combustion engines are replaced by electric machines, for example induction machines and PMSMs. In order to ensure the safety of electric vehicles, more and more vehicle manufacturers demand that their suppliers provide motor control systems/motor control units (MCU) developed according to the road vehicle functional safety standard, i.e. ISO 26262 [1]. On the other hand, security threats to vehicles have increased significantly with the development of vehicle information and communications technology [2][3]. Since information security was not considered in the design of the traditional in-vehicle communication network, and because of the vulnerabilities of the widely used controller area network (CAN) [2], external threats may lead to the violation of the safety targets and finally result in harm to traffic participants. Although the functional safety development of the MCU is widely discussed [4][5][6], the security aspects are not taken into account there.

In this paper, a functional safety concept of the MCU based on the E-Gas [7] 3-layer architecture is presented. The E-Gas monitoring concept was developed by the E-Gas work group in order to standardize the monitoring of gasoline and diesel engine control systems; in this paper it is adjusted for MCU monitoring.
A torque monitoring method applicable both to surface-mounted PMSMs (SPMSM) and interior PMSMs (IPMSM) is also described in this paper. The proposed system is developed on the basis of the AUTomotive Open System Architecture (AUTOSAR), which created and established an open and standardized software architecture for automotive electronic control units. The security of the CAN communication is enhanced by replacing the end-to-end (E2E) protection with the SECure Onboard Communication (SecOC) concept [8]. SecOC provides resource-efficient and practicable authentication mechanisms for critical data, and these mechanisms are seamlessly integrated with the AUTOSAR communication stack. In SecOC, a message authentication code (MAC) is used to authenticate and verify the CAN messages between the vehicle control unit (VCU) and the MCU.

The remainder of this paper is organized as follows: in section "Functional Safety Concept", the hazard analysis and risk assessment (HA&RA) for the MCU is carried out based on the given item definition, the functional safety goals are derived, and the system structure based on the E-Gas 3-layer architecture is introduced; in section "Torque Monitoring", a torque estimation method for PMSMs with a flux observer is presented; in section "Secure Onboard Communication", the authentication method for the CAN communication is introduced. Conclusions are drawn in the last section.

Functional Safety Concept

In accordance with ISO 26262, the concept phase for automotive applications includes the following requirements:
1. item definition,
2. initiation of the safety lifecycle,
3. hazard analysis and risk assessment,
4. functional safety concept.
In this paper, the item definition and the hazard analysis and risk assessment are described in detail.

Item Definition

In ISO 26262, the concept development process starts from the item definition. The objective of this stage is to describe the functionality of the item, its dependencies on, and interaction with, the environment and other items, and to provide the necessary inputs for the subsequent phases, especially the hazard analysis and risk assessment (HA&RA), which identifies and classifies the potential hazardous events.

In our application, the item, i.e. the MCU, and its interaction with the whole powertrain system are depicted in Fig. 1.

Fig 1. Simplified Electric Powertrain System

Fig. 1 shows a simplified functional concept of the electric powertrain, which utilizes a three-phase PMSM for torque generation. In this system, the shaft of the electric motor is directly attached to a gearbox with a fixed transmission ratio to convert the high rotation speed of the shaft to a lower speed. An additional differential gearbox balances the applied torque between the left and right tire of one vehicle axle, which can be either the front axle or the rear axle of the car. A high voltage battery is used as energy storage. The MCU includes an inverter controlled by a control board. Since the stored energy is only available as DC voltage, the inverter converts the DC power of the battery into AC power for the three-phase electric motor. In vehicles with regenerative braking, the inverter also takes power from the motor (now acting as a generator) and stores it in the high voltage battery. Furthermore, the inverter is controlled so as to apply a desired torque on the shaft of the electric motor. The desired torque is determined in the vehicle control unit (VCU) by observing the driver's input and is then communicated to the inverter via the CAN bus.

From the item definition, the functionalities of the MCU can be defined as follows:
1. Provide drive torque when the VCU requests acceleration;
2. Provide braking torque when the VCU requests deceleration.

Hazard Analysis and Risk Assessment

Based on the functionalities given in the item definition, the hazard analysis and risk assessment can be performed and the functional safety goals can be derived. In this requirement, the operational situations in which the item's malfunctioning behavior will result in a hazardous event shall be described, and the hazards need to be systematically identified. A commonly used analysis method to identify the hazards is the hazard and operability study (HAZOP). In this method, a list of guide words such as "NO", "MORE", "LESS", "REVERSE" and "INSTEAD" is used to identify deviations from the intended design [9]. For example, in the MCU, the analysis of the function "Provide drive torque when VCU requests acceleration" can be interpreted as in Table 1.

Table 1. HAZOP analysis of function 'provide drive torque'

After that, the potential hazardous events also need to be categorized according to the following factors:
1. The severity of the potential harm
2. The probability of exposure of each operational situation
3. The controllability of each hazardous event, by the driver or other persons potentially at risk
For the classification, ISO 26262 provides informative guides for categorizing hazardous events. Considering the complexity of driving scenarios and road conditions, it is not possible to present the complete HA&RA in this paper; instead, a part of the results is listed in Table 2 as an example.

Table 2. Part of HA&RA results for MCU

For example, one of the hazardous events is "provide braking torque" when drive torque is requested. This will lead to an unintended hard braking of the vehicle. When driving on a wet road, there is a very high possibility that it will cause an unintended rotational motion, and the vehicle might collide with roadside objects or oncoming traffic. So the severity of the hazardous event is estimated as S3. The driver will have a very small chance to control the vehicle, so the controllability of the hazardous event is classified as C3, which means "less than 90 % of all drivers or other traffic participants are usually able, or barely able, to avoid harm". The probability of exposure of the operational situation is classified as E3 because ISO 26262 suggests that driving on a wet road "occurs once a month or more often for an average driver".

The safety goals of the MCU can be summarized from the HA&RA results and the ASIL can be determined; a part of the safety goals is listed in Table 3. As shown in the table, the MCU shall only provide drive and brake torque when requested by the VCU, and the generated torque shall match the requested torque. The safe state of the MCU is specified as "Motor generates no active torque", which means that in case of a violation of the safety goals, a shut-off path shall be activated that forces the motor to produce zero torque.

Table 3. Safety goals and corresponding safe state of MCU

System Architecture Design

From the safety goals, functional safety requirements shall be derived and allocated to the elements of the preliminary architectural (PA) assumptions. The referenced PA is the E-Gas 3-layer architecture [7]. The E-Gas standard describes standardized monitoring concepts that can be used for the control of gasoline and diesel engines. The monitoring concept divides the function of the engine control system into 3 layers:
Layer 1. Functional level, contains the engine management functions.
Layer 2. Function monitoring level, recognizes faults in the functional software of layer 1.
Layer 3. Controller monitoring level, interacts with the function controller and enables the function controller hardware and software diagnostics.
Considering the differences between motor control and gasoline and diesel engine control, the E-Gas concept needs to be adjusted. In the new E-Gas architecture for the MCU, the job assignments of the 3 layers are modified accordingly, as shown in Fig. 2:

Fig 2. E-Gas monitoring concept adjusted for MCU

Layer 1. The normal motor control functions are implemented in this layer: according to the torque command requested by the VCU, the field-oriented control (FOC) algorithm is used to calculate the voltage output of the inverter and to generate the required torque.
Layer 2. In order to monitor the function of the MCU, the torque generated by the motor is measured and compared with the requested torque in this layer; in case of a violation of the safety goals, the inverter shall be shut off and the transition into the safe state shall be initiated.
Layer 3. The function controller is diagnosed with an external watchdog in this layer; the inverter shall also be shut off in case of fault detection.

With the E-Gas concept, the electric powertrain system can be depicted as in Fig. 3.

Fig 3. Electric powertrain system with functional safety

The system is implemented with a multicore microcontroller, the Aurix TC275. The TC275 is developed as a safety element out of context (SEOOC) and supports applications up to ASIL D; it provides 2 lock-stepped CPUs (core 0 and core 1) and 1 non-lock-stepped core (core 2). Layer 1 and layer 2 are assigned to core 0 and core 1 respectively, so that random hardware faults, including transient faults, can be sufficiently covered. The torque command from the CAN bus is acquired by core 1, verified by SecOC and then forwarded to core 0, where the FOC algorithm is implemented. In core 1, on the other hand, the torque output is measured based on the current and voltage and compared against the requested torque. Core 1 also controls the shut-off path.

Layer 3 is implemented with an external watchdog, the TLF35584. It performs a "challenge & response" check of the microcontroller periodically and monitors the supply voltages of the system, to make sure that layer 2 operates properly. It also provides a redundant shut-off path in case layer 2 fails to activate the shut-off path itself.

Torque Monitoring

In order to monitor the torque output of the motor, the electromagnetic torque needs to be estimated. For PMSMs, the torque output can be calculated from the stator flux linkages as:
(1)
where the estimated electromagnetic torque is obtained from p, the number of pole pairs of the PMSM, the estimated α- and β-axis flux linkages, and the measured α- and β-axis currents iα, iβ. The stator flux linkages can be estimated by integrating the stator voltages:
(2)
where Rs is the stator resistance and Vα, Vβ are the stator voltages. The schematic diagram of the described torque estimation method is shown in Fig. 4:

Fig 4. Torque Estimation Method with Pure Integrator.

In practical applications, the pure integrator is easily influenced by DC drift and by the initial value error. In order to solve this problem, the pure integrator can be replaced by a modified low pass filter (MLPF), whose transfer function is given as:
(3)
where ωc is the cut-off frequency of the MLPF. Because there are a phase error and a gain error between the MLPF and the pure integrator, and these errors increase when the operating frequency gets close to the cut-off frequency of the MLPF, the outputs of the MLPF need to be compensated for better estimation accuracy. The compensation method is presented in [10]:
(4)
where the flux linkages marked as estimates are those obtained with the MLPF in the time domain, and ωe is the operating frequency of the PMSM. Taking the compensation into account, the estimation diagram is shown in Fig. 5.

Fig 5. Flux Estimator with Compensated MLPF.
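The following simulation is an added illustration of the flux-observer behaviour discussed in this section; it is example code written for this edit, not the authors' implementation. The paper's equations (1)-(4) are not reproduced in this text, so the example assumes the textbook forms: flux as the integral of the stator EMF, the MLPF as the first-order filter 1/(s + ωc), and the αβ-frame torque Te = 1.5·p·(ψα·iβ − ψβ·iα). It integrates the same stator voltage with a pure integrator and with the MLPF, adds a small DC offset to the α-axis measurement, and reports the DC drift of the flux estimate, the mean torque and the torque ripple over the last electrical period. The compensation of [10] is omitted, Rs is taken as zero, and all machine parameters and signals are constructed values.

```python
import math

# Constructed machine parameters and operating point (not the paper's values)
P_POLE_PAIRS = 4          # p, number of pole pairs
V_AMP = 100.0             # stator voltage amplitude [V]
I_AMP = 10.0              # stator current amplitude [A]
W_E = 2 * math.pi * 50.0  # electrical operating frequency we [rad/s]
DT = 1e-5                 # simulation step [s]
T_END = 1.0               # simulated time [s]


def electromagnetic_torque(psi_a, psi_b, i_a, i_b, p=P_POLE_PAIRS):
    """Textbook alpha/beta-frame PMSM torque: Te = 1.5 * p * (psi_a*i_b - psi_b*i_a)."""
    return 1.5 * p * (psi_a * i_b - psi_b * i_a)


def simulate(dc_offset=0.0, wc=None):
    """Estimate flux from the stator EMF and compute torque from it.

    wc=None selects the pure integrator (dpsi/dt = e); a numeric wc selects the
    modified low pass filter 1/(s + wc), i.e. dpsi/dt = e - wc*psi.  dc_offset is
    added to the measured alpha-axis voltage to mimic a sensor bias.  Rs is zero,
    so the EMF equals the measured voltage.  Statistics are taken over the last
    electrical period so that start-up transients do not dominate.
    """
    steps = int(T_END / DT)
    period_steps = round(2 * math.pi / W_E / DT)
    psi_a = psi_b = 0.0
    flux_a, torque = [], []
    for n in range(steps):
        t = n * DT
        v_a = V_AMP * math.cos(W_E * t) + dc_offset
        v_b = V_AMP * math.sin(W_E * t)
        # Current vector leading the ideal flux by 90 degrees (maximum torque)
        i_a = I_AMP * math.cos(W_E * t)
        i_b = I_AMP * math.sin(W_E * t)
        if wc is None:                      # pure integrator (forward Euler)
            psi_a += DT * v_a
            psi_b += DT * v_b
        else:                               # MLPF 1/(s + wc)
            psi_a += DT * (v_a - wc * psi_a)
            psi_b += DT * (v_b - wc * psi_b)
        if n >= steps - period_steps:
            flux_a.append(psi_a)
            torque.append(electromagnetic_torque(psi_a, psi_b, i_a, i_b))
    return {
        "flux_alpha_mean": sum(flux_a) / len(flux_a),  # DC component of the estimate
        "torque_mean": sum(torque) / len(torque),
        "torque_ripple": max(torque) - min(torque),
    }


def compare_observers(dc_offset=1.0):
    """Run both observers on the same biased voltage; wc is set to 0.1*we."""
    return {
        "pure": simulate(dc_offset, wc=None),
        "mlpf": simulate(dc_offset, wc=0.1 * W_E),
        "ideal_torque": 1.5 * P_POLE_PAIRS * (V_AMP / W_E) * I_AMP,
    }


if __name__ == "__main__":
    for name, result in compare_observers().items():
        print(name, result)
```

With a 1 V offset, the pure integrator's α-axis flux has drifted by roughly 1 Wb after one second and the torque estimate ripples by tens of Nm, which a layer-2 plausibility check would report as a false violation; the MLPF bounds the offset to about dc_offset/ωc, at the price of a gain and phase error that grows as ωe approaches ωc, which is the reason for the compensation of [10] and for the variable cut-off frequency discussed below.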
In order to adapt to different operating frequencies, a variable cut-off frequency ωc can be implemented in the MLPF, changing proportionally to the PMSM operating frequency.

Secure Onboard Communication

In the functional safety concept, safety is ensured by monitoring the torque from the motor and comparing it with the torque requested by the VCU. For the CAN communication, the safety mechanism "combination of information redundancy, frame counter and timeout monitoring" is recommended in ISO 26262 to achieve a high diagnostic coverage; this mechanism is also known as the E2E protection mechanism. But because of the inherent weaknesses of CAN communication, i.e. its broadcast nature, fragility to DoS, lack of authenticator fields and weak access control [2], different attack models targeting CAN communication are presented in [2][3]. The E2E protection is far from enough, because it only utilizes a CRC code for information redundancy [11]. In order to verify the request command from the VCU, the SecOC concept from AUTOSAR is adopted to provide the following features:
1. data freshness
2. data integrity
3. data authenticity
In the communication between the VCU and the MCU, to provide message freshness, both sides need to maintain freshness values, e.g. a freshness counter for each uniquely identified message. On the sender side, a secured message is created by adding authentication information to the message that needs to be authenticated. The authentication information comprises a message authentication code and the freshness value, and the freshness value is taken into account during generation of the MAC. On the receiver side, the authentication information is verified to check the freshness, integrity and authenticity of the message. The process is shown in Fig. 6:

Fig 6. Secure Onboard Communication between VCU and MCU.
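The exchange of Fig. 6, as an added example written for this edit and not the authors' AUTOSAR implementation: the VCU side builds the secured message from a 4-byte authentic payload, the low byte of a 32-bit freshness counter and a 24-bit truncated MAC computed over the data identifier, the payload and the complete freshness value; the MCU side reconstructs the full counter from its own last accepted value, checks it against a small acceptance window and verifies the truncated MAC in constant time. The MAC is CMAC over AES-128, the algorithm the paper adopts, when the third-party cryptography package is available, with HMAC-SHA256 as a labelled stand-in otherwise. The data identifier, key, payload layout, freshness truncation and window size are constructed assumptions, not values from the paper or its Fig. 7.

```python
import hashlib
import hmac
import struct

try:  # CMAC-AES128 as in the paper, if the 'cryptography' package is installed
    from cryptography.hazmat.primitives.cmac import CMAC
    from cryptography.hazmat.primitives.ciphers import algorithms
    CMAC(algorithms.AES(bytes(16)))  # probe that this build can construct a CMAC

    def mac_full(key: bytes, msg: bytes) -> bytes:
        c = CMAC(algorithms.AES(key))
        c.update(msg)
        return c.finalize()
    MAC_ALGORITHM = "CMAC-AES128"
except Exception:  # stand-in so the example runs offline without the package
    def mac_full(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, hashlib.sha256).digest()
    MAC_ALGORITHM = "HMAC-SHA256 (stand-in for CMAC-AES128)"

# Constructed layout of one 8-byte CAN frame (assumption):
# 4 bytes authentic data | 1 byte truncated freshness | 3 bytes truncated MAC
DATA_LEN = 4
FV_TRUNC_BITS = 8
MAC_TRUNC_LEN = 3
FV_MASK = 0xFFFFFFFF
DATA_ID = 0x0123                 # constructed SecOC data identifier
KEY = bytes(range(16))           # constructed 128-bit key; real ECU keys come from provisioning


def encode_torque_request(torque_nm: float, status: int) -> bytes:
    """Constructed payload: signed torque in 0.1 Nm units plus a 16-bit status word."""
    return struct.pack(">hH", int(round(torque_nm * 10)), status & 0xFFFF)


def decode_torque_request(data: bytes):
    torque_dnm, status = struct.unpack(">hH", data)
    return torque_dnm / 10.0, status


def _mac_input(data_id: int, data: bytes, freshness: int) -> bytes:
    # The MAC covers the identifier, the payload and the COMPLETE freshness value,
    # so a replayed or re-numbered frame fails even though only the low counter
    # bits travel on the bus.
    return struct.pack(">H", data_id) + data + struct.pack(">I", freshness)


class SecOCSender:
    """VCU side: advances the freshness counter, appends truncated FV and MAC."""

    def __init__(self, key: bytes, data_id: int):
        self.key, self.data_id, self.freshness = key, data_id, 0

    def secure(self, data: bytes) -> bytes:
        assert len(data) == DATA_LEN
        self.freshness = (self.freshness + 1) & FV_MASK
        mac = mac_full(self.key, _mac_input(self.data_id, data, self.freshness))
        fv_trunc = self.freshness & ((1 << FV_TRUNC_BITS) - 1)
        return data + bytes([fv_trunc]) + mac[:MAC_TRUNC_LEN]


class SecOCReceiver:
    """MCU side (core 1 in the paper): rebuilds the counter, checks window and MAC."""

    def __init__(self, key: bytes, data_id: int, window: int = 8):
        self.key, self.data_id, self.window = key, data_id, window
        self.last_freshness = 0  # last ACCEPTED counter value

    def verify(self, pdu: bytes):
        """Return (accepted, payload_or_None, reason)."""
        if len(pdu) != DATA_LEN + 1 + MAC_TRUNC_LEN:
            return False, None, "bad length"
        data, fv_trunc, mac_trunc = pdu[:DATA_LEN], pdu[DATA_LEN], pdu[DATA_LEN + 1:]
        # Reconstruct the full counter: our high bits plus the received low bits;
        # if that does not move forward, assume the low byte has wrapped.
        low_mask = (1 << FV_TRUNC_BITS) - 1
        candidate = (self.last_freshness & ~low_mask) | fv_trunc
        if candidate <= self.last_freshness:
            candidate += 1 << FV_TRUNC_BITS
        candidate &= FV_MASK
        if candidate - self.last_freshness > self.window:
            return False, None, "freshness outside acceptance window (replay or loss)"
        expected = mac_full(self.key, _mac_input(self.data_id, data, candidate))[:MAC_TRUNC_LEN]
        if not hmac.compare_digest(expected, mac_trunc):
            return False, None, "MAC mismatch (forged or corrupted)"
        self.last_freshness = candidate  # only advance after a successful check
        return True, data, "ok"
```

Two properties of this construction deserve attention on the MCU side. Only 24 MAC bits reach the bus, so a frame with a random MAC is accepted with probability 2^-24 per attempt; the freshness window keeps each counter value usable for a single frame and the receiver should count and diagnose repeated MAC failures rather than silently discard them. And because the key is symmetric, any ECU holding it can produce valid frames, so key provisioning and storage on the controller are part of the safety argument, not just the communication stack.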
For the generation of the MAC, CMAC [12] based on AES [13] with an adequate key length is recommended. In order to provide sufficient protection against guessing attacks, AES with a key length of 128 bits is used in our application. Considering the data length of the CAN payload, only part of the MAC is transmitted and compared. The structure of the secured message is shown in Fig. 7.

Fig 7. Structure of Secured Message.

Summary/Conclusions

In this paper, a functional safety concept of the motor control unit in electric vehicles is presented. Based on the item definition, the HA&RA is carried out and the safety goals are derived; the E-Gas 3-layer concept for engine control is adopted and modified to fit the motor control application, and from that the preliminary architecture is proposed. Two technical aspects of the safety concept are discussed in detail, i.e. the torque estimation method and the secure communication concept. For the torque estimation algorithm, the modified low pass filter method is described. For the verification of the communication between the VCU and the MCU, the CAN messages are supplemented with a freshness value and a MAC calculated with the encryption algorithm AES-128.

References

1. ISO 26262:2011, "Road vehicles - Functional safety," International Organization for Standardization, first edition, 2011.
2. Koscher, K. et al., "Experimental security analysis of a modern automobile," in Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2010, pp. 447-462.
3. Woo, S. et al., "A Practical Security Architecture for In-Vehicle CAN-FD," IEEE Transactions on Intelligent Transportation Systems, Volume 17, Issue 8, Aug. 2016, pp. 2248-2261.
4. Li, S., Chang, C., and Zhao, H., "Functional Safety Development of E-motor Drive System for PHEV," SAE Technical Paper 2015-01-0261, 2015, doi:10.4271/2015-01-0261.
5. Batchu, S., "Functional Safety in Inverter Hardware," SAE Technical Paper 2016-28-0166, 2016, doi:10.4271/2016-28-0166.
6. Christiaens, S., Ogrzewalla, J., and Pischinger, S., "Functional Safety for Hybrid and Electric Vehicles," SAE Technical Paper 2012-01-0032, 2012, doi:10.4271/2012-01-0032.
7. E-Gas work group, "Standardized E-Gas monitoring concept," version 4.0, 2007.
8. AUTOSAR, "Requirements on Module Secure Onboard Communication," AUTOSAR_SRS_SecureOnboardCommunication.pdf.
9. British Standard BS IEC 61882:2002, "Hazard and operability studies (HAZOP studies)."
10. Zhihong Wu, Ke Lu, and Yuan Zhu, "A Practical Torque Estimation Method for Interior Permanent Magnet Synchronous Machine in Electric Vehicles," PLoS One, 2015, 10(6): e0130923, doi:10.1371/journal.pone.0130923.
11. Handschuh, H. and Preneel, B., "Minding your MAC Algorithms," Information Security Bulletin, Volume 9, Number 6, 2004, pp. 213-221.
12. Dworkin, M., "Recommendation for block cipher modes of operation: the CCM mode for authentication and confidentiality," NIST Special Publication 800-38C, May 2004.
13. Federal Information Processing Std. (FIPS) 197, "Advanced Encryption Standard (AES)," NIST, U.S. Dept. of Commerce, Washington, DC, Nov. 26, 2001.

Contact Information

Zhihong Wu
Tongji University, Shanghai, China
Rm. 410, Jiren Building, 4800 Caoan Rd., Jiading District, Shanghai 201804, China
Tel.: +86-21-69585683
zhihong.wu@tongji.edu.cn

Acknowledgments

This study is supported by the National Key Research and Development Program of China (2016YFB0100804).

Definitions/Abbreviations

ASIL - Automotive Safety Integrity Level
AUTOSAR - AUTomotive Open System Architecture
CAN - Controller Area Network
E2E - End to End
FOC - Field-Oriented Control
HA&RA - Hazard Analysis and Risk Assessment
HAZOP - Hazard and Operability Study
IPMSM - Interior PMSM
MAC - Message Authentication Code
MCU - Motor Control Unit
MLPF - Modified Low Pass Filter
PA - Preliminary Architecture
PMSM - Permanent Magnet Synchronous Motor
SecOC - Secure Onboard Communication
SEOOC - Safety Element Out Of Context
SPMSM - Surface-Mounted PMSM
VCU - Vehicle Control Unit

The Engineering Meetings Board has approved this paper for publication. It has successfully completed SAE's peer review process under the supervision of the session organizer. The process requires a minimum of three (3) reviews by industry experts.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of SAE International.

Positions and opinions advanced in this paper are those of the author(s) and not necessarily those of SAE International. The author is solely responsible for the content of the paper.

ISSN 0148-7191
http://papers.sae.org/2017-01-1255